Bob and Hacker Harry: A Multi Factor Authentication Story

“Security is not convenient.”

This is true. Running a business comes with many challenges and headaches, and the result is that most businesses today are not implementing the most effective cybersecurity solutions, even the ones that carry no substantial cost. Maintaining strong cybersecurity practices has gone from a good idea for a business to consider to an absolute must-have in a very short amount of time.

One cybersecurity solution that will immediately make an organization more secure, but often faces pushback from owners and employees, is Multi-Factor Authentication, or MFA. Statistics say you have probably heard of MFA, but you probably are not using it, or not using it fully.

The story of Bob and Hacker Harry

Meet Bob. Bob has Office 365. Bob doesn’t use MFA with Office 365 because it’s “a pain in the neck” or because his company hasn’t implemented it. Bob, like so many others, uses the same password for everything that requires a password. Recently Bob’s credentials were posted to the Dark Web after Bob fell for a phishing attack. Unfortunately, Bob didn’t bring this to the attention of his company (or possibly didn’t even know), and therefore nobody knows about it except for Bob’s new friend, Hacker Harry.

Once Hacker Harry has the password, he decides to see if Bob’s email is linked to an Office 365 account. Lo and behold, after going to portal.office.com and entering Bob’s email address and password, he gains access to Bob’s email account. Hacker Harry is thrilled and decides to copy all of Bob’s email and all the information Bob has access to in Office 365: things like OneDrive, SharePoint, network drives and more.

While perusing Bob’s email, Harry finds an email about payroll and a completed deposit. Intrigued, Hacker Harry decides to try the same user credentials on the payroll site that he used for Office 365 and, what do you know, Hacker Harry gets in with ease. Harry, overwhelmed with joy, decides to change some of the routing information at the payroll company so that he will now receive all of Bob’s deposits.

However, Hacker Harry isn’t done yet, because he knows that the bank will send information to Bob periodically. So, what does Hacker Harry do? He creates a mailbox rule that automatically deletes any emails that come in to Bob from the bank. Two weeks later Bob notices that he was never paid. Naturally he brings the issue up with the HR department, and they tell Bob that he was in fact paid, and that it even went to the new bank account he entered two weeks ago. As you can guess, at this point the HR department at Bob’s workplace, the bank, and soon the police are all involved in trying to recover the lost funds and correct the routing issue. Could this all have been avoided? Bob was told to change his passwords and make them unique; would that have been enough? What can we learn from Bob’s mistakes?

This is a simple, yet extremely common, mistake. If Bob’s organization had mandated the use of Multi-Factor Authentication when it was made available in Office 365, none of the events that happened to Bob would have happened: Harry had Bob’s password, but without Bob’s second factor he would not have gotten past the Office 365 login.

What is Multi-Factor Authentication?

Simply put, MFA requires one additional verification, beyond your password, to validate that you are who you say you are when you log in.

In MFA we have three main validation points, or factors, for authentication: something you know, something you have, and something you are. These three components can be used in different combinations to provide trusted and secure authentication. To help you wrap your head around this, let’s look at one aspect of MFA that almost everybody is already familiar with: a password to an account. A password is considered something you know and is generally the easiest form of security to put in place.

Another example of something you know is a PIN code; PIN codes can also serve as a validation point in MFA. For example, when you go to the ATM, you are using multi-factor authentication. The bank card serves as the “something you have” and the PIN code serves as the “something you know”; put them together and you have a form of MFA.

This leads us to the last aspect of Multi-Factor Authentication, which is “something you are”. Something you are has to do with biometrics. Face scans, palm scans, fingerprint scans, even writing patterns and voice recognition can be used as a form of “something you are”. Using all three forms of authentication together will help your company defend against cyberattacks like the one initiated by Hacker Harry.

Today almost all “cloud” based applications (Salesforce, Facebook, Paychex) offer MFA. Some even require it, whereas others provide the option to use it. MFA is undeniably the way of the future, but even where it is not required, you still need to leverage MFA whenever it is available. The security MFA extends to an organization far surpasses the slight inconvenience that comes with it.

Contact Greystone today if you aren’t sure you’re using this or using it effectively.