As organizations continue to take steps to prevent cyberattacks, a near-universal recommendation is that they should implement multi-factor authentication (MFA), and for good reason. Organizations subject to the updated FTC Safeguards Rule, for example, are required to implement MFA. The Cybersecurity & Infrastructure Security Agency (CISA) includes MFA as a best practice. And for the insurance industry, “MFA has quickly become a minimum standard requirement for companies to be considered for cyber insurance coverage.”
However, according to a recent HIPAA Journal article, bad actors figured out a way around MFA (no April Fool’s joke here!):
The Los Angeles County Department of Mental Health has recently notified the California Attorney General about a breach of an employee’s email account. The email account had multi-factor authentication (MFA) in place; however, MFA was bypassed. The cyber threat actors bypassed MFA using a technique known as push notification spamming, where a user is sent multiple MFA push notifications to their mobile device in the hope that they will eventually respond. The employee did respond, resulting in their email account being compromised.
This is not to say that MFA is not a critical safeguard for securing an organization’s systems. But it also is not the first instance of MFA being bypassed. Rather, the incident described above should be a reminder that no means of system security is perfect. Organizations need to continue to make reasonable efforts to identify vulnerabilities and address them, and they should not be overconfident in the security that MFA provides.
There are several ways to strengthen MFA, including hardware-based MFA, limiting login attempts, and user training. Choosing among them should be part of an ongoing process of continually monitoring the organization’s systems and assessing information risk, taking into account the enhanced capabilities and creativity of bad actors, including those aided by AI. Doing so will not only help protect the organization; it also will improve its defensible position in a litigation or compliance review and help avoid a data breach.
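As an added example (not from this post or the HIPAA Journal article it quotes), the following Python detector runs over constructed MFA log lines, flags the push notification spamming pattern described above, and shows the "limit login attempts" mitigation as a per-user rate limit on outgoing pushes; the log format, user names, and thresholds are assumptions.

```python
from datetime import datetime, timedelta
from collections import deque

# Constructed sample MFA log (not real data): "<ISO time> <user> <event>"
SAMPLE_LOG = """\
2024-04-01T08:00:01 alice push_sent
2024-04-01T08:00:20 alice push_denied
2024-04-01T08:00:25 alice push_sent
2024-04-01T08:00:40 alice push_sent
2024-04-01T08:00:55 alice push_sent
2024-04-01T08:01:10 alice push_approved
2024-04-01T09:15:00 bob push_sent
2024-04-01T09:15:30 bob push_approved
"""

def parse_log(text):
    """Parse constructed log lines into (timestamp, user, event) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, event = line.split()
        events.append((datetime.fromisoformat(ts), user, event))
    return events

def detect_push_fatigue(events, max_pushes=3, window=timedelta(seconds=120)):
    """Alert on users who receive more than max_pushes pushes inside `window`.
    Each alert records whether the user eventually approved a push while the
    burst was still active (the success case described in the breach notice)."""
    recent = {}   # user -> deque of push timestamps still inside the window
    alerts = {}   # user -> alert details
    for ts, user, event in sorted(events):
        q = recent.setdefault(user, deque())
        while q and ts - q[0] > window:   # drop pushes older than the window
            q.popleft()
        if event == "push_sent":
            q.append(ts)
            if len(q) > max_pushes:
                a = alerts.setdefault(user, {"user": user, "pushes": 0, "approved": False})
                a["pushes"] = max(a["pushes"], len(q))
        elif event == "push_approved" and user in alerts and q:
            alerts[user]["approved"] = True   # burst ended in an approval: likely compromise
    return list(alerts.values())

def should_send_push(push_times, now, max_pushes=3, window=timedelta(seconds=120)):
    """Mitigation: refuse another push once max_pushes have gone out in the window,
    so an attacker cannot keep prompting the user until they give in."""
    in_window = [t for t in push_times if now - t <= window]
    return len(in_window) < max_pushes
```

In practice, an alert with `approved` set should trigger session revocation and password reset for that account, not just a ticket.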