I read a blog post today from our friends and partners at cybersecurity firm KnowBe4 that was a bit unnerving. While we always list 2FA or MFA (two-factor or multi-factor authentication) as a critical tool in anyone’s cybersecurity toolbox, it turns out it is not a foolproof solution. Hackers have figured out ways to intercept MFA and use it to gain access to other people’s accounts. And frankly, one of the very few things that can stop them is the end user’s awareness that this type of breach is even a possibility. It also reaffirms my latest (sadly oh-so-cynical) mantra: Always. Be. Suspicious.
How they do it
I don’t want to spend a lot of time on the details of how hackers actually pull this off; there are apparently multiple methods. But if you are interested in just one way it can be done, check out this white hat hacker video. This one starts with a successful phishing attack. Through email, they trick the end user into logging into a legitimate site, but unknowingly by way of a look-alike site the attacker controls, which relays everything to the real site. This is referred to as a Man in the Middle (MITM) attack. The attacker can now watch and record the actual login process (username and password). And if MFA is used, even though the code is one-time-only, the hacker can intercept the session “cookie” that the system issues once that MFA code is accepted. That cookie is their key to the account: presenting it bypasses the login (and the MFA prompt) altogether.
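As an added illustration (my own example, not code from the post, the video, or KnowBe4), here is a small Python check of the kind a defender can run over authentication logs: it flags a session cookie that was issued after a successful MFA check and is later presented from a different IP address and browser. The log format and all values are constructed for the example.

```python
# Added example: spot a post-MFA session cookie being replayed from a new client.
from datetime import datetime, timedelta

# Constructed sample auth log (not real data): time, event, session id, source IP, user agent.
LOG_LINES = [
    "2024-05-01T09:00:00 MFA_OK    sid=abc123 ip=203.0.113.10 ua=Firefox/125",
    "2024-05-01T09:00:05 PAGE_VIEW sid=abc123 ip=203.0.113.10 ua=Firefox/125",
    "2024-05-01T09:00:07 PAGE_VIEW sid=abc123 ip=198.51.100.7 ua=curl/8.0",
    "2024-05-01T09:10:00 MFA_OK    sid=def456 ip=203.0.113.20 ua=Chrome/124",
    "2024-05-01T09:12:00 PAGE_VIEW sid=def456 ip=203.0.113.20 ua=Chrome/124",
]


def parse(line):
    """Split one log line into a dict with a parsed timestamp and the key=value fields."""
    ts, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.fromisoformat(ts), "event": event, **fields}


def find_hijacked_sessions(lines, window=timedelta(minutes=30)):
    """Return (sid, mfa_ip, new_ip, new_ua) for every request that presents a
    session cookie from a different IP/user-agent than the client that passed
    MFA, within `window` of the MFA_OK event."""
    origin = {}   # sid -> record of the MFA_OK event that minted the cookie
    alerts = []
    for rec in map(parse, lines):
        sid = rec["sid"]
        if rec["event"] == "MFA_OK":
            origin[sid] = rec
            continue
        mfa = origin.get(sid)
        if mfa is None or rec["ts"] - mfa["ts"] > window:
            continue
        if (rec["ip"], rec["ua"]) != (mfa["ip"], mfa["ua"]):
            alerts.append((sid, mfa["ip"], rec["ip"], rec["ua"]))
    return alerts


if __name__ == "__main__":
    for sid, mfa_ip, new_ip, new_ua in find_hijacked_sessions(LOG_LINES):
        print(f"session {sid}: MFA passed from {mfa_ip}, cookie replayed from {new_ip} ({new_ua})")
```

One caveat: with a relaying MITM site, the MFA_OK event itself may already come from the attacker’s proxy address, so this check catches only the replay that follows; it is a detection aid, not a substitute for the phishing-resistant MFA discussed below.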
So what is the solution?
According to the security pros, your very best option is to seek out phishing-resistant MFA. Roger Grimes, KnowBe4’s “Data-Driven Defense Evangelist,” published this list of the best and most phishing-resistant MFA solutions. So, if you are just beginning your MFA journey, start off with the right stuff. If, however, you already have an MFA solution in place and there’s no going back, your solution lies with education. Educate yourself and your staff on:
- How to correctly use your particular MFA solution
- The common possible attacks for that type of MFA, and how to detect and prevent them
- What to do/not to do during suspected hacking attempts, and where to report them
Testing, testing 1-2-3
But beyond training specific to the MFA process, overall cybersecurity awareness training is key. And simulated phishing attacks are a great way to accustom users to paying closer attention to what they receive through email. Only by getting “burned” in a safe environment (“this was only a test!”) will users learn to slow down and pay much closer attention to what they are being told or asked to do in a message.