According to Dark Reading, there are more than 24 billion credentials currently circulating on the Dark Web, up 65% from 2020. What’s even more frightening is that many of them belonged to people who did everything right with regard to their username and password — and still had them compromised anyway.
Each year, organizations that millions of us use each day are attacked by cybercriminals who steal passwords and email addresses (along with social security numbers, medical records and whatever else of value they can get their hands on). Once your credentials are in a cybercriminal’s possession, they can be exploited for further attack, used to steal your identity, sold on the Dark Web, and more.
If your credentials are stolen in an attack like this, it won’t matter how cleverly constructed your password is or that you never shared your account information with anyone. The apps and services you depend on for your daily life — including your email, your banking institution, your social media accounts or your retail shopping accounts — will have no way of knowing it isn’t you at the other end of the connection once the criminal inputs your login info.
By this point, prevention is off the table: your only real options consist of things like contacting customer service, monitoring your credit (or placing a credit freeze) and other forms of damage control.
But there is something you can do right now to keep this sort of account takeover from happening in the first place.
What is MFA?
Multifactor authentication (MFA) requires anyone wanting to get into your account to present at least two pieces of evidence, drawn from different categories, that they’re actually you. Two-factor authentication (2FA) is the common case where exactly two are required, and the terms are often used interchangeably.
These pieces of evidence are generally divided into three categories:
- Something you know: A password, passcode or PIN
- Something you have: A device in your possession, proven by a confirmation text sent to your cellphone, a code or approval prompt from your authenticator app, or a hardware security key
- Something you are: Facial recognition scan, retina scan, fingerprint or other biometric marker
Unfortunately, the “something you know” is both the easiest piece for cybercriminals to get hold of, and by an overwhelming margin the most commonly requested. In fact, it’s usually the only piece requested, though this is beginning to change (albeit slowly).
No country in the world has a majority of business employees using MFA. Denmark comes closest at 46%, with the U.S. and Canada lagging at 28% and the U.K. doing slightly better at 33%. Microsoft has reported similar results, saying just 22% of enterprise customers that are able to implement MFA actually do so.
Another finding by Microsoft puts a rather fine point on how important MFA is to securing accounts: The company recently found that 99% of compromised Microsoft accounts hadn’t enabled MFA prior to the attack.
MFA Best Practices
MFA isn’t difficult to implement, but there are still some best practices that will help make the process simpler and safer.
- Ensure MFA is implemented company-wide. Mandating MFA to protect top executives, R&D or finance alone won’t do much good if someone in marketing, customer service or HR falls for a phish.
- Choose an authenticator app over receiving codes via text where possible. SIM swapping (“SIM-jacking”) is rare, but it does happen, and SMS was never designed as a secure channel. Plus, an authenticator app generates codes locally from a shared secret and the clock, so it will cover you in cases where your cellular signal is weak or nonexistent.
- But be flexible about the implementation method. Allowing verification via authentication app, email or SMS messaging, based on whatever is most convenient to the end user, will help encourage uptake. Keep in mind that a one-time code delivered by any of these methods can still be relayed by a real-time phishing site, so where you can, also offer a phishing-resistant option such as a FIDO2 security key. In any case, while some authentication methods are safer than others, any MFA is better than no MFA.
- Check the web services you log into frequently. Many, such as Facebook, Intuit/TurboTax and Amazon, have MFA available as an option; turn it on.
- Many of the popular password managers also include MFA (in case you needed yet another reason to start using a password manager).
- And of course, set up passwords/passcodes on your laptop and mobile devices. Multifactor authentication can help prevent the vast majority of account compromises, but you shouldn’t depend on it as a guarantee: Unless you’ve set up a biometric factor, it can’t do much if someone gains possession of your device, particularly if the device stores and auto-fills your username and password.
We at SonicWall hope this Cybersecurity Awareness Month has helped make you a safer and more secure individual, employee and citizen. Thanks for your commitment to seeing yourself in cyber, and check back for more CSAM tips and best practices in 2023!