Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Microsoft IT Technology

99.9% of Compromised Accounts Did Not Use Multi-Factor Authentication, Says Microsoft (zdnet.com) 30

Speaking at the RSA security conference last week, Microsoft engineers said that 99.9% of the compromised accounts they track every month don't use multi-factor authentication, a solution that stops most automated account attacks. From a report: The cloud giant said it tracks more than 30 billion login events per day and more than one billion monthly active users. Microsoft said that, on average, around 0.5% of all accounts get compromised each month, a number that in January 2020 was about 1.2 million. While all account hacks are bad, they are worse when the account is for enterprise use. Of these highly-sensitive accounts, only 11% had a multi-factor authentication (MFA) solution enabled, as of January 2020, Microsoft said. In most cases, the account hacks happen after rather simplistic attacks. The primary sources of most hacks of Microsoft accounts was password spraying, a technique during which an attacker picks a common and easy-to-guess password, and goes through a long list of usernames until they get a hit and can access an account using said password.
This discussion has been archived. No new comments can be posted.

99.9% of Compromised Accounts Did Not Use Multi-Factor Authentication, Says Microsoft

Comments Filter:
  • 99.9% of all made up statistics use 99.9% as the percentage.
    • But .1% really enjoyed getting rammed really hard.

      This makes me want to play river city random again.

    • It's also a self-fulfilling prophecy: 100.0% of the compromised accounts didn't use stool-sample-biometrics for protection. That doesn't mean that adding that shit would have worked, or made them safer, just that no-one used it in the first place.
  • by FudRucker ( 866063 ) on Friday March 06, 2020 @07:29PM (#59805134)
    how much you want to bet all those compromised accounts were being accessed by someone using MS_Windows, it was more than likely because of a compromised MS_Windows operating system
    • Sure. But that's because home users are tricked into signing up for an online account as their computer login and have no idea that their password is open to attack from the Internet. To them, it's a local computer password.

  • by 0100010001010011 ( 652467 ) on Friday March 06, 2020 @07:31PM (#59805138)

    "people reuse passwords between websites" isn't news.

    But I really want to hear about the 0.1% edge cases. 120,000 accounts that were hacked *with* 2FA piques my interest. SMS? Autheticator? Yubikey?

    • by fuzzyfuzzyfungus ( 1223518 ) on Friday March 06, 2020 @07:59PM (#59805188) Journal
      Unfortunately Microsoft would have to break the numbers down for us; but I'd be inclined to suspect Authenticator.

      They seem to be particularly fond of it(compared to, say, Google, who has an authenticator app but has made a much more visible push into yubikey type fobs); and while, to the best of my knowledge, the implementation is technically sound(MFA challenge is triggered, authenticator app registered with account gets the "approve/deny" pop-up; no room for fishing attacks that work if you are fast enough, as with SMS codes or time-based passcodes, where you just need to complete the malicious login before the code expires, which is easy); but suffers from a disconcerting flaw in terms of user behavior:

      If people get habituated to periodically having to hit "approve"(as is fairly plausible if they have MFA enabled on their account and are hitting a number of MS services potentially from more than one device); there's little reason to expect that they won't hit "approve" if someone with stolen credentials triggers the MFA challenge. The app provides no context, so approval requests from your webmail login at home timing out while you are at work look identical to approval requests for some guy in Lagos opening up a programmatic EWS session to strip-mine your contact list and send everyone on it more phishing emails.

      By comparison, the FIDO2 stuff is typically used in ways that make it harder to inadvertently approve logins unrelated to what you are doing; and are specifically designed to prevent feeding a one-time password or TOTP or the like to a spoof domain.
    • Probably spear phishing combined with someone ready to enter the code entered into the phishing account "2FA" field.

  • Sites that are not financial sites do not real security. Be honest here, what use does Slashdot have for a password? That someone will make obnoxious comments under your username? I do that well enough on my own. ;-D

    The prevalence of passwords for social sites creates way too many passwords for people to remember.

    And encourages people to leave yourself logged in, which is worse than having no password.

    • Create a standard using something consistent about every page you go to such as 3rd letter of url in caps+a personal pin/password+last letter of url in lower case+symbol. You could use the first three letters of your favorit product on the site, it doesn't matter. Just consistent. It doesn't have to be rocket science to make a fairly decent password unique to each site.
    • encourages people to leave yourself logged in, which is worse than having no password.

      That depends entirely on the physical security of the system.

    • Sites that are not financial sites do not real security.

      Really? Then I guess you're OK with letting random strangers look at your medical records and use the data there to steal your identity.
  • What I'm reading is they had accounts with MFA in place that still got hacked.

    With 99.9% didnt have MFA, no numbers of how many MFA to non MFA for all accounts, but their subset of enterprise only 11% of them have MFA. So the ratio of safety using MFA looks liek to many accounts with MFA are being hacked (while ~10x safer)

  • did not have current strong passwords. And I am guessing ;) Who do you trust more?

    Just my 2 cents ;)
  • by nasor ( 690345 ) on Friday March 06, 2020 @08:30PM (#59805246)
    Without knowing what percentage of all accounts have 2FA, this statistic is useless.
    • It's worse than useless because the stat is being used in a downright deceptive manner. It's implying that 2FA is helpful to account safety because only 0.1% of hacked accounts used it. That may very well be true. But it's premature to reach that conclusion.
      • If, say, 0.5% of accounts used 2FA, then that would mean an account with 2FA is 5x more likely to be hacked than an account without it. Which would imply that 2FA makes security worse than no 2FA. e.g. Maybe owners of accounts who use 2FA use easier
  • Nice try, MS! (Score:4, Insightful)

    by BAReFO0t ( 6240524 ) on Friday March 06, 2020 @08:30PM (#59805248)

    Call us, when you got an actual second factor, that actually can improve security.

    No, my phone isn't one. It's just the first factor again.
    Biometrics? Don't make me laugh, our computer club faked the biometric passport of the politician who pushed them into legislation, from a glass in a cafe and a photo, more than a decade ago.

    An actual serious second factor would be e.g. an USB drive with a key, encrypted with a password.

    But frankly, I've tried that, and with all the security holes in websites, OSes, software, websites (so bad they have to be listed twice) and even CPUs, it's only annoying security theater.

    The simplest solution is to keep your data offline, in your locked home, update your software, and make sure the actual base (CPU, NIC, firmware, drivers, software, networking stack, applications that go online) is secure, before focusing on adding military-grade security features.

    But that would go against pusher Microsoft's dream of getting everyone on the "cloud" needle, now would it!

    • Gotta say it does seem that the push for two factor authentication is little more a veiled attempt at data mining.

      I mean, less than convenient, but it would make more sense to have the person decide what the second authentication method is. Some one using their cell as ID when that wasn't the approved method is an obvious read flag. Or even pull a Frank Abagnale approach and as ID is first established, discard all other identifying information and two passcodes.

      Have the Swiss had problems with identity thef

      • Yep - the reason I don't use SMS for 2FA is not because I'm afraid of SS7 spoofing. I just don't want all these providers having my phone number as yet another data point in their monitoring and aggregating arsenal.

  • Seems low (Score:4, Interesting)

    by ubergeek65536 ( 862868 ) on Friday March 06, 2020 @09:32PM (#59805334)

    99.99% of accounts don't use 2FA.

  • Interesting that 2FA doesn't fix everything. How about regional blocking? I'm not going to Russia (or China or ...); why is it that there is no viable means of regional blocking in place? Not only for MS accounts, but banking accounts as well.
  • by Vegan Cyclist ( 1650427 ) on Saturday March 07, 2020 @12:38AM (#59805564) Homepage

    Why not disallow that? Especially if it's from an unfamiliar IP for the given account? 3-5 attempts and move to some other system that requires more comprehensive user verification that would be difficult for a bot?

    Seems like a lot more could be done server-side to protect the account.

  • We would like to force you give us your phone number. Our data mining records are not good enough.

  • A friend of mine who isn't computer illiterate once told me he wanted to create a local windows account for his kids, but he couldn't because windows demanded he made a Microsoft account. It turns out you could, but the "button" to choose the account to be local is very well hidden. Even i couldn't see it at first. So people create these accounts because they felt forced to create them. They don't actually care about them so they choose not to secure them with 2FA.

Every nonzero finite dimensional inner product space has an orthonormal basis. It makes sense, when you don't think about it.

Working...