Cybersecurity Blog

Authenticator apps, the good, the bad and the ugly – 04/03/19

 

 

With compromised passwords floating around the dark web like masses of lemmings, two-factor authentication is moving from a nice-to-have to a must. Unfortunately, the most commonly used second factor is an SMS text message. Although this method is easy for account providers to implement, it can also be compromised.

Fortunately, more and more account providers are recognizing this and they are integrating with authenticator apps. An authenticator app is a phone app that either generates an authorization code for you or provides the user with a prompt they can respond to. As the phone number is not used to deliver the code, the 2FA cannot be bypassed by a SIM swap.

There are several well-known authenticator apps on the market. The top ones are Google Authenticator, Microsoft Authenticator, 1Password, LastPass Authenticator and Authy. All are free to try out. For the most part, they work pretty much the same way. You set them up by either scanning a QR code or entering a key to register your account with the app. When you go to log in, the code appears in the app with a countdown showing you how long it is valid for. You enter the code and shazam, you are in!
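What happens between registering the key and seeing the code, as an added example that is not part of the original post: the standard time-based one-time password calculation (RFC 6238). It assumes the common defaults of HMAC-SHA1, 30-second steps and 6 digits, and uses the RFC's published test key rather than a real account key.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 published test key (ASCII "12345678901234567890"), not a real account key
RFC_TEST_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, unix_time, step=30, digits=6):
    """Return (code, seconds_left) for a base32 key at a given Unix time."""
    # Keys are often shown in lower case with spaces; base32 needs padding to 8 chars.
    cleaned = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = int(unix_time) // step            # number of steps since the epoch
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                     # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    code = str(value % 10 ** digits).zfill(digits)
    return code, step - int(unix_time) % step   # countdown shown in the app


def verify(secret_b32, submitted, unix_time, step=30, digits=6, window=1):
    """Server side: accept the current step plus `window` steps either way for clock drift."""
    for drift in range(-window, window + 1):
        t = int(unix_time) + drift * step
        if t < 0:
            continue
        expected, _ = totp(secret_b32, t, step, digits)
        # Constant-time comparison so timing does not leak how many digits matched
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return True
    return False


if __name__ == "__main__":
    import time
    code, left = totp(RFC_TEST_KEY, time.time())
    print(f"code {code}, valid for another {left}s")
```

Both sides compute the code from the shared key and the clock, so nothing is delivered to a phone number. The same property means anyone who copies the key can generate valid codes.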

What sets them apart are the added features. Let's start with Google Authenticator. It is free and simple to use, and as it is by Google it is often highly rated by reviewers. However, the devil is in the details and one huge detail is you cannot back up your authenticator keys. This is a big problem if you get a new phone. It is also the reason why it is so poorly rated on the Apple Store. No one wants to spend days re-authenticating dozens of sites. This puts it squarely in the category of ugly.

Next up is Microsoft Authenticator. It works pretty much like the Google one for non-Microsoft accounts. However, with Microsoft accounts you can use your phone’s biometrics or PIN to log in instead of entering a password. This is a slick feature if you use a lot of Microsoft products and it’s free. Unlike Google Authenticator you can back up your authorization keys, but you must have a Microsoft account to do it. I put this one in the good category for Microsoft users and in the bad category for everyone else.

On to 1Password. This app is actually a password manager with an authenticator built in. If you are looking for a full-featured password solution, this would be your tool. It is free to try, but you have to purchase it once your trial is over. Like the Microsoft app you can back up your keys and it generates authentication codes for its second factor. This one is also rated good.

We finally arrive at my favorite, LastPass Authenticator. The free version functions on its own like the Microsoft and Google products. However, if you purchase the LastPass password manager you can back up your keys, plus you get this nice little feature that lets you respond to a prompt instead of entering a code. Winner, winner chicken dinner!! No more entering codes puts this one at the top of my list. Not only is it a full-featured password solution, but it makes securing your accounts way less work.

Last is Authy. This little app is free to use, does the job and you can back up your codes. It is a solid solution that is always highly rated. If you don’t want to pay for an authenticator, this is your app. It definitely falls on the good side.

As determining which app is better for you can largely depend on your personal likes and dislikes, I recommend you try them out before you commit long term.

On a final note, although authenticator apps may be more secure, they still use your phone for the authentication process. If you lose your phone or forget it, you won’t be able to get into your account. Therefore, before you enable any type of phone-based two-factor authentication, make sure you can print off backup codes and store them in your wallet or purse. If you lose or forget your phone, you can use the codes to get into your account. Not all accounts have backup codes; the LastPass password manager is one of them, so do your homework before you enable 2FA.

 

Why enabling two-factor authentication is more important now than ever – 02/28/19

 

 

Two-factor authentication (2FA) and its cousin, two-step verification, are available on a variety of accounts such as Google, Facebook, LinkedIn, Yahoo, Twitter and Instagram. When it is enabled, after you successfully enter your password on a strange computer you are asked to respond to a prompt or enter a verification code sent to your phone. This ensures that even if your password is compromised, your account will stay secure. That is unless the criminal has your phone as well.

If that is the case, you are having one heck of a day and require support that is outside the scope of this article. I hope your phone is password protected and I wish you good luck. I digress. Back to why enabling 2FA has become so important.

Last month we saw enormous lists of login credentials pop up on the dark web. While previously miscreants had to purchase this valuable information, these large collections of usernames and passwords are now available for free. Aspiring Kevin Mitnicks the world over can now try their hand at cybercrime, no upfront credential purchase needed.

As a result we have seen a big jump in credential stuffing attacks, some of them on home security cameras with terrifying results. Ideally you should have a unique password for each account. However, if this particular habit has not yet been entrenched, two-factor authentication will save your bacon.

Although registering your email on Have I Been Pwned will let you know if your password has been compromised, it takes time before a data breach shows up on their radar. With 2FA, as soon as you receive a verification code or prompt on your phone that you did not request, you know someone has stolen your password. This early warning system allows you to change the passwords on your accounts that don’t have 2FA before any damage is done.

Hopefully I have convinced you that two-factor authentication is no longer something that is nice to have, but is essential to securing your data. The next question is, “How do I start using it?”. Thankfully, there is this really great quick reference guide that walks you through the steps on how to enable 2FA on your Mount Royal email account. And yes, I wrote it…that’s why it’s really great. If you have any questions or need some help with the process, please feel free to contact me.

You can also come down to Main Street on March 13, April 10 or May 7. I will be there with my prize wheel. If you talk to me about two-factor authentication, you can spin and win.

 

What is credential stuffing and why should you care? – 02/14/19

 

 

As I predicted, hackers are starting to take advantage of the huge collections of free user credentials floating on the web. This week both Dunkin’ Donuts and OkCupid have had large numbers of their user accounts hacked with credential stuffing.

Credential stuffing is where hackers take a list of usernames and passwords and use them to try to log in to a site. They use computer programs that allow them to test thousands of login credentials in minutes. If someone is reusing passwords or using common or weak passwords, they will have no problem accessing those accounts.

As those Dunkin’ Donuts and OkCupid users found out, it is almost impossible to prevent hackers from accessing accounts this way. They can block most of the login attempts, but there will always be those that get through. Although Dunkin’ Donuts’ users originally lost access to their Perks accounts, the company replaced them and ensured customers didn’t lose any value they had accumulated. The poor folks at OkCupid not only lost their accounts, but had to worry about criminals having access to private messages. Ouch!
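How an account provider can spot the pattern described above and find the logins that got through, as an added example that is not part of the original post. The log format, the addresses and the thresholds are constructed for illustration, and grouping by source address is an assumption that misses attempts spread across many addresses.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: timestamp, source address, username, result
SAMPLE_LOG = """\
2019-02-14T10:00:01 203.0.113.7 alice FAIL
2019-02-14T10:00:02 203.0.113.7 bob FAIL
2019-02-14T10:00:02 198.51.100.20 grace FAIL
2019-02-14T10:00:03 203.0.113.7 carol OK
2019-02-14T10:00:04 203.0.113.7 dave FAIL
2019-02-14T10:00:05 203.0.113.7 erin FAIL
2019-02-14T10:00:09 198.51.100.20 grace FAIL
2019-02-14T10:00:20 198.51.100.20 grace OK
"""


def parse(log):
    """Yield (time, source, username, succeeded) for each log line."""
    for line in log.strip().splitlines():
        ts, source, user, result = line.split()
        yield datetime.fromisoformat(ts), source, user, result == "OK"


def flag_stuffing(log, window=timedelta(minutes=5), min_users=5):
    """Return {source: [accounts it logged in to]} for sources that tried
    at least `min_users` different usernames within `window`."""
    by_source = defaultdict(list)
    for event in parse(log):
        by_source[event[1]].append(event)
    flagged = {}
    for source, events in by_source.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window forward so it never spans more than `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({e[2] for e in events[start:end + 1]}) >= min_users:
                # Stuffing tries many accounts once each; a user who forgot a
                # password retries one account. Successes here need a reset.
                flagged[source] = sorted({e[2] for e in events if e[3]})
                break
    return flagged
```

On the sample, the source that cycles through five usernames is flagged with `carol` as the account to lock and reset, while the user who mistyped a password twice is left alone.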

So how do you protect yourself against credential stuffing?

  1. Don’t reuse passwords. I know, I know, I say this all the time, but I am going to say it one more time. I know it is inconvenient and a pain but it really is the only way to protect yourself.
  2. Use a password manager. This takes the sting out of my first recommendation. Password managers not only store your passwords, but make generating them and logging in a breeze.
  3. Use the new Password Checkup Chrome extension from Google. This puppy has already saved my bacon once. I had come up with a nice secure password. Turns out someone else involved in a data breach had come up with the same one. Password Checkup let me know so I could change it.
  4. Register with haveibeenpwned.com. If you register your email with them, they will email you when your email address shows up in a data breach. If you are still reusing passwords, this gives you time to change them. Credentials stolen in data breaches often show up on the dark web for sale before the breached company even knows their users’ data has been compromised.
  5. Enable two-factor authentication on every account that has it available. Two-factor authentication requires you to enter an authentication code or respond to a prompt from an authentication app only when you log in to an unknown device.

 

Password reuse results in missile alert terrifying a family – 01/24/19

A Florida family was terrorized by a notification coming from their Nest security camera alerting them of a missile launch by North Korea.  Interestingly enough, until they heard the alert the family didn’t even know the camera had speakers.

 

 

Although the traumatized mom blames Nest for not notifying their users of a data breach, it wasn’t Nest who was breached. The data breach occurred elsewhere. As the family reuses passwords, once one of their accounts was exposed it left all of their accounts vulnerable.

Although it certainly would have been a nice bit of customer service for Nest to notify their account holders that they should change their passwords if they reuse them, it is not their legal responsibility as they were not hacked. The responsibility for notification lies with the breached account provider.  The family didn’t say whether that notification was received.

Regardless of whether Nest should have notified their users or not, this poor mother still had to watch her terrified nine-year-old son crawl under the carpet in a panicked attempt to protect himself from nuclear missiles. No mother should have to experience that.

How do you prevent your family from being traumatized by a prankster hacker?

  1. Be familiar with all the features of your  camera before you buy it. Know if it has a microphone or speakers, connects to the internet, whether the default password can be changed, how the firmware is updated and where recorded video is stored.
  2. Change the default password as soon as you set up the camera. Use a unique, effective passphrase.
  3. Update the camera’s firmware as soon as it is installed and keep it up to date. If it has an automatic update feature, enable it.
  4. Disconnect the camera from the internet when you aren’t using it.

Taking these steps will greatly reduce the chances of your camera being hacked. These same steps can be taken to secure any IoT device.

Our world is rapidly changing with technology creeping into all aspects of our lives. It is important that we change with it to ensure our families’ safety. That means we need to be aware of the risks associated with the devices that we bring into our homes and how to mitigate them. As this Florida family has learned, tech companies aren’t going to do this for us.

 

Buying tech this Christmas? Check out its creepy factor – 11/20/18

 

 

This year, there are tons of cool tech gadgets on the market. Everything from teddy bears that connect to the internet to personal alarms. As neat as all of these devices are, some of them have the potential to leave the users feeling exposed and violated.

Thankfully, the good folks at Mozilla have put together a terrific website that examines the privacy risks of the hottest tech gifts. At privacy not included you can find out what information a device collects, what is done with that data and what kind of security the device has. They also rate customer service. To make it extra fun, consumers can give each item a creepiness rating based on how comfortable they would be having that device in their home.  Check it out.

 

Watch for fake Black Friday offers – 11/19/18

 

It’s that time of year again. Retailers are sending out emails teasing you with their upcoming Black Friday deals that are too incredible to believe. Criminals love to take advantage of this flurry of email activity by sending out their own offers, mimicking legitimate retailers and luring consumers into giving up their login credentials or downloading malware onto their device.

If you receive an email with one of these truly fabulous offers, visit the retailer’s website directly rather than clicking links in the email. The retailer’s offers will be on their website if they are legitimate. Happy shopping!!

 

Have a D-Link router? It may have a huge security hole. – 10/22/18

 

 

The following models of D-Link routers all contain a significant security flaw: DWR-116, DWR-140L, DWR-512, DWR-640L, DWR-712, DWR-912, DWR-921 and DWR-111. If you have one of these models, check the D-Link website for updates. If no update is available, the router has likely reached end of life and no update will be issued. Unfortunately, that means you will need to buy a new router if you want to secure your network from hackers.

Watch homeowners find out their security cameras are being broadcast worldwide – 10/22/18

 

 

With more and more of the devices in our homes connecting to the internet come more and more ways for criminals to hack your home network. To show just how easy it is, CBC’s Marketplace teamed up with some white hat hackers and hacked into the home networks of several Canadian homes. When homeowners were shown how vulnerable their privacy and their networks were, they were shocked and disturbed. Watch the episode and see how easily your network can be hacked and what you can do to prevent it.

This week’s Cyber Security Challenge draw entry code is l4lnwsrt. This is the last entry code.  Make sure you get all your codes entered before 4:00 pm Oct 30.

Porn hoax messages on WhatsApp targeting kids – 09/13/18

 

 

There is a disturbing new hoax making the rounds in WhatsApp. Children are receiving messages in the app from someone named Olivia who claims to know them, but has a new phone number. Once they establish contact, they send the child a link to porn sites. Although this is currently happening in the UK, hoaxes like this can quickly spread.

This would also be a good time to review with your child how to stay safe online, and remind them to not forward hoax messages.

Kids and cell phones, how to keep them safe – 08/08/18

 

 

As parents gleefully start planning for back to school, one question that may come up is ‘Does my child need a cell phone?’. If your answer is yes, there are some things that you can do to help protect them from cyber bullies, predators and scammers.

  1. Enable the password protected screen lock.  Let your child know that the password should not be shared with anyone but Mom or Dad.
  2. Know every app on your child’s phone, every account that is created and what the passwords are.
  3. Check your child’s phone for disturbing content on a regular basis. Their access to a phone should depend on you having access to it as well. You pay the bills, you make the rules.
  4. Check the privacy and security settings on the phone and apps. Be careful with location tracking. If you can find your child, so can someone else.
  5. Keep the apps and phone software up to date.
  6. Have a talk with your kids about online safety. Teach them to:
    • Never respond to calls, texts or emails from people they don’t know.
    • Talk to them about cyber bullying, harassment and predators. Make sure they know they can come to you for help.
    • Be careful about what they post. Too much personal information can make them vulnerable. Posting the wrong photo or making the wrong comment can mess up their life.
    • Only connect to people through social media that they know.
    • Watch for geo-tagging on photos. They don’t want their exact location to be displayed.

Even if you don’t follow all these guidelines, having a frank and honest discussion about phone safety and modeling desired behavior will go a long way to keeping your kids safe.  For more resources on determining when is the right time for a cell phone and how to keep your kids and teens cyber safe, visit Safe Search Kids by Google.