by Sutapa Ghadial
With the passage of time and advancements in technology, phishing attempts that lure unsuspecting victims into disclosing their login credentials are getting more sophisticated and realistic.
In a phishing attack, the perpetrator sends an email or a text pretending to be a trusted contact or organization. The message calls for urgent action, typically requesting that the recipient click on a link and enter login information. Once the unsuspecting recipient navigates to the spurious website, the attacker uses the victim’s credentials to log into a real website, often causing extensive financial harm to the victim.
Industry and government agree … multi-factor authentication (MFA) can help to thwart phishing attacks.
Microsoft claims that MFA “can prevent over 99.9% of account compromise attacks.” An Office of Management and Budget memo released in January 2022, OMB M-22-09, indicates that the U.S. federal government will embrace “phishing-resistant MFA” as a tactic to counter phishing attacks.
In a phishing attack, hackers only need to steal a user’s password, which is “something you know,” to gain access. With MFA, additional identifying factors are required to log into an account.
Two-factor authentication, where a text message or one-time personal identification number (PIN) is used to confirm identity, is one of the most common types of MFA. Unfortunately, it’s not very secure and is not highly effective in blocking phishing attacks. These days, it’s too easy for hackers to intercept, redirect or spoof text and email messages.
Phishing-resistant MFA provides another layer of security by ensuring that the application or service requires an additional factor such as:
Hackers typically cannot access these additional identifying factors. Even if they are able to steal a user’s password, phishing-resistant MFA is very effective in foiling attacks.
To be effective, however, it is essential that MFA technology be a default requirement, so that users and organizations cannot opt out. Otherwise, basic login information can be easily compromised or even cracked by hackers to gain access.
REFERENCES
Microsoft | “One simple action you can take to prevent 99.9% of account attacks” | https://www.microsoft.com/security/blog/2019/08/20/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks/
Office of Management and Budget | “M-22-09: Moving the U.S. Government Toward Zero Trust Cybersecurity Principles” | https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf
The White House | “OMB Releases Federal Strategy to Move the U.S. Government Towards a Zero Trust Architecture” | https://tinyurl.com/mrx8uj8c