What the FA is 2FA and do I need it?

Let’s answer the easy question first, “do I need 2FA”? The simple answer is “yes”, you do need Two Factor Authentication (2FA). Now read on to learn more about what it is, how it works and how it can secure your data and online activity

I’ve written in previous posts about passwords, hacking, identity theft and the threat to our privacy, data and businesses from cyber criminals. As you might imagine, the number of attacks is increasing, as is the sophistication.

Why are Cyber Attacks increasing

Simple! The number of websites that we log-in to continues to increase and
many people use one password across many websites. As you can see from the list on the right a lot of people use passwords that are less than ideal. The cyber criminals know this which makes it a gift for them.

Some people think they are safe because they have 3 passwords. A simple one for common sites where they don’t see a threat (posting comments to newspaper websites for example), a medium one that they use for on-line shopping and Cloud storage sites (DropBox for example) and a really complicated one for their “secure” sites, such as bank access etc.

After all, just trying to remember pWa#eeAS7uNggK49 is a challenge but if you have to remember a different one for every single website it becomes a real challenge. You might jot them down in a notebook or diary but what happens if you loose your book, or just leave it on a train. Not only have you been frozen out of your accounts (until you work your way through all those “forgotten password” routines) but your security has been seriously compromised.

Some people, like me for example, use password manager. These apps create a secure password for ever site that you log in to and make it available across desk-tops, lap-tops, phones and tablets and don’t cost very much at all. But even if you use one how secure are you, actually?

chocolate teapot

If a site that you use your super strong password on is penetrated and data stolen, your strong password is about as much use (from a security perspective) as the infamous chocolate teapot. And if you have used this super-strong password on more than one site you are at an even greater risk of becoming a victim of data theft. With more than 6,474m email addresses in the wild for cyber criminals to use and 551m passwords stolen in security hacks the criminals job gets ever easier.

Use the Have I been Pwned website to see whether your passwords have been stolen by cyber criminals or nabbed in a data breach and read more about the risk, and how the criminals use this stolen data in a previous post.

What’s the Solution

It’s actually fairly simple. It’s called two factor authentication [2FA] or multi-factor authentication. This is where another layer of authentication is required, beyond your user name and password.

In the early days of 2FA sites would send you a text with an access code so you could only log-in if you had your phone with you [and had a mobile signal]. This extra layer of security hit the cyber-criminals hard, until they realised that intercepting text messages was not particularly difficult if you were tech-savvy so something else was required.

Image result for hsbc internet banking device

The banks solved this problem by providing you with a device like the one to the right, this one’s from HSBC. At the website you enter your user-name and pass-code as normal, enter a PIN in the device and then enter the displayed number from the device in to your banks website. It may feel like a pain but it really does have a positive effect on the security of your on-line banking. A criminal needs a your user name/password, access to a device as well as your device PIN

Microsoft Authenticator

Having a device for every website is pretty clunky so Microsoft and Google released authentication apps for Android and iPhones. The way they work is they generate a six digit code, as can be seen in the image on the right, and the website that you are looking to access requests this code after you have entered your user-name and password – as demonstrated in this screen-shot of my LastPass password manager.

Two Factor Authentiaction

All I have to do is launch my Authenticator App and enter the six digit password. For additional security, the code changes every 30 seconds or so

Hardware Security

Hardware 2FA security solution

The final security solution is the physical “Key” such as this one from Yubikey. This is a USB device that simply plugs in to a USB port on your computer and allows you access to secured sites – or even your computer itself.

If you are worried by your security, or need any help with your internet activity, from a new website through social media and on to other online marketing opportunities then just send me an email – andy@enterprise-oms.co.uk or give me a call on 01793 238020

Have you had your electronic ID stolen?

In other words, have you been pwned*. There have been millions of email addresses and passwords stolen in hack attacks and millions more that have been left exposed by incompetent website owners. However, it’s not just your email address that’s been stolen, your name will have gone with it, possibly your address and maybe even credit card (and other) data.

The stolen information is then made available for sale on the dark web and here’s a sample of the prices it can fetch

  • Credit/debit card number – $5-$11
  • With the CVV (3 digit) security code – + $5
  • “Fullz” (card, CVV, name, address, date of birth etc.) – $30
  • Bank account access – 10% of the credit balance in the account
  • Online Payment Services, such as PayPal – $20-$200

But how do you know whether your information is “out there” just waiting to be abused by cyber criminals? Well, I don’t know but I know a man who does, and he’s set up a rather useful website

Have I been Pwned?

There’s a website called Have I Been Pwned. This has been created by Troy Hunt, a Microsoft Regional Director & MVP (Microsoft Most Valuable Person for developer security). After data from a major cyber incident was “found” on the Dark Web Troy decided to put a database together – in his own time & at his own cost – as a way of allowing people to check whether their data was amongst stolen information and to “keep his hand in” from a programming perspective.

The site is now a comprehensive source of information about data hacks and data loss and is simple to use. All you have to do is enter your email address to see whether you have been “pwned”

And if you have been, as shown in the image above, it will also tell you which data breach (breaches) your email address has been found in.

Not every data breach leads to passwords being available. Some databases have encrypted passwords, making them worthless to the cyber criminal. However, many don’t and, like email addresses, there are millions (over 550) of passwords available on the Dark Web.

As he’s done with email addresses, Troy has now gathered all the stolen passwords that he can find and has created another searchable database dedicated to stolen passwords.

So, why is it so important to know whether your passwords are available to cyber criminals?

At this point, all the criminals have is a list of emails and and another list of passwords. They may not know which ones go together and they also don’t know which websites these email addresses and passwords relate to.

But, from our perspective, there’s a significant weakness. This comes in to play because a lot of people use the same password for many websites simply because it’s easier to remember one password than many. This use of the same password makes things a lot easier for the cyber criminals to put our data to fraudulent use.

Let’s say, for example, that the criminals target Amazon. You might have your credit card details already stored against your account so if a cyber criminal can gain access, all they have to do is change a delivery address and Bob’s their uncle.

They’ll use a “Credential Stuffing Attack” which means that they’ll load all the email addresses in to one database and the passwords in to another and start the attack. First they pick their target (Amazon in my example) and use software that will add an email address to the log-in box. They’ll then turn to different software to try all the passwords in the password database to see whether there’s a match. And once they’ve tried one email address they’ll automatically move on the next one. Once they’ve tried all combinations, and flagged those that work, they’ll move on to another site.

This sounds like a long, slow process but they’ll probably use a “Botnet” – a network of tens, hundreds or possibly thousands of hacked computers around the world that they have control over.

So, you should check “Have I Been Pwned” for both email addresses and passwords and if you’ve got a compromised password you should find the sites you use it on and change it – remembering to use a different one for each site.

Top 10 Passwords of 1018

Different, not similar – Password, PassWord, PAssword1960 and Pa55W0rd are NOT different to a cyber criminal. Criminals will also use these, and other variants of the world’s most popular passwords (2018’s shown in the image to the right) in their attempts to hack your accounts.

If you are concerned about your digital security, or need some help with your website, SEO or anything else online then just drop me an email, andy@enterprise-oms.co.uk , or give me a call on 01793 238020 for a free, no obligation conversation about your requirements

*Pwned – When a map designer in the online game called Warcraft beat another player he wanted to say “Player x has been owned”. Unfortunately, he mis-typed and actually said “Played x has been Pwned”. This is now a “thing”