{"id":18167,"date":"2022-02-02T12:30:22","date_gmt":"2022-02-02T20:30:22","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/02\/02\/news-11900\/"},"modified":"2022-02-02T12:30:22","modified_gmt":"2022-02-02T20:30:22","slug":"news-11900","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/02\/02\/news-11900\/","title":{"rendered":"Why Apple\u2019s improved 2FA protection matters to business"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2020\/07\/phishing_attack_security_threat_fish_hook_binary_code_by_andreus_gettyimages-1253294358_cso_2400x1600-100851297-large.3x2.jpg?auto=webp&amp;quality=85,70\"\/><\/p>\n<p><strong>Credit to Author: Jonny Evans| Date: Tue, 01 Feb 2022 06:01:00 -0800<\/strong><\/p>\n<p>Apple has introduced a new layer of protection to its <a href=\"https:\/\/support.apple.com\/en-gb\/HT204915\" rel=\"noopener nofollow\" target=\"_blank\">existing two-factor authentication<\/a> (2FA) system, making it a little harder for phishing attacks to successfully steal valuable authentication credentials.<\/p>\n<p>Given that Apple, PayPal, and Amazon were the top three brands used for successful phishing attacks last year, <a href=\"https:\/\/www.jamf.com\/resources\/white-papers\/phishing-trends-report-2021\/\" rel=\"noopener nofollow\" target=\"_blank\">according to a recent Jamf report<\/a>, this matters.<\/p>\n<p>Phishing is a huge problem. The scale of these attacks shot up during the pandemic. The <a href=\"https:\/\/www.ic3.gov\/Media\/PDF\/AnnualReport\/2020_IC3Report.pdf\" rel=\"noopener nofollow\" target=\"_blank\">FBI Internet Crime Report 2020<\/a> revealed that phishing attacks affected 241,342 victims in 2020, up from 114,702 in 2019, with adjusted losses of more than $54 billion. 
Verizon\u2019s <a href=\"https:\/\/www.verizon.com\/business\/resources\/reports\/dbir\/\" rel=\"noopener nofollow\" target=\"_blank\">2021 Data Breach Investigations Report<\/a> confirmed that 36% of data breaches that year involved phishing.<\/p>\n<p>That\u00a0Jamf report confirmed threat actors to be targeting work-focused cloud services such as Office 365 or Google Workplace to penetrate overall enterprise security.\u00a0No surprise that Apple users are targets, given that Apple is <a href=\"https:\/\/blogs.computerworld.com\/article\/3648589\/jamf-ceo-weighs-in-on-apple-deployments-and-enterprise-security.html\" rel=\"nofollow\">on course to becoming the most widely deployed enterprise tech hardware<\/a>.<\/p>\n<p>It\u2019s easy to dismiss phishing attacks based on the utterly unconvincing attacks most people frequently find in their in-box. That\u2019s unwise.\u00a0While some attempts may be stupid, the ones that succeed most are smart enough to exploit existing security protections.<\/p>\n<p>Some are highly targeted, socially engineered attacks aimed at individuals or people from a certain firm. Using a combination of target research and convincing fake communications, criminals seek to undermine the security of their targets.<\/p>\n<p>To help secure its users, Apple has provided a two-factor authentication (2FA) system in which a user attempting to access a service on an unfamiliar device is required to enter their ID information and make use of another known device to provide an additional authorization code.<\/p>\n<p>The company relatively recently improved its 2FA system with a feature which would automatically recognize a 2FA code and enter it into the relevant approval field (autofill). This made 2FA much more user friendly and means many now use this protection regularly. 
(It also now offers a <a href=\"https:\/\/www.applemust.com\/how-to-make-two-factor-authentication-codes-on-your-iphone\/\" rel=\"noopener nofollow\" target=\"_blank\">built-in 2FA code creation tool<\/a>.)<\/p>\n<p>The problem is that some phishing attacks have sought to abuse autofill to steal logins and 2FA codes.\u00a0Apple\u2019s latest response is a system under which the 2FA code will also include the URL of the website it is intended to be used for. If the site you are on is different from the site named in the 2FA code, autofill will not work.<\/p>\n<p>This typically happens if you click a link in an email to take you to a site that purports to be a trusted site and try to log in to your account. What happens is that, armed with your account details and the 2FA code, criminals may also be able to jump inside your data. That\u2019s a slight simplification, but it shows the risk.<\/p>\n<p>Here\u2019s what is different about Apple\u2019s new 2FA messages, which should appear with macOS Monterey, iOS 15, and iPadOS 15.<\/p>\n<p>You can be certain some very smart people will already be figuring out how to undermine this protection, but it helps.\u00a0Fooling some of the people some of the time is the lifeblood of attacks of this kind.<\/p>\n<p>Another recent <a href=\"https:\/\/www.jamf.com\/resources\/white-papers\/security-360-annual-trends-report\/\" rel=\"noopener nofollow\" target=\"_blank\">Jamf security report<\/a> told us that 29% of organizations had at least one user fall for a phishing attack in 2021. It also said one in 10 users fall victim to phishing attacks on remote devices.<\/p>\n<p>So, what should your company do if its security is breached? Michael Covington, vice president for portfolio strategy at Jamf, shared a response plan:<\/p>\n<p>\u201cIf you fall victim to an attack such as phishing, the first thing you should do is assess\u00a0the damage. Take note of the PII that was handed over as part of the attack. 
The second step is to fix what is within your control &#8211; this might mean changing passwords, cancelling impacted bank\u00a0cards, and\u00a0calling the\u00a0credit bureau.\u00a0The final step is to share\u00a0your experience.\u00a0Don\u2019t be ashamed.\u201d<\/p>\n<p>Covington advises businesses to adopt a no-blame culture in their response to attacks:<\/p>\n<p>\u201cIf you are in the IT or security team and an employee reports an incident to you, do not ridicule or shame those who fall victim, this will only discourage others from bringing forward important information that can help mitigate further damage.\u201d<\/p>\n<p>It isn\u2019t always obvious when you or your systems have been attacked. \u201cAttackers are good at covering their tracks,\u201d he said. \u201cSome examples of things to look out for are: Device crashes, mystery apps, links or attachments in emails or messages,\u00a0missing text, or\u00a0apps that don\u2019t work right. These are often the first clues that something is going awry.\u201d<\/p>\n<p>Education is always critical, of course: Don\u2019t click links in emails to access secure sites \u2014 enter addresses in the browser manually. 
And, most importantly, if your Apple device doesn\u2019t let you use autofill to enter your 2FA code, don\u2019t override it, as you may be under attack.<\/p>\n<p><a href=\"https:\/\/www.computerworld.com\/article\/3648460\/why-apples-improved-2fa-protection-matters-to-business.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2020\/07\/phishing_attack_security_threat_fish_hook_binary_code_by_andreus_gettyimages-1253294358_cso_2400x1600-100851297-large.3x2.jpg?auto=webp&amp;quality=85,70\"\/><\/p>\n<p><strong>Credit to Author: Jonny Evans| Date: Tue, 01 Feb 2022 06:01:00 -0800<\/strong><\/p>\n<article>\n<section class=\"page\">\n<p>Apple has introduced a new layer of protection to its <a href=\"https:\/\/support.apple.com\/en-gb\/HT204915\" rel=\"noopener nofollow\" target=\"_blank\">existing two-factor authentication<\/a> (2FA) system, making it a little harder for phishing attacks to successfully steal valuable authentication credentials.<\/p>\n<p>Given that Apple, PayPal, and Amazon were the top three brands used for successful phishing attacks last year, <a href=\"https:\/\/www.jamf.com\/resources\/white-papers\/phishing-trends-report-2021\/\" rel=\"noopener nofollow\" target=\"_blank\">according to a recent Jamf report<\/a>, this matters.<\/p>\n<h2><strong>Phishing costs billions and is bad for 
business<\/strong><\/h2>\n<p>Phishing is a huge problem. The scale of these attacks shot up during the pandemic. The <a href=\"https:\/\/www.ic3.gov\/Media\/PDF\/AnnualReport\/2020_IC3Report.pdf\" rel=\"noopener nofollow\" target=\"_blank\">FBI Internet Crime Report 2020<\/a> revealed that phishing attacks affected 241,342 victims in 2020, up from 114,702 in 2019, with adjusted losses of more than $54 billion. Verizon\u2019s <a href=\"https:\/\/www.verizon.com\/business\/resources\/reports\/dbir\/\" rel=\"noopener nofollow\" target=\"_blank\">2021 Data Breach Investigations Report<\/a> confirmed that 36% of data breaches that year involved phishing.<\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[2211,10480,10403,10554,714,24580],"class_list":["post-18167","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-apple","tag-ios","tag-macos","tag-mobile","tag-security","tag-small-and-medium-business"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18167","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18167"}],"version-history":[{"count":0,"href":"http:\/\/
www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18167\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18167"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18167"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18167"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}