2FA (Two Factor Authentication) and MFA (Multi-Factor Authentication) are two hugely popular, and generally reliable, security measures used to secure online accounts today. They are used to protect users against cyber-crimes related to exposed or easy-to-crack passwords.
Unfortunately, hackers are always discovering new ways to infiltrate our personal data, leading to a recent rise in 2FA and MFA-related cyber incidents.
This article will explore what 2FA and MFA are, the new scams associated with these authentication methods and how to protect yourself (and your business).
2FA and MFA are two online authentication methods used commonly today to help users protect their accounts with more than just their username and password. 2FA is a type of multi-factor authentication that requires only two ways for the user to prove their identity. Whilst MFA requires at least two, if not more types of verification.
The three most common kinds of verification, according to Microsoft, are:
Take this scenario, you’re trying to log in to your work email.
You use your username and password (something you know) – this is your first factor of verification.
You’re then prompted to log in to your free Microsoft Authenticator app on your mobile device (something you have) to access a unique 6-digit code (that is updated every 30 seconds) that you enter to access your emails – this is your second factor of verification.
However, you cannot access this app without using your facial recognition, or fingerprint (something you are) – this is your third factor of verification.
So, even with your username and password, it would be impossible for a hacker to access your account unless they also had your personal device and YOU there to unlock it. This is what makes MFA so effective.
And don’t worry, these apps take seconds to access and generally only prompt for this level of authentication the first time you sign in, after a password change, when your account is accessed from an untrusted device, or when prompted on a cycle (e.g. every 30-days as per your organisation’s security policy), meaning there’s no inconvenience on a day-to-day basis!
If you’re new to MFA, it works by triggering a one-time password (OTP) when you attempt to log into an application or platform. This OTP may be sent via email, SMS or via an authenticator app, which is the most trusted source of MFA (and one we recommend using).
This OTP is uniquely generated and updated every 30-seconds on most MFA applications, making it more secure than a static user-created password and, ultimately, more difficult to crack as it’s only accessible from a your personal device.
There has been a rapid increase in recent times where hackers are phoning their victims, claiming to be their IT support provider, or someone from Microsoft (or another trusted technology business) and requesting users share their OTP with them over the phone.
In these cases, cyber criminals have already managed to gain access to their victim’s username and password through advanced phishing methods, and need the MFA OTP as their final step to access the account. They source their victim’s personal phone number via their company website, email signature, or even LinkedIn, so that the request for this MFA information seems genuine.
This is a scam. Your OTP should never be shared with anybody, including your IT support provider or any other business-associated technology partners.
Previous reports of this scam reveal that victims have lost access to their Office 365, email accounts, CRMs and more – as well as the data within them.
Another less recent but very common 2FA scam is targeted around SMS. With 2FA, there are fewer hoops for the hacker to jump through, therefore accessing your account is quicker and easier than if it’s backed up with MFA. This is why we strongly encourage all our customers to use MFA where possible.
Cyber criminals are utilising 2FA in different ways to access OTPs sent via SMS.
One common way is, again, by phoning to request you share your OTP over the phone. They might spin a lie, saying they are working with a reputable business and need to authorise something for security purposes. This method of social engineering is hugely convincing and has led to many victims of this scam.
Another method is to intercept a victim’s SMS in cleartext, accessing the OTP themselves. There are lots of tools out there that can assist a cyber-criminal with this, arguably making SMS an unsafe way to receive authentication codes.
If using SMS as a method of security, it’s important to understand that these codes are phishable via open-source phishing tools, available to cyber criminals. As well as this, phone networks can often be a weak-link as they can be tricked into transferring numbers to cyber criminals’ SIM cards – meaning they have complete access to all OTPs that belong to another individual.
2FA and MFA scams are on the rise. We’re even witnessing large technology companies, like Microsoft, warning users about them.
Here are some quick and easy ways you can avoid falling victim to a 2FA or MFA scam:
As cyber security experts, we’re here to give as much free advice as possible. But sometimes, and especially in business, robust security measures are required to guarantee safety.
Our team can help your business by introducing email security, password policies and MFA – as well as training for your staff, so they can spot a cyber criminal before they have the chance to strike! We can also provide dark web scanning services, which will alert you if any credentials in your business have been compromised and are being sold on the dark web.
Learn more about our cyber security services here, or get in touch today! We’d be happy to assist with your cyber security questions/concerns.