Just when you thought your cloud applications were secure because you had implemented multi-factor authentication, hackers are developing strategies to beat this defence.
If you didn’t already know, multi-factor authentication (MFA) is an essential part of your IT security for logging into your devices and cloud applications. With multi-factor authentication, you enter your username and password plus a second form of authentication – this may be an app on your phone, an SMS message, or an automated voice call.
New threats don’t mean that MFA is no longer necessary; rather, hackers are developing techniques to beat some forms of MFA, in particular the weaker and therefore more vulnerable types.
This is a prime example of how IT security keeps us on our toes.
What are the issues with some forms of Multi-factor authentication?
Using Microsoft 365 as our example: we have customers with MFA enabled on their cloud software. When they log into 365, they must enter their username, password and another form of authentication. This may be an SMS text (we have covered the security issues of SMS as a form of MFA elsewhere), an authenticator app, or an automated call to confirm the login.
Bombarding users with multi-factor authentication prompts is a technique used by criminal gangs such as Lapsus$, who breached Microsoft, Okta and Nvidia, and the team that breached SolarWinds in 2019 – 2020, who are yet to be uncovered.
How does it work?
One method uses the automated phone call that asks the victim of the cyber attack to press the hash key to approve the authentication. Unfortunately, these gangs may trigger that call hundreds of times until the recipient gets fed up and accepts the login.
‘Call the employee 100 times at 1 am while he is trying to sleep, and he will more than likely accept it.’ – Lapsus$.
The same is true for Google Authenticator: the cybercriminals keep requesting a login, prompting the app to pop up and ask for approval. Eventually the victim accepts the request, and the hackers have beaten the authentication. Some hackers use a slower version of the technique, sending just two prompts a day and hoping one gets accepted.
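The two patterns above, a burst of prompts at 1 am and a slow drip of two a day, both leave a trail in the sign-in log. The following is an added example (not from the original post) that scans constructed sample sign-in events for both patterns and, most importantly, flags an approval that follows a burst of unapproved prompts; the log line format and the outcome names are assumptions, not any real product’s schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Outcome names and the 'timestamp user outcome' line format are constructed for this example.
UNAPPROVED = {"mfa_denied", "mfa_timeout"}

def parse_log(text):
    """Parse constructed 'ISO-timestamp user outcome' lines into sorted (datetime, user, outcome)."""
    return sorted((datetime.fromisoformat(ts), u, o) for ts, u, o in (l.split() for l in text.strip().splitlines()))

def detect_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Users with >= threshold unapproved prompts inside any sliding window ('call 100 times at 1 am')."""
    by_user = defaultdict(list)
    for ts, user, outcome in events:
        if outcome in UNAPPROVED:
            by_user[user].append(ts)
    hits = {}
    for user, times in by_user.items():
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                hits[user] = max(end - start + 1, hits.get(user, 0))
    return hits

def detect_slow_drip(events, min_days=3):
    """Users with unapproved prompts on >= min_days distinct days ('two a day', which a burst threshold misses)."""
    days = defaultdict(set)
    for ts, user, outcome in events:
        if outcome in UNAPPROVED:
            days[user].add(ts.date())
    return {u for u, d in days.items() if len(d) >= min_days}

def approved_after_burst(events, window=timedelta(minutes=10), threshold=5):
    """Users whose approval came right after a burst of unapproved prompts: the bombing likely worked."""
    return {user for i, (ts, user, outcome) in enumerate(events) if outcome == "mfa_approved"
            and sum(1 for t, u, o in events[:i] if u == user and o in UNAPPROVED and ts - t <= window) >= threshold}

def sample_log():
    """Constructed sample: alice bombed at 1 am then approves; bob prompted twice a day for four days; carol normal."""
    t0 = datetime(2024, 3, 4, 1, 0)
    alice = [f"{(t0 + timedelta(seconds=45 * i)).isoformat()} alice@example.com mfa_denied" for i in range(8)]
    alice.append(f"{(t0 + timedelta(minutes=7)).isoformat()} alice@example.com mfa_approved")
    bob = [f"{datetime(2024, 3, 4 + d, h).isoformat()} bob@example.com mfa_timeout" for d in range(4) for h in (9, 15)]
    return "\n".join(alice + bob + ["2024-03-05T08:30:00 carol@example.com mfa_approved"])

if __name__ == "__main__":
    evs = parse_log(sample_log())
    print(detect_bursts(evs), detect_slow_drip(evs), approved_after_burst(evs))
```

A user returned by `approved_after_burst` should be treated as a likely compromised session and have their sign-in sessions revoked, not just their password reset.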
What is the answer to this IT setback?
Use a more secure form of multi-factor authentication, such as FIDO2. It will massively reduce the risk of cyber attacks. FIDO2 is still multi-factor authentication, but the second factor is tied to the device being used; examples of FIDO2 are:
- Fingerprint readers on devices
- Built-in cameras for facial recognition
- Using a YubiKey
YubiKeys are physical MFA devices that employees can use, eliminating the need for MFA authenticator apps on personal devices such as smartphones. You can purchase YubiKeys on Amazon.
All of these techniques avoid the problem of multi-factor authentication bombing, because the authentication must be completed on the device being used and there is no remote prompt for an attacker to spam.