How to Block Social Engineering Attacks From Bypassing Your Multi Factor Authentication
It’s been just over a year since the FBI released its warning that Multi Factor Authentication on its own still leaves your organization open to risk. While stealing usernames and passwords is less useful once two factor authentication is enabled, it’s still not a complete solution. SIM swapping was, and continues to be, a relatively easy way to get around 2FA, not to mention that the 2FA code itself can be socially engineered out of a user with relatively little effort.
Even with multi factor authentication, if one of the factors is still a username and password and every factor travels over the same channel, the FBI notes examples of man in the middle attacks and session hijacking being used to capture credentials.
The average consumer usually isn’t the primary target for more sophisticated attacks. While hacking, phishing, and general identity theft are definite concerns, the level of effort a cyber criminal is likely to expend on a single individual is much lower than on a larger organization. As long as you enable 2FA, or MFA where it’s offered, and practice good password hygiene, you can keep your personal accounts relatively safe.
An enterprise or prominent individual, on the other hand, is a prime target for the type of extra effort needed to get through 2FA or multi factor authentication. The high profile Twitter hack earlier this summer, for example, was a highly targeted social engineering attack aimed at gaining access to notable Twitter accounts. In that case, it was a group of younger hackers, one just 16 years old, who managed to manipulate multiple Twitter employees into giving them the access they wanted.
That was a teenager who appeared to be pulling a massive prank. Imagine a sophisticated hacker out to cripple your business systems and hold them for ransom, and the repercussions if they succeed. While this article won’t go into the methods for battling customized, highly targeted types of ransomware such as WastedLocker, simpler or lower-effort ransomware attacks can be blocked in part by the same methods that mitigate phishing attacks.
First Layer of Security: Education and Training
One of the most effective ways to prevent phishing is through educating your team! Often easier said than done, this is one of the most recommended methods for preventing successful phishing attempts. Teach your employees how to recognize some of the most common phishing or social engineering tactics, such as:
- Fake websites
- Unexpected links or attachments in emails
- Phone calls from people you don’t know asking for internal hierarchy or contact information
- Fake notifications or warnings from social networks and software
- Strange emails coming from senior executives
Two common and effective tactics that criminals use to get through your organization’s security perimeter are spoofing a warning from a commonly used tool and spoofing a notification from a social media network. Even security-minded employees can be taken in by a clever spoof that preys on their conscientiousness. A warning purporting to come from Dropbox, claiming that the user’s account has been compromised, can make them forget best practices and simply click through out of worry.
That’s the exact reaction you want to teach people to stop and think about first! There is no harm in taking a little extra time to be sure something is legitimate, and a lot of risk if you just click through on any notification you see.
You also want to train staff not to provide sensitive internal information or access without identity verification, as happened in the Twitter hack.
The Simple Solution: Out of Band Biometric Authentication
You can also help your staff easily thwart phishing attempts by requiring that changes to systems and software are approved through Out of Band Authentication. We’ve mentioned out of band authentication before: it simply means completing the authentication over a different communication method, or channel, than the one on which access is being requested.
Out of band authentication using one time passwords (OTP) or simple yes/no prompts through a mobile device app can be extremely effective at blocking access attempts that use stolen credentials. Unfortunately, if the out of band step consists of nothing more than an OTP or a yes/no prompt, 2FA bypasses such as SIM swapping can still be effective.
That’s where Biometric Authentication, as recommended in the FBI’s bulletin, comes in. Biometric authentication is several orders of magnitude harder to bypass, ensuring that those requesting access are who they say they are.
By using both biometrics and out of band authentication to guard your system admin rights, installation permissions, or information access, you make it exponentially harder to gain unauthorized access. When even logging in to a workstation requires a quick facial authentication, your organization’s risk of a breach from compromised credentials drops. Configure your identity platform to require this authentication for permission changes, new software installations, and similar sensitive operations, and you can make yourself so hard to hack that it’s no longer worth the attacker’s time to try.
Pairing out of band authentication with biometrics is key to secure authentication. For convenience, you can offer passwordless login with biometrics, and for situations requiring additional security, require an out of band authentication method to confirm. From an end user’s perspective, the only difference is which biometric modality they authenticate with, on their computer or on their mobile device. Massively improved cybersecurity, minimal user friction.
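To make the channel-separation and device-binding ideas above concrete, here is an added example (not ImageWare’s code or API) modelling the server side of an out of band approval. It assumes, for illustration, that each enrolled device holds a secret provisioned at enrollment and signs its approvals with it, and that the app reports whether the on-device biometric check succeeded; the user, action and channel names are constructed.

```python
# Constructed illustration of the out-of-band approval described above; not ImageWare's code.
# Assumption: each enrolled device holds a secret provisioned at enrollment and signs its
# approvals with it (HMAC-SHA256 here), so holding the phone number alone is not enough.
import hashlib, hmac, secrets, time

def sign_approval(device_secret, request_id, action, biometric_ok):
    # Device side: MAC over the exact request, so an approval cannot be reused elsewhere.
    msg = f"{request_id}|{action}|{int(biometric_ok)}".encode()
    return hmac.new(device_secret, msg, hashlib.sha256).hexdigest()

class OutOfBandApprover:  # server side: act only after a valid out-of-band approval
    def __init__(self, require_biometric=True):
        self.devices = {}        # user -> device secret bound at enrollment
        self.pending = {}        # request_id -> (user, action, origin_channel, expiry)
        self.require_biometric = require_biometric

    def enroll_device(self, user, device_secret):
        self.devices[user] = device_secret

    def request_action(self, user, action, origin_channel):
        request_id = secrets.token_hex(8)
        self.pending[request_id] = (user, action, origin_channel, time.time() + 60)
        return request_id

    def approve(self, request_id, channel, action, biometric_ok, mac):
        entry = self.pending.get(request_id)
        if entry is None:
            return False                          # unknown or already consumed request
        user, expected_action, origin_channel, expiry = entry
        if time.time() > expiry or channel == origin_channel or action != expected_action:
            return False                          # stale, same channel, or not what the user saw
        if self.require_biometric and not biometric_ok:
            return False                          # policy: biometric must have succeeded on device
        expected = sign_approval(self.devices[user], request_id, action, biometric_ok)
        if not hmac.compare_digest(expected, mac):
            return False                          # not signed by the enrolled device
        del self.pending[request_id]              # single use: the same approval cannot replay
        return True

def demo():
    srv = OutOfBandApprover()
    real, rogue = secrets.token_bytes(32), secrets.token_bytes(32)  # rogue: never enrolled
    srv.enroll_device("alice", real)
    rid = srv.request_action("alice", "grant_admin", origin_channel="web_session")
    ok = lambda secret, bio=True: sign_approval(secret, rid, "grant_admin", bio)
    return {   # evaluated in order; "legit" consumes the request, so "replay" fails
        "same_channel": srv.approve(rid, "web_session", "grant_admin", True, ok(real)),
        "unenrolled_device": srv.approve(rid, "mobile_app", "grant_admin", True, ok(rogue)),
        "no_biometric": srv.approve(rid, "mobile_app", "grant_admin", False, ok(real, False)),
        "legit": srv.approve(rid, "mobile_app", "grant_admin", True, ok(real)),
        "replay": srv.approve(rid, "mobile_app", "grant_admin", True, ok(real)),
    }
```

The rejected cases are the ones the text warns about: an approval arriving on the same channel as the request, one produced without the enrolled device’s secret (the situation a SIM swap leaves an attacker in), one where the biometric check did not succeed, and a replayed approval.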
Protect your data with a secure identity platform.
ImageWare’s Identity Platform helps secure your data through biometric authentication for access. Easily integrate with any SaaS product your organization is already using through APIs, OIDC or SAML connectors, or work with our team for custom SDKs for a truly customized implementation. Our identity platform is frictionless for the end user, easy for your IT team to set up and implement - and dramatically improves your cybersecurity.
Learn more about the identity platform, powered by our patented biometric engine, by scheduling time to speak with us. Click below to get started.