A Must-Have for Protecting Yourself Online

By John B. Folkerts, CISSP, Information Security Manager, Canandaigua National Bank & Trust

Movies are filled with depictions of computer hackers obtaining quick access to their target systems by guessing or cracking a password. In reality, it’s even easier: often the cyber attacker simply needs to send an email or text requesting a password. Anyone can fall for a trick like that if they are caught off-guard. This is known as “phishing,” and it is the number one way that today’s cyber security defenses crumble.

33% of internet users 65 years and older are using MFA to protect their private information, financial accounts, or email accounts.

So what can be done to protect yourself? Enter MFA. Multi-factor Authentication, or MFA, is frequently an option for your most important online accounts, yet not everyone uses it. According to security provider Duo, 53% of the internet population has multi-factor authentication enabled. And while adoption of MFA is higher among the younger population, 33% of internet users 65 years and older are using MFA to protect their private information, financial accounts, and email accounts. This leaves a sizeable portion of internet users exposed.

What is MFA?

Multi-factor Authentication is a logon process that relies on more than one factor to authenticate you to an online system. Typically, MFA options include at least two of the following:

  1. What you know (e.g. password)
  2. What you have (e.g. mobile device, security token)
  3. Who you are (e.g. fingerprint)

So if you have signed up for a website with both a password and an SMS text to your mobile phone, that is MFA using factors #1 and #2 (what you know and what you have).

Does MFA work?

Yes, MFA works! After deploying MFA tokens to all of their 85,000 employees in 2018, Google announced that their phishing problem had practically disappeared. Even a mistaken disclosure of a password was not sufficient to give an attacker access. Additionally, in 2020, security research team IBM X-Force documented that some threat actors “immediately abandoned operations after encountering an MFA prompt.” MFA is too much trouble to hack.

Password only?

Thoughtlessly re-using a password even once could put your private data in jeopardy.

Maybe you’ve been counting on your password alone to do the work of protecting your online account. And maybe you don’t consider phishing to be a serious threat to you personally. However, how will you protect your password once you’ve shared it with any given website on the Internet? Website breaches are common. One Internet security website has documented over 11 billion accounts and passwords exposed in public Internet breaches. Those breached passwords are continually tested by attackers, so thoughtlessly re-using a password even once could put your private data in jeopardy.

How do I get started with MFA?

Make a list of important websites that you use: financial, healthcare, and don’t forget email and telecom providers (since these are often used for password resets). Check the security options in your user profile that can be enabled for MFA or “two-factor.” To prevent lockout, make sure you have appropriate backup options turned on (e.g. a spouse’s mobile phone, a backup token, or backup codes).

You may hear debate on which MFA option is most secure, but do not let that dissuade you from picking one of your MFA options. Any MFA is better than no MFA. Do your part to lock down your online accounts. Sign up now!