Last year, the University began requiring multi-factor authentication (MFA) for all students, faculty, and staff to access systems such as Banner and email. MFA requires people to prove who they are with more than a username and password, which can be stolen, phished, or cracked by third parties. Adding a second verification method, such as accepting a push notification in a phone app or entering a code sent by text message, drastically reduces the likelihood that an account will be compromised. However, MFA is not foolproof: it only protects the account when the person holding the phone declines prompts they did not initiate.
The FBI has recently been warning organizations to beware of attacks that circumvent MFA. Most of these attacks use social engineering to trick people into approving an MFA prompt that grants the attacker access to a system. Often, the attacker uses that single approved prompt to get into the MFA enrollment portal and register their own phone or device. From then on they can approve MFA prompts themselves and no longer need the victim's cooperation to reach other resources. Below are common variations of these attacks.
- Most MFA providers allow people to receive a phone call and press a key as the additional factor. Attackers place repeated calls, often in the middle of the night, until the person finally accepts the request just to make the calls stop.
- Attackers repeatedly attempt to sign in to a system that requires MFA, generating prompt after prompt, until the person approves one out of habit (how often do we actually say "No" to an MFA request?) or to make the prompts stop. A prompt only appears after someone has entered the correct password, so a prompt you did not start yourself usually means your password is already in someone else's hands.
- Attackers attempt access only once or twice a day to avoid attracting attention, hoping the person will eventually accept a prompt without thinking about it.
- Attackers call someone pretending to be a fellow employee, usually a member of the information technology team, and ask the person to accept an MFA request as part of a company process or to resolve a technical issue. Treat any request to approve a prompt you did not initiate as suspicious, whoever claims to be asking.
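Every variation above leaves a trace in the MFA provider's logs that the individual user never sees: a burst of prompts, denials spread over days, an approval right after a run of denials, and a new device enrolled minutes later. The following Python script is an added example of detection logic for those patterns; it is not part of this note and not ITS tooling. The log format, field names, sample events, and thresholds are all assumptions made for illustration, and would need to be mapped onto whatever your MFA provider actually exports.

```python
"""Flag MFA fatigue (push bombing), low-and-slow prompting and attacker device
enrollment in MFA logs.  Added example, not ITS tooling or a vendor schema:
the log format, field names and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log: "<UTC time> <user> <event> <result or -> <source ip>".
# alice: four prompts in three minutes, three denials, an approval, then a new
#        device enrolled minutes later (the sequence the article describes).
# bob:   one prompt, approved at once (a normal sign-in).
# carol: one denied prompt per day over three days (the low-and-slow variant).
SAMPLE_LOG = """\
2024-03-01T02:10:05Z alice push_sent - 203.0.113.7
2024-03-01T02:10:08Z alice push_result denied 203.0.113.7
2024-03-01T02:10:40Z alice push_sent - 203.0.113.7
2024-03-01T02:10:43Z alice push_result denied 203.0.113.7
2024-03-01T02:11:20Z alice push_sent - 203.0.113.7
2024-03-01T02:11:23Z alice push_result denied 203.0.113.7
2024-03-01T02:13:30Z alice push_sent - 203.0.113.7
2024-03-01T02:14:10Z alice push_result approved 203.0.113.7
2024-03-01T02:16:30Z alice device_enrolled - 203.0.113.7
2024-03-01T09:00:00Z bob push_sent - 198.51.100.20
2024-03-01T09:00:05Z bob push_result approved 198.51.100.20
2024-03-01T08:00:00Z carol push_sent - 203.0.113.9
2024-03-01T08:00:30Z carol push_result denied 203.0.113.9
2024-03-02T08:05:00Z carol push_sent - 203.0.113.9
2024-03-02T08:05:20Z carol push_result denied 203.0.113.9
2024-03-03T07:58:00Z carol push_sent - 203.0.113.9
2024-03-03T07:58:40Z carol push_result denied 203.0.113.9
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

# Illustrative thresholds; tune to your environment's normal prompt volume.
BURST_COUNT, BURST_WINDOW = 4, timedelta(minutes=10)         # push bombing
SLOW_COUNT, SLOW_WINDOW = 3, timedelta(days=7)               # low and slow
PRIOR_DENIALS, APPROVAL_LOOKBACK = 2, timedelta(minutes=30)  # worn-down approval
ENROLL_WINDOW = timedelta(hours=1)                           # enrollment after it


def parse_log(text):
    """Parse the sample format into dicts sorted by time; reject malformed lines."""
    events = []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        ts, user, event, result, ip = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": when, "user": user, "event": event, "result": result, "ip": ip})
    return sorted(events, key=lambda e: e["ts"])


def _run_start(times, count, window):
    """Earliest timestamp that begins a run of >= count events within window, else None."""
    for i, start in enumerate(times):
        if sum(1 for t in times[i:] if t - start <= window) >= count:
            return start
    return None


def detect(events):
    """Return (rule, user, timestamp) alerts for the patterns in the list above."""
    alerts, by_user = [], defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        sent = [e["ts"] for e in evs if e["event"] == "push_sent"]
        denied = [e["ts"] for e in evs if e["event"] == "push_result" and e["result"] == "denied"]
        # Rule 1: a burst of prompts; Rule 2: a few denials spread over days.  Either
        # way someone other than the user is entering the correct password.
        for rule, times, count, window in (("push_bombing", sent, BURST_COUNT, BURST_WINDOW),
                                           ("repeated_denials", denied, SLOW_COUNT, SLOW_WINDOW)):
            start = _run_start(times, count, window)
            if start is not None:
                alerts.append((rule, user, start))
        # Rule 3: an approval that follows recent denials is probably the user giving in.
        # Rule 4: a device enrolled soon after such an approval is likely the attacker's own.
        suspicious = []
        for e in evs:
            if e["event"] == "push_result" and e["result"] == "approved":
                recent = sum(1 for d in denied if e["ts"] - APPROVAL_LOOKBACK <= d < e["ts"])
                if recent >= PRIOR_DENIALS:
                    alerts.append(("approval_after_denials", user, e["ts"]))
                    suspicious.append(e["ts"])
            elif e["event"] == "device_enrolled" and any(
                    timedelta(0) <= e["ts"] - a <= ENROLL_WINDOW for a in suspicious):
                alerts.append(("enrollment_after_suspicious_approval", user, e["ts"]))
    return alerts


def summarize(alerts):
    """Map each user to the sorted rule names that fired, for triage or tests."""
    out = defaultdict(set)
    for rule, user, _ in alerts:
        out[user].add(rule)
    return {user: sorted(rules) for user, rules in out.items()}


if __name__ == "__main__":
    for rule, user, when in detect(parse_log(SAMPLE_LOG)):
        print(f"{when.isoformat()} {user:6} {rule}")
```

Run against the constructed log, alice trips all four rules and carol trips only the low-and-slow rule, while bob's ordinary sign-in produces nothing. The enrollment rule is the one worth acting on fastest: once an attacker's own device is registered, resetting the password alone does not evict them, so the response has to include removing the unrecognized device from the account.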
While multi-factor authentication is a critical part of protecting accounts from being compromised, we still need to remain vigilant. Cybercriminals constantly change tactics in response to the technologies we use to protect information assets. In the end, we are the most important factor in keeping our data safe: deny any MFA prompt you did not initiate, and if the prompts keep coming, change your password and let ITS know, because someone already has the old one.
ITS will continue to simulate phishing and assign training to those most susceptible. If you believe you’ve been targeted by phishing, see Reporting a Phishing Message (How-to).
— Chris Mielke, ITS