Password theft, MFA, and the Evolving Cleverness of Hackers

If you ask me what’s the most important thing you can do for cyber security, the answer is easy: MFA (multi-factor authentication). Password theft remains the most common cause of cyber security breaches, and MFA is the best way to combat password theft. So it’s a real shame that we still get pushback from some clients about implementing MFA for their Microsoft logins. 

The most common objection is that they can’t force employees to use personal phones for work. That sounds like a valid HR reason, except text messages are free and so is Microsoft Authenticator. Think of Microsoft Authenticator as a digital key you carry on your phone. That’s no different than carrying an office key in your pocket, right? If that’s asking too much, you might have bigger issues with your employees…

Ok, ok, I’ll do MFA. Are you happy now?

To be fair, MFA has seen pretty wide adoption. It’s just something you have to do in this day and age, and most people (begrudgingly) accept it. However, in a proverbial cat-and-mouse game, hackers are now turning their attention to defeating MFA!

In the video below, a hacker sits between a user and a target site (Google in this case) to successfully steal access:

[Video: visualization of phishing - need for MFA]

If you pay close attention to the browser’s address bar, it’s not hard to see that something phishy is going on. But that sort of thing can easily escape an untrained eye. 

Verizon publishes a highly respected annual report of data breach investigations. The 2021 edition stated:

“Eighty-five percent of breaches involved the human element”
https://www.verizon.com/business/resources/reports/2021/2021-dbir-executive-brief.pdf?_ga=2.240216515.1181598800.1645740434-370870604.1643065202

That’s a really polite way of saying hackers need suckers to be successful.

So clever you kind of have to admire it

In a recently observed breach, hackers bombarded victims with MFA notifications until the exasperated victim finally said “YES!” just to make them go away.

https://portswigger.net/daily-swig/mfa-fatigue-attacks-users-tricked-into-allowing-device-access-due-to-overload-of-push-notifications

This isn’t a hack as much as a really clever bit of social engineering. Or is it a cruel fraternity prank? Either way, you kind of have to admire the diabolic genius of it. I’m sure they had a good laugh all the way to the inbox.
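The good news for defenders is that this trick leaves an obvious trail in sign-in logs: a burst of denied or ignored push prompts followed by one approval. The Python sketch below is an added example, not code from the original post or from Microsoft. The event layout (timestamp, user, result), the 10-minute window and the threshold of 5 are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Assumed layout:
# (ISO timestamp, user, result), result in {"denied", "timeout", "approved"}.
SAMPLE_EVENTS = [
    ("2022-02-01T02:14:05", "alice", "denied"),
    ("2022-02-01T02:14:40", "alice", "timeout"),
    ("2022-02-01T02:15:10", "alice", "denied"),
    ("2022-02-01T02:15:55", "alice", "timeout"),
    ("2022-02-01T02:16:30", "alice", "denied"),
    ("2022-02-01T02:17:02", "alice", "denied"),
    ("2022-02-01T02:17:45", "alice", "approved"),  # gives in after six prompts
    ("2022-02-01T09:00:10", "bob", "timeout"),     # missed one prompt, then retried
    ("2022-02-01T09:00:50", "bob", "approved"),
    ("2022-02-01T08:00:00", "carol", "denied"),    # failures spread over hours
    ("2022-02-01T09:00:00", "carol", "denied"),
    ("2022-02-01T10:00:00", "carol", "denied"),
    ("2022-02-01T11:00:00", "carol", "denied"),
    ("2022-02-01T12:00:00", "carol", "denied"),
    ("2022-02-01T12:30:00", "carol", "approved"),
]

def find_push_fatigue(events, window=timedelta(minutes=10), threshold=5):
    """Flag approvals preceded by >= threshold failed pushes inside the window."""
    recent = defaultdict(deque)  # user -> timestamps of recent failed pushes
    alerts = []
    for ts_text, user, result in sorted(events):  # ISO strings sort by time
        ts = datetime.fromisoformat(ts_text)
        failures = recent[user]
        # Drop failed pushes that fell out of the sliding window.
        while failures and ts - failures[0] > window:
            failures.popleft()
        if result in ("denied", "timeout"):
            failures.append(ts)
        elif result == "approved":
            if len(failures) >= threshold:
                alerts.append({"user": user, "approved_at": ts_text,
                               "prior_failures": len(failures)})
            failures.clear()  # a successful sign-in resets the count
    return alerts

if __name__ == "__main__":
    for alert in find_push_fatigue(SAMPLE_EVENTS):
        print(alert)
```

An alert like this is a cue to revoke the session and reset the account's credentials, since the attacker already had the password to trigger the prompts.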

There’s still hope!

Microsoft has been quietly working on a concept called “passwordless sign-in”. It’s actually available now. It works like this:

1. Log in to your Microsoft account as usual
2. You’ll be given a temporary code
3. Type the code in Microsoft Authenticator from your phone

You’re in!

Notice something missing from the process? At no point did you have to type in a password. If you don’t have a password, it can’t be stolen. Simple, right?

Only catch is that you need to install Microsoft Authenticator on your phone. Did I mention it’s free?

In conclusion

Hackers are clever, but so are security professionals. You can be sure we’ll be sharpening our claws for their next bright idea. But please…don’t let a bratty employee ruin the party.

PS: Are you a bad friend or did you advise your friends not to buy Microsoft 365 Business Standard?
