99.9% of Compromised Accounts Did Not Use Multi-Factor Authentication, Says Microsoft (zdnet.com)
Speaking at the RSA security conference last week, Microsoft engineers said that 99.9% of the compromised accounts they track every month don't use multi-factor authentication, a solution that stops most automated account attacks. From a report: The cloud giant said it tracks more than 30 billion login events per day and more than one billion monthly active users. Microsoft said that, on average, around 0.5% of all accounts get compromised each month, a number that in January 2020 was about 1.2 million. While all account hacks are bad, they are worse when the account is for enterprise use. Of these highly sensitive accounts, only 11% had a multi-factor authentication (MFA) solution enabled, as of January 2020, Microsoft said. In most cases, the account hacks happen after rather simplistic attacks. The primary source of most hacks of Microsoft accounts was password spraying, a technique in which an attacker picks a common, easy-to-guess password and goes through a long list of usernames until they get a hit and can access an account using that password.
99.9%... (Score:1)
Re: 99.9%... (Score:3)
But .1% really enjoyed getting rammed really hard.
This makes me want to play River City Ransom again.
Re: (Score:2)
a study by microsoft (Score:3)
Re: (Score:3)
Sure. But that's because home users are tricked into signing up for an online account as their computer login and have no idea that their password is open to attack from the Internet. To them, it's a local computer password.
Tell me about the 0.1% (Score:4, Interesting)
"people reuse passwords between websites" isn't news.
But I really want to hear about the 0.1% edge cases. 120,000 accounts that were hacked *with* 2FA piques my interest. SMS? Authenticator? Yubikey?
Re:Tell me about the 0.1% (Score:5, Interesting)
They seem to be particularly fond of it (compared to, say, Google, who has an authenticator app but has made a much more visible push into Yubikey-type fobs); and while, to the best of my knowledge, the implementation is technically sound (MFA challenge is triggered, the authenticator app registered with the account gets the "approve/deny" pop-up; no room for phishing attacks that work if you are fast enough, as with SMS codes or time-based passcodes, where you just need to complete the malicious login before the code expires, which is easy); it suffers from a disconcerting flaw in terms of user behavior:
If people get habituated to periodically having to hit "approve" (as is fairly plausible if they have MFA enabled on their account and are hitting a number of MS services, potentially from more than one device), there's little reason to expect that they won't hit "approve" if someone with stolen credentials triggers the MFA challenge. The app provides no context, so approval requests from your webmail login at home timing out while you are at work look identical to approval requests for some guy in Lagos opening up a programmatic EWS session to strip-mine your contact list and send everyone on it more phishing emails.
By comparison, the FIDO2 stuff is typically used in ways that make it harder to inadvertently approve logins unrelated to what you are doing; and are specifically designed to prevent feeding a one-time password or TOTP or the like to a spoof domain.
Re: Tell me about the 0.1% (Score:2)
Probably spear phishing combined with someone ready to enter the code entered into the phishing account "2FA" field.
Most problem caused by excess security (Score:2)
Sites that are not financial sites do not need real security. Be honest here, what use does Slashdot have for a password? That someone will make obnoxious comments under your username? I do that well enough on my own. ;-D
The prevalence of passwords for social sites creates way too many passwords for people to remember.
And encourages people to leave yourself logged in, which is worse than having no password.
Re: Most problem caused by excess security (Score:1)
Re: (Score:2)
encourages people to leave yourself logged in, which is worse than having no password.
That depends entirely on the physical security of the system.
Re: (Score:1)
Love how you post AC to hide the fact that you just outed yourself as a real coward! Looks like you have TWO reasons for a /. account, now!
If you want to call me a coward, fine but the reason for AC posts is that I'm sure some of my foes wouldn't mind down modding my posts.
Since 2007 I have only made two posts that aren't AC and only since Aug 2019 did one need an account to post AC.
So, I'll clarify, in 2003(?) I created an account for one reason, comment score modifiers. In fact, I once had to trim my foes list because I had reached the max allowed entries.
What's so hard about scrolling past the comment, coward? Too scared to reach for the middle mouse wheel? Does it threaten you?
I like how I get shit for down modding frequent posters but nothing about up modding c
Re: (Score:2)
Really? Then I guess you're OK with letting random strangers look at your medical records and use the data there to steal your identity.
wait, so multifactor was compromised (Score:2)
What I'm reading is they had accounts with MFA in place that still got hacked.
With 99.9% didn't have MFA, no numbers of how many MFA to non-MFA for all accounts, but their subset of enterprise only 11% of them have MFA. So the ratio of safety using MFA looks like too many accounts with MFA are being hacked (while ~10x safer)
99.9% of Compromised Accounts (Score:2)
Just my 2 cents
What percent without 2FA? (Score:3)
Worse than useless (Score:3)
Nice try, MS! (Score:4, Insightful)
Call us, when you got an actual second factor, that actually can improve security.
No, my phone isn't one. It's just the first factor again.
Biometrics? Don't make me laugh, our computer club faked the biometric passport of the politician who pushed them into legislation, from a glass in a cafe and a photo, more than a decade ago.
An actual serious second factor would be e.g. a USB drive with a key, encrypted with a password.
But frankly, I've tried that, and with all the security holes in websites, OSes, software, websites (so bad they have to be listed twice) and even CPUs, it's only annoying security theater.
The simplest solution is to keep your data offline, in your locked home, update your software, and make sure the actual base (CPU, NIC, firmware, drivers, software, networking stack, applications that go online) is secure, before focusing on adding military-grade security features.
But that would go against pusher Microsoft's dream of getting everyone on the "cloud" needle, now would it!
Re: (Score:3)
Gotta say it does seem that the push for two factor authentication is little more than a veiled attempt at data mining.
I mean, less than convenient, but it would make more sense to have the person decide what the second authentication method is. Someone using their cell as ID when that wasn't the approved method is an obvious red flag. Or even pull a Frank Abagnale approach and as ID is first established, discard all other identifying information and two passcodes.
Have the Swiss had problems with identity thef
Re: (Score:3)
Yep - the reason I don't use SMS for 2FA is not because I'm afraid of SS7 spoofing. I just don't want all these providers having my phone number as yet another data point in their monitoring and aggregating arsenal.
Seems low (Score:4, Interesting)
99.99% of accounts don't use 2FA.
Re: (Score:2)
>"99.99% of accounts don't use 2FA."
Yep. And 99% probably don't need it.
Re: (Score:2)
What about regional blocking? (Score:2)
Why do they allow 'password spraying'? (Score:3)
Why not disallow that? Especially if it's from an unfamiliar IP for the given account? 3-5 attempts and move to some other system that requires more comprehensive user verification that would be difficult for a bot?
Seems like a lot more could be done server-side to protect the account.
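The password-spraying pattern the summary describes, and the server-side check this comment asks for, as an added example that is not from the article or any commenter: the script runs over constructed sign-in lines and flags sources with spraying's shape (many distinct accounts, only one or two tries each), which a per-account 3-5 attempt lockout alone never trips. The log field layout, thresholds and IP addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records: "<ISO time> <src_ip> <username> <result>".
# 203.0.113.7 sprays one guess across six accounts and lands on "frank"; 198.51.100.9
# hammers a single account (brute force, per-account lockout territory); 192.0.2.5 mistyped once.
SAMPLE_LOG = """\
2020-01-15T09:00:01 203.0.113.7 alice FAIL
2020-01-15T09:00:09 203.0.113.7 bob FAIL
2020-01-15T09:00:17 203.0.113.7 carol FAIL
2020-01-15T09:00:25 203.0.113.7 dave FAIL
2020-01-15T09:00:33 203.0.113.7 erin FAIL
2020-01-15T09:00:41 203.0.113.7 frank SUCCESS
2020-01-15T09:01:00 198.51.100.9 carol FAIL
2020-01-15T09:01:01 198.51.100.9 carol FAIL
2020-01-15T09:01:02 198.51.100.9 carol FAIL
2020-01-15T09:02:00 192.0.2.5 alice FAIL
2020-01-15T09:02:20 192.0.2.5 alice SUCCESS
"""

def parse(log_text):
    """(timestamp, src_ip, username, result) tuples, oldest first."""
    rows = [line.split() for line in log_text.splitlines()]
    return sorted((datetime.fromisoformat(ts), ip, u, r) for ts, ip, u, r in rows)

def detect_spraying(log_text, window=timedelta(minutes=10),
                    min_accounts=5, max_per_account=2):
    """Flag sources touching >= min_accounts distinct usernames inside `window` while never
    exceeding max_per_account tries on any one: low per-account volume, high account breadth."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in parse(log_text):
        by_ip[ip].append((ts, user, result))
    findings = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:  # slide the time window
                start += 1
            per_user = defaultdict(int)
            for _, user, _ in attempts[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                f = findings.setdefault(ip, {"accounts_tried": 0, "logged_in_as": set()})
                f["accounts_tried"] = max(f["accounts_tried"], len(per_user))
                f["logged_in_as"] |= {u for _, u, r in attempts[start:end + 1] if r == "SUCCESS"}
    return {ip: {**f, "logged_in_as": sorted(f["logged_in_as"])} for ip, f in findings.items()}
```

The brute-force source and the mistyping user are left alone, since per-account lockout is the right control for the first and nothing is wrong with the second; a successful login from a flagged source is the "hit" the article describes and is the session to revoke.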
Microsoft says (Score:2)
We would like to force you to give us your phone number. Our data mining records are not good enough.
They were forced to create those accounts (Score:1)