This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Hey everyone. I'm Drex and this is the Two Minute Drill, where I cover some of the hottest security stories in healthcare, all part of the 229 Project cyber and risk community here at This Week Health. It's great to see you today. Here's some stuff you might want to know about. There's a story making waves this week called Payroll Pirate.
Attackers have been sneaking into payroll systems like Workday and literally rerouting people's paychecks. And here's how it happens. Someone in your health system gets an email that looks totally legitimate, and the logo, the tone, everything is right, and it says your direct deposit needs to be verified before the next payroll runs.
So the employee clicks on the link and types in their username and password. Maybe even approves the MFA prompt on their phone. And just like that, the bad guys log into the real payroll system and they change the employee's bank info so that the next check lands in their account and not the employee's.
And here's the kicker. Many or most of the victims already had multifactor authentication, so-called MFA, installed and turned on. The crooks just learned how to trick it. They build fake websites that look identical to the real login page, so that when you type in your info and approve that pop-up, you're giving them everything they need.
They just reuse your login session before it expires. So even that extra MFA security step doesn't really save you. Now we've seen these same patterns with a bunch of other organizations like MGM Resorts and Okta, and even Microsoft's internal systems. They call one of these moves MFA fatigue, and that's when an attacker blasts your phone with endless "approve sign-in, approve sign-in, approve sign-in" alerts until you finally hit yes, just to make it stop.
Somewhere along the way they've gotten your username and password, and that one yes is the only other thing they need. So what do we do? Well, I think we prioritize systems and users and we upgrade, because the kind of MFA that depends on text messages or app prompts is officially old school, and I realize it's not that old, but the bad guys have gotten really good.
The next generation of MFA is something called phishing-resistant authentication, and it goes by names like FIDO2 keys or passkeys, but don't let the jargon throw you off. It's basically a digital badge that lives safely on your phone or laptop. So when you log in, your device quietly proves that it's really you.
There's no password to type and nothing the bad guys can steal, like on a fake site. And if you've ever used your fingerprint or Face ID to unlock something, you've already done it. You've already used that kind of technology. It's the same idea. It's just stronger. CISA and NIST have both been loud about this problem, telling organizations to move to these newer phishing-resistant systems as fast as possible.
And the punchline is that these systems are, for the most part, faster for users and safer for the organizations, and one of the best ways to stop paycheck pirates or anyone else from sneaking in. So if your MFA still depends on text codes or push alerts, it's probably time to think about modernizing. Start planning the move now, before your next paycheck or your patients' data sails off into the sunset with those pirates.
And I know that was a bad dad joke, but it was just sitting right there. I had to do it. More on this story and all the latest tech and security news at thisweekhealth.com/news. Please use the link in the comments that'll take you directly to Spotify or Apple so that you can sign up for my Unhack podcast channel too.
That's where all these shows live. And that's it for today's Two Minute Drill. Thanks for being here. Stay a little paranoid and I will see you around campus.