Password theft, MFA, and the Evolving Cleverness of Hackers

If you ask me what’s the most important thing you can do for cyber security, the answer is easy: MFA (multi-factor authentication). Password theft remains the most common cause of cyber security breaches, and MFA is the best way to combat password theft. So it’s a real shame that we still get pushback from some clients about implementing MFA for their Microsoft logins. 

The most common objection is that they can’t force employees to use personal phones for work. That sounds like a valid HR reason, except text messages are free and so is Microsoft Authenticator. Think of Microsoft Authenticator as a digital key you carry on your phone. That’s no different than carrying an office key in your pocket, right? If that’s asking too much, you might have bigger issues with your employees…

Ok, ok, I’ll do MFA. Are you happy now?

To be fair, MFA has seen pretty wide adoption. It’s just something you have to do in this day and age, and most people (begrudgingly) accept it. However, in a proverbial cat-and-mouse game, hackers are now turning their attention to defeating MFA!

In the video below, a hacker sits between a user and a target site (Google in this case) to successfully steal access:

[Video: visualization of phishing - need for MFA]

If you pay close attention to the browser’s address bar, it’s not hard to see that something phishy is going on. But that sort of thing can easily escape an untrained eye. 

Verizon publishes a highly respected annual Data Breach Investigations Report; the 2021 edition stated:

“Eighty-five percent of breaches involved the human element”
https://www.verizon.com/business/resources/reports/2021/2021-dbir-executive-brief.pdf?_ga=2.240216515.1181598800.1645740434-370870604.1643065202

That’s a really polite way of saying hackers need suckers to be successful.

So clever you kind of have to admire it

In a recently observed breach, hackers bombarded victims with MFA notifications until the exasperated victim finally said “YES!” just to make them go away.

https://portswigger.net/daily-swig/mfa-fatigue-attacks-users-tricked-into-allowing-device-access-due-to-overload-of-push-notifications

This isn’t a hack as much as a really clever bit of social engineering. Or is it a cruel fraternity prank? Either way, you kind of have to admire the diabolic genius of it. I’m sure they had a good laugh all the way to the inbox.
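As an added example (not from the original post), here is a small Python check that flags the pattern described above in a push-prompt log: a burst of declined or unanswered prompts for one user followed by an approval. The log format, user names and thresholds are constructed for this illustration and are not Microsoft’s real sign-in log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample push-prompt log (simplified, not a real product schema):
# "<ISO timestamp> <user> <result>" where result is approved | denied | timeout
SAMPLE_LOG = """\
2022-03-01T08:00:05 alice denied
2022-03-01T08:00:40 alice timeout
2022-03-01T08:01:10 alice denied
2022-03-01T08:01:55 alice timeout
2022-03-01T08:02:30 alice denied
2022-03-01T08:03:02 alice approved
2022-03-01T09:15:00 bob approved
2022-03-01T13:40:00 bob denied
2022-03-01T13:41:30 bob approved
"""


def parse_log(text):
    """Group prompt events per user, sorted by time."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, user, result = line.split()
        events[user].append((datetime.fromisoformat(ts), result))
    for user in events:
        events[user].sort()
    return events


def detect_mfa_fatigue(text, window=timedelta(minutes=10), min_prompts=4):
    """Return {user: (prompts_in_window, approval_time)} for each user who
    received at least `min_prompts` pushes within `window`, with every earlier
    prompt in that window declined or unanswered, and then approved one."""
    alerts = {}
    for user, evs in parse_log(text).items():
        for i, (ts, result) in enumerate(evs):
            if result != "approved":
                continue
            start = ts - window
            # Prompts in the window ending at this approval (approval included).
            prompts = sum(1 for t, _ in evs[: i + 1] if t >= start)
            unanswered = sum(1 for t, r in evs[:i] if t >= start and r != "approved")
            if prompts >= min_prompts and unanswered >= min_prompts - 1:
                alerts[user] = (prompts, ts)
                break  # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    for user, (count, when) in detect_mfa_fatigue(SAMPLE_LOG).items():
        print(f"possible MFA fatigue: {user} approved after {count} prompts at {when}")
```

With the constructed log, alice is flagged (six prompts in ten minutes ending in an approval) while bob’s single denial followed by an approval is not.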

There’s still hope!

Microsoft has been quietly working on a concept called “passwordless sign-in”. It’s actually available now. It works like this:

1. Log in to your Microsoft account as usual

[Image: mfa via passwordless sign in microsoft authenticator step 1]

2. You’ll be given a temporary code

[Image: mfa via passwordless sign in microsoft authenticator step 2]

3. Type the code in Microsoft Authenticator from your phone

[Image: mfa via passwordless sign in microsoft authenticator step 3]

4. You’re in!

Notice something missing from the process? At no point did you have to type in a password. If you don’t have a password, it can’t be stolen. Simple, right?

Only catch is that you need to install Microsoft Authenticator on your phone. Did I mention it’s free?

In conclusion

Hackers are clever, but so are security professionals. You can be sure we’ll be sharpening our claws for their next bright idea. But please…don’t let a bratty employee ruin the party.

PS: Are you a bad friend or did you advise your friends not to buy Microsoft 365 Business Standard?
