Ben Dickson is a software engineer and freelance writer. He writes regularly on business, technology and politics. The fact that plain passwords are no longer safe to protect our digital identities is no secret. For years, the use of two-factor authentication (2FA) and multi-factor authentication (MFA) as a means to ensure online account security and prevent fraud has been a hot topic of discussion. Technological advances, especially in the mobile industry, have created new possibilities, and manufacturers and vendors are offering various multi-factor solutions in the domain of biometrics, physical tokens, software tokens and mobile codes.
The vulnerability affects the way Microsoft applications use OAuth for authentication: these applications trust certain third-party domains and sub-domains that are not registered by Microsoft. Experts from CyberArk discovered the following three vulnerable Microsoft applications that trust these unregistered domains: Portfolios, O365 Secure Score and Microsoft Service Trust. "This vulnerability's attack surface is very wide and its impact can be very powerful." In the OAuth authorization flow implemented by Microsoft, a Microsoft application user can request access from a whitelisted URL approved by Microsoft in order to log in. The owner of the third-party website or application then receives a token with specific permissions that allows it to act on behalf of the owner of the token.
What would happen if you tried to withdraw money from your savings account, only to discover that the balance had mysteriously dropped from several thousand to only a few dollars? You would be shocked -- and bank managers would be perplexed because the transaction was made with the correct account number, password and personal identification number. Unfortunately, illegal account takeovers are a highly prevalent type of identity fraud. In 2018, over USD 8.3 billion was lost through account takeovers in the US alone. Scammers use stolen account numbers, passwords and Social Security numbers to hijack checking, savings and credit card accounts.
Editor's note: Naples Daily News columnist and professional organizer Marla Ottenstein has been through a harrowing, expensive and life-changing experience since she was "hacked" last summer. She first wrote about her experience in November. Now she shares some of her insights and the lessons she's learned. You never realize how many online accounts you have until you have to shut down an email account you've had for 20 years. Think about it: If you need to change your password, you click "forgot password" and a reset link is sent to your email.
The number of bank accounts hijacked by criminals soared by almost half last year, figures published today reveal. As firms bolster their IT defences against hackers, fraudsters are reverting to old-fashioned tactics by directly targeting customers. In its annual Fraudscape report, the fraud prevention service Cifas gathered data from 387 firms, including some of the UK's most well-known companies. It found that 'facility takeovers' – when a customer's bank account, investment or pension is hijacked by a fraudster and funds are taken out – jumped by 45 per cent, from 15,497 in 2015 to 22,525 last year. More than half of these cases were perpetrated over the phone, typically with the criminal phoning the bank's call centre and pretending to be the customer.