We Already Set Up MFA – We’re Safe

Businesses around the world are reading in the news and hearing from industry experts that they need to turn on multi-factor authentication (“MFA”) on all their accounts. While this is a recommendation I.T. consultants have been preaching for years, many businesses have avoided MFA until recently. This is partially because Microsoft and Google learned that businesses weren’t heeding their advice and finally had to force the business’s hand. Whatever the reason, businesses are now adopting MFA. But many now have a false sense of security thinking MFA is the end-all-be-all solution for cybersecurity. This is because the I.T. industry often fails to explain the “why” behind many cybersecurity recommendations. Let us try to lead by example and provide some more background information about MFA. 

The Threat of Password Compromise 

People have terrible password hygiene. With the average person using close to 100 different technologies, each requiring a password, it’s no surprise that people use the same exact password for multiple different websites and technologies. It’s no surprise to the bad actors either.  

Threat actors will target giant technology platforms such as Facebook and Netflix, hack into their networks, and steal their massive databases of users. They will then “de-hash” the usernames and passwords, post the lists on a dark-web marketplace, and sell them for a profit. 

The next group of bad actors now picks up the torch. After purchasing a list of compromised users credentials, the bad actors will feed this information into a special computer program they also purchased from the dark web. This program automatically references the list of usernames and passwords and tries to use the credentials to log into the most common web platforms (Microsoft 365, Google, Facebook, etc.). Able to process through thousands of credentials and websites per minute, the computer program outputs a report of websites and credentials that were confirmed to log in successfully. 

A couple of things happen next. First, the threat actor can take this confirmed list of credentials and post them back on the dark web, selling them for a much higher profit than the original unconfirmed list. Second, threat actors can begin targeted attacks using the confirmed credentials. In the business world, they will often log in to the business’s email platform (Microsoft 365 or Google) and begin their reconnaissance of the business.  

Now inside the operations of the business, the bad actor will learn who the key players are, who approves the monetary transactions, and who their customers are. In one of the most common attack strategies, the threat actor will send an email to a customer from the business, notify them that their banking information for ACH payment has changed, and then provide them ACH information for an account in the threat actor’s control. Since the email came straight from the business the customer is working with, they rarely question it. Moments later, the customer is sending money to the threat actor, and the business is wondering why their customer hasn’t paid them.  

There are many different exploitation strategies used by threat actors, but the source of the attack is the same. Breach a large network of users, steal their credentials, use computers to test and confirm them, and then begin a targeted attack.  

Why MFA Works 

With these types of attacks spreading like wildfire, many technology providers such as Microsoft and Google have mandated that all users of their platforms turn on MFA. When MFA is enabled, any time a user logs into their account from a new device, they must provide a code or approve a prompt on their smartphone in addition to their normal username and password. Obviously, this means that the bad actor can’t log in to the user’s account unless they are in physical possession of the user’s phone as well. Problem solved, right? 

Threat Actors Have Adapted 

As we said earlier, many users and businesses have adopted MFA now, many by force. And this isn’t a secret, especially to bad actors. Those special computer programs they use to verify user credentials against popular websites can now also identify when the account has MFA enabled. While threat actors will obviously focus first on accounts without MFA, the presence of MFA is no longer a hard stop for them. But how could they possibly get around MFA? Simple: Prey on the human vulnerability. 

The default MFA methods Microsoft and Google implement leverage a “push-based” notification to the user. Essentially, when the user logs in from a new device, they receive a notification on their phone asking if they are trying to log in. The notification gives them the option to either approve or deny the request. Nice and simple! But it has an Achilles heel. 

Imagine for a moment it’s 2 am and you are fast asleep in bed. A notification on your phone wakes you up, and you see it’s an MFA prompt from Microsoft. Obviously, you’re not trying to log in right now, so you deny it. Seconds later you receive another prompt. Once again, you deny it. A few more seconds, another prompt. This continues a few more times and then you start to get annoyed. You think to yourself “Did I leave my computer logged in? Did I forget to close a program and it’s timed out?” Annoyed at the constant notifications, and having justified a possible cause, you approve the prompt. 

Game over! The threat actor managed to get past MFA without having to “hack” anything. They simply understood human behavior and preyed on that weakness. This isn’t just a hypothetical. This is an extremely common tactic used by bad actors today. 

What’s the Solution? 

Most importantly, understand that there isn’t a single solution. Effective cybersecurity defenses require multiple different layers to protect all the different attack vectors that threat actors leverage. Secondly, understand that as your cybersecurity defenses evolve, so will the attack strategies. Just because a cybersecurity defense works today doesn’t mean it’s going to work six months from now. It is critical that businesses partner with a mature managed I.T. service provider (“MSP”) that has a deep understanding of cybersecurity and a culture of innovation to keep you continuously adapting to the ever-changing threat landscape. 

One recommendation mature MSPs will give is: Avoid using push-based MFA unless you have another mechanism for securing that vulnerability. Time-based one-time password (TOTP) apps, such as Authy, are a simple yet effective solution. Instead of the user being prompted on their phone to “approve” or “deny,” they open the app to retrieve a random 6-digit code any time they’re logging in from a new device. If a threat actor tries to log in, the user doesn’t receive any sort of notification that the threat actor can exploit. 

Secondly, businesses can take cybersecurity to the next level by implementing advanced solutions such as Conditional Access and Device Compliance from Microsoft 365. By leveraging these solutions, even if a threat actor managed to get past MFA, they would hit yet another roadblock if they were not logging in from a device that was previously enrolled and trusted by the business. 

Consult The Experts 

The worst thing a business can do is try to navigate this threat landscape alone. Technology is complicated, and cybersecurity even more so. Even if you have a team of internal I.T. on staff, their focus is on your business alone, resulting in tunnel vision. An outside consultant, such as an MSP, can help educate your team, identify potential vulnerabilities in your cyber defenses, and recommend risk mitigation plans to improve your overall cybersecurity posture. Also, be sure to partner with a mature MSP, such as Digital Boardwalk, with a proven strategy and a successful track record.