CYBER SECURITY

MFA Fatigue: The Sneaky Hacker Trick That's Like a Persistent Fly


Hacker Fly, Designed by Author using Midjourney

Picture this: you're chilling out, sipping a cup of coffee, watching YouTube on a sunny Saturday morning. Suddenly, your phone buzzes with a notification. "Great," you mumble, having expected a fun meme or a heartwarming message from a friend.

But alas, it's just another MFA code, staring back at you like an insistent fly that just won't buzz off.

You scratch your head and wonder, "Did I really request this code again?"

You didn’t.

Hackers are hiding behind a digital bush, waiting for you to mindlessly tap "Approve" just to swat the message away and get back to watching Good Mythical Morning. You might think you’re nimble enough to wiggle out of this attack.

You’re not.

Imagine now that it’s the middle of the night. You are sleeping, dreaming about going to the Bahamas with your cat, Gerald. Your phone buzzes. And buzzes. And buzzes. In your best morning voice, you croak out a few curse words and finally pick up your phone, click whatever button looks like it will let you and Gerald drift back off to the Bahamas, and close your eyes.

Even the best of us could fall for that one. Catch any one of us in a weak moment and we could be toast.

MFA (Multi-Factor Authentication) fatigue is a pesky hacker technique whose main weapon is being annoyingly persistent. It's like being stuck in an endless loop of verification pop-ups. Approve, deny, approve, deny – you start to wonder if you're trapped in a digital Groundhog Day. But fear not, there's a simple antidote to MFA fatigue: mindfulness.

Pause, take a breath, and ask yourself if you initiated this request. It's like donning a helmet to protect yourself from that pesky fly buzzing around your head.

For real though, there is a more practical thing you can do, so that you don’t have to channel your inner Zen master to protect your digital kingdom while fighting off an army of authentication messages at midnight:


Switch your accounts to use MFA methods that require a code entry instead of just a verification click. That way, your account will only be accessed by whoever has access to the authentication app or email address or phone number that the code is sent to. In other words, by you.

Also, never ever re-use passwords (that way, if your password is guessed for one platform, they will not immediately have access to anything else).
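If you run the sign-in system rather than just the phone, the "persistent fly" pattern is easy to spot in MFA logs. The sketch below is an added example, not part of the original post: the event format, the user names, the 10-minute window and the threshold of 3 are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): time, user, push result.
SAMPLE_EVENTS = [
    ("2024-01-13T02:10:05", "gerald.owner", "denied"),
    ("2024-01-13T02:10:40", "gerald.owner", "timeout"),
    ("2024-01-13T02:11:15", "gerald.owner", "denied"),
    ("2024-01-13T02:12:02", "gerald.owner", "timeout"),
    ("2024-01-13T02:12:30", "gerald.owner", "approved"),
    ("2024-01-13T09:00:00", "office.admin", "approved"),
    ("2024-01-13T13:30:00", "office.admin", "denied"),
]

WINDOW = timedelta(minutes=10)   # assumed look-back window
MAX_UNANSWERED = 3               # assumed number of rejected prompts that is suspicious


def find_push_fatigue(events, window=WINDOW, threshold=MAX_UNANSWERED):
    """Return (user, time, severity) alerts for bursts of rejected push prompts.

    "medium": the burst itself. "high": an approval arriving right after the
    burst, which is what a worn-down user tapping "Approve" looks like.
    """
    recent = defaultdict(list)   # user -> times of recent denied/timed-out prompts
    alerts = []
    for stamp, user, result in sorted(events):
        now = datetime.fromisoformat(stamp)
        # Forget rejected prompts that have aged out of the window.
        recent[user] = [t for t in recent[user] if now - t <= window]
        if result in ("denied", "timeout"):
            recent[user].append(now)
            if len(recent[user]) == threshold:   # alert once per burst
                alerts.append((user, stamp, "medium"))
        elif result == "approved":
            if len(recent[user]) >= threshold:
                alerts.append((user, stamp, "high"))
            recent[user].clear()
    return alerts


if __name__ == "__main__":
    for alert in find_push_fatigue(SAMPLE_EVENTS):
        print(alert)
```

A "high" alert is the one to act on first: end that session and reset the password, since the prompts only start once the password is already known.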

We want you to enjoy your coffee with Rhett and Link in peace. If you manage a local business and have any questions about cybersecurity, or would like a free quote for our managed services, you are always welcome to reach out using this form.

Cyber Insurance - Does your Fraser Valley Business Need It?

Recently, insurance companies in Abbotsford and across the country have been changing their cyber insurance policies to require that insured companies implement multi-factor authentication (MFA) and have an emergency data breach plan.

They are tightening their requirements to make sure fewer breaches happen, and that a swift and efficient procedure takes place right away when they do.

What does this say to us, as customers, employees, business owners and technology users?

A goal of insurance companies is to not have any claims. The requirements in their policies are designed to prevent as many disasters as possible. Claims cost them deeply! This means that their recommendations are based on carefully monitored statistics, so that they can ensure that you truly are as protected as possible. Companies that provide cyber insurance specifically will typically have excellent testing systems to see if your data breach plan and your security systems are working the way they should. After an unsuccessful test, they can provide really helpful feedback on how to strengthen security systems.

Try getting a quote from a local insurance company in Chilliwack or Abbotsford so you can understand your risks, test your security systems and ensure your company’s protection.

We love insurance companies, and highly recommend cyber insurance for all our clients. We’d way rather make our money keeping you secure, instead of putting out lethal security fires.

You are always welcome to contact us for a free quote for your company’s data security, and data breach plans.

How to Protect Yourself Against Identity Theft

We regularly seek to inform you about the dangers of phishing and malware attacks, and how failure to protect against or respond quickly to them could be lethal to your company.

Our friends over at Terravista Tech wrote an informative article sharing the story of the identity theft of a local business here in Chilliwack. The attackers stole the email addresses of the company and used them to send phishing emails to clients and other companies, until Microsoft locked down all of their email for the entire company. Recovering from this attack was a hailstorm.

All the hackers needed to cause this damage was a password, and unfortunately many companies still have very basic password systems such as (company name)(year). Other hackers might only need one small piece of information, such as your birthday, your SIN (social security number), or your dog’s name to gain access to highly sensitive information. Sometimes, a person’s identity might be compromised for years before they notice, if the thief works slowly in order to be undetected. 

Here’s how to make sure this does not happen to you, or your company.

Boost your Security

Hire a professional IT company for your company. They will make sure your software is always up to date with security patches, and that your information security system is as good as possible. They will make sure you have managed antivirus software.

You can make sure to be on top of these things for your personal computer as well. Always install computer updates, use MFA (Multi-Factor Authentication) on your accounts, and use legitimate antivirus software. On top of that, you can make sure to never turn off your firewall, and protect your wireless router with a strong password.

Don’t Overshare or Underestimate

It’s tempting to send important information over email or text, but it’s not worth the risks. We have all likely been guilty of sending personal information over apps such as Instagram, Snapchat, or WhatsApp as well! It's easy to think that just once will probably be safe enough, and so we overshare on these platforms, and underestimate the abilities of hackers.

Even on social media, many of us share regular updates of our families (revealing your mother’s maiden name, maid of honour's first name, or dog’s name), celebrations (birthdate, father’s birth year, our high school reunion), and more. This gives hackers the information they need to pass security checks even on the most important accounts such as your CRA login or your bank account, or your company Microsoft account. Oversharing reveals that you underestimate what hackers are capable of. We have seen local businesses shut down, or be forced to navigate hundreds of thousands to even millions of dollars in losses over hacks like this.

If you want to ensure your business is protected from identity theft, call a local IT support company for an assessment of your company’s security, and a consultation on how to potentially improve it.

We offer initial consultations free of charge, so feel free to contact us if you are a local company looking for support in this way!

Your Data is More At Risk During The Holiday Season in The Fraser Valley

Holidays are a time of joy and celebration for most, but for hackers and cybercriminals, they present a unique opportunity. As a small IT company in Abbotsford, BC, dedicated to providing IT services and tech support, we want to shed light on why your data is at greater risk during the holiday season.

Unmasking the Cyber Grinch

Hackers and cybercriminals view holidays through a different lens, and it's not because they enjoy festivities. Instead, they see holidays as a potentially easier payday. US authorities, including the FBI and CISA (Cybersecurity and Infrastructure Security Agency), have issued warnings regarding a concerning trend. They've observed a connection between the holiday season and a surge in serious cyberattack attempts.

In 2021, serious attacks coincided with holidays such as Mother's Day, Memorial Day, and Independence Day. While the timing seemed to revolve around US holidays, these attacks occurred in multiple countries. The reason is quite straightforward: people are often distracted during holidays. Their thoughts are elsewhere, and many offices are either empty or operating with skeleton crews. Companies may let down their guard, inadvertently becoming more vulnerable to cyberattacks.

'Tis the Season for Cyber Threats

As we enter the holiday season, cyber threats become even more prominent. The Cyber Grinch is expected to make an appearance, targeting businesses worldwide. Beyond the digital realm, there is also a surge in "traditional" theft, including burglaries and vehicle break-ins, during this festive period.

So, what proactive steps can you take to protect your business data during this holiday season? Here are some key suggestions:

  1. Disaster Response Plan: Ensure your organization has a robust disaster response plan in place, and make sure everyone within the company is familiar with it.

  2. Staff Training: Train your staff to be extra vigilant when it comes to opening potentially dangerous links or attachments.

  3. Software Updates: Regularly update and patch all software and operating systems to address vulnerabilities.

  4. Anti-Virus Software: Implement reliable anti-virus software and perform regular scans to detect and remove potential threats.

  5. Password Security: Enforce the use of strong passwords and multi-factor authentication to enhance login security.

  6. Device Security: Avoid leaving devices unattended in vehicles, as smartphones and electronics are highly sought-after targets for theft. If you have no choice, never leave valuables in plain view within your vehicle.

  7. Offline Data Backups: Creating offline backups of your data is a smart practice that every company should adopt. It's not only the most cost-effective way to recover from a ransomware attack but also offers peace of mind.

If you're a business in the BC Fraser Valley seeking comprehensive cybersecurity solutions, we're here to help. Contact us to fortify your defenses and ensure your data remains secure during the holiday season and beyond.

Protecting Your Business in Abbotsford from Password Spraying Attacks

Hackers thrive on exploiting bad user habits. It simplifies their job and opens the door to a rising threat known as Password Spraying. As a small IT company in Abbotsford, BC, specializing in IT services and tech support, we aim to shed light on this cybersecurity issue and how you can safeguard your business.

Unmasking Password Spraying

Password Spraying is a form of brute-force attack employed by cybercriminals. In traditional brute-force attacks, hackers attempt to gain access to a specific account by trying numerous passwords. Some even go a step further by conducting research, scouring users' social media profiles for personal information like family names or pet names—common choices for passwords. It's astonishing how much can be gleaned from a brief online search.

To counter these attacks, many organizations now implement security measures such as locking an account after a certain number of failed login attempts (typically 3 to 5).

However, hackers have adapted. Password spray attacks involve two primary tactics.

Type 1: "Low and Slow"

In this approach, cybercriminals start by compiling a list of usernames to target, which is often straightforward due to the structured email formats used by organizations (e.g., firstinitial.lastname@companyname.com). With a list of employee names, they have a pool of potential login usernames.

Next, they "spray" these usernames with a single common password, like "password" or "123456." Occasionally, they get more cunning by incorporating local references, such as "canucks," for a Vancouver-based company. They continue this process until they find a match.

Hackers particularly favor companies or systems with central administrators or apps that set default passwords for new users. Some users may forget to change their passwords during their first login, creating opportunities for cybercriminals.
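Because a "low and slow" spray keeps every account under the lockout limit, the lockout counter never fires; what gives it away is one source failing against many different accounts. The following is an added example, not part of the original article: the log format, the usernames, the alert threshold and grouping by source address are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

LOCKOUT_THRESHOLD = 5    # per-account lockout, top of the "3 to 5" range above
MIN_SPRAYED_USERS = 4    # assumed: distinct accounts from one source that raise an alert

# Constructed sample records: (source_ip, username, outcome).
# 203.0.113.0/24 and 198.51.100.0/24 are reserved documentation ranges.
SAMPLE_LOGINS = [
    ("203.0.113.7", "a.nguyen", "fail"),
    ("203.0.113.7", "b.singh", "fail"),
    ("203.0.113.7", "c.martin", "fail"),
    ("203.0.113.7", "d.wong", "fail"),
    ("203.0.113.7", "e.friesen", "success"),
    ("198.51.100.20", "b.singh", "fail"),      # one user mistyping a password
    ("198.51.100.20", "b.singh", "fail"),
    ("198.51.100.20", "b.singh", "success"),
]


def detect_spraying(logins, min_users=MIN_SPRAYED_USERS, lockout=LOCKOUT_THRESHOLD):
    """Flag sources that fail against many accounts while staying under lockout."""
    fails = defaultdict(lambda: defaultdict(int))   # ip -> user -> failed attempts
    wins = defaultdict(set)                          # ip -> users that logged in
    for ip, user, outcome in logins:
        if outcome == "fail":
            fails[ip][user] += 1
        else:
            wins[ip].add(user)

    findings = []
    for ip, per_user in fails.items():
        # Spraying is breadth across accounts with no single account near lockout.
        if len(per_user) >= min_users and max(per_user.values()) < lockout:
            findings.append({
                "source": ip,
                "accounts_tried": sorted(per_user),
                # Any login that succeeded from a spraying source needs a reset.
                "accounts_to_reset": sorted(wins[ip]),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_spraying(SAMPLE_LOGINS):
        print(finding)
```

Run it over as long a period of sign-in logs as you keep, since a patient spray may touch each account only once every few days.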

Type 2: "Availability and Reuse"

The second type of spray attack relies on compromised login credentials obtained from the dark web. Attackers exploit the widespread habit of using the same passwords across multiple sites.

Protecting Your Business

To avoid falling victim to Password Spraying attacks, consider these protective measures:

  1. Two or Multi-Factor Authentication (2FA or MFA): Implement 2FA or MFA to ensure that passwords are just one part of the login process, adding an extra layer of security.

  2. Strong Password Training: Train and enforce the use of robust, unique passwords among your employees to deter password spraying attempts.

  3. Avoid Default Passwords: Do not use default passwords for first-time users; otherwise, force a password change during the initial login. Encourage users to create their own unique passwords.

  4. Password Reset Procedures: Ensure that your system administrators have clear procedures in place for users who have been locked out and need password resets.

If you are a business owner in Chilliwack, Abbotsford, Langley, or the surrounding area and require assistance in fortifying your systems against cyber threats, please don't hesitate to get in touch. We are here to help you enhance your cybersecurity defenses.