By now, many have heard about the recent ransomware attack against San Francisco’s “Muni” system on Black Friday, in which the attacker locked the railway’s systems and demanded 100 BTC as payment. The second, less-known part of the story was published by Brian Krebs on his blog yesterday:
“On Monday, KrebsOnSecurity was contacted by a security researcher who said he hacked this very same firstname.lastname@example.org inbox after reading a news article about the SFMTA incident. The researcher, who has asked to remain anonymous, said he compromised the extortionist’s inbox by guessing the answer to his secret question, which then allowed him to reset the attacker’s email password.”
The important lesson to be learned, by consumers and enterprises alike, is that a security question on its own is no longer a viable factor for multi-factor authentication (MFA). Social engineering and phishing have never been as easy as they are today because of the amount of personal information available online.
What Can Consumers Do?
In your personal life, try to find an alternative method to authenticate yourself or reset your password (if the site allows) so that your security question isn’t your last line of defense. If you must use a question, make the answer something outlandish or a boldfaced lie that only you would know the answer to. If your pet’s or elementary school’s name is on Facebook/Twitter/Snapchat, then that answer is about as useful as a boat in the desert.
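The advice above boils down to two checks: an answer is useless if it can be read off your public profile, and the safest answer is a random secret stored in a password manager rather than a true fact. The following is an added example (not code from the original post or from Centrify) that applies both checks; the public-profile facts and the candidate answers are constructed sample values, and the normalisation rules are a simple heuristic assumed for illustration.

```python
import re
import secrets

# Constructed sample of facts an attacker could read off a public profile
# (hypothetical values, not from the post): pet name, school, hometown.
PUBLIC_FACTS = {
    "pet": "Fluffy",
    "school": "Lincoln Elementary School",
    "hometown": "Sacramento",
}

# Words people append to answers that add no secrecy ("Lincoln" vs
# "Lincoln Elementary School" are the same guess to an attacker).
FILLER = {"elementary", "school", "high", "middle", "city", "the"}


def normalize(text: str) -> str:
    """Lower-case, keep only letters/digits and drop filler words."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return "".join(w for w in words if w not in FILLER)


def is_guessable(answer: str, facts=PUBLIC_FACTS) -> bool:
    """True if the answer matches any publicly known fact after normalisation."""
    norm = normalize(answer)
    if not norm:
        return True  # empty answer: trivially guessable
    return any(norm == normalize(v) for v in facts.values())


def assess(answer: str, facts=PUBLIC_FACTS) -> str:
    """Classify a candidate answer by how easily it could be guessed."""
    if is_guessable(answer, facts):
        return "matches-public-profile"
    # A single short word (e.g. "Rex") falls to a name/word dictionary.
    if re.fullmatch(r"[A-Za-z]{1,12}", answer.strip()):
        return "dictionary-word"
    return "ok"


def generate_answer(nbytes: int = 12) -> str:
    """Random answer (96 bits of entropy by default) to keep in a password manager.

    The answer does not have to be true; it only has to be unguessable.
    """
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    # Constructed candidate answers to "What was your first pet's name?"
    for candidate in ["Fluffy", "fluffy!!", "Rex", "Lincoln Elementary", "purple-teapot-orbit-41"]:
        print(f"{candidate!r:28} -> {assess(candidate)}")
    print("generated:", generate_answer())
```

The point of `normalize` is that attackers do not guess literally; "Fluffy", "fluffy!" and "Lincoln Elementary" all collapse onto the same public facts, so only an answer that is not a fact about you (or one nobody could look up) survives the check.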
What Can Enterprises Do?
In business organizations, if you are still not leveraging an enterprise-grade MFA tool, remember that it’s not a matter of if someone gets into your systems, but of when and how much damage they will cause. With the bevy of MFA solutions out there, there is no reason not to secure your users, your applications and your entire infrastructure from top to bottom with this additional layer of security — especially when you take into consideration that the $73k demanded from “Muni” is more expensive than an org-wide MFA solution for a mid-sized company.
Strengthen Security with Adaptive MFA
Passwords are a very weak link in your security. They offer inadequate protection against cyber attacks, data breaches and fraud. Centrify strengthens security with adaptive multi-factor authentication (MFA) across enterprise identities and resources — without frustrating users. Implementing MFA across every user (end-users and privileged users), and every IT resource (cloud and on-premises apps, VPN, endpoints, servers and privilege elevation) helps block cyberattacks at multiple points in the attack chain — and protects against compromised credentials.
To learn more about today’s MFA, check out our eBook: “Level Up Your Security.”