Just when you thought your cloud applications were secure because you had implemented multi-factor authentication, hackers are developing strategies to beat this defence.
If you didn’t already know, multi-factor authentication (MFA) is an essential part of your IT security for logging into your devices and cloud applications. With MFA, you enter your username and password plus a second form of authentication – this may be an app on your phone, an SMS message, or an automated voice call.
New threats don’t mean that MFA is no longer necessary. Hackers are developing techniques to beat some forms of MFA, particularly the weaker and therefore more vulnerable ones.
This is a prime example of how IT security keeps us on our toes.
What are the issues with some forms of multi-factor authentication?
Using Microsoft 365 as our example, we have customers with MFA enabled on their cloud software. When they log into 365, they must enter their username and password plus another form of authentication to confirm the login: an SMS text (whose security issues as a form of MFA we have covered previously), an authenticator app, or an automated call.
MFA Bombing
MFA bombing is a technique used by criminal gangs such as Lapsus$, who breached Microsoft, Okta and Nvidia, and by the team that breached SolarWinds in 2019 – 2020, who are yet to be uncovered.
How does it work?
One method is to make phone calls asking the victim to press the hash key to approve the authentication. These gangs may call the number hundreds of times until the recipient gets fed up and accepts the login.
‘Call the employee 100 times at 1 am while he is trying to sleep, and he will more than likely accept it.’ – Lapsus$.
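The pattern described above (a burst of prompts the user rejects or ignores, followed eventually by an approval) is something a defender can look for in sign-in logs. The script below is an added example and is not code from the original post or from Microsoft; the log line format, the field names, the result values (`denied`, `timeout`, `approved`) and the thresholds are assumptions constructed for the example rather than the real Microsoft 365 sign-in log schema. It flags any user who receives at least four MFA prompts within ten minutes with most of them unanswered, and raises the severity when that burst ends in an approval, which is the case where fatigue has most likely won.

```python
"""Detect MFA bombing (MFA fatigue) patterns in sign-in logs.

Added example, not part of the original post. The log format below is a
constructed stand-in: "<timestamp> <user> <mfa_result>" per line, where
mfa_result is one of approved / denied / timeout.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: alice is hammered with prompts at 1 am and finally
# accepts; bob has two normal approvals eight hours apart.
SAMPLE_LOG = """\
2024-03-01T01:00:05Z alice@example.com denied
2024-03-01T01:00:41Z alice@example.com timeout
2024-03-01T01:01:12Z alice@example.com denied
2024-03-01T01:01:50Z alice@example.com denied
2024-03-01T01:02:33Z alice@example.com denied
2024-03-01T01:03:10Z alice@example.com approved
2024-03-01T09:15:00Z bob@example.com approved
2024-03-01T17:40:12Z bob@example.com approved
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def find_mfa_bombing(events, window=timedelta(minutes=10), min_prompts=4):
    """Return one finding per user whose prompts look like an MFA bombing run.

    A burst qualifies when at least `min_prompts` prompts fall inside `window`
    and all but at most one of them were denied or timed out. A burst that
    ends with an approval is reported as critical; otherwise as a warning.
    """
    by_user = defaultdict(list)
    for ts, user, result in events:
        by_user[user].append((ts, result))

    findings = []
    for user, prompts in sorted(by_user.items()):
        prompts.sort()
        best, best_rank = None, None
        start = 0
        for end, (ts, result) in enumerate(prompts):
            # Slide the window start forward so the burst spans at most `window`.
            while ts - prompts[start][0] > window:
                start += 1
            burst = prompts[start:end + 1]
            rejected = sum(1 for _, r in burst if r != "approved")
            if len(burst) < min_prompts or rejected < min_prompts - 1:
                continue
            finding = {
                "user": user,
                "first_prompt": burst[0][0],
                "last_prompt": burst[-1][0],
                "prompts": len(burst),
                "rejected": rejected,
                "severity": "critical" if result == "approved" else "warning",
            }
            # Prefer a burst that ended in an approval, then the largest burst.
            rank = (finding["severity"] == "critical", finding["prompts"])
            if best is None or rank > best_rank:
                best, best_rank = finding, rank
        if best is not None:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in find_mfa_bombing(parse_log(SAMPLE_LOG)):
        print(f"[{f['severity'].upper()}] {f['user']}: {f['prompts']} prompts "
              f"({f['rejected']} rejected) between {f['first_prompt']:%H:%M:%S} "
              f"and {f['last_prompt']:%H:%M:%S}")
```

On the sample above only alice is reported, as a critical finding covering six prompts of which five were rejected; bob's two approvals are too far apart to form a burst. The thresholds are deliberately conservative so that a user who mistypes a few times is not flagged; tune them against your own sign-in volume, and treat a critical finding as a reason to revoke the session and reset the user's credentials rather than merely alert.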
What is the answer to this IT setback?
- Fingerprint readers on devices
- Cameras built-in for facial recognition
- Using a YubiKey