See Yourself in Cyber: Jersey-based Case Studies
Logiq News, October 19th 2022
The Importance of MFA (Multi-Factor-Authentication)

Case Example - “It’s a Fire Sale!”
Some time ago, a private user had no MFA enabled on any of their accounts. An attacker had obtained the user's credentials and had no problem logging into amazon.co.uk with them. The attacker then locked the legitimate user out of their own accounts and proceeded to purchase as many items as possible, until the legitimate user's bank was declining transactions because the funds had run dry.
- LESSON - Enable MFA. All major services, such as Amazon and email providers, support MFA. It stops an attacker who has only your password from logging in as you.
Case Example - “Wanna Go for a Drive?”
A user was buying a new sports car and dealing with an off-island dealership. Suddenly the user's phone prompted them to approve a sign-in. With all that was going on that day, and because the user had been signing in and out of systems all day, they automatically (almost like a reflex) approved the sign-in.
At that instant this user was compromised.
The notification was for a login from Eastern Europe. The attacker then managed to intercept email correspondence between the user and the dealership and change the bank details on attached PDFs, compromising both Confidentiality and Integrity. The attacker was successful, as the victim wired the money to the attacker’s bank account.
- LESSON - Be vigilant about mobile authenticator requests. Have you just this second entered your password into a login portal? If not, do not approve the request.
What is MFA?
With Multi-Factor-Authentication (MFA), you are challenged to prove that it is really you who has just attempted to sign in to a system or service.
In recent years you have most likely noticed your company increasingly asking you to set up Multi-Factor-Authentication, leaving you with little to no understanding of why. My hope is that the two case examples of local incidents above will give clarity.
Types of MFA (Multi-Factor-Authentication)
- Text Message - The original method of MFA. You receive an SMS message with a code that you are then expected to enter into a login portal.
- Authenticator Applications - Applications that you can download from your app store, such as Microsoft Authenticator or Google Authenticator. These applications prompt you to confirm that you have just attempted to sign in, or ask you to enter the code displayed in the authenticator app (more secure still).
- Phone Call - Similar to ‘Text Message’. The least common option. The service will call your phone and read out a numerical code that you must enter into the login portal.
In Conclusion
- Always enable MFA for logging into anything. If the ability is there, use it.
- Keep personal email/website passwords different from your work passwords.
- At the very least keep your personal email password one of a kind, unused anywhere else.
Article written by Emanuel Pontes, Junior Technical Consultant - Logiq Limited


