Cybersecurity Blog

How to prevent a two factor authentication compromise – 03/04/20

This week I posted an article telling the horrific tale of a Mount Royal employee who had their phone number ported to another carrier and their email compromised even though they had two factor authentication enabled on their email account.

How was this possible? The authentication method they had used was an SMS message sent to their phone. With this method, whoever has control over the phone number receives the authentication codes. The bad news is, if someone impersonates you and either asks for a new SIM card or moves your number to a different carrier, they can get access to your email account. The good news is, there is a way to stop this.

Instead of using a text message sent to your phone as your second step, use an authenticator app or authenticator key. An authenticator app generates an authentication code using wifi, while an authenticator key must be plugged in or waved near a device for you to log in. In both cases you have to be in physical possession of the second factor to get access to your account. Of course, if your phone is stolen or your key is lost, you are locked out. However, you can print off backup codes and have an extra key available in case that happens.

Identity theft in 2020: Everyone is a target (a MRU employee tells their story) – 03/04/20

As coordinator of the cybersecurity awareness program here at MRU, I often have colleagues call me with their own personal tales of horror. One of the more recent ones involved a port-out scam. Here is their tale, written in their own words…

Until recently, identity theft was definitely something that we never thought could happen to us. It’s something that we warned our grandparents, our parents and even our security-relaxed friends about. But we were totally safe, or so we thought.

Through this experience our lives have definitely changed forever. We have learned a great deal and are now more aware, and will be more vigilant. It was shocking to discover how easy it might be to lose everything. 

Upon landing at the airport in Calgary at 2 AM following a holiday early in January, my boyfriend (for privacy we will call him James) turned his phone on to discover that he had no carrier service. We didn’t think it would be anything serious and joked about something being wrong with his last payment.

The next morning James called Telus and a Customer Service Agent informed him that he had ported his number out to Bell on Tuesday, to which he quickly replied that he had been out of the country, so that was impossible. After some convincing that this action was not taken by James, Telus quickly, and easily, ported the number back from Bell. We knew at this point that something was very wrong. He was also unable to get into his Microsoft Outlook email account; his password was denied.

Once James had his number back, he was able to use his phone (with SMS two-step authentication) to reset his password and get into his email accounts, where we quickly realized the horrifying truth that his identity was compromised. Someone had accessed his email account with his phone number, changed the password, and taken over.  James’s email account is connected to everything: PayPal, Amazon, personal & joint banking, investments, taxes, etcetera. I am sure you can imagine the anxiety James and I felt in that moment of realization.

You’re probably thinking that James did something to be a target. He must have been lenient with his security questions, or displayed some weakness with online purchases or social media. We have gone over everything meticulously to try to figure this out, and with the help of many people, our conclusion is that he actually did nothing wrong. All the hackers needed to access his email was his phone number. He is not a prominent person and does not hold a prominent position, so not your typical target according to experts. Further, he is very private and careful, with the strongest security settings on his social media accounts where he is also conscious about everything he posts, and any business he does online shopping with.

Next came the long process of regaining control… cancelling credit cards, bank accounts, informing all businesses and friends of the identity theft… setting up security watches on James’ Social Insurance Number through various government services… hours of waiting on hold, explaining the situation and the frustrating experience of having to convince people of the seriousness of the situation.

We talked to Calgary Police Service (CPS), and while they made some good suggestions of things to change, credit checks to put in place, it was also frustrating that there was nothing they could do. Because no physical property was actually taken there will not be an investigation. We were also informed that we should maintain a close eye on all of James’ accounts for at least six to eight years as we don’t truly know what information the hackers obtained and they may resurface at a later date. 

Microsoft Outlook support was useless because the same security measures that should help in this situation caused serious issues. The hackers were able to change the security settings in the account before James got it back. They added their own email addresses and phone numbers as new two-factor authentication security. It is part of the Microsoft Outlook security plan that when changes are made there is a 30-day freeze before further changes can occur. Despite hours speaking with Microsoft Outlook staff at all levels, they refused to close the accounts before the 30-day freeze.

Through all of this we learned that this is called a Port-out Scam. In this case, Telus confirmed to James that his account number was provided to Bell in the port. There was an incredible lack of due-diligence to verify one’s identity in this case. This type of scam has been known to play on the emotions of customer service agents at telecommunications companies and the lack of security measures in place to protect customers. 

How does it work? The hacker would have acquired James’s name and phone number from somewhere to start – not difficult given the world we live in. Next they might have called Telus, pretending to be James, claiming they want to make a payment on their account, but they are not at home and didn’t have their account number – can they have it? The customer service agent should refuse, or ask detailed security questions only James can answer, but instead they provide the number. (CPS told us that hackers can also get addresses, email addresses and more this way.) Next, armed with everything they need, they simply call another company (Bell in this case) and pretend to be James, saying they want to port their number over from Telus. Just like that the hacker owns your number and now they can get into anything your number is tied to for two-step authentication.

James called Bell to inform them of the theft and that they were used in the process of the theft, and, surprisingly, they brushed him off. Told him it was not their problem. Wanting to understand how this could possibly happen, I called Bell to casually inquire about moving over from my existing carrier and told the customer service agent I wanted to keep my phone number. She was more than happy to assure me it was no problem to keep my number – all I needed was my number, and to ensure my account with my previous carrier was in ‘good standing.’ It was way too easy. 

The comical part in this experience is that while it was so easy for the hacker to steal James’s number, in order to cancel his phone number (once he got it back) the Telus Customer Service Agent’s protocol was to hang up and call James back to verify that it was his number, as well as asking for detailed account information and his driver’s licence number. This means that there is protocol that exists, but no assurance that it is followed regularly.

We are sharing this story as we hope that others will learn from this. We want telecommunications companies to start taking security seriously and we want you to be vigilant. Instead of assuming you are taking precautions and you are safe from identity theft, in 2020 it is safer to assume you are a target and take precautions for the day you will be attacked.

Mystery Blogger
(MRU Employee)

Is there a way to use 2FA that will provide security even if you are a victim of a port-out or SIM swap scam? Yes there is. Read How to prevent a two factor authentication compromise to find out.

Authenticator apps, the good, the bad and the ugly 04/03/19

With compromised passwords floating around the dark web like masses of lemmings, two-factor authentication is moving from nice-to-have to a must. Unfortunately, the most commonly used second factor is an SMS text message. Although this method is easy for account providers to implement, it can also be compromised.

Fortunately, more and more account providers are recognizing this and are integrating with authenticator apps. An authenticator app is a phone app that either generates an authorization code for you or shows you a prompt you can respond to. As the phone number is not used to deliver the code, the 2FA cannot be bypassed by a SIM swap.

There are several well-known authenticator apps on the market. The top ones are Google Authenticator, Microsoft Authenticator, 1Password, LastPass Authenticator and Authy. All are free to try out. For the most part, they work pretty much the same way. You set them up by either scanning a QR code or entering a key to register your account with the app. When you go to log in, the code appears in the app with a countdown showing you how long it is valid for. You enter the code and shazam, you are in!
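To show what the QR code, the key and the countdown actually are, here is a worked example of the time-based one-time password scheme (RFC 6238) that these apps implement. It is an example added here, not code from this blog or from any of the apps named, and it assumes the usual defaults (HMAC-SHA1, 6 digits, 30-second step) and a constructed demo secret. It also makes concrete the point of the "How to prevent" post above: the code comes from a secret shared when you scan the QR code plus the current time, so the phone number is never involved and a port-out or SIM swap cannot redirect it.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# Assumed parameters; these are the defaults most authenticator apps and providers use.
STEP_SECONDS = 30   # the countdown shown next to the code
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, dynamically truncated to `digits`."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, digits: int = DIGITS, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second steps since the Unix epoch.
    Only the shared secret and the clock go in; no phone number and no network is needed."""
    return hotp(secret, at // step, digits)


def seconds_remaining(at: int, step: int = STEP_SECONDS) -> int:
    """How long the current code stays valid (the countdown the app displays)."""
    return step - (at % step)


def provisioning_uri(secret: bytes, issuer: str, account: str) -> str:
    """The otpauth:// URI the QR code encodes; the base32 'secret' is the key you type in by hand."""
    key = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={key}&issuer={quote(issuer)}&digits={DIGITS}&period={STEP_SECONDS}")


def verify_totp(secret: bytes, submitted: str, at: int, window: int = 1) -> bool:
    """Server-side check: accept the current step plus or minus `window` steps to tolerate
    clock drift, comparing in constant time so timing reveals nothing about the expected code."""
    current = at // STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret, current + d), submitted)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    # Constructed demo secret (the RFC test key); a real enrolment would use secrets.token_bytes(20).
    demo_secret = b"12345678901234567890"
    now = int(time.time())
    print("QR payload:", provisioning_uri(demo_secret, "MRU", "user@example.com"))
    print("code:", totp(demo_secret, now), "valid for", seconds_remaining(now), "seconds")
```

Because the server stores the same secret, anyone who can read the provider's database or a screenshot of the QR code can generate the codes too, which is why the apps' backup features and the provider's storage of the secret matter as much as the phone itself.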

What sets them apart are the added features. Let’s start with Google Authenticator. It is free and simple to use, and as it is by Google it is often highly rated by reviewers. However, the devil is in the details, and one huge detail is that you cannot back up your authenticator keys. This is a big problem if you get a new phone. It is also the reason why it is so poorly rated on the Apple Store. No one wants to spend days re-authenticating dozens of sites. This puts it squarely in the category of ugly.

Next up is Microsoft Authenticator. It works pretty much like the Google one for non-Microsoft accounts. However, with Microsoft accounts you can use your phone’s biometrics or PIN to log in instead of entering a password. This is a slick feature if you use a lot of Microsoft products, and it’s free. Unlike Google Authenticator, you can back up your authorization keys, but you must have a Microsoft account to do it. I put this one in the good category for Microsoft users and in the bad category for everyone else.

On to 1Password. This app is actually a password manager with an authenticator built in. If you are looking for a full-featured password solution, this would be your tool. It is free to try, but you have to purchase it once your trial is over. Like the Microsoft app, you can back up your keys, and it generates authentication codes for its second factor. This one is also rated good.

We finally arrive at my favorite, LastPass Authenticator. The free version functions on its own like the Microsoft and Google products. However, if you purchase the LastPass password manager you can back up your keys, plus you get this nice little feature that lets you respond to a prompt instead of entering a code. Winner, winner, chicken dinner!! No more entering codes puts this one at the top of my list. Not only is it a full-featured password solution, but it makes securing your accounts way less work.

Lastly is Authy. This little app is free to use, does the job and you can back up your codes. It is a solid solution that is always highly rated. If you don’t want to pay for an authenticator, this is your app. It definitely falls on the good side.

As determining which app is better for you can largely depend on your personal likes and dislikes, I recommend you try them out before you commit long term.

On a final note, although authenticator apps may be more secure, they still use your phone for the authentication process. If you lose your phone or forget it, you won’t be able to get into your account. Therefore, before you enable any type of phone-based two-factor authentication, make sure you can print off backup codes and store them in your wallet or purse. If you lose or forget your phone, you can use the codes to get into your account. Not all accounts have backup codes (the LastPass password manager is one of them), so do your homework before you enable 2FA.
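Backup codes come up twice on this page, here and in the "How to prevent" post, so here is a worked example of how a provider would issue and honour them. It is an example added here, not code from this blog or from any of the services named, and the code format (ten codes of eight hex characters, printed as xxxx-xxxx) and the record layout are assumptions for the sake of illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

CODE_BYTES = 4        # 8 hex characters per code, printed as xxxx-xxxx (assumed format)
DEFAULT_COUNT = 10    # how many codes a provider typically hands out at once (assumed)


def normalize(code: str) -> str:
    """Accept what a person types from a printout: case, spaces and dashes are ignored."""
    return "".join(ch for ch in code.lower() if ch in "0123456789abcdef")


def hash_code(code: str, salt: bytes) -> str:
    """Store only a salted hash, as with a password, so a copied database does not reveal the codes."""
    return hashlib.sha256(salt + normalize(code).encode()).hexdigest()


def generate_backup_codes(count: int = DEFAULT_COUNT) -> Tuple[List[str], Dict]:
    """Return the printable codes (shown to the user once) and the server-side record.
    The record holds only hashes and a used flag per code; the plaintext is never stored."""
    salt = secrets.token_bytes(16)
    codes: List[str] = []
    record: Dict = {"salt": salt, "hashes": {}}
    while len(record["hashes"]) < count:          # loop guards against a duplicate draw
        raw = secrets.token_hex(CODE_BYTES)
        digest = hash_code(raw, salt)
        if digest in record["hashes"]:
            continue
        record["hashes"][digest] = False          # False = not yet used
        codes.append(f"{raw[:4]}-{raw[4:]}")
    return codes, record


def redeem_backup_code(record: Dict, submitted: str) -> bool:
    """Consume one code. Each code works exactly once; comparisons run in constant time."""
    candidate = hash_code(submitted, record["salt"])
    for stored, used in record["hashes"].items():
        if hmac.compare_digest(stored, candidate):
            if used:
                return False                      # already spent: treat as invalid
            record["hashes"][stored] = True
            return True
    return False


def codes_remaining(record: Dict) -> int:
    """How many unused codes are left; providers warn the user when this gets low."""
    return sum(1 for used in record["hashes"].values() if not used)


if __name__ == "__main__":
    printable, server_record = generate_backup_codes()
    print("Print these and keep them in your wallet:")
    print("\n".join(printable))
    print("first code accepted:", redeem_backup_code(server_record, printable[0]))
    print("same code again:", redeem_backup_code(server_record, printable[0]))
    print("codes left:", codes_remaining(server_record))
```

The two properties worth noticing are that a code is useless once it has been redeemed, so a printout that is later found or photographed only helps an attacker for the codes you have not yet spent, and that the provider keeps hashes rather than the codes themselves.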

 

How to enable two-factor authentication on Instagram 04/3/19

Two-factor authentication (2FA) keeps criminals out even when your password is compromised. With passwords regularly being stolen in data breaches, more and more account providers are offering this feature. Instagram is one of them.

They allow you to use an authenticator app or a text message as your second factor. However, removing an authenticator app is not very user friendly (it took 24 hours), so I suggest sticking with text messaging until this improves.

Worth noting is that Instagram does not remember your devices, so every time you log in you have to enter a confirmation code. This may make 2FA a no-go if you access it on your computer and log in and out of your account frequently. If you just use it on your phone, then 2FA is a good option. Otherwise you may want to wait until they upgrade it.

To enable two-factor authentication on Instagram:
  1. Log in to your Instagram account.
  2. Click the person icon in the upper right hand corner. Your profile appears.
  3. Click the cog next to the Edit Profile button. A menu drops down.
  4. Select Privacy and Security. The Privacy and Security settings appear.
  5. Select Edit Two-Factor Authentication Setting. You may have to scroll down to find it. The 2FA settings appear.
  6. Select Use Text Message. The Phone number text box appears.
  7. Enter your phone number.
  8. Click the Next button. A code is texted to your phone and a Confirmation Code text box appears.
  9. Enter the code texted to your phone into the Confirmation Code text box.
  10. Click the Done button. A list of Backup Codes appear.
  11. Print off the Backup Codes for use in case you lose your phone or it gets stolen.

Another shortfall of 2FA in Instagram is that if you turn it off and then wish to turn it on again, you will have to log out of your account and then log in again before you will be given the option to re-enable it.

How to enable 2FA on LinkedIn – 03/25/19

Two-factor authentication keeps criminals out even when your password is compromised. LinkedIn offers its users this feature. It calls it two-step verification (2SV) and it is easy to enable.

Funnily enough, LinkedIn requires two steps to enable 2SV. First you have to add a cell phone number to your account, then you enable 2SV.

Step 1 – add a phone number to your LinkedIn account:
  1. Open LinkedIn.
  2. Click on your profile pic. A menu appears.
  3. Select Settings & Privacy.
  4. Click the Account tab.
  5. Select Login and security from the menu on the left.
  6. Select Phone numbers. The section expands.
  7. Select Canada from the country field.
  8. Enter your cell phone number in the New phone number field.
  9. Click the Send code button. A password dialog box appears.
  10. Enter your password and click Done. A code is texted to your phone.
  11. Enter the code in the text box.
  12. Click the Verify button.

Step 2 – enable two-factor authentication on LinkedIn:

If you have just added your phone number and you are still looking at the Login and security section, go to step number six. Otherwise start with step one.

  1. Open LinkedIn.
  2. Click on your profile pic. A menu appears.
  3. Select Settings & Privacy.
  4. Click the Account tab.
  5. Select Login and security from the menu on the left.
  6. Select Two-step verification. The section expands.
  7. Click Turn on. The Password dialog box appears.
  8. Enter your password and click Done. A verification code is texted to your phone.
  9. Enter the code in the text box.
  10. Click the Verify button.

How to enable two-factor authentication on your Facebook account – 03/26/19

With the latest news of Facebook storing unhashed passwords in clear view of their employees, now is a great time to enable two-factor authentication. Doing so will keep your Facebook account secure even if one of their employees decides to have a little fun at your expense. As with the two-step verification that Google uses, you are only required to enter the security code if you are logging in from an unknown device.

To enable two-factor authentication on your Facebook account:
  1. Login to Facebook.
  2. Click the down arrow on the menu bar. A list drops down.
  3. Select Settings. The General Account Settings appear.
  4. From the menu on the left, select Security and Login. The Security and Login page appears.
  5. Click Use two-factor authentication. The Two-Factor Authentication page appears.
  6. Click the Get Started button. A dialog box appears.
  7. Select how you want to authenticate your login, with a text message or an authenticator app.
  8. Click the Next button. You will either be asked to enter a phone number or set up the authenticator app.
  9. Click the Next button. A code is texted to your phone or a prompt appears on your phone.
  10. Enter the code into the text box or tap on the prompt on your phone.
  11. Click the Next button. A notification dialog box appears.
  12. Click Finish.

Once it is enabled, it is a good idea to print off recovery codes or select another backup option in case you lose your phone or it is stolen.

Don’t want to rely on a phone for 2FA? Use a security key – 03/11/19

A security key is a small plastic fob that you carry with you or leave plugged into your computer. It replaces your phone as the second factor in two-factor authentication (2FA). The keys can be used with most accounts that offer 2FA, and some can be used to log in to your Mac or PC. Each key has its own advantages and disadvantages; however, the most popular keys available in Canada are made by Yubico. While there are other manufacturers out there, Yubico’s keys work with more accounts than any other.

They offer a variety of models, each one with its own set of features. Some stay plugged into your computer. Others you carry on your key chain. Some you can use with mobile devices while others are just for computer use. It can get a bit confusing trying to determine which key is the best fit for you; however, their website has a quick quiz that can help.

Their most popular and least expensive model is the Security Key. At only $20 US, it does everything the average home user needs a security key to do. The only thing it is missing is NFC capability. In fact, it is so popular it is currently out of stock. The good news is they have decided to offer their upgraded key with NFC capability for the same low price.

The key is super easy to set up. Just log in to your account and find the 2FA settings. Select security key as your second factor, insert the key and push the button. Voila, the key is set up for the account. When you want to log in, you insert your key into your USB port and push the button, or tap the key to the back of your NFC-enabled phone.

No fussing with verification codes or phone prompts. You do, however, have to keep your key with you. As with any other 2FA method, it is a good idea to have a backup plan should something happen to the key. It is recommended that you purchase a second one in case the first one is lost. The good news is buying two will only set you back $36 US.

The key is waterproof and super durable, so it will survive being tossed around on your key chain. It is also nice and flat, so it hangs easily with your other keys. Here are just some of the accounts that it works with.

  • 1Password
  • Blogger
  • Dashlane
  • Digidentity
  • Docusign
  • Dropbox
  • EA
  • Epic Games
  • Eve Online
  • Facebook
  • Google
  • Instagram
  • KeePass
  • Kickstarter
  • LastPass
  • LogonBox
  • MailChimp
  • macOS
  • Microsoft
  • Nintendo
  • PassPack
  • Reddit
  • Trello
  • Twitter
  • WordPress
  • YouTube

For a complete list of accounts that work with Yubico’s Security Key, visit their website. If you are serious about using 2FA and don’t want to use your phone, a security key is really the only way to go.

Enabling 2FA on LinkedIn – 03/07/19

Two-factor authentication (2FA) and its cousin two-step verification (2SV) ensure that your account stays secure even if your password is compromised. Not all account providers offer 2FA or 2SV; however, LinkedIn does.

To enable 2SV on your LinkedIn account you must first add your phone number to your LinkedIn profile. To add your phone number to LinkedIn:

  1. Login to LinkedIn.
  2. Click your photo. A menu drops down.
  3. Select Settings & Privacy.
  4. Click the Account tab.
  5. Under Login and security, select Phone numbers.
  6. Select Add phone number.
  7. Select Canada from the drop down list.
  8. Enter your phone number into the text box.
  9. Click Send code. A dialog box appears asking for your password.
  10. Enter your password.
  11. Press ENTER on your keyboard. The verification code is sent to your phone.
  12. Enter the verification code into the text box on your computer.
  13. Click Verify.

To enable two-step verification on LinkedIn:

  1. Login to LinkedIn.
  2. Click your photo. A menu drops down.
  3. Select Settings & Privacy.
  4. Click the Account tab.
  5. Select Two-step verification. You may have to scroll down to find it.
  6. Click Turn on. A dialog box appears asking for your password.
  7. Enter your password.
  8. Press ENTER on your keyboard. The verification code is sent to your phone.
  9. Enter the verification code into the text box on your computer.
  10. Click Verify.

Please note that although I have provided step by step instructions, account providers are constantly changing their privacy settings, features and procedures. They like to keep us on our toes. They certainly don’t want us to start feeling comfortable using their tool. That might lead us to believing we are in control of our own privacy and security, that would never do. Am I sounding bitter? So sorry, that won’t do either. Let’s reset. Please check LinkedIn’s help files for the most accurate and up to date instructions on how to enable 2SV as these instructions may become obsolete before they are even published. Sorry, I tried to reset. I couldn’t do it. Happy enabling!

Why enabling two-factor authentication is more important now than ever – 02/28/19

Two-factor authentication (2FA) and its cousin, two-step verification, are available on a variety of accounts such as Google, Facebook, LinkedIn, Yahoo, Twitter and Instagram. When it is enabled, after you successfully enter your password on a strange computer you are asked to respond to a prompt or enter a verification code sent to your phone. This ensures that even if your password is compromised, your account will stay secure. That is, unless the criminal has your phone as well.

If that is the case, you are having one heck of a day and require support that is outside the scope of this article. I hope your phone is password protected and I wish you good luck. I digress. Back to why enabling 2FA has become so important.

Last month we saw enormous lists of login credentials pop up on the dark web. While previously miscreants had to purchase this valuable information, these large collections of usernames and passwords are now available for free. Aspiring Kevin Mitnicks the world over can now try their hand at cybercrime, no upfront credential purchase needed.

As a result, we have seen a big jump in credential stuffing attacks, some of them on home security cameras with terrifying results. Ideally you should have a unique password for each account. However, if this particular habit has not yet been entrenched, two-factor authentication will save your bacon.

Although registering your email on Have I Been Pwned will let you know if your password has been compromised, it takes time before a data breach shows up on their radar. With 2FA, as soon as you receive a verification code or prompt on your phone, you know someone has stolen your password. This early warning system allows you to change the passwords on your accounts that don’t have 2FA before any damage is done.

Hopefully I have convinced you that two-factor authentication is no longer something that is nice to have, but is essential to securing your data. The next question is, “How do I start using it?”. Thankfully, there is this really great quick reference guide that walks you through the steps on how to enable 2FA on your Mount Royal email account. And yes, I wrote it…that’s why it’s really great. If you have any questions or need some help with the process, please feel free to contact me.

You can also come down to Main Street on March 13, April 10 or May 7. I will be there with my prize wheel. If you talk to me about two-factor authentication, you can spin and win.

Hackers thwart two step verification with phishing emails – 01/02/19

Those clever hackers are at it again. They have figured out a way to get around two-step verification on Gmail and Yahoo accounts. They are using fake alerts to lure their victims into giving up verification codes.

The scam works like this. First you receive an email saying your account may have been compromised. The email includes a button to take you to your account to check its activity. However, when you click the button you are sent to the hackers’ web page, which looks like an official login page. When you enter your password, another fake web page appears asking for a verification code. All of this seems perfectly normal as the pages look just like the real thing.

Unfortunately, the hacker has recorded your login credentials. They then use those credentials to log in to the actual account website, which generates a verification code that is sent to your phone. You receive the code seconds after entering your credentials, so you think nothing of it. You enter the verification code into the fake website. The code is recorded by the hackers and they enter it on the real two-step verification page. To keep you from getting suspicious, you are sent to another fake web page asking you to change your password. Once you “change your password” you are redirected to a real account web page. They now have access to your account and you are unaware something is amiss.

How do you protect against this type of attack? Don’t use links in emails to verify possible account compromises. Instead use a bookmark or search result to visit the account website and check the security status or change your password that way.
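The advice above boils down to "never trust the link in the alert". Here is a worked example, added here and not code from this blog, that applies that check mechanically to the HTML of a suspicious email: it pulls out every link, compares where it really points with the provider domains you actually use, and flags links whose visible text is a different address from their real target or that are not served over HTTPS. The email body is a constructed sample modelled on the alert described in the post, and the trusted domain list is an assumption you would replace with your own providers.

```python
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlsplit

# Provider domains the reader actually has accounts with (assumed; adjust to your own).
TRUSTED_DOMAINS = ("google.com", "yahoo.com")

# Constructed sample modelled on the fake alert described above; not a real message.
SAMPLE_EMAIL = """
<p>We detected an unusual sign-in to your account.</p>
<p>Review it here: <a href="https://accounts-security-check.example/login">https://myaccount.google.com/security</a></p>
<p>If this wasn't you, <a href="http://mail.yahoo.com.example/verify">secure your account now</a>.</p>
<p>You can also open <a href="https://myaccount.google.com/security">your account page</a> directly.</p>
"""


class LinkExtractor(HTMLParser):
    """Collects (visible text, href) pairs for every anchor in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html: str) -> List[Tuple[str, str]]:
    parser = LinkExtractor()
    parser.feed(html)
    parser.close()
    return parser.links


def hostname(url: str) -> str:
    """Host part of a URL, lower-cased, without a trailing dot."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def is_trusted_host(host: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only for the provider's domain itself or a real subdomain of it.
    'mail.yahoo.com.example' is rejected because the suffix must be exactly '.yahoo.com'."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def check_links(html: str, trusted=TRUSTED_DOMAINS) -> List[dict]:
    """One finding per link; an empty 'reasons' list means nothing looked wrong."""
    findings = []
    for text, href in extract_links(html):
        host = hostname(href)
        reasons = []
        if not is_trusted_host(host, trusted):
            reasons.append("target is not the provider's domain")
        if urlsplit(href).scheme != "https":
            reasons.append("link is not https")
        # When the visible text is itself a URL, it must point where it claims to.
        shown_host = hostname(text) if "://" in text else ""
        if shown_host and shown_host != host:
            reasons.append("visible URL differs from real target")
        findings.append({"text": text, "href": href, "host": host, "reasons": reasons})
    return findings


def suspicious_links(html: str, trusted=TRUSTED_DOMAINS) -> List[dict]:
    return [f for f in check_links(html, trusted) if f["reasons"]]


if __name__ == "__main__":
    for f in check_links(SAMPLE_EMAIL):
        verdict = "SUSPICIOUS" if f["reasons"] else "ok"
        print(f"{verdict:10} {f['host']:35} {'; '.join(f['reasons'])}")
```

The third link in the sample passes every check and still should not be clicked from the email; the checker tells you which links are certainly bad, but the bookmark habit in the paragraph above is what keeps you safe when a lookalike slips through.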