Stop What You Are Doing and Enable MFA
What do Target, Home Depot, JP Morgan, Sony Pictures Entertainment, Yahoo, the Office of Personnel Management, the Democratic National Committee, and three Ukrainian electric utilities have in common?
If your answer is that these organizations all experienced cyber intrusions that resulted in the large-scale theft of data, or the first ever power outages caused by a cyber attack, you are partially correct. Each of these incidents occurred because hackers were able to remotely gain access to the victims’ networks by simply compromising user passwords, and those passwords, alone, were the single form of authentication needed. It is impossible to say if these incidents could have been completely prevented; however, if the users’ accounts had been protected by multi-factor authentication (MFA), the hackers would have had to obtain an additional piece of information to gain access.
MFA—also known as 2-factor authentication or 2-step verification— provides an additional layer of protection for your accounts. This process requires at least two types of information to verify your identity. These factors include at least two of three categories of something that you:
Know: a password, a PIN code, or an answer to a secret question.
Have: a physical device, such as a mobile phone, key fob, USB stick, token, or an ID card.
Are: a biometric factor, such as facial or voice recognition, DNA, handwriting, fingerprint, or iris scan.
If It’s Broken, Fix It.
Despite the many high-profile incidents and data breach headlines over the years, many people continue to use and reuse weak passwords that are easy to remember. In many cases, having weak passwords is about as effective as having no passwords at all. If a hacker uses a compromised password to gain unauthorized access to one account, he or she can then attempt to use that password, or similar variations, for other accounts. In fact, Verizon’s 2016 Data Breach Investigations Report stated that “63 percent of confirmed data breaches involve using weak, default, or stolen passwords.”
MFA offers an extra layer of protection to reduce the likelihood of an account compromise. Typically, accounts that offer MFA require a password as the first authentication factor – something you know – and your mobile device or email – something you have – as the second factor, sending the user an access code to enter before granting access to the account. MFA prevents hackers from accessing accounts using passwords acquired through social engineering schemes, such as phishing, or through brute-force attacks designed to quickly and easily crack weak passwords.
Answers to security questions are often easy to acquire, especially now that many people openly share personal information on social media platforms and blogs. People with whom you interact regularly can easily learn the answers to common security questions, such as the year in which you graduated or other milestone dates, the city in which you were born, your mother’s maiden name, or your first pet’s name. Even if you don’t share this information on your social media profiles, it can often be found through public records or search engine simple queries.
The Ball is Rolling, but Slowly.
In the latest update of Apple’s mobile operating system, iOS 10.3, released last week, users who do not already have MFA enabled are prompted to do so after the update is installed. As usual, the setup process asks the user to select security questions and verify the credit card number, expiration date, and security code of the card they have on file. These factors alone are not sufficient for authentication, since a motivated criminal could easily find answers to security questions by researching their target and, in many cases, purchase stolen credit card numbers on the dark web and other underground marketplaces. Once a user has supplied the requested information to Apple, the company will send the user a code via text message. After entering the code, MFA becomes activated on the account. This is just one example of how companies are beginning to recognize the importance of MFA and provide methods for customers to protect themselves.
In March, Nest, the makers of the smart-home, Wi-Fi thermostats and cameras, announced the launch of MFA for user accounts. Without MFA enabled, a hacker could potentially access a home’s thermostat and drastically change the temperature settings, or could access the live video feed from Nest cameras throughout the home. Enabling MFA on smart-home devices makes it far less likely to be targeted by an opportunistic hacker.
It is certainly great to see more companies implementing and encouraging users to adopt MFA; however, it is safe to say that we still have a long way to go.
How?
We highly recommend enabling MFA whenever possible. Unfortunately, there is no magic wand you can use to enable MFA across the dozens of different online accounts you may have. There are, however, some great resources available to discover which sites and services offer MFA and how to enable it.
One site, twofactorauth.org, maintains a list of websites and services that currently support and do not support MFA.
Another website, turnon2fa.com, provides detailed tutorials – along with screenshots of each step – on enabling MFA on many popular online sites and services.
In 2015, the NJCCIC put this short video together to demonstrate how quick and easy it is to implement MFA on a Gmail account: https://www.youtube.com/watch?v=Xhbi7Xom1J4
We strongly encourage all of our members to take advantage of easy-to-implement security solutions such as MFA to help keep data and personal accounts secure.
For more information on MFA and strong authentication practices, please visit the following links:
The Chertoff Group: Strong Authentication in Cyberspace
NIST Blog: Questions…and buzz surrounding draft NIST Special Publication 800-63-3