Security News

MFA Glitch Leads to 6K+ Coinbase Customers Getting Robbed
2021-10-01 20:08

The accounts of at least 6,000 Coinbase customers were robbed of funds after attackers bypassed the cryptocurrency exchange's multi-factor authentication. The attacker(s) used a flaw in Coinbase's account recovery process to seize the SMS two-factor authentication tokens needed to break into customers' accounts and transfer funds to crypto wallets unassociated with Coinbase.

Hackers rob thousands of Coinbase customers using MFA flaw
2021-10-01 14:32

Crypto exchange Coinbase disclosed that a threat actor stole cryptocurrency from 6,000 customers after using a vulnerability to bypass the company's SMS multi-factor authentication security feature. In a notification sent to affected customers this week, Coinbase explains that between March and May 20th, 2021, a threat actor conducted a hacking campaign to breach Coinbase customer accounts and steal cryptocurrency.

Microsoft 365 MFA outage locks users out of their accounts
2021-09-28 15:19

Microsoft is investigating an ongoing Multi-Factor Authentication issue preventing some customers from logging into their Microsoft 365 accounts. "We're investigating an issue with Multi-Factor Authentication that is preventing some users from accessing Microsoft 365 services. Additional information will be provided in the admin center under MO287933," the company tweeted.

ManageEngine ADSelfService Plus offers MFA for OWA and EAC to increase mailbox security
2021-08-05 01:30

ManageEngine announced that ADSelfService Plus, its integrated Active Directory self-service password management and single sign-on solution, now offers multi-factor authentication for Outlook on the Web and Exchange admin center logins to add an extra layer of security to Exchange environments. "Going beyond passwords has become necessary for organizations of any size given today's cyberattack landscape. Users rarely take their passwords seriously and, as a result, even simple brute-force attacks are highly successful," said Parthiban Paramasivam, director of product management, ADSelfService Plus.

It takes more than MFA to beat human hacking
2021-07-13 06:00

In part, MFA was intended to thwart a range of compromises that include phishing, spear phishing, credential stealing, and man-in-the-middle attacks. Protecting remote workers from sophisticated phishing attacks requires a toolbox that extends beyond MFA and covers several attack vectors.

Microsoft: Scammers bypass Office 365 MFA in BEC attacks
2021-06-14 17:26

Microsoft 365 Defender researchers have disrupted the cloud-based infrastructure used by scammers behind a recent large-scale business email compromise campaign. "The use of attacker infrastructure hosted in multiple web services allowed the attackers to operate stealthily, characteristic of BEC campaigns," Microsoft 365 Defender Research Team's Stefan Sellmer and Microsoft Threat Intelligence Center security researcher Nick Carr explained.

Can your MFA implementations stymie MFA bypass attacks?
2021-06-09 12:31

Shay Nahari, Head of Red-Team services at CyberArk, says that they've been increasingly asked by customers to probe their multi-factor authentication defenses, which led them to pinpoint four main attack vectors used by threat actors to circumvent MFA controls by exploiting architectural and design flaws, insecure channels, side-channel attacks and insufficient attack surface coverage. The cybersecurity industry has been extolling the virtues of MFA use for years.

JumpCloud Protect: One-touch featured mobile MFA app
2021-05-20 00:15

JumpCloud announced JumpCloud Protect, a one-touch multi-factor authentication solution that makes it easy for IT admins to deploy and enforce MFA without adversely impacting end users. JumpCloud Protect is a fully featured mobile MFA app that allows employees authenticating into protected apps and resources to verify themselves directly from their corporate-issued or BYOD mobile device.

Beyond MFA: Rethinking the Authentication Key
2021-05-13 15:39

Physical security keys introduce a new twist to 2FA. Instead of using a code delivered to your phone, the hardware-based key is a dongle you insert into your company laptop or other registered access device. The private key remains on the device, while the public key is sent to the site with which it is registered.

Yubico YubiKey 5 FIPS Series extends phishing-resistant MFA to additional use cases
2021-05-05 02:30

Yubico announced its next-generation FIPS security keys: the YubiKey 5 FIPS Series. The addition of the YubiKey 5 NFC, YubiKey 5C NFC, and YubiKey 5Ci into the FIPS series lineup significantly expands coverage for mobile-first environments that many organizations have been waiting for.