Management Assistance Program

Two-Factor Authentication is Critical Today

By Jim Calloway

Technology tools for lawyers are a regular topic in this Law Practice Tips column.

Any advice columnist knows the readers will often treat their column like a buffet, taking what they like and ignoring some items that may be good for them, but don’t strike their fancy today.

Password managers are like that. Most people who read about password managers appreciate that using them would be a good thing, but it takes quite an investment of time to select and set up the password manager and then reset the passwords for all the services and sites you frequent. Like the kale flakes or quinoa on the buffet, one may recognize the benefit, but it may not strike your fancy that day.

Two-factor authentication is relatively quick and easy to set up – but it adds a few seconds to the time it takes to log into the services and sites you use.

Two-factor authentication is such a critical tool for protecting yourself and others that understanding how it works is an important part of lawyer technological competency. Not only should you be using it, but you should be advising your clients and others you care about to use it as well.

The widespread adoption of Office 365 makes this even more important.

Our inspiration today comes from a blog post earlier this year by Russell Gilmore on the International Legal Technology Association (ILTA) blog titled “Two-Factor Authentication: A Resolution That Works.” (If you have never heard of ILTA, it is probably because its members tend to work for very large law firms and other organizations, but I can assure you the group has serious credibility.)

Gilmore notes he has investigated several wire fraud incidents over the past year involving unauthorized access to Office 365 Outlook web mail accounts.

He outlines the typical scenario:

It starts when the victim receives a simple email with an attachment. The attachment will be an invoice, a legal document, or a letter from a distant relative. Because it appears to come from a trusted source, the victim opens the email. To open the attachment, usually a Word document, the victim will be instructed to click on a link and enter their Microsoft OneDrive user ID and password.

This phishing email tricks the victim into providing their login credentials to a criminal enterprise. This criminal enterprise may sell the credential or use them to access the victim’s account.

Once the criminal has the login credentials, they log into the Office 365 account and access the victim’s Outlook account. Now they sit and wait, monitoring all activity in the account. That’s right; they monitor ALL email being received and sent. They also search all emails for words like deposit, wire transfer, or account information. Then they wait.

They wait for the victim to send an email with wiring instructions. Once this occurs, the criminal manipulates the Outlook account so the criminal intercepts the email. Finally, the criminal sends a new email with new, fraudulent wiring instructions.

Having some criminal monitoring and searching all your emails should be a chilling thought for anyone, but especially for a lawyer.

This shouldn’t be thought of as a particular Office 365 weakness. We are going to be doing lots of education on Office 365 this year at the OBA Solo & Small Firm Conference. Lawyers will be using this for its many benefits. This is just a different version of a phishing scam, empowered by the fact that new Office 365 users are getting used to seeing Office 365 login screens, while most of us have learned about other types of common phishing schemes.

Compromising your email account also allows the criminal to use your email address to attack your family, friends and clients. Gilmore adds, “What is often overlooked is that the phishing email you receive most likely will come from the legitimate account of a coworker, contractor, business associate, friend, or family member whose email account was compromised. Therefore, you received the phishing email from someone you currently work with or know, not a stranger. So these phishing attempts are often not blocked by email protection systems and software.”

All of this can be prevented by activating two-factor authentication on the account.

The most common way people use two-factor authentication is receiving a code on their phone via text message after logging into an account. You must enter the code to log into the account. So as long as the criminal doesn’t have access to your mobile phone, they cannot receive the code to complete the login to your account. You win.
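To make the login flow described above concrete, here is an added example (not from the column, and not how Microsoft or any other provider actually implements it) modelling the two steps: the password is checked first, and only then is a short-lived, single-use code generated and delivered out of band to the registered phone. The account store, user name, phone number, six-digit code length and five-minute validity window are all constructed assumptions. The code is returned from `begin_login` only to stand in for the text message; the web login itself never sees it. The demo shows that a stolen password alone does not complete the login, and that a code cannot be replayed or used after it expires.

```python
"""Hypothetical two-step login: password, then a one-time code sent out of band."""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed validity window for a delivered code
CODE_DIGITS = 6          # assumed code length, as in a typical text-message code


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash so a leaked store does not reveal passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountStore:
    """Constructed in-memory store standing in for the real identity service."""

    def __init__(self):
        self._users = {}     # username -> {"salt", "pw", "phone"}
        self._pending = {}   # username -> (code, expires_at); at most one live code

    def add_user(self, username: str, password: str, phone: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = {
            "salt": salt,
            "pw": hash_password(password, salt),
            "phone": phone,
        }

    def check_password(self, username: str, password: str) -> bool:
        rec = self._users.get(username)
        if rec is None:
            return False
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(rec["pw"], hash_password(password, rec["salt"]))

    def send_code(self, username: str, now: float) -> str:
        """Generate a fresh random code and 'deliver' it to the registered phone.
        Issuing a new code replaces any earlier unused one."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[username] = (code, now + CODE_TTL_SECONDS)
        return code   # returned only to simulate the text message

    def verify_code(self, username: str, code: str, now: float) -> bool:
        pending = self._pending.pop(username, None)   # pop: a code is single-use
        if pending is None:
            return False
        expected, expires_at = pending
        if now > expires_at:
            return False
        return hmac.compare_digest(expected, code)


def begin_login(store: AccountStore, username: str, password: str, now=None):
    """Step 1: first factor. On success a code goes to the phone; otherwise None."""
    now = time.time() if now is None else now
    if not store.check_password(username, password):
        return None
    return store.send_code(username, now)


def complete_login(store: AccountStore, username: str, code: str, now=None) -> bool:
    """Step 2: second factor. True only when the delivered code is presented in time."""
    now = time.time() if now is None else now
    return store.verify_code(username, code, now)


def demo() -> dict:
    """Walk through the owner, the phished-password attacker, a replay and an expiry."""
    store = AccountStore()
    # Constructed account; the password is only a sample value.
    store.add_user("paralegal", "correct horse battery staple", "+1-555-0100")
    results = {}

    # Account owner: has the password and the phone that receives the code.
    code = begin_login(store, "paralegal", "correct horse battery staple", now=1000)
    results["owner"] = complete_login(store, "paralegal", code, now=1010)

    # Phished password only: the real code goes to the owner's phone; the person
    # at the keyboard can only guess (a wrong-length guess can never match).
    begin_login(store, "paralegal", "correct horse battery staple", now=2000)
    results["password_only"] = complete_login(store, "paralegal", "guess", now=2010)

    # Replay: a code that already completed a login is rejected the second time.
    code = begin_login(store, "paralegal", "correct horse battery staple", now=3000)
    complete_login(store, "paralegal", code, now=3005)
    results["replay"] = complete_login(store, "paralegal", code, now=3010)

    # Expiry: a code presented after the validity window is rejected.
    code = begin_login(store, "paralegal", "correct horse battery staple", now=4000)
    results["expired"] = complete_login(store, "paralegal", code, now=4000 + CODE_TTL_SECONDS + 1)

    # Wrong password never reaches step 2, so no code is sent at all.
    results["wrong_password"] = begin_login(store, "paralegal", "wrong", now=5000)
    return results


if __name__ == "__main__":
    print(demo())
```

The two design points worth noticing are that the code is discarded the moment it is checked (so it cannot be replayed) and that the code is only ever issued after the password has already passed, which is exactly why possession of a phished password is not enough to finish the login.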

Certainly, this is one more thing to do and adds a few seconds to every login, so maybe you are not willing to do this for every account you use.

I have a retirement account that has online access. I do not access it frequently enough for two-factor authentication to be a bother. Yet every time I log in, it helpfully suggests that I can tell the account to trust this computer, which would bypass two-factor authentication. Every time I tell it “No.” If you have not set up two-factor authentication on your retirement account, your stock brokerage account or your checking accounts, I would strongly suggest you do it today.

For your Office 365 account or any other account that holds confidential client information, the same rule would apply. Right?

Mr. Calloway is OBA Management Assistance Program director. Need a quick answer to a tech problem or help solving a management dilemma? Contact him at 405-416-7008, 800-522-8060, jimc@okbar.org. It’s a free member benefit!

Originally published in the Oklahoma Bar Journal — March 2019 — Vol. 90, No. 3