General Consultant Discussion

  • 1.  Interesting regarding Multi-Factor Authentication

    Posted 08-27-2019 09:09
    https://www.zdnet.com/article/microsoft-using-multi-factor-authentication-blocks-99-9-of-account-hacks/

    ------------------------------
    Mark Chinsky
    Clients First Business Solutions
    ------------------------------


  • 2.  RE: Interesting regarding Multi-Factor Authentication

    Posted 08-27-2019 09:29
    And most of what is seen as creating good passwords is wrong...

    ------------------------------
    Phil McIntosh
    President
    Friendly Systems, Inc.
    Asheville NC
    678.273.4010 ext 5
    ------------------------------



  • 3.  RE: Interesting regarding Multi-Factor Authentication

    Posted 08-27-2019 10:40
    The problem with passwords is they don't need to be guessed. I have a customer site where I have a login and am on email there. I get messages "We are moving our email to Teams - please log in with your Office credentials".

    Boom. Hacked. 

    The customer is savvy and uses a third-party solution to phish their own people to see who falls for the fake emails and who reports them.

    With 2FA you need a very determined and targeted attack to get around your second factor.

    ------------------------------
    Wayne Schulz - Schulz Consulting - 860-516-8990
    ------------------------------



  • 4.  RE: Interesting regarding Multi-Factor Authentication

    Posted 08-27-2019 10:45

    What I don't understand about 2 factor is why you need to enter your password AND THEN the second factor.

     

    The password is almost meaningless.  Your fingerprint on your phone (or your face on apple faceid) is the real security.

     

    They could actually make 2fa EASIER to use than passwords (short of someone cutting your finger off)

    Mark Chinsky
    Managing Director
    Clients First Business Solutions
    t: (732) 497-9915 | e: mchinsky@clientsfirst-us.com
    w: www.clientsfirst-us.com
    a: 670 North Beers St. Bldg 4, 2nd Fl., Holmdel, NJ 07733




  • 5.  RE: Interesting regarding Multi-Factor Authentication

    Posted 08-27-2019 12:59

    This is the way I believe it works - but let me know if you think I have it wrong!

    The password is still critical as the primary, most-used way to access things. The 2FA is designed to be triggered if you use a new device or a certain amount of time on an existing device. 

    So ... if I log in to DEVICE A today for the first time, it will trigger my second factor (code to my mobile or whatever) and I will authenticate DEVICE A. 

    The next time I log in to DEVICE A, I won't need the code.

    If I log in via a new system, DEVICE B, it will trigger my second factor code again and when I put it in, I will authenticate DEVICE B.

    So the password is used for most logins ongoing. The 2FA is only used to authenticate the first time and then at regular intervals based on security policies for your company.

    Some companies may say "every 60 days, you need to re-authenticate" and some companies may say "every week" or even "every time" to ensure maximum security.

    And ... if your device goes missing, you can tell your IT Team, kill that authentication to DEVICE A immediately and haxx0rs won't be able to get in using that DEVICE.



    ------------------------------
    Peter Wolf
    Azamba Consulting Group
    ------------------------------
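    As an added illustration of the remembered-device flow Peter describes above (this is not code from the thread or from any product, and the device names, timestamps and 60-day interval are constructed): a minimal model of the policy in which the password is checked every time, the second factor only on a new device, after the policy interval, or after the device's trust has been revoked.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional

@dataclass
class RememberedDevicePolicy:
    # How long one successful second-factor check keeps a device trusted.
    # None means "every time": the second factor is always required.
    reauth_interval: Optional[timedelta]

@dataclass
class DeviceTrustStore:
    # device_id -> time of the last successful second-factor check on it
    verified_at: Dict[str, datetime] = field(default_factory=dict)

def second_factor_required(store, policy, device_id, now):
    """Called after the password has already been accepted: does this login
    also have to complete the second factor?"""
    if policy.reauth_interval is None:
        return True                                  # "every time" policy
    last = store.verified_at.get(device_id)
    if last is None:
        return True                                  # new (or revoked) device
    return now - last >= policy.reauth_interval      # trust has expired

def record_second_factor_success(store, device_id, now):
    store.verified_at[device_id] = now               # remember the device

def revoke_device(store, device_id):
    """Device reported missing: drop its trust so the next login on it
    is treated like a first login and needs the second factor again."""
    store.verified_at.pop(device_id, None)

def demo():
    """Walk through the thread's scenario; returns one decision per step."""
    policy = RememberedDevicePolicy(reauth_interval=timedelta(days=60))
    store = DeviceTrustStore()
    day0 = datetime(2019, 8, 27, 9, 0)               # constructed timestamp
    steps = []
    steps.append(second_factor_required(store, policy, "DEVICE A", day0))  # first login
    record_second_factor_success(store, "DEVICE A", day0)
    steps.append(second_factor_required(store, policy, "DEVICE A", day0 + timedelta(days=1)))
    steps.append(second_factor_required(store, policy, "DEVICE B", day0 + timedelta(days=1)))
    steps.append(second_factor_required(store, policy, "DEVICE A", day0 + timedelta(days=60)))
    revoke_device(store, "DEVICE A")                 # device went missing
    steps.append(second_factor_required(store, policy, "DEVICE A", day0 + timedelta(days=2)))
    every_time = RememberedDevicePolicy(reauth_interval=None)
    record_second_factor_success(store, "DEVICE B", day0)
    steps.append(second_factor_required(store, every_time, "DEVICE B", day0))
    return steps                                     # → [True, False, True, True, True, True]
```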



  • 6.  RE: Interesting regarding Multi-Factor Authentication

    Posted 08-27-2019 13:04

    Yes - it's the social engineering that was, and always will be, the biggest risk in play. 2FA / MFA slows this down too as the haxx0r will need to get that code in addition to your password. It makes it more awkward and puts a pause on someone who might be tricked into replying to a phishing email when the follow-up comes "oh, can you tell me what that code is on your phone?"

    The phishing emails used to be a complete joke. These days they are sophisticated and look very real - even to me and I'm always looking for them.

    We adopted a corporate policy that says "don't f--king click on any link or document FROM ANYONE even if they are a friend or a co-worker unless you know for sure it was from them intentionally." 

    For internal communications, we have shifted to Teams so we know that we aren't emailing each other links to "Salary Compensation - click here" or "Important payroll information - click here" or "Office update requires your login - click here" and other nonsense like that. 

    Even with that policy, every time I see a phishing email, a small part of me says "which one of the team is going to click this?" Not because my team is dumb but because human psychology takes shortcuts on things and a well-written message abuses those shortcuts to create a high likelihood of clicking.




    ------------------------------
    Peter Wolf
    Azamba Consulting Group
    ------------------------------



  • 7.  RE: Interesting regarding Multi-Factor Authentication

    Posted 08-27-2019 13:53
    What you described is how some companies do it (i.e. PayPal) because entering a text code every time is annoying.

    True MFA (like how Microsoft is mandating Azure admins do it) requires an MFA acknowledgement every time you log in.  Can't speak for iOS, but the Microsoft Authenticator App on Android is great.  Even if my screen is off, it will pop up in black and white and I can approve with a single tap.  Way better than opening a texting app and retyping 6 digits.

    If they all went to this standard, the password becomes meaningless because you ain't getting into any service unless you can biometrically prove you are you.


    ------------------------------
    Mark Chinsky
    Clients First Business Solutions
    ------------------------------



  • 8.  RE: Interesting regarding Multi-Factor Authentication

    Posted 08-27-2019 14:29

    What people point out is passwords are hard to remember.  So people decide to just use one password across most sites.

    Thus if just one site has bad security and their password database is hacked, it isn't hard for the bad guys to use your email address and same password on hundreds of other sites to see which ones work.



    ------------------------------
    Mark Chinsky
    Clients First Business Solutions
    ------------------------------