
Microsoft: Using multi-factor authentication blocks 99.9% of account hacks

August 27, 2019
in Internet Security

Microsoft says that users who enable multi-factor authentication (MFA) for their accounts will end up blocking 99.9% of automated attacks.

The recommendation stands not only for Microsoft accounts but also for any other profile, on any other website or online service.

If the service provider supports multi-factor authentication, Microsoft recommends using it, regardless of whether it’s something as simple as SMS-based one-time passwords or advanced biometrics solutions.

“Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA,” said Alex Weinert, Group Program Manager for Identity Security and Protection at Microsoft.

Passwords don’t matter anymore

Weinert said that old advice like “never use a password that has ever been seen in a breach” or “use really long passwords” doesn’t really help.

He should know. Weinert was one of the Microsoft engineers who worked to ban passwords that became part of public breach lists from Microsoft’s Account and Azure AD systems back in 2016. As a result of his work, Microsoft users who were using or tried to use a password that was leaked in a previous data breach were told to change their credentials.

But Weinert said that despite blocking leaked credentials or simplistic passwords, hackers continued to compromise Microsoft accounts in the following years.

He attributed this to the fact that passwords or their complexity don’t really matter anymore. Nowadays, hackers have different methods at their disposal to get their hands on users’ credentials, and in most cases, the password doesn’t matter.

| Attack | Also known as . . . | Frequency | Difficulty: Mechanism | User assists attacker by . . . | Does your password matter? |
|---|---|---|---|---|---|
| Credential Stuffing | Breach replay, list cleaning | Very high – 20+M accounts probed daily in MSFT ID systems | Very easy: Purchase creds gathered from breached sites with bad data at rest policies, test for matches on other systems. List cleaning tools are readily available. | Being human. Passwords are hard to think up. 62% of users admit reuse. | No – attacker has exact password. |
| Phishing | Man-in-the-middle, credential interception | Very high. 0.5% of all inbound mails. | Easy: Send emails that promise entertainment or threaten, and link user to doppelganger site for sign-in. Capture creds. Use Modlishka or similar tools to make this very easy. | Being human. People are curious or worried and ignore warning signs. | No – user gives the password to the attacker |
| Keystroke logging | Malware, sniffing | Low. | Medium: Malware records and transmits usernames and passwords entered, but usually everything else too, so attackers have to parse things. | Clicking links, running as administrator, not scanning for malware. | No – malware intercepts exactly what is typed. |
| Local discovery | Dumpster diving, physical recon, network scanning. | Low. | Difficult: Search user’s office or journal for written passwords. Scan network for open shares. Scan for creds in code or maintenance scripts. | Writing passwords down (driven by complexity or lack of SSO); using passwords for non-attended accounts | No – exact password discovered. |
| Extortion | Blackmail, Insider threat | Very low. Cool in movies though. | Difficult: Threaten to harm or embarrass human account holder if credentials aren’t provided. | Being human. | No – exact password disclosed |
| Password spray | Guessing, hammering, low-and-slow | Very high – accounts for at least 16% of attacks. Sometimes 100s of thousands broken per day. Millions probed daily. | Trivial: Use easily acquired user lists, attempt the same password over a very large number of usernames. Regulate speed and distribute across many IPs to avoid detection. Tools are readily and cheaply available. See below. | Being human. Using common passwords such as qwerty123 or Summer2018! | No, unless it is in the handful of top passwords attackers are trying. |
| Brute force | Database extraction, cracking | Very low. | Varies: Penetrate network to extract files. Can be easy if target organization is weakly defended (e.g. password only admin accounts), more difficult if appropriate defenses of database, including physical and operation security, are in place. Perform hash cracking on password. Difficulty varies with encryption used. See below. | None. | No, unless you are using an unusable password (and therefore, a password manager) or a really creative passphrase. See below. |

With over 300 million fraudulent sign-in attempts targeting Microsoft cloud services every day, Weinert says that enabling a multi-factor authentication solution blocks 99.9% of these unauthorized login attempts, even if hackers have a copy of a user’s current password.

The 0.1% number accounts for more sophisticated attacks that use technical solutions for capturing MFA tokens, but these attacks are still very rare when compared to the daily hum of credential stuffing botnets.
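The table's password-spray row describes a pattern that per-IP or per-account lockout counters miss: one or two failures per account, spread over many accounts and many source addresses. The sketch below is an added example, not code from Microsoft or from the original article; it separates that pattern from repeated guessing against a single account in a constructed sign-in log. The log format, thresholds and function names are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed log slice: "<time> <source IP> <user> <result>".
# IPs are RFC 5737 documentation addresses; usernames are made up.
SAMPLE = [
    "2019-08-27T09:00:05 192.0.2.10 alice FAIL",
    "2019-08-27T09:00:40 198.51.100.7 bob FAIL",
    "2019-08-27T09:01:15 203.0.113.3 carol FAIL",
    "2019-08-27T09:01:50 192.0.2.44 dave FAIL",
    "2019-08-27T09:02:30 198.51.100.9 erin FAIL",
    "2019-08-27T09:03:05 203.0.113.8 frank FAIL",
    "2019-08-27T09:03:10 192.0.2.77 grace OK",
] + [f"2019-08-27T09:20:{s:02d} 192.0.2.200 heidi FAIL" for s in range(0, 30, 5)]


def parse(line):
    """Split one log line into (timestamp, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def find_patterns(lines, window=timedelta(minutes=10),
                  min_users=5, max_per_user=2, hammer=5):
    """Flag spray targets and hammered accounts among failed sign-ins.

    Source IP is deliberately ignored when grouping: a spray is spread
    over many addresses, so per-IP counters never reach a threshold.
    """
    fails = sorted(e for e in map(parse, lines) if e[3] == "FAIL")
    sprayed, hammered = set(), set()
    for i, first in enumerate(fails):
        # Sliding window that starts at each failed attempt in turn.
        in_win = [e for e in fails[i:] if e[0] - first[0] <= window]
        per_user = Counter(user for _, _, user, _ in in_win)
        # Spray: many accounts, each tried only once or twice.
        low = {u for u, n in per_user.items() if n <= max_per_user}
        if len(low) >= min_users:
            sprayed |= low
        # Guessing at one account: many failures for the same user.
        hammered |= {u for u, n in per_user.items() if n >= hammer}
    return {"spray_targets": sorted(sprayed - hammered),
            "hammered": sorted(hammered)}


if __name__ == "__main__":
    print(find_patterns(SAMPLE))
```

Each of the six sprayed accounts saw a single failure from a different address, so only the cross-account count in the time window exposes the activity.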

Google said the same thing in May

Microsoft’s boast that using MFA blocks 99.9% of automated account takeover (ATO) attacks isn’t the first of its kind.

Back in May, Google said that users who added a recovery phone number to their accounts (and indirectly enabled SMS-based MFA) were also improving their account security.

“Our research shows that simply adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks that occurred during our investigation,” Google said at the time.

When both Google and Microsoft are recommending the same thing, it’s probably a good time to start following their advice.

Credit: Zdnet


© 2019 NikolaNews.com - Global Tech Updates
