The Hidden Risks of Legacy MFA

Sometimes, it turns out that the answers we struggled so hard to find were sitting right in front of us for so long that we somehow overlooked them.

When the Department of Homeland Security, through the Cybersecurity and Infrastructure Security Agency (CISA), in coordination with the FBI, issues a cybersecurity warning and prescribes specific action, it is a pretty good idea to at least read the joint advisory. In advisory AA24-242A, CISA and the FBI told every organization trying to stop ransomware that it needs to implement phishing-resistant MFA and move away from SMS-based one-time-password (OTP) MFA.

The Best Advice I Never Followed

This year has brought an astonishing surge in ransomware payments, with the average payment increasing roughly fivefold. Per the "State of Ransomware 2024" report from Sophos, the average ransom payment jumped from $400,000 last year to $2 million. Even more troubling, RISK & INSURANCE, an insurance-industry publication, reported that the median ransom demand grew to $20 million in 2023, up from $1.4 million in 2022, while the median amount actually paid rose to $6.5 million from $335,000. Clearly, the imperative to stop ransomware attacks and data breaches is at an all-time high.

This alarming trend highlights the growing sophistication of cyberattacks and the weaknesses inherent in outdated security practices. One of the most exploited weaknesses across organizations is the widespread reliance on legacy multifactor authentication, which is proving ineffective against modern threats. According to CISA, 90% of successful ransomware attacks start with phishing. Once a phishing page has captured the password, the same page captures or relays the one-time code, legacy MFA is defeated, and the rest is history. Hence the mandate to move to phishing-resistant MFA.

We’re All Gonna Die

The rapid rise in ransomware and data breaches has created a daunting challenge for organizations struggling to keep pace with constant waves of novel attacks. This surge is driven by major advances in cybercriminal technique. As many anticipated years ago, generative AI has played a pivotal role in transforming cyberattacks, forcing organizations to rethink their security approaches, but most have not adapted fast enough.

Generative AI lets cybercriminals create highly convincing phishing emails that are very hard for even well-trained users to detect, and correspondingly harder for security teams to defend against. Phishing remains the most common way attackers gain initial access to networks, accounting for nine out of ten ransomware incidents.

Cybercriminals are continually refining their strategies to maximize disruption and extract larger payments from vulnerable organizations. The world was shocked by the roughly two-billion-dollar loss from the Change Healthcare attack. Attackers understand the financial impact of their attacks and leverage it to demand enormous sums, knowing many victims will comply to avoid even greater operational losses.

Generative AI has transformed phishing, enabling cybercriminals to craft realistic, personalized emails free of the spelling and grammatical errors that once gave them away. These attacks often mimic trusted sources, making them extremely difficult to detect. By analyzing publicly available data and imitating a target's writing style, AI-generated phishing has become highly targeted and more effective, diminishing the value of relying on employee training to catch phishing attempts.


Bringing a Knife to a Nuclear War

MFA has been a cornerstone of security for more than two decades, but legacy methods such as one-time passwords (OTP) delivered over SMS are no longer up to the task. Cybercriminals routinely bypass legacy MFA through phishing, SIM swapping, adversary-in-the-middle (AitM) proxies that relay the code to the real site in real time, push-notification fatigue, and more. The common weakness is that any factor a user can read off a screen and type into a web page, or approve without seeing which site requested it, can be captured or relayed by a phishing page just as easily as the password was. Legacy MFA is bypassed in a large share of ransomware intrusions, underscoring its inadequacy in today's environment.

While attacks have evolved, one thing remains constant: user limitations. Humans continue to be the preferred target for cybercriminals. No amount of training will equip the average user with the ability to spot every advanced phishing attempt or deepfake.

Compounding this is the rise of deepfake technology. AI-generated voices and videos are now used to impersonate executives and trusted figures. Attackers use spoofed phone numbers and fake Zoom calls from trusted colleagues to trick employees into transferring funds or sharing credentials. These attacks exploit the trust employees have in familiar voices and faces, making them particularly dangerous.

The tools to carry out these attacks, once considered sophisticated, are now widely available on the dark web and require little technical expertise. What once required skilled hackers is now accessible to almost anyone, thanks to Ransomware-as-a-Service (RaaS) and AI-driven tools. This shift enables even individuals with minimal skills to launch complex cyberattacks, making the threat landscape more dangerous than ever.

The Urgency of Phishing-Resistant, Next-Generation MFA

The adoption of phishing-resistant MFA is no longer just a recommendation; it is essential. Legacy MFA is ineffective against today's attacks. To combat the rising tide of ransomware and data loss, organizations must adopt next-generation, phishing-resistant MFA. These solutions are FIDO2 compliant and typically incorporate biometric authentication such as facial recognition or fingerprints, making them far harder for attackers to compromise. What makes FIDO2 phishing-resistant is not the biometric itself but the protocol: the private key never leaves the authenticator, the authenticator signs a fresh server challenge together with the origin the browser actually connected to, and it will only use a credential registered for that site. A lookalike domain therefore cannot obtain a usable assertion, and a captured assertion cannot be replayed. Hardware-backed, FIDO-compliant authenticators with biometric user verification can dramatically reduce the likelihood of successful phishing and potentially save billions in losses each year.
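To make the difference concrete, here is an added, self-contained example (not code from the article or from any vendor) that models both the legacy OTP relay described in the previous section and the FIDO2/WebAuthn origin binding described above. It uses only the Python standard library: the OTP side is real RFC 6238 TOTP, while the FIDO side stands in for the authenticator's public-key signature with an HMAC over exactly the data a real authenticator signs (the rpIdHash plus the hash of the client data carrying origin and challenge); the origins, rpId and keys are constructed for the illustration.

```python
"""Added example: why a relayed OTP verifies but a relayed FIDO2-style assertion does not.
Stdlib only. The FIDO signature is simulated with HMAC over the same bytes a real
authenticator signs; real authenticators use ECDSA/Ed25519 public-key signatures,
but the origin-binding and challenge checks shown here are the same."""
import hashlib
import hmac
import json
import secrets
import struct
import time

# ---- Legacy MFA: TOTP (RFC 6238), the OTP class the article calls "legacy" ----
def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def legacy_rp_verify(secret: bytes, submitted: str, now: int) -> bool:
    # Typical server: accept the current step and one step either side for clock drift.
    return any(hmac.compare_digest(totp(secret, now + d * 30), submitted) for d in (-1, 0, 1))

def relay_attack_on_otp(secret: bytes, now: int) -> bool:
    # Victim types the code into the phishing page; the proxy forwards it to the real
    # site a few seconds later. Nothing in the code says where the user typed it.
    victim_code = totp(secret, now)
    return legacy_rp_verify(secret, victim_code, now + 5)

# ---- Phishing-resistant MFA: FIDO2/WebAuthn-style assertion (constructed rpId/origins) ----
REAL_ORIGIN = "https://login.example.com"
RP_ID = "login.example.com"

def rp_begin_login() -> bytes:
    return secrets.token_bytes(32)  # fresh challenge, remembered server-side for this session

def browser_and_authenticator(cred_key: bytes, cred_rp_id: str, page_origin: str, challenge: bytes):
    """The browser, not the page, writes the origin into clientData, and the authenticator
    only uses a credential whose rpId matches the page's effective domain."""
    host = page_origin.split("://", 1)[1]
    if host != cred_rp_id and not host.endswith("." + cred_rp_id):
        return None  # no credential registered for this site; the user cannot "approve" anything
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": page_origin}
    ).encode()
    auth_data = hashlib.sha256(cred_rp_id.encode()).digest()  # rpIdHash, as in authenticatorData
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_key, signed, hashlib.sha256).digest()  # stand-in for the public-key signature
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}

def fido_rp_verify(cred_key: bytes, assertion, expected_challenge: bytes) -> bool:
    if assertion is None:
        return False
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("origin") != REAL_ORIGIN:
        return False  # origin binding: assertion was produced for some other site
    if not hmac.compare_digest(bytes.fromhex(cd["challenge"]), expected_challenge):
        return False  # freshness: not the challenge issued for this login
    if not hmac.compare_digest(assertion["auth_data"], hashlib.sha256(RP_ID.encode()).digest()):
        return False
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    return hmac.compare_digest(hmac.new(cred_key, signed, hashlib.sha256).digest(), assertion["sig"])

def relay_attack_on_fido(cred_key: bytes) -> bool:
    challenge = rp_begin_login()  # the proxy fetches a genuine challenge from the real site
    # The victim is on the lookalike domain; the browser records that origin, not the real one.
    assertion = browser_and_authenticator(cred_key, RP_ID, "https://login-example.com", challenge)
    return fido_rp_verify(cred_key, assertion, challenge)

def replay_old_assertion(cred_key: bytes) -> bool:
    # Even a genuine assertion captured earlier is bound to its own challenge.
    old_challenge = rp_begin_login()
    old_assertion = browser_and_authenticator(cred_key, RP_ID, REAL_ORIGIN, old_challenge)
    return fido_rp_verify(cred_key, old_assertion, rp_begin_login())

def legitimate_fido_login(cred_key: bytes) -> bool:
    challenge = rp_begin_login()
    assertion = browser_and_authenticator(cred_key, RP_ID, REAL_ORIGIN, challenge)
    return fido_rp_verify(cred_key, assertion, challenge)

if __name__ == "__main__":
    otp_secret, cred_key = secrets.token_bytes(20), secrets.token_bytes(32)
    print("OTP relayed through proxy accepted:   ", relay_attack_on_otp(otp_secret, int(time.time())))
    print("FIDO assertion via lookalike accepted: ", relay_attack_on_fido(cred_key))
    print("Old FIDO assertion replayed accepted:  ", replay_old_assertion(cred_key))
    print("FIDO login from real origin accepted:  ", legitimate_fido_login(cred_key))
```

The two checks that matter on the server side are the origin comparison and the challenge comparison: a real WebAuthn relying-party library performs both before it even looks at the signature, and skipping either one quietly turns a phishing-resistant deployment back into a phishable one.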

Biometric authentication has become a necessity. Biometric traits such as fingerprints and facial features are unique to each user and cannot be phished out of them like a password or a code. In a FIDO2 authenticator the biometric template never leaves the device; it is used locally to unlock a private key that is bound to the legitimate site, so there is nothing for a phishing page to capture. That combination removes the risks associated with passwords and typed codes and protects against phishing and related social-engineering attacks. Biometrics also offer a seamless, user-friendly experience, reducing human error and support requests while improving security.

Conclusion

The rapid advances in attacker technology, driven by generative AI and the widespread availability of Ransomware-as-a-Service, have exposed critical weaknesses in legacy MFA. Phishing-resistant MFA is no longer a luxury but a necessity in the fight against ransomware and data breaches. Traditional approaches such as SMS-based OTP have proven inadequate against next-generation attacks.

To stay ahead of these new threats, organizations must prioritize implementing phishing-resistant, next-generation MFA solutions that are FIDO2-compliant and use biometric authentication. These solutions not only offer stronger protection but also provide a more user-friendly experience, reducing human error and the risk of phishing. As cybercriminals continue to advance their techniques, shifting to phishing-resistant MFA is essential for safeguarding organizations from increasingly devastating ransomware attacks and data breaches.

Discover how Token’s phishing-resistant, Next-Generation MFA can protect your organization from advanced ransomware and data breaches at tokenring.com

This article is a contributed piece from one of our valued partners.