Are you protecting your remote workers against an endless barrage of COVID-19 related phishing attacks by requiring 2-factor authentication (2FA) to log into employee email accounts? Smart move—just don't let it give you a false sense of security.
With more than 75 million employees working from home due to the pandemic, the attack surface for cybercriminals and a growing number of state-sponsored threat actors has expanded exponentially. Malicious links and attachments are far from the only tricks email assailants have up their sleeves.
Since the start of the year, there has been a staggering increase in credential harvesting campaigns aiming to pilfer employee login credentials to Microsoft Office 365, Gmail and other popular cloud email platforms and services, including OneDrive, Sway, Teams, and more. Sixty-five percent of these assaults involved Google's file sharing and storage sites, according to TechRepublic.
The wide availability of phishing attack kits for setting up bogus login pages, and more recently phishing-as-a-service rackets, combined with anxious employees who are more dependent than ever on email and cloud-connected collaboration tools, makes for a particularly combustible mix.
When cybersecurity experts are asked about the best ways to curb these attacks their remedies almost always include 2FA. And to be clear, it's solid advice: 2FA plays an important role in login security for many businesses. But it's not even remotely sufficient on its own.
In fact, the widespread perception that 2FA is the ultimate, failsafe security measure could be increasing your exposure to risk instead of reducing it.
2FA and the ATO Arms Race
How could this be possible? Isn't 2FA a powerful antidote to account takeover (ATO) attacks? The answer that comes to mind is absolutely, positively yes-ish, at least as long as it's part of a multi-layered approach to security.
By requiring two forms of identity proof–in this case, "something you know" (your password) and "something you have" (typically a one-time passcode sent to your mobile device)—2FA makes it much, much harder for hackers armed with stolen login credentials to hijack your account.
Yet even as 2FA has seen explosive growth in recent years, so has the number of successful account takeover attacks. According to Verizon's 2020 Data Breach Investigations Report, nearly 40% of all data breaches involve stolen credentials.
With our heightened dependence on collaboration tools such as Slack, Teams, Zoom, GSuite and so forth, a successful email ATO grants infiltrators a launching point within an organization's own systems. Such attacks jumped 43% in the past year, a two-fold increase from the year before, Verizon reports. Stolen credentials were used in 80% of those cases. The price tag is steep. According to Ponemon Institute price tag for a successful breach averages nearly $8.2 million for US-based businesses.
Just as quickly as the use of 2FA has been increasing, cybercriminals have been finding cunning new ways to circumvent it.
A Mask Most Deceptive
SIM-swapping attacks are up over the last year, but so are more cunning approaches. Tools available in some phishing attack kits, for instance, can now capture 2FA passcodes just as easily as login credentials.
Targets may receive a fraudulent "password reset" or "action required" alert with a link that points to a phishing page that looks identical to their corporate cloud email, collaboration site—or even their personal or business bank account.
When users are prompted to enter their logins and the 2FA passcode, the kit simultaneously relays these credentials to the legitimate domain it's impersonating. The cybercriminals are then able to infiltrate the account before the passcode's 30-second window expires. Kits found in the wild include tools for keeping track of hacked accounts belonging to potentially tens of thousands of victims.
If that's too much trouble, there are simple social engineering tricks that work just fine. Cybercriminals with breached account logins for bank accounts or sensitive corporate systems, for instance, can text a fraudulent "unauthorized login" alert to the bank customer's smart phone, adding, "If this was NOT you, please text back the code we just sent you."
For employees navigating the countless kinks that come with a mass shift to remote working, it may be all too easy to take the bait.
Throw Up More Hurdles, or Avoid Attacks All Together?
More recently, physical security keys have been touted as a better way to avoid account takeovers. But while promising, their practicality remains to be seen, and they may still prove inadequate on their own.
In my view, a far more effective approach is to prevent credentials harvesting-based phishing attacks from ever reaching employees in the first place.
Modern identity-based protections like Cloud Email Protection, for example, leverage real-time threat intelligence from sender behavioral and telemetric data in order to recognize and block inbound email attacks—even if the attacks only involve simple, plain-text social engineering tricks. It also includes instances when the phishing emails themselves or are sent from accounts that have already been compromised.
So no, 2-factor authentication alone doesn't provide the bulletproof protection many may believe it does.
At a time when ever-evolving phishing attacks have become an epidemic of their own, a more robust, multi-layered approach that includes intelligent, identity-based defenses may be the only way to keep the contagion at bay.
To learn more about how to protect your organization from 2FA-defeating phishing attacks, read the guide: Anatomy of a Compromised Account.