MFA Phishing Warning: Beware of fake callers and SMS messages

It has recently come to our attention that a number of our clients are getting targeted by multifactor authentication (MFA) phishing attacks.

What does this consist of, you ask? It is exactly as it sounds: cyber criminals pretending to be legitimate companies, employees, or even you, in order to ‘phish’ for MFA codes and one-time passcodes (OTPs) and get into your accounts.

Whilst MFA adds additional access requirements to password-based authentication, MFA is not flawless.

Are some MFA options better than others?

Unfortunately, all authenticators in common use today are vulnerable to relatively low-cost attacks (such as channel jacking and real-time phishing). However, some are harder to crack than others.

The five most common phone-based MFA methods, ranked by security:

  • MFA by app: Most secure option! Without physically having the phone in their hands, hackers cannot access your account even if they have your username and password.
  • MFA by text: Less secure than using an app (vulnerable to an account takeover attack known as SIM swapping); however, it is more widely available and still better than having no MFA.
  • MFA by push notifications: Less secure, as prompts that pop up on your phone can easily be approved by mistake. However, still better than having no MFA.
  • MFA by email: No longer considered safe, as cyber criminals have worked out ways to trick users via fake emails. This method should no longer be used.
  • MFA by phone call: No longer considered safe, as cyber criminals have worked out ways to trick users via phone calls. This method should no longer be used.

In a blog post, Alex Weinert, director of identity security at Microsoft, argues SMS and voice protocols were not designed with encryption, are easy to attack using social engineering, rely on unreliable mobile carriers, and are subject to shifting regulation. The National Institute of Standards and Technology (NIST) also discourages SMS and voice in its latest Digital Identity Guidelines.

Are there other ways we can secure our users?

Most certainly. Password replacement options can help organisations offer convenience and ease of use without high security risks. With passwordless authentication (such as advanced technologies using biometric verification and public/private key cryptography) you can have an authentication ecosystem that meets the organisational needs for high security, as well as usability and interoperability amongst devices.

Ten reasons to love passwordless authentication:

  1. FIDO2-based credentials developed and adopted by the industry.
  2. Compliance with NIST Authenticator Assurance Levels 2 and 3 (AAL2 and AAL3).
  3. Biometric authentication stored locally to uniquely and securely identify users.
  4. Faster sign-ins with Windows Hello built into your PC.
  5. Portable security keys in a variety of form factors that work across platforms.
  6. Helpdesk savings from password reset requests.
  7. Convenient sign-ins with Microsoft Authenticator app on your smartphone.
  8. Phishing-resistant credentials that reduce risk of compromise by over 99.9 percent.
  9. Easy setup and recovery of passwordless credentials with Temporary Access Pass.
  10. No passwords needed for end users to be productive and secure.
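The passage above says passwordless credentials use public/private key cryptography and are phishing-resistant, but not why that defeats the real-time phishing described earlier. The following Go program is an added example (not code from the original post or from Microsoft or the FIDO Alliance) that models the essential FIDO2/WebAuthn check: the authenticator signs the server's challenge together with the origin the browser was actually on, so an assertion produced on a lookalike page cannot be accepted by the genuine site even if it is relayed instantly, and editing the origin breaks the signature. The origins `login.example.test` and `login-example.test` are constructed, and the authenticator data is a placeholder rather than the real rpIdHash/flags/counter structure. For contrast, a one-time code is a bare string that no verifier can tie to the page it was typed on.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed origins for the example (not real sites).
const (
	realOrigin = "https://login.example.test"
	fakeOrigin = "https://login-example.test" // lookalike phishing page
)

// clientData mirrors the WebAuthn clientDataJSON fields that matter here: the
// challenge the server issued and the origin the browser was really on.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the authenticator hands back to the server.
type assertion struct {
	ClientDataJSON []byte
	AuthData       []byte // real WebAuthn: rpIdHash || flags || counter; a placeholder here
	Signature      []byte
}

// authenticator stands in for the user's phone or security key.
type authenticator struct{ priv ed25519.PrivateKey }

// sign builds clientDataJSON with the origin the browser reports and signs
// authData || SHA-256(clientDataJSON), the same signing input WebAuthn uses.
func (a authenticator) sign(challenge []byte, origin string) assertion {
	cd, _ := json.Marshal(clientData{
		Type:      "webauthn.get",
		Challenge: base64.RawURLEncoding.EncodeToString(challenge),
		Origin:    origin,
	})
	authData := []byte("authData-placeholder")
	return assertion{cd, authData, ed25519.Sign(a.priv, signingInput(authData, cd))}
}

func signingInput(authData, clientDataJSON []byte) []byte {
	h := sha256.Sum256(clientDataJSON)
	return append(append([]byte{}, authData...), h[:]...)
}

// relyingParty is the genuine site: it knows the registered public key, the
// origin it serves from, and the single-use challenge it last issued.
type relyingParty struct {
	origin    string
	pub       ed25519.PublicKey
	challenge []byte
}

func (rp *relyingParty) issueChallenge() []byte {
	rp.challenge = make([]byte, 32)
	rand.Read(rp.challenge)
	return rp.challenge
}

// verify performs the checks that make the credential phishing-resistant: the
// challenge must be the one issued, the origin must be this site, and the
// signature must cover both so neither can be altered in transit.
func (rp *relyingParty) verify(a assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	want := base64.RawURLEncoding.EncodeToString(rp.challenge)
	rp.challenge = nil // single use: a second presentation is a replay
	if cd.Type != "webauthn.get" || cd.Challenge != want {
		return errors.New("challenge mismatch or replay")
	}
	if cd.Origin != rp.origin {
		return fmt.Errorf("origin %q is not %q: assertion was produced on another site", cd.Origin, rp.origin)
	}
	if !ed25519.Verify(rp.pub, signingInput(a.AuthData, a.ClientDataJSON), a.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}

// setup registers a fresh key pair with the genuine site.
func setup() (*relyingParty, authenticator) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &relyingParty{origin: realOrigin, pub: pub}, authenticator{priv}
}

// GenuineLogin: the user is on the real site, so the browser reports realOrigin.
func GenuineLogin() error {
	rp, auth := setup()
	return rp.verify(auth.sign(rp.issueChallenge(), realOrigin))
}

// RelayedLogin: a real-time phishing proxy forwards the genuine challenge to a
// victim on the lookalike page; the browser stamps fakeOrigin into clientData.
func RelayedLogin() error {
	rp, auth := setup()
	return rp.verify(auth.sign(rp.issueChallenge(), fakeOrigin))
}

// RewrittenOriginLogin: the proxy edits the origin before forwarding, so the
// signature no longer matches the bytes the server hashes.
func RewrittenOriginLogin() error {
	rp, auth := setup()
	a := auth.sign(rp.issueChallenge(), fakeOrigin)
	a.ClientDataJSON = bytes.Replace(a.ClientDataJSON, []byte(fakeOrigin), []byte(realOrigin), 1)
	return rp.verify(a)
}

// OTPRelayed: a six-digit code carries no origin, so the verifier cannot tell a
// code typed on the real site from one typed on a lookalike and forwarded.
func OTPRelayed(codeIssued, codeSubmitted string) bool {
	return codeIssued == codeSubmitted
}

func main() {
	fmt.Println("genuine:  ", GenuineLogin())
	fmt.Println("relayed:  ", RelayedLogin())
	fmt.Println("rewritten:", RewrittenOriginLogin())
	fmt.Println("OTP relay accepted:", OTPRelayed("482913", "482913"))
}
```

In a real browser the credential is also scoped to the relying party ID, so a lookalike domain would not even be offered the key; the origin and signature checks shown here are the server-side half of that protection.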

Best multifactor authentication options for ABT customers:

As the cyber security landscape evolves, clients need to improve their security practices along with it. ABT does its best to ensure your company is secured by multiple levels of authentication (not just one), whilst reviewing your overall login experience.

That being said, as your IT managed services provider we will always advise the best practices for your individual organisation’s security posture; however, the level of security that is ultimately deployed is your responsibility.

Always remember – the frontline of protection will always start with you, the user.

  • Microsoft will *never* call up and ask for MFA codes.
  • Don’t ever assume that an MFA prompt on your phone is always coming from something you’re trying to access.
  • Use the Microsoft Multifactor Authentication app wherever and whenever you can.
  • Empower users with the ability to use ‘Passwordless’ technologies such as ‘Windows Hello for Business’ or ‘FIDO2 security keys’, which make phishing near impossible.
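The advice that a push prompt may not come from something you are trying to access has a server-side counterpart: a run of prompts a user did not initiate shows up in sign-in records as several denied or timed-out pushes in a short window, sometimes ending in one approval. The Go program below is an added example (not code from the original post or from any vendor's product) of that detection over constructed push-prompt records; the field names, the 10-minute window and the threshold of three prompts are assumptions chosen for the illustration.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// pushEvent is one MFA push prompt as a sign-in log might record it
// (constructed shape; real logs carry more fields).
type pushEvent struct {
	User   string
	At     time.Time
	Result string // "approved", "denied" or "timeout"
}

// FatigueAlert reports a user who received more than maxPrompts pushes inside
// one sliding window. ApprovedAfterDenials marks the worrying case where an
// approval follows at least two prompts the user had rejected or ignored.
type FatigueAlert struct {
	User                 string
	Prompts              int
	WindowStart          time.Time
	ApprovedAfterDenials bool
}

// DetectPushFatigue scans events per user with a sliding time window and
// returns one alert per user whose busiest window exceeds maxPrompts.
func DetectPushFatigue(events []pushEvent, window time.Duration, maxPrompts int) []FatigueAlert {
	byUser := map[string][]pushEvent{}
	for _, e := range events {
		byUser[e.User] = append(byUser[e.User], e)
	}
	users := make([]string, 0, len(byUser))
	for u := range byUser {
		users = append(users, u)
	}
	sort.Strings(users) // deterministic output order

	var alerts []FatigueAlert
	for _, u := range users {
		evs := byUser[u]
		sort.Slice(evs, func(i, j int) bool { return evs[i].At.Before(evs[j].At) })

		best, nonApproved, lo := 0, 0, 0
		var start time.Time
		approvedAfterDenials := false
		for hi := range evs {
			if evs[hi].Result != "approved" {
				nonApproved++
			}
			// Slide the window start forward until it covers at most `window`.
			for evs[hi].At.Sub(evs[lo].At) > window {
				if evs[lo].Result != "approved" {
					nonApproved--
				}
				lo++
			}
			if evs[hi].Result == "approved" && nonApproved >= 2 {
				approvedAfterDenials = true
			}
			if n := hi - lo + 1; n > best {
				best, start = n, evs[lo].At
			}
		}
		if best > maxPrompts {
			alerts = append(alerts, FatigueAlert{u, best, start, approvedAfterDenials})
		}
	}
	return alerts
}

// SampleEvents is constructed input: alice receives six prompts in four
// minutes and approves the last one; bob approves two prompts an hour apart.
var SampleEvents = func() []pushEvent {
	base := time.Date(2024, 1, 15, 9, 0, 0, 0, time.UTC)
	return []pushEvent{
		{"alice", base, "denied"},
		{"alice", base.Add(40 * time.Second), "denied"},
		{"alice", base.Add(90 * time.Second), "timeout"},
		{"alice", base.Add(2 * time.Minute), "denied"},
		{"alice", base.Add(3 * time.Minute), "denied"},
		{"alice", base.Add(4 * time.Minute), "approved"},
		{"bob", base, "approved"},
		{"bob", base.Add(55 * time.Minute), "approved"},
	}
}()

func main() {
	for _, a := range DetectPushFatigue(SampleEvents, 10*time.Minute, 3) {
		fmt.Printf("%s: %d prompts from %s, approved after denials: %v\n",
			a.User, a.Prompts, a.WindowStart.Format(time.RFC3339), a.ApprovedAfterDenials)
	}
}
```

An alert with ApprovedAfterDenials set is the one to act on first: the account should be treated as possibly compromised, the session revoked, and the user contacted, while a burst of prompts that were all denied still shows that someone other than the user holds a valid password.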

And if you ever need help in implementing these technologies be sure to talk to us first to get the most out of the services that may already be available to you.
