How businesses can protect against MFA attacks

[Image: hooded figure of a hacker. Image credit: TheDigitalArtist / Pixabay]

New cyberattacks are constantly reported in the media. Gloucester City Council, for example, was reported to have been hit twice in the last decade, most recently in December. This raises the question of whether governments, individuals and companies can protect themselves effectively. Such reports describe in detail the damage hackers can cause, yet many people hardly bat an eyelid.

About the author

Katie Petrillo is Director of Product Marketing at LastPass.

To even begin improving a business's cybersecurity, we need to take a closer look at cybercriminals' methods. By understanding their modus operandi before an attack takes place, companies can better protect themselves from Multi-Factor Authentication (MFA) attacks.

What is MFA and how is it used by companies?

Passwords remain the most popular form of authentication, but on their own they protect individuals and companies only to a limited extent. MFA adds a further layer of authentication to the login process. It is designed to prevent hackers from hijacking accounts on third-party systems.

There are many ways to use MFA. One of the most common is SMS token authentication, in which a code is sent to the stored mobile phone number when a login attempt occurs; the code is valid for a single verification. Email token authentication, in which the same kind of code is sent by email, is also frequently used. Biometric authentication, on the other hand, uses fingerprints or other biometric information to verify the login attempt.

Some apps and websites can be connected to authenticator apps to improve user protection. It is also worthwhile for companies to use a secure, integrated password manager that offers features such as adaptive authentication, which combines biometric and contextual information.

How cybercriminals use MFA to attack businesses

According to a recent study by Microsoft, over 99.9 percent of Microsoft accounts compromised each month do not have active MFA. Companies must improve their network security and implement MFA. However, there is a catch. Hackers are always on the lookout for new ways into systems and do not shy away from MFA-secured devices.

When it comes to cybersecurity, businesses must find a balance between convenience and safety, and MFA is no exception. SMS authentication is the most common form of MFA because it is convenient, but it is also the most insecure. Cybercriminals can take over the target's phone number through a tactic called the SIM swap scam. This gives hackers access to incoming messages, so they can complete the login process unnoticed. The intruder can then move freely through the entire network.

Many may think they are safe from an attack, but hackers count on this false sense of security. Cybercriminals can also infiltrate corporate networks using pass-the-cookie attacks. Here, they exploit the fact that many browsers and websites store authentication information in cookies. These cookies are convenient for users because they allow them to stay logged into their accounts without repeatedly confirming their identity. Unfortunately, this convenience can come at a high price: a cybercriminal who steals the stored cookie can carry out attacks with an already-authenticated session, without ever seeing the password or the MFA code.

Take the proper steps

These threats may seem daunting at first, but cybercriminals are not invincible. If companies learn to think like hackers, they can identify potential risks early on and implement appropriate security measures.

First and foremost, businesses must take a zero-trust approach to cybersecurity. Hackers detect and abuse gaps in security systems and user behavior. Even the best security tools can't protect organizations without constant review for suspicious behavior and activity. If something seems suspicious, it probably is.

Organizations should also approach MFA with caution. A weak or immature MFA implementation will not provide the necessary protection. They need to look to tools that combine MFA with adaptive authentication techniques to reliably verify user identity.

If an attack does happen, businesses with multi-level cyber defenses will stand in good stead to throw hackers off the scent. If hackers successfully log into an account, they know they may have control of the entire system. It's therefore imperative that companies do not rely on MFA alone. Some are using an ongoing authentication model in which users are asked to prove their identity at regular intervals, limiting the window in which a stolen session is useful to an attacker.
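The pass-the-cookie attack described earlier and the ongoing-authentication model described here can both be addressed in the session layer. The following is an added example, not code from the article or from LastPass; names such as `SessionStore`, `client_fingerprint` and `session_cookie_header` are my own. It binds each session to a hash of the client context seen at login, revokes the session and records an alert when the same cookie is presented from a different context (the signature of a replayed cookie), enforces a re-authentication interval so that a stolen session expires quickly even if the context check is bypassed, and emits the cookie with the attributes that limit theft in the first place. The network prefix is deliberately coarse; binding to the exact IP breaks for mobile users whose address changes constantly, so a mismatch on the exact address is better treated as a risk signal than as an automatic revocation.

```python
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    fingerprint: str   # hash of the client context the session is bound to
    created_at: float
    last_auth_at: float


def client_fingerprint(user_agent: str, network_prefix: str) -> str:
    """Hash the client context the session is bound to. network_prefix is a coarse
    value (for example the /24 or the ASN), not the exact address, so ordinary
    address churn does not trip the check."""
    return hashlib.sha256(f"{user_agent}|{network_prefix}".encode()).hexdigest()


def session_cookie_header(token: str, max_age: int) -> str:
    """Set-Cookie line with the attributes that limit cookie theft: HttpOnly keeps
    page scripts from reading it, Secure keeps it off plaintext HTTP and
    SameSite=Strict stops cross-site requests from carrying it."""
    return (f"Set-Cookie: sid={token}; Max-Age={max_age}; Path=/; "
            "HttpOnly; Secure; SameSite=Strict")


class SessionStore:
    """In-memory session store (hypothetical) with two mitigations:
    context binding, which treats a cookie presented from a different client
    context as a pass-the-cookie replay, revokes the session and records an
    alert; and ongoing authentication, which requires the user to prove their
    identity again every reauth_interval seconds."""

    def __init__(self, reauth_interval: int = 900, max_age: int = 8 * 3600):
        self.reauth_interval = reauth_interval
        self.max_age = max_age
        self.sessions = {}
        self.alerts = []

    def create(self, user: str, user_agent: str, network_prefix: str, now: float) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits of randomness, unguessable
        self.sessions[token] = Session(user, client_fingerprint(user_agent, network_prefix), now, now)
        return token

    def check(self, token: str, user_agent: str, network_prefix: str, now: float) -> str:
        sess = self.sessions.get(token)
        if sess is None:
            return "unknown"
        if now - sess.created_at > self.max_age:
            del self.sessions[token]          # absolute lifetime, regardless of activity
            return "expired"
        if sess.fingerprint != client_fingerprint(user_agent, network_prefix):
            del self.sessions[token]          # revoke: the legitimate user must log in again
            self.alerts.append(
                f"possible pass-the-cookie: session of {sess.user} presented "
                f"from a different client context at t={now}")
            return "context-mismatch"
        if now - sess.last_auth_at > self.reauth_interval:
            return "reauth-required"          # caller prompts for password/MFA again
        return "ok"

    def reauthenticate(self, token: str, now: float) -> bool:
        """Called after the user has successfully re-proved their identity."""
        sess = self.sessions.get(token)
        if sess is None:
            return False
        sess.last_auth_at = now
        return True


if __name__ == "__main__":
    # Constructed walk-through: login, a cookie replay from another device, re-auth.
    store = SessionStore(reauth_interval=900)
    token = store.create("alice", "UA-A", "203.0.113", now=0)
    print(session_cookie_header(token, store.max_age))
    print("same device:", store.check(token, "UA-A", "203.0.113", now=100))
    print("replayed cookie:", store.check(token, "UA-B", "203.0.113", now=100))
    print("alerts:", store.alerts)
```

For detection purposes the `alerts` list is what a SOC would forward to its SIEM; a single context mismatch is a strong indicator of a replayed cookie because a genuine user cannot present a cookie from a browser that never received it.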

The most important step a business can take is to provide regular security training. Employees need to embrace the zero-trust approach, and that comes with education. As more and more professionals work in a hybrid environment, regular training can strengthen security awareness so that suspicious behavior can be identified, and potential attacks can be averted.

Hackers continue to get bolder and more ambitious. They spare no effort to threaten companies. While these crimes are worrisome for any internet user, they provide valuable insight into how to improve the protection of ourselves and businesses. Only with proper understanding, can we secure ourselves and prevent the worst from happening.

