By now you should understand how weak the username and password combination is when it comes to securing your information. There are BILLIONS of records available to bad guys. So what is a person to do?
It is up to you to add security to your accounts. Sadly, the desire for convenience outweighs security concerns and vendors do not make maximum security the default. So what is ‘the best’ security? Here’s what’s available.
MFA – Multi-factor authentication.
Rather than relying solely on the username and password combination, MFA requires some other piece of information before access is granted.
Security questions:
These are facts that supposedly only you know: your mother’s maiden name, your first pet’s name, your high school, etc. When a breach exposes passwords, the security-question data is often exposed along with them. Also, many of the answers can be found in public records or on social media.
Code via email:
When you try to access an account, you are sent a code via email. The assumption is that you are the only one with access to that email account. This is a bad assumption. Particularly with business email accounts, it is not uncommon for bad guys to compromise an account and then monitor it for a while to gain insight into the victim.
Code via SMS:
Sending a code via text message is very common. It is subject to SIM swapping, but if you have been victimized by a SIM swap the evidence shows up fairly quickly: your phone stops working.
Biometrics:
If the biometric (fingerprint, voice print, retina scan, etc.) must be supplied in real time, this is very secure. Unfortunately, when it comes to fingerprint validation on a smartphone, the fingerprint data may not be securely stored. If it gets stolen from your phone, that is a problem, because you can’t change your fingerprint the way you can change a password.
Authentication via an app:
Apps like Google Authenticator, Authy, and Duo, among others, generate a time-sensitive code on your PC or phone. The app is synced with the service once, when you enable it, and from then on your copy of the app produces a unique code for each login. This is very secure but is still subject to a real-time man-in-the-middle (proxy-based phishing) attack. This article at https://bit.ly/2FaAttacks describes how.
Authentication via hardware key:
The CSO article cited above offers this information about hardware keys: “Proxy-based phishing can’t defeat some 2FA implementations, however—those that use USB hardware tokens with support for the Universal 2nd Factor (U2F) standard. That’s because those USB tokens establish a cryptographically verified connection to the legitimate website through the browser, which does not go through the attacker’s reverse-proxy.”
The bottom line is to do whatever you can to secure your data. For the foreseeable future, username/password/security questions will be the default method to authenticate you. Use a password manager and make sure you don’t reuse passwords or security-question answers across sites. It’s a pain, but nothing like the pain of having your identity misused.
Contact Ashton Technology Solutions for help implementing proactive security measures for your business and employees.