Can we still trust 2FA to protect our data in the wake of widely-publicized data breaches?
We published a blog post in March 2019 called “What Is Two-Factor Authentication And Does It Work?” In it, we explained that two-factor authentication, often referred to as 2FA, is a security procedure that requires users to login with two different types of credentials. Usually this involves a username and password as well as answering a security question, inputting a code from your text messages or email, or responding to a push notification. It could also involve using a key fob or biometric scanner. The goal is to add a second layer of protection to your account so hackers have to work harder to get in.
Our blog post reported that cyber attacks were on the rise, up 200% in just the first six months of 2019. Unfortunately, that trend has continued and cyber attacks are now the fastest growing crime in the U.S. By 2025, it is expected to cost the world $10.5 trillion annually.
Clearly, cyber security is something we must all take seriously. But is 2FA enough?
Who is Affected by Cybercrime?
You may think cybercrime only affects big businesses that can be exploited for lots of money. But that’s just not the case. Cybercrime is becoming a reality for businesses of every size, as well as ordinary people like you and me. Stolen data can be held for ransom, used for blackmail, or sold in bulk on the dark web.
In a 2019 Washington Post article, FBI agent Elvis Chan was quoted saying that so much personal data has been stolen and sold on the dark web that “Every American person should assume all of their data is out there.” And as I write this post, tech journalists are reporting on a Microsoft Exchange Server breach that was announced this morning.
The COVID-19 pandemic has only contributed to a rapid increase in cyber attacks over the last year. Many businesses have desperately scrambled to get online. Some may have taken measures to protect their data, but for others inexperience led to poor security choices that have been exploited. Networks employees use at work often have better security protections in place than their home wifi setups, and popular communication tools like Zoom have created security weaknesses. All told, cloud computing company Iomart reports a 273% increase in large-scale data breaches in the first quarter of last year.
Overall, 2020 was a good year for black hat hackers.
Can 2FA Be Hacked?
One of the most common questions to come up in a Google search for 2FA is, “Can 2FA be hacked?” The answer is yes and no.
In 2011, security company RSA admitted that its SecurID authentication token had been compromised. These tokens were either physical objects (like fobs or USB sticks) or software that would generate new authentication codes every 60 seconds. These codes were the second factor of authentication for users logging in with SecurID, so hackers who accessed these tokens could access users’ accounts across the web. However, RSA pointed out that their 2FA had not failed. Rather, the tokens were breached through a phishing attack where an employee opened a file in this email, which allowed malware to access the RSA network.
This is usually the way that 2FA “fails”: hackers simply go around it. The Chinese state-sponsored group APT20 famously infiltrated U.S. government agencies in 2019 by exploiting weaknesses in server software the agencies were using. These weaknesses allowed the hackers to access security tokens and login throughout the government networks. The more recent SolarWinds attack was similar, with hackers using a supply chain attack. Many U.S. government agencies and multinational companies use the popular software SolarWinds Orion Platform. By infiltrating this software, Russian hackers were able to sneak into these government and civilian networks.
There are also a number of sneaky attacks that target individuals. SIM swap fraud is one example where attackers port someone’s mobile number so they can receive 2FA security codes. Another threat is man-in-the-middle attacks, where hackers trick users into entering login credentials in websites that are not legitimate. Once the credentials are entered in the fake site, the hackers have them to use. This was seen last September when attackers targeted a number of high profile YouTubers. And, of course, many people simply disable 2FA because they find it inconvenient.
Is 2FA the Answer to Cybersecurity Threats?
Whether 2FA is the answer to our cybersecurity woes is complicated. As long as 2FA can be bypassed, it’s not a perfect solution. But we have to remember that 2FA was never meant to be a perfect solution on its own. It’s unrealistic to expect any technology to prevent every cybersecurity threat.
And when used with other security measures, 2FA has been proven to be extremely effective. Microsoft famously reported that using multi-factor authentication blocks 99.9% of account hacks. This statistic was based on data pulled from their cloud services, which see over 300 million fraudulent sign-in attempts daily. That’s a much higher rate of success than many other security features, and much higher success rate than using passwords alone. (Passwords are really ineffective.)
Most security experts predict that MFA is set to become an integral part of our online experience. Writing for Tech Beacon, Rob Lemos goes as far as claiming that 2021 is the year we’ll see “the end of the solo password.” He backs up that claim, stating, “Adding a second factor is a game-changer. Even one of the weakest forms of two-factor authentication—two-step verification through SMS text messages—can stop 100% of all automated attacks, 96% of bulk phishing attacks, and three-quarters of targeted attacks, according to Google.”
Secplicity, an online cybersecurity publication, goes further, claiming, “Every service without MFA will suffer a breach.”
Are You Ready for Easy, Reliable Security?
2FA is a foundational element of strong cybersecurity. It’s an integral as the firewall and antivirus protection you’re probably running on your network right now.
If your business is operating without 2FA, you’re leaving yourself vulnerable to crippling security failure, including data loss, data theft, and hijacking. That’s in addition to the credibility such failures cost you with your clients.
Don’t be vulnerable. Contact TracSoft today and learn how we can protect you. Our TS 2Factor can be set up remotely in under half an hour without any disruption to your business. With over 20 years of experience in cybersecurity and application development, we have a record of success you can count on.