Clavister Blog Staff

Could election season mean phishing season?

In Blog post by Clavister Blog Staff

With the first round of the 2017 French presidential election to be held on 23 April, and the British Government recently announcing a general election for June, it’s worth re-examining one of the most controversial events in the run-up to the 2016 U.S. presidential election – the publishing by Wikileaks of several thousand emails related to Hillary Clinton’s election campaign activities.  The emails were stolen in March 2016 when the personal Gmail account of John Podesta, chairman of Hillary Clinton’s 2016 U.S. presidential campaign, was hacked following a spear-phishing attack.

As we blogged previously, the impact of the breach on the election’s outcome is uncertain.  But it was certainly a damaging breach that made global headlines for several days.  And it would probably not have happened at all if Democrat campaign staff had been using two-factor authentication (2FA) or multi-factor authentication to secure access to their various work and personal accounts.

Multi-factor authentication, when enabled on services such as Gmail, Twitter and others, adds a second layer of verification after the initial password prompt, usually by sending a code to the user’s mobile phone.  This code is both single use (it only works for that specific login attempt) and difficult to intercept (because it goes directly to the user’s phone, which they will almost always have with them, rather than to an email account which may already have been compromised).  As such, it is a far more robust security measure than a password alone.  With it enabled, a hacker would not be able to get into an account such as Gmail with the password by itself, even if they did manage to spear-phish it from the user.
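As an added example (not from the original post), the Python below sketches the two-step login the paragraph describes: the password only opens a pending login attempt, and a code bound to that one attempt must be presented once, so a phished password on its own gets nowhere. The user store, the six-digit code format and the five-minute expiry are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample user store: username -> salted SHA-256 of the password.
# (Illustration only; a real service would use a slow hash such as bcrypt or argon2.)
_SALT = b"example-salt"
USERS = {"jpodesta": hashlib.sha256(_SALT + b"correct horse").hexdigest()}

CODE_TTL = 300          # assumed lifetime of a one-time code, in seconds
_pending = {}           # attempt_id -> (username, code, expiry); server-side state only


def check_password(username, password):
    """First factor: constant-time comparison against the stored hash."""
    stored = USERS.get(username)
    if stored is None:
        return False
    candidate = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return hmac.compare_digest(stored, candidate)


def start_login(username, password, now=None):
    """Step 1. On a correct password, open a login attempt and mint a code for it.
    The code is returned here only so the caller can deliver it out of band
    (e.g. by SMS); it is never shown to the client that supplied the password."""
    if not check_password(username, password):
        return None
    attempt_id = secrets.token_hex(8)
    code = f"{secrets.randbelow(10**6):06d}"
    expiry = (now if now is not None else time.time()) + CODE_TTL
    _pending[attempt_id] = (username, code, expiry)
    return attempt_id, code


def finish_login(attempt_id, code, now=None):
    """Step 2. Verify the code for this attempt only. The attempt is consumed on the
    first try, match or not, so a code can neither be replayed nor brute-forced."""
    entry = _pending.pop(attempt_id, None)
    if entry is None:
        return None
    username, expected, expiry = entry
    if (now if now is not None else time.time()) > expiry:
        return None
    if not hmac.compare_digest(expected, code):
        return None
    return username
```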

The attack against John Podesta’s email started with a plausible-looking ‘Google security notification’ containing an embedded link that asked him to enter his username and password for verification.  His credentials were then captured by the attackers.  If you think that you would never fall for a scam like that, bear in mind that Verizon’s 2016 Data Breach Investigations Report found that 30% of all phishing emails get opened by users.  So it is easier than you might think to get phished.

Could such a phishing scam affect the outcomes of the upcoming French and British elections?  The one thing that we can say with certainty is this:  there will be shady organizations that will be probing the cyber-defences of the political parties and groups involved, looking for information that they can steal and use for their own purposes.

So it would be wise to take a security-first approach to accessing critical services – whether those are personal email accounts or corporate applications – and protect accounts with multi-factor authentication.