MFA under pressure

by Mark Rowe

Multi-factor authentication (MFA) has long been thought to be a method of keeping cybercriminals out; IT users authenticate themselves by two separate methods, such as something they own (a biometric), and something they know (a password). However, there is increasing evidence that sophisticated cybercriminals are making some companies’ MFA efforts null and void.

With large companies and those specialising in cybersecurity becoming victims, it is clear that all organisations are at risk from these ‘new’ threats and should be constantly revising their security protocols and updating employees as to what the threats look like, says AJ Thompson, CCO at the IT firm Northdoor plc. He says:

“We have seen two-factor authentication that uses one-time passwords sent by text under increasing pressure from multiple methods used by cybercriminals. However, MFAs that use push notifications or hardware tokens have long been thought to be much harder to compromise. Unfortunately, even this method is now more easily breached.

“There are three techniques cybercriminals are using to break through MFAs. MFA flooding, proxy attacks and session hijacking – these all target different aspects – users, networks and browsers respectively.

“In the face of an increasingly sophisticated approach from cybercriminals, breaking through traditionally accepted, effective security solutions, companies have to do more to secure their data and infrastructure.

“They can no longer implement a solution and sit back pleased with a job well done. The threat facing them is so fluid that companies have to be equally as flexible with their cybersecurity approach. Companies have to be proactive in their cybersecurity implementation, ensuring that they understand what the new threats look like, what vulnerabilities lie within their own systems and, equally importantly, how future threats might impact their defensive measures.

“All of this, especially for SMEs, seems like an impossible task when IT teams are small or non-existent. Bringing in consultancies that can offer security as a managed service can help take much of the pressure off smaller businesses. By bringing in such a team of experts, businesses are able to focus on other, business-critical functions, whilst having full confidence that there are constant eyes on evolving threats and vulnerabilities.”

© 2024 Professional Security Magazine. All rights reserved.