MFA Phishing Warning: Beware of fake callers and SMS messages

23Jun

MFA Phishing Warning: Beware of fake callers and SMS messages

By eNewsletter, Identity & Access, IT Security, Microsoft, News & Updates , , , , , 0 Comments

It has recently come to our attention that a number of our clients are getting targeted by multifactor authentication (MFA) phishing attacks.

What does this consist of you ask? It is exactly as it sounds, cyber criminals pretending to be legitimate companies, employees, or as yourself, in order to ‘phish’ for MFA and one-time passcodes (OTPs) to get into their accounts.

Whilst MFA adds additional access requirements to password-based authentication, MFA is not flawless.

Are some MFA options better than others?

Unfortunately all authenticators in common use today are vulnerable to relatively low-cost attacks (such as Channel Jacking and Real-time Phishing). However, there are those that are harder to crack than others.

The five most common phone-based MFA by rank of security:

  • MFA by app: Most secure option! Without hackers physically having the phone in their hands, they cannot access your account even if they have your username and password.
  • MFA by text: Less secure than using an app (vulnerable to account takeover attack also known as SIM swapping), however is more commonly available and still better than having no MFA.
  • MFA by push notifications: Less secure, as messages that pop up on your phone that can easily be authenticated by mistake. However, still better than having no MFA.
  • MFA by email: No longer considered safe as cyber criminals have worked out ways to trick users via fake emails. This method should no longer be used.
  • MFA by phone call: No longer considered safe as cyber criminals have worked out ways to trick users via phone calls. This method should no longer be used.

In a blog post, Alex Weinert, director of identity security at Microsoft, argues SMS and voice protocols were not designed with encryption, are easy to attack using social engineering, rely on unreliable mobile carriers, and are subject to shifting regulation. The National Institute of Standards and Technology (NIST) also discourages SMS and voice in its latest Digital Identity Guidelines.

Are there other ways we can secure our users?

Most certainly. Password replacement options can help organisations offer convenience and ease of use without high security risks. With passwordless authentication (such as advance technologies using biometric verification and public/private key cryptography) you can have an authentication ecosystem that meets the organisational needs for high security, as well as usability and interoperability amongst devices.

Ten reasons to love passwordless authentication:

  1. FIDO2-based credentials developed and adopted by the industry.
  2. Compliance with NIST2 Authenticator Assurance Levels 2 and 3 (AAL2 and AAL3).
  3. Biometric authentication stored locally to uniquely and securely identify users.
  4. Faster sign-ins with Windows Hello built into your PC3.
  5. Portable security keys in a variety of form factors that work across platforms.
  6. Helpdesk savings from password reset requests.
  7. Convenient sign-ins with Microsoft Authenticator app on your smartphone.
  8. Phishing-resistant credentials that reduce risk of compromise by over 99.9 percent.
  9. Easy setup and recovery of passwordless credentials with Temporary Access Pass.
  10. No passwords needed for end users to be productive and secure.

Best multifactor authentication options for ABT customers:

As the cyber security landscape evolves, clients need to improve their security practices along with it. ABT does its best to ensure your company is secured by multiple levels of authentication (not just one), whilst reviewing your overall login experience.

That being said, as your IT managed services provider we will always advise the best practices for your individual organisation’s security posture, however what level of security compliance that is deployed is your responsibility.

Always remember – The frontline of protection will always start with you, the user.

  • Microsoft will *never* call up and ask for MFA codes.
  • Don’t ever assume that a MFA prompt on your phone is always coming from something you’re trying to access.
  • Use the Microsoft Multifactor Authentication app wherever and whenever you can.
  • Empower users with the ability to use ‘Passwordless’ technologies such as ‘Windows Hello for Business’ or ‘FIDO2 security keys’, make phishing near impossible. Read more.

And if you ever need help in implementing these technologies be sure to talk to us first to get the most out of the services that may already be available to you.

Share this post

Author

Related Posts

15Apr

Announcement: We are now ISO27001 certified!

We are thrilled to announce that our company has achieved a significant... read more

20Dec

What Is Microsoft Sales Copilot & What Does It Do?

The use of AI-driven processes is exploding. Every time you turn around,... read more

26Nov

Dealing with Business Impersonation Scams

In the ever-evolving business landscape, so do the shadows of potential scams;... read more

25Nov

Unmasking Microsoft Impersonation Scams: A Guide to Stay Safe Online

Scams have become an unfortunate reality that continues to grow very quickly.... read more

24Nov

Unveiling the Scam Landscape: Tips to Protect Yourself Online

On 30 September 2023, Scamwatch received a total of 234,672 reports with... read more

01Sep

Cloud migrations: the Ingram Micro partnership in a Case Study

Last May, Alliance Business Technologies won the Ingram Micro’s Cloud Growth Partner... read more

25Jul

Securing Digital Identity: Enabling Passwordless MFA

In our continuous effort to enhance the security and convenience of connecting... read more

27Jun

Microsoft Edge for Business: Empowering Productivity in a Dedicated Work Environment

To fully realize Microsoft's commitment to delivering the finest browser for business... read more

26Jun

Securing Digital Identity: The Significance of Passwordless Authentication

In the realm of digital identity security, passwordless authentication plays a pivotal... read more

23Jun

How to Create Insightful Dashboards in Microsoft Power BI

Data visualization is a powerful tool for communicating complex data. It presents... read more