Elite CIOs, CTOs & execs offer firsthand insights on tech & business. Opinions expressed by Forbes Contributors are their own.

Post written by

Stephen Cox

Chief Security Architect at SecureAuth. Former engineering lead for Mandiant and FireEye. George Mason University alumnus.

In 2017, we saw a new influx of spectacular and devastating breaches. Somewhat lost in the chaos was a surprising trend amongst them — a sharp escalation in attackers utilizing stolen, valid credentials as their primary means of gaining a foothold in the organization. This is by no means a new trend. Some of the highest-profile breaches in history resulted from a lack of strong access control measures. What’s concerning is that these types of breaches continue to proliferate — a clear sign that we’re not addressing the problem.

The Deloitte Breach

The Deloitte breach, reported in September of 2017, is a prime example of the devastation an organization can face if it fails to implement strong access control. Deloitte — one of the “big four” accounting firms — experienced a breach that resulted in the compromise of its clients’ emails, including those of U.S. government agencies and large enterprises. Attackers gained access to the company’s email system through an administrative account — using just a single compromised password. The security industry was quick to point out that the account was not secured by two-factor authentication.

The Yahoo And LinkedIn Breach Sagas Continue

The infamous Yahoo breach was in the spotlight again after the company disclosed new details on the 2013 incident — all three billion of its users’ accounts were impacted, not the one billion that was previously reported. Yahoo, of course, had two-factor authentication in place when it was breached. The same is true of the 2012 LinkedIn breach. Though the company had implemented two-factor authentication, hackers were able to breach the system, compromising the credentials of 167 million users.

When Two-Factor Authentication Fails

As previously mentioned, many argued that Deloitte’s critical misstep was its failure to protect customer data with two-factor authentication. There is growing evidence, however, that even two-factor authentication is not enough to combat these types of failures. Of course, it is probably better than utilizing a simple password. Yet, basic two-factor authentication still leaves organizations highly vulnerable to cybercriminals.

There are numerous examples of high-profile breaches where attackers have defeated an organization’s basic two-factor authentication methods. The Yahoo and LinkedIn breaches highlight the reality that basic methods such as knowledge-based questions and SMS-based one-time passwords can be evaded by attackers using simple phishing attacks and social engineering. Attackers have proven that they can intercept SMS codes or hijack users through social engineering to redirect where the texts are sent.