Think you’re safe with Multi-Factor Authentication? Think again.

Gone are the days when a password alone was sufficient to secure your online life or your organization. With hackers and nefarious third parties employing increasingly sophisticated approaches to gain access to your accounts, information and money, staying on top of your security approach is more important than ever.

Naturally, you will have noticed that your employer, service providers and subscription services have adopted multi-factor authentication to counter password theft. Multiple factors involve not just ‘something you know’ (i.e. your password) but also ‘something you have’. This could be a hardware or software token that generates a series of numbers every minute, which you enter after your password. These numbers are known as a one-time password, often shortened to OTP. The OTP, as its name suggests, is used only once and can only be obtained from the hardware/software token in your possession, so stealing your password alone is not sufficient to gain access to your account.

Alternatively, a second factor might involve ‘something you are’, so biometrics may be used instead of a token. This can be in the form of facial recognition or a fingerprint. For the most secure approach a combination of all three can be used, which is why the terminology has moved from two-factor authentication (2FA) to multi-factor authentication (MFA). A common example of MFA would be the Microsoft Authenticator application used on an iPhone. Microsoft Authenticator holds software tokens that provide OTPs, but to gain access to those tokens FaceID can be employed. Combined with your password, the token and FaceID complete the trio of ‘something you know’, ‘something you have’ and ‘something you are’.

You would be forgiven for thinking that with such an approach your accounts are now on a par with Fort Knox. While MFA is an essential component of a modern security approach, you must not be lulled into a false sense of security. There are still ways for a nefarious third party to gain access to your accounts, and you must be on guard for them.

A prime example of such an approach is token theft. This is different from the hardware/software token we were talking about earlier. A different kind of token, a session token, is generated when you successfully log into your account. It establishes and maintains an active login session, and anyone who holds it is treated as already authenticated, MFA included. These tokens are usually valid for a defined period of time: for a bank they may only be valid for 30 minutes, while a Google Account session may be valid for months.

Indeed, a famous example of token theft involved a high-profile YouTube content creation company that had the token for its YouTube account stolen; within a matter of minutes its entire video library was deleted and replaced by Elon Musk related cryptocurrency scams. This was achieved by sending a malicious PDF document to one of the company’s employees. Simply by opening this PDF, the third party was able to gain access to the employee’s file system and steal the token for the YouTube login session.

This is an important reminder that even with MFA you are still not 100% protected. You and your employees must be vigilant for malicious documents being sent to your organization. Email providers do offer deep scanning and detection of malicious code in email attachments, often as a paid-for add-on service, which can provide an extra level of defense.
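One way a service can limit the damage of a stolen session token is to give it a short lifetime and bind it to the client that logged in, revoking it and raising an alert if it is presented from elsewhere. The following is an added illustration, not code from the original post or from any of the services it mentions; the client fingerprint (IP address plus user agent), the 30-minute lifetime, the sample IPs and the timestamps are all constructed assumptions.

```python
import hmac
import hashlib
import secrets

# Constructed for this example; a real service would load this from a secret store.
SERVER_SECRET = secrets.token_bytes(32)


def client_fingerprint(ip: str, user_agent: str) -> str:
    """HMAC of the client attributes the session is bound to at login."""
    return hmac.new(SERVER_SECRET, f"{ip}|{user_agent}".encode(), hashlib.sha256).hexdigest()


class SessionStore:
    def __init__(self, ttl_seconds: int):
        self.ttl = ttl_seconds
        self.sessions = {}   # token -> {"user", "fp", "expires"}
        self.alerts = []     # what a SOC would see on a suspected token theft

    def issue(self, user: str, ip: str, user_agent: str, now: int) -> str:
        token = secrets.token_urlsafe(32)  # unguessable, single-session value
        self.sessions[token] = {"user": user, "fp": client_fingerprint(ip, user_agent),
                                "expires": now + self.ttl}
        return token

    def validate(self, token: str, ip: str, user_agent: str, now: int):
        """Return the user for a valid token, or None (revoking it) on expiry or misuse."""
        s = self.sessions.get(token)
        if s is None:
            return None
        if now >= s["expires"]:
            del self.sessions[token]   # short lifetime limits how long a stolen token works
            return None
        if not hmac.compare_digest(s["fp"], client_fingerprint(ip, user_agent)):
            # Token presented from a different client: treat as theft. Revoking it also
            # logs out the legitimate user, who must re-authenticate with MFA.
            del self.sessions[token]
            self.alerts.append(f"possible token theft for {s['user']} from {ip}")
            return None
        return s["user"]


def demo():
    """Constructed scenario: legitimate use, replay from another host, then the aftermath."""
    store = SessionStore(ttl_seconds=30 * 60)
    t0 = 1_700_000_000
    ua = "Mozilla/5.0 (staff laptop)"
    tok = store.issue("alice", "203.0.113.5", ua, t0)
    legit = store.validate(tok, "203.0.113.5", ua, t0 + 60)            # "alice"
    stolen = store.validate(tok, "198.51.100.77", "curl/8.0", t0 + 120)  # None, alert raised
    after = store.validate(tok, "203.0.113.5", ua, t0 + 180)            # None, session revoked
    return legit, stolen, after, store.alerts
```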

The other major risk your organization may face is social engineering. This attack can take many forms, from an innocuous caller asking for details about your organization to a full-on spear-phishing attack. The latter is an attack specifically targeted at an individual in the organization who has the authority to make payments, has superuser access, or has access to personally identifiable information.

Spear-phishing attacks often follow reconnaissance against your organization to understand your organizational structure and which employees have sensitive responsibilities. These attacks may involve someone posing as the company CEO and pressuring an employee to make a wire payment. Attackers often use time pressure and authority to coerce employees into complying with the request.

It is therefore important that an employee verifies such a request through an alternative line of contact, such as calling the person directly on their published phone number or using another non-email medium. Additionally, your employees should be trained to check the sender’s email address for any irregularities whenever they feel pressured, and never to provide sensitive company information to an external address.

These are just two of many methods a third party could use to sidestep your MFA in order to steal company data, funds and personally identifiable information. It is important to remember that MFA alone cannot protect you; instead it must be one part of your arsenal of defenses against malicious third parties.

If you need a review of your security policies, training or configuration of your company’s IT resources, please get in touch at sales@baytech-america.com or call (360) 483-5101.
