How modern phishing defeats basic multi-factor authentication

Read the article to learn how modern phishing attacks defeat basic phone-based MFA, and how hardware security keys such as the YubiKey can help.

The vast majority of all IT security breaches are due to stolen or weak login credentials, and the most common attack vector is phishing. Old-school phishing scams trick users into downloading a file or revealing sensitive data to a fraudulent website. The newest, most sophisticated spear-phishing attacks compromise accounts without the user noticing. In fact, 95% of all attacks targeting an organization’s networks are caused by successful spear phishing.

The COVID-19 pandemic provided perfect conditions for many types of social engineering and phishing attacks. We’ve seen plenty of reports and warnings from the FBI, CISA, Interpol, and other reputable organizations about the growth in coronavirus-related attacks, from spear phishing to vishing, ransomware, and more, as the world adapts to remote working and its associated risks. Look at the rise in phishing attacks related to COVID stimulus and relief, for example.

In many ways, social distancing and remote work have created more fertile conditions for hackers, but the types of social engineering attacks we’re seeing today aren’t too different from what we’ve seen in the past. So, why are we still seeing major breaches making news headlines on a regular basis? 

Because most of the multi-factor authentication (MFA) solutions in place today across state and local government agencies are defeated by modern phishing attacks.

Watch Yubico CTO Christopher Harrell show what it’s like to be phished with these modern attacks when using several types of basic multi-factor authentication: Modern phishing vs. common phone and OTP authentication

The only authentication technologies proven to stop these attacks all use public key cryptography, including smart cards and hardware security keys such as the YubiKey.

The YubiKey, a FIPS 140-2 validated hardware security key from Yubico, has been proven to offer the highest levels of security against account takeovers in independent research, preventing targeted attacks. YubiKeys offer the strongest security against phishing attacks and account takeovers, as well as the best user experience. To authenticate, users simply tap/touch their security key. YubiKeys do not require batteries, have no breakable screens, do not need a cellular connection, and are water-resistant and crush-proof.

YubiKeys feature modern protocols like FIDO2 and WebAuthn, as well as OTP, SmartCard (PIV), OpenPGP, earlier FIDO versions, and more. A single key supports multiple applications, allowing YubiKeys to work with current applications and authentication methods, and advanced and emerging protocols at the same time.

 

Many state and local governments are using YubiKeys to secure their critical systems and applications, remote workers, first responders, field workers, CJIS systems, citizen-facing web services, and election ecosystems.


Contact me or Yubico to learn more about stopping phishing attacks and account takeovers with hardware-backed strong authentication using the YubiKey.

Michael.Santini@Yubico.com

Yubico sets new global standards for simple and secure access to computers, mobile devices, servers, and digital accounts, and helps government and industry organizations mitigate cybersecurity risk by securing access to critical business and customer data with high-assurance multi-factor authentication using the YubiKey.