You know when you try to log in and you are sent a code by text or email? That's multi-factor authentication, or MFA. It feels safe: an extra step in the ongoing quest to keep your online identity, and your real one, safe from scams and the pirates of the internet. But as Scott Coleman of JEI Tech explains, MFA isn't the failsafe, fool-proof end-all-be-all of online safety.
“Is it better than just a password?” he asked. “Absolutely. Is it going to fix everyone’s issues? No.”
The problem with MFA is multi-faceted. Not everyone is using it, so there's that. And the most common form, a code sent by text message, is the easiest to defeat. At the provider level, an attacker who talks a carrier into moving your number onto a SIM they control starts receiving your codes; at the receiving end, a stolen phone does the same job. Paired with a password that has already been phished or leaked, either one lets the online bandits log in everywhere that phone number is trusted, and you won't know until the texts stop arriving.
“MFA has quickly been corrupted by bad actors,” as Scott likes to call them.
He recalls the most sophisticated attack he's ever seen. The target was one of JEI's customers, and the way in was one of that customer's long-time clients. There was an email string, just like so many before it, in which the two were putting together another purchase agreement, as they had done many times in the past. This time, however, the person on the other end wasn't the long-time client. The client's email account had been compromised, and the customer was now corresponding with an unknown attacker inside it.
“The attacker eventually said ‘let’s sign just like last time sending the link via DocuSign’,” explained Scott, “but the link was sent via AdobeSign.”
This was the first clue that the person on the other side of the email address was not who they claimed to be. The customer questioned the new signing platform, but the (still unknown) attacker simply replied, "yeah, we've changed signing platforms." The link asked for the customer's credentials, and once those were entered it asked for the MFA code as well. A one-time code is only good for a short window, so the attacker used it straight away; with a valid password and a fresh code, they had a logged-in session and access to the entire network.
JEI's tools caught it because the sign-in came from outside the country.
“It’s not possible to have a customer here in Canada one second and the next signing in from France,” said Scott.
JEI's system reset everything and revoked all sessions, forcing sign-out on every computer within 30 seconds. It's a good system.
Then a JEI technician contacted the customer to let them know what had happened and why their computers and networks were locked down. All the passwords were reset, and the crisis was averted.
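The check that caught this attack, a sign-in that could not physically follow the previous one, is usually called impossible-travel detection. Below is an added example of that logic run over a few constructed sign-in events; it is not JEI's tooling and is not code from this article. It assumes each event already carries the country and approximate coordinates that a geo-IP lookup would attach (the lookup itself is not performed), and the 1,000 km/h ceiling and the 50 km same-city allowance are illustrative thresholds, not values from the story.

```python
"""Impossible-travel detection over sign-in events.

Added example, not JEI Tech's tooling. Each event is assumed to already
carry the country and approximate coordinates that a geo-IP lookup would
attach; that lookup is not performed here. Thresholds are illustrative.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0   # faster than any airliner: nobody legitimately moves this fast
SAME_AREA_KM = 50.0          # two IPs in one metro area are not travel at all


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime
    country: str
    lat: float
    lon: float


@dataclass(frozen=True)
class Alert:
    user: str
    prev: SignIn
    cur: SignIn
    km: float
    kmh: float


def haversine_km(a: SignIn, b: SignIn) -> float:
    """Great-circle distance in km between two sign-in locations."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def implied_speed_kmh(prev: SignIn, cur: SignIn) -> float:
    """Speed the user would have needed to reach cur from prev; inf if no time passed."""
    km = haversine_km(prev, cur)
    hours = (cur.when - prev.when).total_seconds() / 3600.0
    if hours <= 0:
        return float("inf") if km > 0 else 0.0
    return km / hours


def scan(events: list[SignIn]) -> list[Alert]:
    """Compare each user's consecutive sign-ins and flag physically impossible moves."""
    alerts: list[Alert] = []
    by_user: dict[str, list[SignIn]] = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)
    for user, ev in by_user.items():
        ev.sort(key=lambda e: e.when)
        for prev, cur in zip(ev, ev[1:]):
            km = haversine_km(prev, cur)
            if km < SAME_AREA_KM:
                continue                      # same city, different IP: normal
            kmh = implied_speed_kmh(prev, cur)
            if kmh > MAX_PLAUSIBLE_KMH:
                alerts.append(Alert(user, prev, cur, km, kmh))
    return alerts


def users_to_revoke(events: list[SignIn]) -> set[str]:
    """Accounts whose every session should be revoked and password reset."""
    return {a.user for a in scan(events)}


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample events (not real log data). Coordinates are city centres.
CALGARY = (51.05, -114.07)
TORONTO = (43.65, -79.38)
PARIS = (48.86, 2.35)

SAMPLE_EVENTS = [
    # alice: Canada, then France 40 seconds later, the case in the story
    SignIn("alice", _t("2024-03-05T14:00:00"), "CA", *CALGARY),
    SignIn("alice", _t("2024-03-05T14:00:40"), "FR", *PARIS),
    # bob: a four-hour domestic flight, plausible
    SignIn("bob", _t("2024-03-05T09:00:00"), "CA", *CALGARY),
    SignIn("bob", _t("2024-03-05T13:00:00"), "CA", *TORONTO),
    # carol: two IPs in the same city five seconds apart, normal
    SignIn("carol", _t("2024-03-05T10:00:00"), "CA", 51.05, -114.07),
    SignIn("carol", _t("2024-03-05T10:00:05"), "CA", 51.04, -114.06),
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        secs = (a.cur.when - a.prev.when).total_seconds()
        print(f"{a.user}: {a.prev.country} -> {a.cur.country}, "
              f"{a.km:.0f} km in {secs:.0f}s ({a.kmh:.0f} km/h) -> revoke sessions")
```

Only alice is flagged: bob's Calgary-to-Toronto move works out to under 700 km/h over four hours, and carol's two addresses are a couple of kilometres apart. The same-area allowance matters in practice, because users hop between office, mobile and VPN addresses all day, and a detector that fires on every one of those gets switched off.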
This story goes to show that breaches happen even with MFA in place, and they happen frequently. The best way to be secure online isn't to rely on some man-made mechanism; it's to rely on yourself.
“You should still use MFA,” said Scott. “Yes, there are ways around it, but still make sure you go and enable it because it gives you better protection.”
Now you’re all waiting for it – the best way to stay safe online, secure your accounts and keep phishing and cyberattacks at bay. Ready? It’s user training, simple as that.
“We’ve got to get to a point where we (people) MFA everything we do” explained Scott.
In the story you just read, if JEI's customer had done one simple thing and verified the new purchase agreement over the phone, using a number already on file rather than one taken from the email, the entire attack would have ended right there as nothing more than an attempt.
Attackers target people, not devices. MFA, in the broad sense of a second check through a separate channel, needs to be built into every process. It comes back to training managers and staff about MFA, phishing, social engineering and how to spot a scam.
Want your staff to become experts on how to work safely on the internet? JEI Tech can help. Offering training in online safety and more, give them a call so you can become your own multi-factor authentication system.