How can you best secure your online accounts?
For many years, Macktez has been pushing clients to enforce multi-factor authentication (MFA) on every platform where it’s available. By requiring time-based one-use codes in addition to the usual username + password combination for verification, users can protect their online accounts from unauthorized access in the event that their passwords are compromised.
But hackers keep innovating, and there are quite a few ways available today for criminals to trick users into giving away their password and MFA key. The attack vector starts with an email from a legitimate contact (not faked) and leads to a web page that displays a legitimate login screen for a service you use like Google or Microsoft (again, not faked). Unfortunately there’s still a lot of subterfuge going on, and by logging in you are providing a hacker with unfettered access for as long as that service allows a single web browser session to persist (usually something like 14 days, maybe longer).
(Technically these hacks are called “reverse-proxy phishing” and lead to “session token hijacking.” Here’s a pretty good blog post about how this works and why it’s so insidious: https://www.leftbrain.io/blog/legacy-mfa-is-no-longer-keeping-you-safe-heres-what-to-do.)
To protect yourself, you need some new tools added to your old tools.
First, the old tools: your eyes and your brain
Even though the email you received with a link is from someone you know and the email address is not faked in any way, were you expecting that email? Is it normal for this person to reach out with an opportunity that requires you to click a link? Does that link have a URL that you recognize? Are you surprised when the link asks you to sign into your Google/Microsoft/Dropbox account?
Don’t ever follow along blindly — always pay attention to where you are being led and what action you are being asked to take. If your Spidey sense tingles at all, take a step back and reconsider what you’re being asked to do.
In particular, if at any point you are asked to enter credentials, triple-check the URL in your browser. Are you logging into Microsoft at login.live.com or login.llve.com? One of those is a legitimate Microsoft page, but the other one is not a typo — it’s a hacker’s hideout.
New tools to verify your identity
If hackers are innovating, then cybersecurity experts need to innovate too. Luckily, they have, and there are already established tools that can protect users from reverse-proxy phishing attacks.
- Federating user verification to a third-party identity provider breaks the flow of data in a reverse-proxy attack, hiding critical authentication steps from hackers. (Federated identity is a central feature of Macktez Identity Management.)
- Requiring a phishing-resistent authentication method as part of MFA further prevents hackers from getting access to the credentials they need. That means setting aside the MFA tools most people have relied on, like SMS codes, time-based codes generated by apps, and push notifications. Instead, adopt a tool using the WebAuthn protocol that responds only to requests from legitimate websites and bypasses the back-and-forth data transfer that hackers can intercept — tools like fingerprint readers, facial recognition, and physical security keys.
- Adding conditional access policies such as geographical location or IP address verification will lock out hackers from an unauthorized location, even if they do manage to pinch your credentials.
Macktez Identity Management includes all of the above
- Macktez Identity Management relies on JumpCloud as the third-party identity provider. Microsoft, Google, and other online services federated to JumpCloud are redirected to JumpCloud for authentication, which is Step One in thwarting a hacker’s attempt to hijack a session token.
- Step Two is enforcing a feature called JumpCloud Go, which leverages biometric identification on your computer to authorize access to federated online services.
- Step Three, for clients who need additional protection, is to configure any number of conditional access policies at JumpCloud to dramatically reduce the number of ports for entry.
These are the best cybersecurity tools available to your organization right now. Macktez is well-prepared to implement these policies to protect your users from criminals, and to stay prepared for whatever new threats materialize.