A large proportion of the e-commerce breaches we investigate here at 3B Data Security involve an attacker gaining access to the administrative pages of a website, typically through the use of stolen credentials. Access to these pages can be a goldmine for attackers, providing the ability to modify the website's settings, potentially allowing malware to be added. Certain platforms also include file management functionality through these pages, providing an attacker with a way to download data from the web server, modify files, or to upload additional malware and further compromise the server.
As such, it is hugely important to prevent this type of unauthorised access. One of the easiest ways to do this is through the use of Multi-Factor Authentication, which makes it much harder for hackers to access an account, even if they already know the username and password.
Multi-factor Authentication (MFA) refers to an authentication method that requires a user to provide two or more verification factors in order to access a resource. For example, a regular password and a time-based, single-use code both need to be entered by a user during the login process. MFA typically consists of a combination of at least two of the following:
- Something you know (e.g. a password or PIN).
- Something you have (e.g. an access card or one-time key).
- Something you are (e.g. biometrics).
Most of the popular e-commerce platforms provide support for MFA. As of version 2.4.x, MFA has been included as a Core Bundled Extension (CBE) within Magento. This can be configured through the standard admin panel, "Stores > Settings > Configuration", and includes support for popular MFA solutions such as Google Authenticator, Duo, and YubiKey.
Likewise, WordPress also provides support for MFA. This can be implemented through numerous free plugins, and also covers the most common MFA solutions.
Multi-factor authentication can also help a business with their PCI compliance. Requirement 8.3 of the PCI DSS mandates that all individual non-console administrative access and all remote access to the Cardholder Data Environment (CDE) is secured using multi-factor authentication. This requirement also applies to web-based portals such as website CMS systems.
Unfortunately, not every MFA solution is perfect, nor a guarantee that your website will never get hacked. One common method for providing multi-factor authentication is through phone-based MFA, with the second factor delivered to a user via an SMS message or by a phone call.
Methods that use phones in this way can be bypassed by an attacker through a SIM-swapping scam. A SIM swap (also known as a "port-out" scam) can result in an attacker gaining control over a user's telephone number, thereby receiving any calls or SMS text messages sent to that user. This delivery method has other weaknesses too: SMS messages are not encrypted in transit, leaving them vulnerable to interception.
As such, Microsoft now recommends that users migrate away from these methods to more secure options.
If you require any assistance with adding multi-factor authentication to your environment to enhance your security, please contact 3B Data Security.
Microsoft's recommendation is set out in its article "It's Time to Hang Up on Phone Transports for Authentication".