We learned that MFA or 2FA (Multi or Two factor Authentication) is better than just a username and password to authenticate as all security people keep drumming into everyone right?
Just to review MFA is a second form if authentication where the first form is a username and password. The second form can be a variety of items:
- Mobile device push notifications for iOS and Android authenticator app
- Biometric (face or fingerprint)
- Voice recognition
- SMS codes (text)
- one-time passwords
Some companies have created a whole ecosystem around their MFA application (like Okta.com)which only means one becomes a target as hackers really want to attack and take advantage of the platform to attack clients. As you see in the Threatpost and Group-IB information, 130 companies were compromised with possible 9 million MFA accounts.
Somehow the hackers have figured out a way to defeat this MFA: In Group-IB.com Oktapus post and Threatpost post discusses this as well.
No matter what we have as defensive tools, the hacking community will always try to get around the defense. And if MFA is not set up correctly or at least tested properly then it can be beat.
Overt Software has a blogpost with “23 Ways to Hack MFA”
The article is extensive and discusses types of authentication – difference between one factor (just the username and password) and 2 Factor as well as more.
One thing we should always be careful about new tools and third party software, it is great when everything works, but not so great when the hackers figure out our tools and use them against us. This hack happened actually in August, and likely many months before that, as the hackers have a way of lurking and seeing what is the best way to make money before striking with ransomware or other methods. This is why one must have multiple methods of defense (layers of defense). One must already assume the hackers are in the network. (zero-trust architecture – we have discussed this before and i have written about it in my book “Too Late You’re Hacked”)