Multi-Factor Authentication: Your First Line of Defence

Multi-Factor Authentication (MFA) is one of the most important security features to help secure your organisation’s networks, applications, endpoints and critical data.

The good news is that adoption of MFA is quite widespread. Every time you’re prompted to enter a One-Time Password (OTP) that is sent to you via SMS or email, that’s MFA at work. Some systems require you to install an application on your mobile device that provides a time-restricted OTP. Other systems require you to be in possession of a token or USB stick that acts in a similar way. There’s even a trend towards biometrics as a way of authenticating users.

The core principle behind MFA is that you should have at least two, but preferably three of the following in order to authenticate:

  • Something you know (such as a password)
  • Something you have (such as an OTP, token or USB stick)
  • Something you are (such as your fingerprint or iris scan)

MFA aims to ensure only an authorised individual is being authenticated to access a particular system.

Why is Multi-Factor Authentication Necessary?

In a world beset by data breaches, a simple password is not enough to secure your organisation.

Passwords are routinely compromised and available to cyber-criminals through the dark web. Cyber-criminals now routinely engage in brute-force attacks where they bombard a system with millions of passwords in an attempt to gain entry.

And, despite years of awareness raising, anecdotal evidence indicates that many employees continue to use weak passwords, or the same password for multiple systems and applications.

A better way than a simple password is urgently required.

MFA has emerged as the answer. Rather than just requiring a login and password, MFA requires evidence that the individual seeking access to a particular system or application is a legitimately authenticated individual.

If your organisation doesn’t yet have MFA enabled on all your systems and applications, in particular your email, then stop everything and make it your top priority!

Can Multi-Factor Authentication be Circumvented?

In short, it’s not easy, but it is possible in some circumstances.

Recently, it was discovered that unauthorised access to a mailbox was possible in some instances, despite MFA being enabled. A thorough investigation showed that accessing mailboxes through webmail using legacy protocols, such as IMAP, POP3 or SMTP, could allow an attacker to bypass MFA.

Unlike the Outlook application available through Office 365 (o365), webmail alternatives that rely on legacy protocols do not prompt for MFA. All that’s needed to access a webmail-based mailbox is the standard user ID and password.

Despite having migrated to o365, many organisations have neglected to disable legacy webmail. There may be valid reasons for retaining webmail. It is often convenient for staff to have access to their work email from any device without having to install the Outlook application on every device.

However, this convenience may be coming at the expense of exposing your organisation to a greater risk of Business Email Compromise (BEC) attacks. Because these legacy protocols don’t prompt for MFA, they have emerged as the preferred entry points for cyber-criminals seeking access to your organisation’s mailboxes, paving the way for BEC attacks.

Ideally, legacy protocols should be blocked at the o365 level. However, if that is going to cause too much inconvenience to your staff, an alternative approach is required.
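As an added illustration of the blocking step above (this script is not part of the original post and is not eftsure’s code), the following Exchange Online PowerShell audits which mailboxes still accept POP3, IMAP or SMTP AUTH and, only when explicitly asked, disables them. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds Exchange administrator rights.

```powershell
# Added example (not from the original post): find Exchange Online mailboxes
# that still accept the legacy protocols discussed above, and optionally
# switch those protocols off. Run it without -Remediate first to get a
# report, review any mailboxes that genuinely need an exception, then rerun
# with -Remediate.
param(
    [switch]$Remediate   # omit for report-only mode
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# A mailbox is exposed if POP3 or IMAP is enabled, or SMTP AUTH is not
# explicitly disabled (a null value means it inherits the tenant default).
$exposed = Get-CASMailbox -ResultSize Unlimited |
    Where-Object {
        $_.PopEnabled -or
        $_.ImapEnabled -or
        ($_.SmtpClientAuthenticationDisabled -ne $true)
    } |
    Select-Object DisplayName, PrimarySmtpAddress,
                  PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled

# Report first so the list can be reviewed before anything changes.
$exposed | Format-Table -AutoSize
Write-Host ("{0} mailbox(es) still accept a legacy protocol." -f @($exposed).Count)
$exposed | Export-Csv -Path .\legacy-protocol-audit.csv -NoTypeInformation

if ($Remediate) {
    foreach ($mbx in $exposed) {
        # Per-mailbox change: POP3 and IMAP off, SMTP AUTH off (note the
        # inverted "...Disabled" flag). Document any exception, such as a
        # scanner that must send via SMTP AUTH, before excluding it here.
        Set-CASMailbox -Identity $mbx.PrimarySmtpAddress `
            -PopEnabled $false `
            -ImapEnabled $false `
            -SmtpClientAuthenticationDisabled $true
        Write-Host "Disabled POP3/IMAP/SMTP AUTH for $($mbx.PrimarySmtpAddress)"
    }
}

Disconnect-ExchangeOnline -Confirm:$false
```

The CSV it writes doubles as a record of which mailboxes were changed and which were deliberately left as exceptions.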

How can eftsure help?

If your organisation still enables webmail access to mailboxes that rely on legacy protocols, you need some way to ensure you are not being defrauded through BEC attacks.

Having eftsure sitting on top of your accounting processes will help you achieve the layer of security you need.

Every time an EFT payment is about to be processed by your Accounts Payable department, the banking information will be cross-matched against our database comprising over 2 million Australian organisations.

This ensures that the banking information is legitimate and has not been manipulated by cyber-criminals with unauthorised access to your mailboxes.

For a full demonstration of the many ways eftsure can help protect your organisation from the risks of BEC attacks, contact us today.
