Cyber attacks and multi-factor authentication — who wins?

By the beginning of May 2022, about 40 countries in North America, South America, Europe, Africa, and Asia had suffered hacker attacks. The damage is estimated at tens of billions of dollars. Global sectors such as public administration, finance, energy, politics, media, and transport services were among those affected.

Hackers not only steal data to drain money from accounts but also sell confidential information to competitors, which can do far more harm than a hacked wallet. To protect against intruders, information security experts unanimously recommend additional account protection methods such as multi-factor authentication (MFA).

What is Multi-Factor Authentication (MFA)


The essence of this method is that, when logging into an account, the user must prove that they are the one connecting, not a bot or an attacker. User verification can be based on several unrelated factors, for example:

  • knowledge factor — what the user knows: a secret phrase or a series of numbers;
  • ownership factor — what the user has: a mobile phone or a hardware device, for example a security key (spoiler — this method is the most reliable);
  • physical factor — unique biometric data, most often a fingerprint; it is also checked with an appropriate device, for example the YubiKey Bio key. This model can be used not only as an MFA factor but also in place of a password.

Technically, the factors can be checked in any order.

How hackers hunt for data

To understand how multifactor authentication protection works, let’s take a closer look at common types of hacker attacks:

  • Phishing.
  • Keyloggers.
  • Brute force attacks.
  • Man-in-the-middle attacks.

Phishing

Phishing is a type of fraud: a set of technical and psychological methods by which attackers steal data.

In the last quarter of 2021, 4,200 companies suffered phishing attacks. In December alone, a record number of cyberattacks was recorded: 316,747. The financial sector and postal services suffered the most.

The principle of this method is that the attacker monitors the victim's actions and the resources they use, then creates personalized, believable content and sends it to the user with a link to a login form on a fake site.

Users also often fall for the usual gift card scams or requests for donations. In the same way, attackers send spam with links to malware.

Phishing Protection

If the site is fake, then after you enter your credentials you will not receive the server's request for additional account verification. Nothing at all will happen, and you will not get into your account. That should look suspicious. If this happens, check the site address, log in to your account on the real site and change your passwords.

Keyloggers

Keyloggers are a type of spyware that attackers use to record what the user types on the keyboard. This is how they steal passwords, answers to security questions, bank card details and much more.

The most dangerous and fastest-spreading keylogger in 2021 was the Snake Keylogger program. It is almost invisible, as it knows how to evade detection, and it sends the captured data straight to the fraudster's email. Hackers sell it on their private forums for only $500.

How do keyloggers end up on a computer? Most often, scammers distribute them together with viruses.

Keylogger Protection

So let's say an attacker got your password. Will they be able to log into your account if you have multi-factor authentication set up? No. They still need to pass the remaining steps: either enter the additional one-time password that you receive on your phone or a code generated by your security key.

Brute force attacks

Brute force attacks are password-guessing methods, typically software-based. Since people often set simple passwords such as "123456", scammers take advantage of this and simply run programs that automatically try frequently used passwords until the account is hacked. The most common guessing method is the so-called "dictionary attack", in which the program tries all possible words and phrases, starting with the most popular ones.

Microsoft's experts report that every second there are 921 password attacks in the world!

Protection against brute force attacks

As you have probably already guessed, this method brings scammers no benefit when MFA is enabled, because in addition to the password they need the other confirming factors to get in.
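The two sections above (keyloggers and brute force) make the same point: a password that has been captured or guessed is not enough on its own once a second factor is required. The following Python example is added here to show that concretely; it is not code from the page or from any vendor. It implements the RFC 4226/6238 one-time code (HOTP/TOTP) that authenticator apps use, a two-step login that checks the password first and the time-based code second, and a password-only guess loop over a short list of common passwords. The account, its weak password "123456", the TOTP secret and the password list are all constructed for the demo; the SHA-256 password hash is a placeholder for a proper slow password hash.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed demo account (not real data). The password is deliberately weak so
# that the password-only guess loop below finds it; the TOTP secret is a made-up
# value standing in for the secret an authenticator app would hold.
USER_DB = {
    "alice": {
        # Demo only: real systems use a slow password hash (argon2, bcrypt, scrypt).
        "password_hash": hashlib.sha256(b"123456").hexdigest(),
        "totp_secret": b"constructed-demo-secret-not-real",
    }
}

# A tiny stand-in for a "most common passwords" list (constructed).
COMMON_PASSWORDS = ["password", "qwerty", "123456", "111111", "letmein"]


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the current 30-second time step."""
    return hotp(secret, now // step)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps of clock skew, comparing in constant time."""
    ok = False
    for drift in range(-window, window + 1):
        expected = hotp(secret, now // step + drift)
        ok |= hmac.compare_digest(expected, code)
    return ok


def login(username: str, password: str, code: Optional[str], now: int) -> str:
    """Two-step login: password first, then the time-based one-time code.
    Returns 'ok', 'bad-password', 'mfa-required' or 'bad-code'."""
    record = USER_DB.get(username)
    if record is None:
        return "bad-password"
    given = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(given, record["password_hash"]):
        return "bad-password"
    if code is None:
        return "mfa-required"   # password correct, but the second factor is still missing
    if not verify_totp(record["totp_secret"], code, now):
        return "bad-code"       # wrong, expired or replayed code
    return "ok"


def password_only_guesses(username: str, now: int) -> dict:
    """Run the common-password list through `login` with no second factor.
    Shows what a stolen or guessed password alone buys: the guess is confirmed
    as correct, but the account stays closed."""
    outcome = {"password_found": None, "logged_in": False}
    for guess in COMMON_PASSWORDS:
        result = login(username, guess, None, now)
        if result != "bad-password":
            outcome["password_found"] = guess
            outcome["logged_in"] = (result == "ok")
            break
    return outcome


if __name__ == "__main__":
    now = 1_700_000_000                      # fixed timestamp so the run is reproducible
    secret = USER_DB["alice"]["totp_secret"]
    print("password only:", login("alice", "123456", None, now))
    print("password + current code:", login("alice", "123456", totp(secret, now), now))
    print("guess loop:", password_only_guesses("alice", now))
```

Two details worth noticing: the skew window means a code generated in the previous or next 30-second step is still accepted, which is why a keylogged code is only dangerous for about a minute, and the guess loop stops at "mfa-required" rather than "ok", which is the whole reason the dictionary attack described above does not pay off.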

Man-in-the-middle attacks

Man-in-the-middle attacks are a form of cyberattack in which data is intercepted on its way from the user's computer to the server. The attacker does this by compromising a communication channel, for example Wi-Fi, interfering with the protocol and posing as an endpoint. In this way they can intercept and read messages and obtain confidential information.

Defence against man-in-the-middle attacks

If you enable multi-factor authentication, a hacker will not be able to break into your account. Unable to additionally confirm the login with the user's personal device, the hacker has to stop the attack.

Important! When setting up multi-factor authentication, use different factors that are not related to each other. For example, a second code sent by email is unreliable protection if the mailbox is compromised. Verification by SMS is also a poor defence, because attackers can duplicate your SIM card.

Why security keys are the best MFA factor

As we said at the beginning, you can set up MFA with personal devices: a phone, an iPhone, or keys. But the best option is keys, because they let you get into your account in a matter of seconds.

They have many other benefits as well. There is no need to waste time finding a message and typing in a one-time SMS password: the key itself sends an encrypted code to the server and unlocks access. Keys are compact and inconspicuous and can be carried in your wallet or on a keychain. You can also use a key instead of logging in with a password and forget about passwords completely. Then hackers will have nothing to steal.

It is interesting! To improve the security of the user experience online, on May 5, 2022, Apple, Google, and Microsoft announced that they plan to move to passwordless authentication in browsers, mobile applications and desktop platforms, and that they plan to introduce a single standard from 2023.

It will be possible to log into accounts using security keys or tokens. You can do it right now. The best devices today are YubiKey keys, which were developed back in 2012 on the order of the US government to protect voters' data. Since 2017, they have been actively used by Google and Facebook employees to protect corporate accounts.

What is interesting about YubiKey keys:

  • the company regularly updates its products and introduces new models that meet the latest network security requirements;
  • YubiKey keys have an unusually robust case that cannot be broken by accident; there are models with IP68 water resistance;
  • all YubiKey keys support FIDO2, which means they are suitable not only for multi-factor authentication but can also replace passwords;
  • you can choose keys with just the set of functions and degree of protection you need, with no need to pay for extras; conversely, for enhanced protection you can choose models that are safer and more durable than others;
  • the key series come in different form factors, so you can choose a key for any device: iPhone, laptop or tablet. There are also models with NFC support.

YubiKey keys are liked by millions of users in 160 countries around the world. Get yours today by getting in touch with us: www.thekernel.com/contact

let’s talk!

Ready to build trust?