Pub. 12 2022-2023 Issue 5

The scenario: After clicking on a well-crafted phishing email, a target is taken to a page that looks identical to a legitimate sign-in page. They enter their username and password and then are presented with a screen that asks for the OTP. At the same time, the attacker is retrieving the stolen credentials and trying to log in as the target on the service’s real login page. When the target receives the OTP, they enter it into the web form, which is also transmitted to the attacker, who then uses it to log in and register their own devices to also receive the OTP.

The solution: Almost everyone clicks a phishing link at some point in their lives. Using a password manager is a great way to avoid accidentally entering credentials to be stolen, since a good password manager will only autofill the password if the URL in the address bar matches the legitimate website. And a password you don’t know is a password you can’t unintentionally give out.

SIM Swap

This one is a low likelihood, so I saved it for last, but it’s still worth mentioning as it’s a high-impact attack.

The scenario: An attacker obtains a good amount of information about a high-value target, including their username, password, and phone number. Using social engineering techniques, they contact the target’s mobile phone provider and ask to port the phone number to a new SIM card since they “lost their phone.” Security checks are bypassed and the target’s phone stops working as the criminals gain access to their phone number. They log in using the stolen credentials, intercept the text message with the OTP, and compromise the account.

The solution: For critical accounts, use an authenticator app or FIDO token, not a text message code. Check with your cell phone provider and set an authorization code with them before they will allow your number to be ported to another SIM card.
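The password-manager defense in the phishing scenario above works only because the manager compares the page's full origin (scheme, host, port) against the origin stored with the credential, rather than eyeballing a familiar-looking domain. The following is an added illustration, not code from this column or from any real password manager; the vault contents and the lookalike hostnames are constructed sample values.

```python
from urllib.parse import urlsplit

# Constructed sample vault (not real accounts): stored origin -> credential.
VAULT = {
    "https://login.example-bank.com": {
        "username": "alice",
        "password": "correct horse battery staple",
    },
}

DEFAULT_PORTS = {"https": 443, "http": 80}


def canonical_origin(url: str):
    """Reduce a URL to (scheme, host, port), the tuple a vault entry is bound to.

    Returns None when the URL has no usable origin; the caller treats that as
    'do not fill'. The host is lowercased by urlsplit, a trailing dot is dropped,
    and it is IDNA-encoded so Unicode lookalike labels are compared in their
    xn-- form instead of by appearance.
    """
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        host = parts.hostname.rstrip(".").encode("idna").decode("ascii")
        port = parts.port or DEFAULT_PORTS[parts.scheme]
    except (UnicodeError, ValueError):
        return None
    return (parts.scheme, host, port)


def autofill_candidate(address_bar_url: str):
    """Return the credential whose stored origin equals the page's origin, else None.

    Equality of the whole origin (never a substring or prefix match on the host)
    is what keeps a page at login.example-bank.com.attacker.test, or a plain
    http:// copy of the site, from receiving the autofilled password.
    """
    origin = canonical_origin(address_bar_url)
    if origin is None:
        return None
    for stored_url, credential in VAULT.items():
        if canonical_origin(stored_url) == origin:
            return credential
    return None
```

Run against the real site the function fills; against a lookalike suffix domain, an http:// downgrade, or a Cyrillic-letter homograph it returns None, which is exactly the behaviour that stops the user from handing over a password they never typed.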
Chris is the Vice President of Information Security for CivITas Bank Solutions, which exists to help community banks with IT and Information Security needs. You can email info@acivitas.com for more information.

Multifactor authentication, or MFA, is widely regarded by security professionals as one of the best tools you can use to keep your accounts safe.

March • April 2023
