WEBVTT

00:00:00.000 --> 00:00:02.087
We see those types of things.

00:00:02.087 --> 00:00:04.770
Two-factor authentication or multi-factor authentication has

00:00:04.770 --> 00:00:07.703
helped clean up a lot of those attacks,

00:00:07.703 --> 00:00:11.703
but it does have to be implemented correctly.

00:00:11.703 --> 00:00:15.967
It also needs to be two-channel, is what I call it,

00:00:15.967 --> 00:00:20.882
where you're not getting your code to get in on the

00:00:20.882 --> 00:00:23.631
same device that you sent the request.

00:00:23.631 --> 00:00:24.023
Oh yeah.

00:00:24.023 --> 00:00:26.270
Because I've seen where you get this multi-factor authentication,

00:00:26.271 --> 00:00:29.491
so that's the username and a password, and now I need a separate code.

00:00:29.492 --> 00:00:32.783
And the separate code's sent to the computer I'm logging in from.

00:00:32.783 --> 00:00:34.641
So I then copy and paste, which is really easy,

00:00:34.641 --> 00:00:36.975
but the bad guy's on this computer, yeah?

00:00:36.976 --> 00:00:37.352
Yeah.

00:00:37.352 --> 00:00:39.983
We saw a merchant that got breached.

00:00:39.984 --> 00:00:42.393
They set up multi-factor authentication,

00:00:42.393 --> 00:00:48.222
but they allowed their employees to have the option of sending the code,

00:00:48.223 --> 00:00:52.192
the access code, to either their phone or to their email account.

00:00:52.193 --> 00:00:54.589
Well if they checked the email account on the same

00:00:54.589 --> 00:00:58.631
computer that the attacker has, the attacker has --- Has the code.

00:00:58.631 --> 00:00:59.426
--- that code.

00:00:59.426 --> 00:01:03.993
We've also seen a recent phenomenon with code replay

00:01:03.993 --> 00:01:07.674
attacks where the attacker knows that two-factor or

00:01:07.674 --> 00:01:10.476
multi-factor authentication is in place,

00:01:10.477 --> 00:01:17.081
and so they'll wait for the legitimate employee to send a remote access request,

00:01:17.082 --> 00:01:20.523
and then they'll send another one immediately right behind them.

00:01:20.523 --> 00:01:24.049
And the person gets theirs and approves it, and then sees another one.

00:01:24.050 --> 00:01:25.291
It's like, ah, I thought I approved that.

00:01:25.292 --> 00:01:29.412
Click, and they do it again not realizing that that second one,

00:01:29.412 --> 00:01:30.998
they didn't send it.

00:01:30.998 --> 00:01:33.613
That was the attacker sending it.

00:01:33.613 --> 00:01:36.929
And so that's kind of a social engineering way that hackers are

00:01:36.929 --> 00:01:40.611
getting past even multi-factor authentication.

00:01:40.611 --> 00:01:44.193
And that's the way attacks work, but we found defenses.

00:01:44.193 --> 00:01:48.141
PCI DSS put a requirement for all remote access to

00:01:48.141 --> 00:01:49.930
have multi-factor authentication, the last version,

00:01:49.930 --> 00:01:53.114
and now the bad guys are trying to work out ways around that.

00:01:53.114 --> 00:01:55.510
It's a cat-and-mouse game.

00:01:55.510 --> 00:01:56.643
They're always adapting.

00:01:56.643 --> 00:01:58.224
It's move, countermove.

00:01:58.224 --> 00:02:02.175
Have you seen them doing SIM swapping for multi-factor authentication breaking,

00:02:02.175 --> 00:02:04.303
because we've seen some of that in Europe now?

00:02:04.304 --> 00:02:08.542
Not as much here, though we do see it from time to time.

00:02:08.542 --> 00:02:12.244
So, while I'm going through this, I'm trying to think in my head,

00:02:12.244 --> 00:02:14.748
if I could sit in front, if we could sit in front,

00:02:14.748 --> 00:02:17.353
in fact, we are sitting in front of lots of merchants today.

00:02:17.353 --> 00:02:20.063
They're all watching us at different times.

00:02:20.063 --> 00:02:23.642
The piece of advice I've got here is about secure your remote access.

00:02:23.643 --> 00:02:25.196
This is the first lesson, yeah?

00:02:25.196 --> 00:02:25.768
Yes.

00:02:25.768 --> 00:02:27.105
Secure your remote access.

00:02:27.105 --> 00:02:29.567
If you've got an ISO with a remote access,

00:02:29.567 --> 00:02:32.515
convince yourself that they're doing it properly.

00:02:32.515 --> 00:02:34.531
Not only convince, validate.

00:02:34.531 --> 00:02:36.640
Okay, how would they do that?

00:02:36.641 --> 00:02:41.784
They can get a third party that is skilled in that area or

00:02:41.784 --> 00:02:44.214
they can have their IT do basic tests.

00:02:44.214 --> 00:02:46.446
If you're doing multi-factor authentication,

00:02:46.446 --> 00:02:50.792
test it and make sure that that code is going to the

00:02:50.792 --> 00:02:54.284
person who it's supposed to go to.

00:02:54.284 --> 00:02:56.223
So not taking the ISO's word, basically.

00:02:56.223 --> 00:02:56.797
Yeah.

00:02:56.797 --> 00:02:59.797
Okay, that's good.
