Craig discusses how cybercriminals are now bypassing multi-factor authentication and what you can do to protect yourself.
For more tech tips, news, and updates visit – CraigPeterson.com
Automated Machine-Generated Transcript:
Craig Peterson: [00:00:00] I’ve been harping on multifactor authentication, and now I’m a little bit concerned because, based on what kind you’re using, the bad guys are getting around some of it.
Hey, Craig Peterson here. Thanks for joining me online and here on WGAN. Make sure you tune in every Wednesday morning when I’m on with Matt Gagnon for the early morning shift, as he goes through the latest in tech news with me. It’s really fun. I like having a host to talk to who really understands things and is on the ball, and Matt is certainly one of those, no question about it.
Businesses are faced with the same real problem as consumers are, and that is: how do you keep the bad guys out of your systems? One of the things that we’ve been using for the last few years is called MFA, multifactor authentication. As I have said for decades, the best security combines something you know along with something you have.
So for instance, in the computer world, something you know might be the email address you sign in with and of course the password that you sign in with. So there you go: something you know, something you have. In many cases, it’s turned out to be your smartphone, and people are using the smartphone to do authentication.
So you try and log in. It’ll send you a text message, then with that text message you can now say, yeah, that’s me, and you type in the code, right? A four-digit, six-digit code, and you are let in. I’ve explained before why that is a bad idea, using texts, or SMS as it’s called, and it’s a very bad idea.
If you have anything at risk, something to lose: there have been many well-documented cases now, from big business people all the way on through to people who own Bitcoin, where what will happen is the bad guy will transfer your phone number to a phone, not yours, but one the bad guy has control over.
So now he tries to log in because he got your username and your password from the dark web. If you haven’t checked it out yet, make sure you go to haveibeenpwned.com and check out your email address, and you’re almost certain to find your email has been compromised and your password was stolen along with your email address, and maybe even more things like your social security number, your home address, et cetera.
So what the bad guys will do is say, okay, so I’m going after company X and I am going to now find out what the guy’s phone number is. They use a little social engineering, find out the phone number, and then once they have the phone number, they can go to the next step, which is: let’s transfer that phone number to my phone.
Then they log in as you. Let’s say even your Yahoo mail account, or whatever your mail account is, and then they look around and, yeah, okay, great, he has an account at Bank of America. So they go to the Bank of America site, because they just found Bank of America account emails in your email box, and they use your username and the password they got for your username.
You’re smart, and Bank of America and your Yahoo email account use different passwords. Goody for you, because now all they have to do is say, I forgot my password. Where is Bank of America going to send the password reset? Good, I’m going to send it to your email box. So now your email box has a password reset.
They reset it to whatever they want to. And then Bank of America says, yes, but wait, we need multifactor authentication, so we’re going to send a text to your phone to make sure it’s you. And remember, we’re the bad guy. They just went ahead and transferred your phone number to their phone. So where does that text from Bank of America go? Right into their hands. So now they’ve got your Bank of America account and they are in, and they transfer the money out, and according to the United States Secret Service, 90 seconds later it is likely out of reach and out of the country. That’s how bad it is right now. It’s really bad.
So that’s why I’ve warned you guys forever: don’t use SMS as a way to authenticate yourself as part of multifactor authentication. There are a number of apps out there that will work quite well for you. You might remember 10, 20 years ago, probably 20-plus years ago now actually, people had these little key fobs.
I think it was Bank One that had the first one that I ever used. And you put it on your key chain and it had a little six-digit number that changed every 30 seconds.
So when you went to log in, you knew your username, you knew your password, and you looked at the key fob to see what the code was for this 30-second period, and it would let you in. That’s actually a great way to do it, but if you use 1Password or Google Authenticator or LastPass, there are a number of ways you can do it.
I recommend a few. If you just don’t have the money, if you’re not a business, just use Google Authenticator. Most websites will work with Google Authenticator.
So what will happen is the website will pop up a QR code on the screen, and you then take a picture of that QR code with Google Authenticator, which will say, oh, okay, great, I got it. And then it’ll start giving you codes, new codes every 30 seconds, that you can use. So all you have to do is have your smartphone.
Now, make sure your smartphone is locked down, but it’s a little harder for them, if they’re in Belarus or somewhere else, a little harder for them to get a hold of that phone so that they can then hack you by looking at your phone in order to get that code.
Now, 1Password does the same thing, and then we combine 1Password with Duo and little key fobs and everything else. So depending on how tight the security has to be, there may be multiple levels, but that’s the basics.
Dark Reading has an article out this week talking about these legacy email clients and what they’re doing. So I explained to you the right way to do multifactor authentication right now, and it’s really considered to be a very strong measure to protect you against an account takeover attack.
But the bad guys have a way around it, and here’s what they’re doing. Abnormal Security this week is reporting that they’ve seen an increase in attacks where the bad guys are using legacy apps with old email protocols. So nowadays, for instance, you might be using something called OAuth 2 behind the scenes, which you as a user probably wouldn’t know about, but it is used to authenticate you.
We have it set up for ourselves and our clients that you have to completely re-authenticate every week, which gets to be a bit of a pain, but it’s actually a very good thing. In fact, I should probably have it set up to do it every day, but every week is pretty reasonable. And it uses more advanced protocols to authenticate me.
But if you’ve been around for a while, you’re familiar with a protocol called POP, which was the Post Office Protocol. I used that for many years, and that allowed me to connect to the mail server and download all of them. My email would be deleted off the server; I’d have it on my laptop, and hopefully I had my laptop backed up so that I wouldn’t get totally messed up if everything went wrong. But it’s an old protocol that really shouldn’t be used anymore in most cases. Another one is called IMAP, and it’s a more modern protocol, but it doesn’t have all these security checks supported. SMTP is another one that we’ve been trying to beef up somewhat, and they’ve done that by putting some encryption, TLS, on top of the Simple Mail Transport Protocol.
So what the bad guys are doing is they’re connecting to your business email server, or a third-party email server. They’re collecting all of the data, all of the information that they can about you. Then they’re signing in using a protocol that does not support, and therefore is not required to have, multifactor authentication. Very interesting. And they’ll look at the email account information. They’ll find it on paste sites. They’ll find it out on the dark web. But one example is an old email client like Mailbird, which allows Gmail to be set up via IMAP, and then once they’re using IMAP, they’ve gotten around the multifactor authentication.
So consider all of that stuff. If you’re using Microsoft Office 365, there are multiple versions of it. Microsoft has well over 12,000 SKUs, in other words individual products that you can buy. Most of the time we find businesses are buying the wrong Microsoft Office 365 products. They have whole groupings of them, but here’s what I want you to pay attention to. If you are using Microsoft Office 365, most of their licenses give your organization the ability to turn on access policies to restrict these older protocols. Legacy access using all of these protocols we were just talking about is enabled by default on Microsoft Office 365.
So if you’re a security guy or gal, you’ve got to go in. You have to disable legacy access on a per-person basis across the whole organization. How’s that for fun? Now, there are some ways to do this using some tools, looking through, but you’ve got to do it one by one. But even so, the best protection an organization can implement is multifactor authentication and conditional access policies for all of these legacy apps, just like I constantly advise. You have to have restrictions, access policies by group, for different people and different groups within your organization. That goes down to the control, which in many cases is using a Microsoft tool in order to allow logins and other things. So keep an eye out for all of that.
By the way, the FBI estimated US businesses lost almost $2 billion to this type of fraud last year.
Stick around. We’ll be right back.
You’re listening to Craig Peterson.
We’re going to talk about the FCC and what they’re doing to help you.
Stick around. We’ll be right back here on WGAN and online.