Still Not Enabling 2FA? Hackers May Do It For You
Here's a story of how 2-Factor Authentication truly hits home.
Dennis Dayman is a chief privacy officer and has always tried to instill strong cyber hygiene in his family. One morning, his son could no longer access his Xbox gaming account.
When the two of them sat down to reset his password, the screen displayed a notice saying there was a new Gmail address tied to his Xbox account.
They quickly realized someone had stolen the son's password to gain access to his Xbox account. Naturally, they sought to change the password to reclaim the account. Unfortunately, they discovered that the hacker had taken additional steps to secure his position.
Dennis soon learned the unauthorized Gmail address added to his son’s hacked Xbox account also had enabled MFA.
This is the real "uh oh" moment. The individual who had snuck into the younger Dayman's account had enabled Multi-Factor Authentication on it, so any password reset or account-change request would now be routed to the imposter for approval rather than to the rightful owner.
“[Microsoft] said their policy was not to turn over accounts to someone who couldn’t provide the second factor." - Dennis Dayman
Next, the cybercriminal began exploiting this newfound access.
“During this period, we started realizing that his bank account was being drawn down through purchases of games from Xbox and [Electronic Arts]." - Dennis Dayman
So not only did the Daymans know they were being attacked, they also couldn't get Microsoft to help stop this attack!
Unfortunately, this is an unintended exploitation of MFA: the same policy that keeps an account holder safe also protects whoever enrolled the second factor first. Microsoft's policy is still correct. Only after jumping through several hoops did the Daymans finally recover the account.
Any service to which you entrust sensitive information can get hacked, and enabling multi-factor authentication is a good hedge against having leaked or stolen credentials used to plunder your account.
This is a scary story, but it's a stark reminder that enabling 2FA or MFA is critical, at work and at home.
If you don't do it, a sneaky hacker may do it for you!
And are you wondering how the attacker got the son's password in the first place?
In 9 out of 10 cases, it's from phishing (like here and here). Crafty phishing attacks are hitting non-stop.
When it comes to work, it's time to protect your team and your assets from these attacks.