MFA & 2FA Scams: Important Information

.

2FA (Two Factor Authentication) and MFA (Multi-Factor Authentication) are two hugely popular, and generally reliable, security measures used to secure online accounts today. They are used to protect users against cyber-crimes related to exposed or easy-to-crack passwords.

Unfortunately, hackers are always discovering new ways to infiltrate our personal data, leading to a recent rise in 2FA and MFA-related cyber incidents.

This article will explore what 2FA and MFA are, the new scams associated with these authentication methods and how to protect yourself (and your business).

What are 2FA and MFA, and what are the differences?

2FA and MFA are two online authentication methods used commonly today to help users protect their accounts with more than just their username and password. 2FA is a type of multi-factor authentication that requires only two ways for the user to prove their identity. Whilst MFA requires at least two, if not more types of verification.

The three most common kinds of verification, according to Microsoft, are:

• Something you know: E.g. a password, or a memorized PIN.
• Something you have: E.g. a smartphone, or a secure USB key.
• Something you are: E.g. a fingerprint, or facial recognition.

Take this scenario, you’re trying to log in to your work email.

You use your username and password (something you know) – this is your first factor of verification.

You’re then prompted to log in to your free Microsoft Authenticator app on your mobile device (something you have) to access a unique 6-digit code (that is updated every 30 seconds) that you enter to access your emails – this is your second factor of verification.

However, you cannot access this app without using your facial recognition, or fingerprint (something you are) – this is your third factor of verification.

So, even with your username and password, it would be impossible for a hacker to access your account unless they also had your personal device and YOU there to unlock it. This is what makes MFA so effective.

And don’t worry, these apps take seconds to access and generally only prompt for this level of authentication the first time you sign in, after a password change, when your account is accessed from an untrusted device, or when prompted on a cycle (e.g. every 30-days as per your organisation’s security policy), meaning there’s no inconvenience on a day-to-day basis!

MFA Scams: Requests for a one-time password

If you’re new to MFA, it works by triggering a one-time password (OTP) when you attempt to log into an application or platform. This OTP may be sent via email, SMS or via an authenticator app, which is the most trusted source of MFA (and one we recommend using).

This OTP is uniquely generated and updated every 30-seconds on most MFA applications, making it more secure than a static user-created password and, ultimately, more difficult to crack as it’s only accessible from a your personal device.

The scam

There has been a rapid increase in recent times where hackers are phoning their victims, claiming to be their IT support provider, or someone from Microsoft (or another trusted technology business) and requesting users share their OTP with them over the phone.

In these cases, cyber criminals have already managed to gain access to their victim’s username and password through advanced phishing methods, and need the MFA OTP as their final step to access the account. They source their victim’s personal phone number via their company website, email signature, or even LinkedIn, so that the request for this MFA information seems genuine.

This is a scam. Your OTP should never be shared with anybody, including your IT support provider or any other business-associated technology partners.

Previous reports of this scam reveal that victims have lost access to their Office 365, email accounts, CRMs and more – as well as the data within them.

2FA Scams: Infiltrating SMS one-time passwords

Another less recent but very common 2FA scam is targeted around SMS. With 2FA, there are fewer hoops for the hacker to jump through, therefore accessing your account is quicker and easier than if it’s backed up with MFA. This is why we strongly encourage all our customers to use MFA where possible.

The scams

Cyber criminals are utilising 2FA in different ways to access OTPs sent via SMS.

One common way is, again, by phoning to request you share your OTP over the phone. They might spin a lie, saying they are working with a reputable business and need to authorise something for security purposes. This method of social engineering is hugely convincing and has led to many victims of this scam.

Another method is to intercept a victim’s SMS in cleartext, accessing the OTP themselves. There are lots of tools out there that can assist a cyber-criminal with this, arguably making SMS an unsafe way to receive authentication codes.  

If using SMS as a method of security, it’s important to understand that these codes are phishable via open-source phishing tools, available to cyber criminals. As well as this, phone networks can often be a weak-link as they can be tricked into transferring numbers to cyber criminals’ SIM cards – meaning they have complete access to all OTPs that belong to another individual.

How to protect yourself from 2FA and MFA scams

2FA and MFA scams are on the rise. We’re even witnessing large technology companies, like Microsoft, warning users about them.

Here are some quick and easy ways you can avoid falling victim to a 2FA or MFA scam:

1. NEVER share your OTP with anyone. Whether it was received by email, text or via an MFA app, your one-time password is to be treated as completely confidential and should not be shared with anybody.
2. Steer away from telephone and email-based 2FA & MFA. Instead, download a trusted MFA app, like Microsoft Authenticator, which will eliminate risks of OTP’s being leaked via SMS or emails. Tools like this are simple, fast and highly secure. Plus, they are only accessible from your device.
3. Spot the signs of an attack! If you suspect an OTP has been infiltrated, or you’re experiencing unusual events e.g. allocation of a random OTP, or calls from someone requesting an OTP for a specific account – change your log in credentials immediately as they may possess these. We would also recommend changing the password for any other services at work or home that use the same password.
4. Raise it with your IT partner. If you’re a business, then working with an IT partner that specialises in cyber security, like Virtuoso, will mean you can raise your security concerns immediately. They will provide you with advice and technical support to avoid a cyber-attack and restore a high-level of security for your business.

Get help with cyber security

As cyber security experts, we’re here to give as much free advice as possible. But sometimes, and especially in business, robust security measures are required to guarantee safety.

Our team can help your business by introducing email security, password policies and MFA – as well as training for your staff, so they can spot a cyber criminal before they have the chance to strike! We can also provide dark web scanning services, which will alert you if any credentials in your business have been compromised and are being sold on the dark web.

Learn more about our cyber security services here, or get in touch today! We’d be happy to assist with your cyber security questions/concerns.