The Second Factor

Or: How to prevent your online accounts from getting hacked.

Every now and them I get an e-mail from someone know, with no message but a cryptic link. That’s right, someone’s e-mail account has been hacked, hijacked or compromised in some way. It is almost always a Yahoo address.

For those of us who just use e-mail to circulate gossip and cat pictures, this is not a big deal.However, if you do your banking online, a hacked e-mail account is a quick way to have your accounts drained.

The problem is that the standard method for resetting your password is an “e-mail loop”. It works like this: you go your bank’s website, click the “forgot your password” link, and a reset e-mail is sent to… your e-mail address… which has been compromised. Now they have the ability to change your password and lock you out of your account. Next thing you know, your hard-earned money is winging its way off to a parts unknown, never to return.

It’s not just banking. Some years ago, my brother found a bunch of bogus auctions on his eBay account, and he had to get in touch with eBay to have them stopped. A few days earlier, while on a business trip, he had used a hotel’s computer to access his eBay account. Evidently the computer had been compromised with a keylogger, which enabled bad actors (villains, that is – not William Shatner!) to get his username and password, and once in his account they could post bogus auctions on his account. If they can succeed in changing eBay’s email address for his account then they could also make off with the money.

So how to stop this? The banks’ came up with the idea of “secret questions”. We’ve all seen this at some time or other; they ask you to answer questions such as “What was your mother’s maiden name?“, etc. But when you think about it, this is just another “something you know”. In other words, it is effectively another password. And since the “secret questions” and answers are stored in the bank’s databases, they too are vulnerable to the kind of “exfiltration” (a posh word for theft of data) that seems to be happening on a monthly, if not weekly, basis,

The banks love this approach for one simple reason — it’s cheap. With security, as with so many other things, there is “Good” security, and there is “Cheap” security. Guess which one corporations prefer. Guess which one works best.

Remember when Bank of America came up with Credit Cards with your picture on it? Ever wonder why they don’t do that anymore? Because they found out that 1) Putting the pictures on the cards cost more than the losses due to to fraud, and 2) most cashiers don’t look at the picture anyway. Which made it 1) Expensive and 2) Not very effective.

The good news is that many big players on the Internet are finally adopting good security. One approach is to use a code transmitted to a cellphone by voice call or text message. The good news is that this approach requires that you have your phone. The bad news is that… this approach requires that you have your phone. If you lose or misplace it, you are stuck until you have jumped through several hoops. And if your phone is stolen and is not protected by a PIN lock, they may be able to crack a whole bunch of accounts at once – the holy grail of identity theft.

Another approach is to use a code generator; a device that generates a unique code each time it is used. This can be done using a hardware device (like the Paypal “Football ” code generator) or a software-based code generator like Google’s Authenticator, which generates a new code every thirty seconds. The cool thing about this is that if a bad guy steals your password, they still can’t get in. And even if they steal the key as well, and is invalid thirty seconds later. I am not even sure if a key can be re-used, but if you are paranoid about re-use (which I am not), you can just wait until it is just about to expire before you use it. Google uses this to secure their e-mail accounts; I used this. If Mat Honen, senior writer with Wired Magazine, had used this approach, the epic hacking of his Apple account could have been easily avoided.

The best security of all requires the use of a dedicated hardware token, such as a swipe card or a cryptographic key. My weapon of choice is a YubiKey – I’ve been using it for some years and it YubiKey guards access to my PayPal account and my password manager.

So there you have it: If you don’t want to get hacked, Get a YubiKey or some other form of hardware-based second-factor authentication. It’s that simple.

Advertisements
Post a comment or leave a trackback: Trackback URL.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: