Kevin Surace
2 minute read
When Hawaiian Airlines confirmed a recent cyberattack that disrupted its internal systems, it wasn’t just another headline—it was another red flag.
According to early reports, the threat group Scattered Spider is likely behind the breach. If that name sounds familiar, it should. The group has been linked to multiple high-profile attacks—including the recent Aflac breach—by using the same playbook: real-time phishing through spoofed websites and MFA fatigue tactics to bypass weak authentication.
These aren’t complex, nation-state-level operations. They’re simple relay attacks—and they’re working.
Despite growing awareness, many companies are still relying on outdated MFA: push approvals, TOTP codes, authenticator apps. These methods were once seen as solid security upgrades, but attackers have adapted. They know how to trick users into entering codes or tapping “Approve” on malicious login requests. And because these MFA systems can’t verify where the login is really coming from, they let attackers right in.
“It’s not that these attacks are sophisticated,” said Kevin Surace, Chair of Token. “They’re successful because companies continue trusting MFA tools that weren’t designed for this threat.”
And so, Hawaiian Airlines joins a growing list—insurers, retailers, airlines—all breached through MFA that’s no match for modern phishing.
Here’s how it typically goes:
This kind of flaw isn’t a bug—it’s a limitation in how traditional MFA works.
Token’s products, TokenCore™ Wearable and TokenCore™ Portable, aren’t just another step in the MFA evolution. They’re a leap forward. Here’s what makes them different:
In a scenario like the Hawaiian Airlines breach, the fake website wouldn’t even engage the Token device. No proximity, no biometric verification, no login. It’s that simple.
Unlike passkeys, which can sync to the cloud and be compromised through account takeover, Token stores credentials in tamper-proof hardware—bound to a single domain and device, and unlocked only by a live fingerprint scan.
Just days ago, after the Aflac breach, we warned the industry: phishing-proof MFA isn’t a luxury—it’s a necessity. Now, we’re seeing the same threat actors use the same techniques with the same results.
“How many breaches do we need before we replace security theater with real security?” Surace asked. “Token isn’t an MFA solution at all. It’s phishing-proof, fool-proof, and deployable in a single day.”
Ready to move to phishing-proof MFA? Request a Demo.
The cybersecurity landscape has recently seen a staggering surge in ransomware payments, with a more than 500% increase. Sophos' "State of Ransomware 2024" report indicates that the average ransom payment has skyrocketed from $400,000 in 2023 to $2 million in the past year. RISK & INSURANCE also reported a dramatic rise, with the median ransom demand jumping from $1.4 million in 2022 to $20 million in 2023, and actual payments soaring from $335,000 to $6.5 million. This significant rise in ransom payments reflects the growing sophistication of cyberattacks and the vulnerabilities of outdated security measures. A major factor behind this trend is the continued use of legacy Multifactor Authentication (MFA) systems, which are increasingly ineffective against modern cyber threats. Additionally, the use of Generative AI by cybercriminals to create highly convincing phishing attacks has made detection by even the most vigilant users more difficult. Let's examine the reasons behind the increase in ransomware payments, the limitations of traditional MFA, and the importance of adopting next-generation MFA solutions.
Last week, BleepingComputer reported on a clever new phishing campaign targeting Microsoft users. Instead of pixel-perfect fake sites or smishing lures, attackers are now abusing legitimate Microsoft ADFS redirect endpoints to steal logins.
A single cyberattack can be devastating for any business but even more so for smaller businesses. In 2021, 46% of data breaches impacted small and medium (SMB) businesses. In addition, the average cost of a single breach against SMBs increased from $101K in 2020 to $105K in 2021. In contrast, the average breach cost for larger enterprises fell between 2020 and 2021. It is incredibly difficult for small businesses to recover from a data breach and within a year of a data breach, more than half of small businesses fail.
Subscribe to The Assured Identity Brief for sharp insights on identity security, authentication, and the threats security leaders must stay ahead of.