Part 1 was about how attacks on two-factor authentication work.
Here in Part 2, we describe exactly what these attacks target and how you can protect yourself and your business.
Well-known brands under hacker attack
The potential uses of 2FA/MFA attack methods are vast. For example, a study by Barracuda, an IT and data security provider, found that cybercriminals focus on well-known brands – most notably Microsoft and Apple. Financial institutions are also being imitated with particular frequency. In the recent past, there has also been an increase in attacks in which hackers specifically penetrate internal corporate communication platforms such as Microsoft Teams and Slack. This is particularly perfidious because exchanges in these community forums are based on trust. This makes it easy for employees to be tricked with fraudulent emails that purport to come from their superiors, colleagues or business partners.
Do not hesitate, act quickly!
The worsening threat situation requires companies to act quickly! They would be well advised to switch to the latest techniques for 2FA and to systematically train their employees in recognizing phishing attacks.
Safe from account takeover with FIDO2
FIDO2 (Fast Identity Online) provides an innovative method for secure online identification. Because registration with the web service is cryptographically secured, cybercriminals are unable to take over the account with phished log-in data. Each time a user registers with a service, a new key pair consisting of a private and a public key is generated on the device in use. The public key is registered with the web service, while the user authenticates by proving possession of the private key, which must first be unlocked by a specific action – for example, entering a PIN or a voice input. The private key always remains on the user’s device; it never has to be typed in manually and is never retrieved from any website. Through the WebAuthn standard, an online service can enable FIDO authentication via a standard web programming interface in the browser.
The FIDO Alliance was launched in 2013 by Paypal, Lenovo, Infineon, Nok Nok Labs, Validity Sensors and Agnitio to advance passwordless online identification. The alliance was later joined by other prominent corporations such as Microsoft, Google and Samsung, and it now includes hundreds of technology companies around the globe.
Complete solution: IT-Seal Awareness Academy
In addition to these technical security measures, another focus should be on establishing a sustainable security culture within the company. Security awareness training for employees is a key instrument for this. With the Awareness Academy, IT-Seal offers companies a complete solution that combines classic e-learning as well as online and face-to-face seminars with innovative spear phishing simulations.
Spear phishing simulations are particularly effective because they recreate authentic phishing attacks in everyday work. If employees fall for a fraudulent e-mail, they are immediately redirected to an interactive explanation page. There they learn how they could easily have recognized the e-mail as a fake: for example, by transposed letters in the sender address, or by deviating URLs or subdomains. Spear phishing simulations use this “most teachable moment” to train employees to treat e-mails and requested log-ins with caution.
Unique measurement method patented
With the recently patented Employee Security Index – ESI® for short – IT-Seal has developed a unique method to align security awareness training with the individual learning needs of employees and to document their learning progress. Companies receive a tangible and reliable key figure with which to compare their individual employee groups in a standardized manner and to plan the targeted use of further training measures. In this way, any desired level of security can be achieved without wasted time and cost.