Multi-Factor Authentication: Are You Still Exposed to Scams?

1. SIM Swapping

Most of us would now be familiar with one of the most common MFA controls: the one-time-passcode sent to your mobile device.

It works quite simply: Once you enter your username and password to login to an application, you get sent a code via SMS. Only when you enter the code into the web application are you authenticated and able to complete the login.

So, how are scammers circumventing this widely used security measure?

It starts with the scammers contacting your telco provider. They attempt to deceive representatives at the telco into believing they are the legitimate owner of your mobile number. Of course, the scammer will need to have acquired enough information about you to deceive the telco representative. This is usually achieved by a combination of social engineering and open-source intelligence.

If the scammer succeeds in deceiving the telco representative, they can have your mobile number assigned to their SIM card.

This opens the way for scammers to gain access to a wide range of applications, including email accounts. They then have the ability to spoof representatives of your organisation or supplier organisations, in order to launch BEC attacks.

2. Device Theft

SIM swapping requires quite a bit of effort on the part of scammers. However, if you misplace your mobile device, or it is stolen, information may be exposed to scammers that enables them to launch BEC attacks.

Once a scammer has access to your mobile device, they will be able to use MFA to authenticate on any number of applications, including email accounts.

The physical security of devices is essential to preventing unauthorised access to your organisation’s data. Never leave devices unattended, even momentarily. If one of your devices is lost of stolen, make sure your organisation’s IT department is made aware, so they can remotely wipe any sensitive data.

3. Man-In-The-Middle Attacks

It is easy to assume that if you login to an application using MFA, that any data transfers to or from that application are fully secure.

That is not necessarily the case, particularly if you are using public Wi-Fi networks.

In an era when so many staff are working remotely, many may be tempted to work in coffee shops or other public settings, where Wi-Fi is available. However, in many cases, these public Wi-Fi networks don’t offer the levels of security offered by either enterprise or even residential Wi-Fi networks.

A Man-In-The-Middle attack can occur when a scammer is able to intercept the data you are transferring across a public Wi-Fi network. This type of attack may expose a range of sensitive information, including passwords to applications and email accounts.

Naturally, once a scammer has access to these details, they can conduct all sorts of damage, including BEC attacks.

It is therefore always preferable to use known, trusted workplace or residential Wi-Fi networks. However, if you need to use a public Wi-Fi network, always do so with a Virtual Private Network, or VPN. This ensures data is encrypted, making it much harder for a scammer to intercept it.

4. Phishing

Phishing remains one of the most common and effective methods for scammers to obtain email login credentials, allowing them to access mailboxes and carry out BEC attacks.

Most phishing attempts involve sending fake emails or SMS messages containing malicious links. Often, these links will redirect the recipient to a fake website that is carefully designed to look identical to a legitimate website.

In many cases, even the URL of the fake website will closely resemble the legitimate website. Just one of two characters may be altered, such as replacing the letter “O” with a zero.

Many times, the fake websites are designed to imitate webmail applications. The victim will be prompted to login using their username and password. In cases where MFA is configured, the scammer may already have compromised the victim’s mobile phone number through SIM swapping, giving them unfettered access to email accounts.

At this point, there are no impediments to launching a BEC attack.

How can eftsure help?

As you can see, there are many tactics scammers are using to bypass Multi-Factor Authentication. Whilst MFA certainly increases your levels of security, it should not be seen as foolproof. Smart scammers are finding new ways to circumvent MFA on a daily basis, thereby paving the way for them to engage in Business Email Compromise attacks.

With eftsure sitting on top of your accounting processes, you will be able to ensure that outgoing payments are being sent to the intended recipient. Even if a cyber-criminal has successfully circumvented your MFA controls, their capacity to steal your funds will be constrained.

eftsure verifies all outgoing EFT payments against our database comprising over 2 million Australian organisations. Verification takes place in real-time immediately prior to a payment being processed by your Accounts Payable team.

With eftsure in place, scammers will be blocked from profiting at your expense, irrespective of whether or not they managed to evade your MFA security controls.

Contact us today for a no-obligation demonstration and learn how eftsure can secure your organisation from the threat of scammers and fraud.