806152_48409889

What is two-factor authentication and why should I care?

806152_48409889The password is a really old way to protect computer systems, yet many systems we use rely solely on them when authenticating users. A simple password might have been a good idea when we used only a handful of systems, but times are changing. Today we need accounts for all the social media we are on, the mail accounts, accounts for on-line shops, the bank, the workplace, you name it… Frankly speaking, I have no idea how many on-line accounts I have. And I can make one confession. I use the same password on some of them, even if the important ones naturally have strong unique passwords.

And here we are at the core problem with passwords. They should be complex enough to withstand brute force and dictionary attacks (that is when hackers systematically try a large number of passwords in hope of finding the right one) and they should be different on all systems you use (to limit the damage if one account is compromised). Many complex passwords and limited brain capacity, that doesn’t work. There are systems to create and remember many complex passwords, but many people aren’t motivated enough to use them. That’s one reason why two-factor authentication is spreading fast.

Another reason to raise the security is that hackers may target a particular system. They may break into it to steal passwords or use phishing techniques to trick you into revealing your password to them. Or plant a keylogger in your system. They may get the password, but still fail to get access to your account if you use two-factor authentication.

But what is two-factor authentication? Let’s start with some theory. An authentication mechanism can use several factors like what you know (a password you remember), what you have (a smartcard or a mechanical key) or what you are (biometrics, retina or fingerprint scans for example). A two-factor or multi-factor authentication system uses at least two of these factors. The best known example is an ATM-card that you have combined with a PIN-code that you know.

The most common way to utilize this for an on-line service is to rely on your mobile phone. You start by entering your user ID and password normally. After that the system sends a unique one-time code to your phone. You type the code and get access to the system. Your phone is the “what you have” -item as the message is directed to that particular device and can’t be read by others. This requires two things; that you have registered your phone number with the service and that you have turned on two-factor authentication. Some services do promote this option actively and ask if you want to use it.

So should I turn it on? Yes, if the service is important to you. You gain a lot of security for a quite small extra effort. You may have noticed several news reports lately about hacked Twitter-accounts. One of the incidents did even impact the stock market. Twitter happens to be one of the major on-line services that doesn’t support two-factor authentication yet. Many of these incidents could have been avoided if they had support for it. Needless to say, if you tweet for a global news agency you really need more security than just a password. But most ordinary people have services that also are important enough to justify this extra security.

Nothing is perfect so what are the downsides with two-factor authentication? The extra effort to type the code after login is of course obvious. But many systems mitigate this by remembering your device and only requiring the code when using a new device. You also must have your phone with you when you log in, which you probably have anyway. Except if you have lost it, which could prevent you from accessing your accounts. Some configuration settings in your browser may also prevent two-factor authentication from working or force you to authenticate every time you log in, even on the same device. Apps that access your account may require some extra attention. They need an extra application specific password that you can create under security settings in the account’s web interface. And last but not least. The service provider must know your phone number, which normally is linked directly to your true identity. This is usually OK, but becomes a problem if you want to be truly anonymous on the site, or have other reasons to not trust them with your number.

And remember that two-factor authentication improves security a lot, but there is no such thing as perfect security. The skimming attacks against ATMs is a classic example. The malware Perkele targets Android devices and works together with desktop malware to defeat on-line banks. Perkele proves that on-line services’ two-factor authentication can be attacked, but this is not a major threat yet.

So the verdict is that two-factor authentication is good. Turn it on if you can. Here’s some examples of where to look for these settings:

Facebook: Security settings / Login approvals.
Google: Accounts / Security / 2-step verification.
MS Hotmail/Live: Micosoft Account / Security info / Two-step verification.
WordPress: Settings / Security / Two Step Authentication.
Twitter: Not supported yet. :(

Safe surfing,
Micke

UPDATE: Twitter got their act together just hours after posting this article. Now they also provide two-factor authentication. Great! :)

UPDATE2: Seems like Twitter was in a rush to get two-factor authentication out. The implementation is still far from perfect. But it’s a step in the right direction. I’m sure they will get things right, let’s hope it doesn’t take too long.

More posts from this topic

MB

In what color would you like your new Mercedes?

A new Mercedes. Nice. Or maybe an Audi R8? That would be cool. But hold it! Don’t sell your old car yet! Liking and sharing that giveaway campaign on Facebook will NOT give you a new car. Those prizes doesn’t even exist. They are just hoaxes. Internet and Facebook is full of crap, junk, rubbish, nonsense and gibberish. Nobody knows how many chain letters there are spreading some kind of unbelievable story. False celebrity news, bogus first-aid advice, phony charity campaigns and this kind of giveaways. We tend to think about these chain letters as hoaxes, pretty harmless jokes that doesn’t hurt us. But that’s not the full story. A hoax can be harmful, like the outright dangerous first aid advice that some people keep spreading. But a car giveaway is probably a harmless and safe prank, even if it’s false? No, not really. These chain letters are actually not traditional hoaxes, they are like-farming scams. There’s no free lunch, you don’t pay for Facebook with money but with your private data. The like-farming scams work in the same currency. You will not lose any money even if you like the page and share it. Instead you will participate in building a page with a lot of supporters, which is valuable and can be sold later. Needless to say, you will not get any of that money. Here’s how it works. Any business has a problem when starting on Facebook. An empty page without likes isn’t trustworthy. So the scammers set up a page containing anything that can go viral. A promise to get a luxury car works well. They just have to tell everyone to like the page and to share it as much as possible, to keep the chain reaction going and get even more likes. The scammers wait until there’s enough likes before they clean out the content, rename it and start looking for a buyer. The price is in “$ per k”, meaning dollars per 1000 likes. A page with 100 000 likes could sell for over $1000. So sharing the page can make quite a lot of money for the scammers if you have a lot of gullible friends, who in turn have a lot of gullible friends, and so on … The downside for you is that the likes stick even if the page is redesigned for some totally different purpose. Your face will be an evangelist for the page’s new owners and show up next to their brand. And you have no idea about what you will be promoting. I have friends who are anti-fur activists. You can probably imagine what one of them would feel when discovering that she likes a fur-coat designer! And finally some concrete advice. Review your list of old likes regularly. Remove everything except those things you truly like and want to support. When you encounter a giveaway post like this, check the involved brand’s main page in Facebook by searching for the brand name. You will in most cases notice that the giveaway is a totally different page that just is named similarly. That’s a strong scam indicator. Use common sense. From the above you get an idea about what likes in Facebook are worth. Does it make sense to give away luxury cars for this? Don’t participate in scams like this. It might feel tempting, but remember that your chance to win is exactly zero. Spread knowledge every time you see a scam of this kind. Comment with a link to this post or the appropriate description on Hoax-Slayer or Snopes.   Those sites are by the way fun and educating reading. I recommend spending some time there getting familiar with other types of hoaxes too. Read at least these two articles: Facebook car giveaway on Snopes and Facebook like-farming scams on Hoax-Slayer .   Safe surfing, Micke  

Dec 16, 2014
BY 
crime scene

Help! I lost my wallet, phone and everything! I need 1000 €!

“Sorry for the inconvenience, I'm in Limassol, Cyprus. I am here for a week and I just lost my bag containing all my important items, phone and money at the bus station. I need some help from you. Thanks” Many of you have seen these messages and some of you already know what the name of the game is. Yes, it’s another type of Internet scam, an imposter scam variant. I got this message last week from a photo club acquaintance. Or to be precise, the message was in bad Swedish from Google translate. Here’s what happened. First I got the mail. Needless to say, I never suspected that he was in trouble in Limassol. Instead I called him to check if he was aware of the scam. He was, I wasn’t the first to react. Several others had contacted him before me and some were posting warnings to his friends on Facebook. These scams start by someone breaking in to the victim’s web mail, which was Gmail in this case. This can happen because of a bad password, a phishing attack, malware in the computer or a breach in some other system. Then the scammer checks the settings and correspondence to find out what language the victim is using. The next step is to send a message like the above to all the victim’s contacts. The victim had reacted correctly and changed the Gmail password ASAP. But I wanted to verify and replied to the scam mail anyway, asking what I can do to help. One hour later I got this: “Thanks, I need to borrow about 1000 euros, will pay you back as soon as I get home. Western Union Money Transfer is the fastest option to wire funds to me. All you need to do is find the nearest Western Union shop and the money will be sent in minutes. See details needed WU transfer below. Name: (Redacted) Address: Limassol, Cyprus you must email me the reference number provided on the payment slip as soon as you make the transfer so I can receive money here. Thank you,” Now it should be obvious for everyone how this kind of scam works. Once the scammers get the reference number they just go to Western Union to cash in. Most recipients will not fall for this, but the scammers will get a nice profit if even one or two contacts send money. But wait. To pull this off, the scammers need to retain control over the mail account. They need to send the second mail and receive the reference number. How can this work if the victim had changed his password? This works by utilizing human’s inability to notice tiny details. The scammers will register a new mail account with an address that is almost identical to the victim’s. The first mail comes from the victim’s account, but directs replies to the new account. So the conversation can continue with the new account that people believe belongs to the victim. The new address may have a misspelled name or use a different separator between the first and last names. Or be in a different domain that is almost the same as the real one. The two addresses are totally different for computers, but a human need to pay close attention to notice the difference. How many of you would notice if a mail address changes from say Bill.Gates@gmail.com to BiII_Gates@mail.com? (How many differences do you notice, right answer at the end?) To be honest, I was sloppy too in this case and didn’t at first see the tiny difference. In theory it is also possible that webmail servers may leave active sessions open and let the scammers keep using the hacked account for a while after the password has been changed. I just tested this on Gmail. They close old sessions automatically pretty quickly, but it is anyway a good idea to use the security settings and manually terminate any connection the scammers may have open. I exchanged a couple of mails with this person the day after. He told that the scammers had changed the webmail user interface to Arabic, which probably is a hint about where they are from. I was just about to press send when I remembered to check the mail address. Bummer, the scammer’s address was still there so my reply would not have reached him unless I had typed the address manually. The account’s reply-to was still set to the scammer’s fake account. OK, let’s collect a checklist that helps identifying these scams. If someone asks for urgent help by mail, assume it’s a scam. These scams are a far more common than real requests for help. We are of course all ready to help friends, but are YOU really the one that the victim would contact in this situation? Are you close enough? How likely is it that you are close enough, but still had no clue he was travelling in Cyprus? Creating urgency is a very basic tool for scammers. Something must be done NOW so that people haven't got time to think or talk to others. The scammers may or may not be able to write correct English, but other languages are most likely hilarious Google-translations. Bad grammar is a strong warning sign. Requesting money using Western Union is another red flag. Wire transfer of money provides pretty much zero security for the sender, and scammers like that. Many scammers in this category try to fake an embarrassing situation and ask the recipient to not tell anyone else, to reduce the risk that someone else sees through it. These messages often state that the phone is lost to prevent the recipient from calling to check. But that is exactly what you should do anyway. Next checklist, how to deal with a situation where your account has been hijacked and used for scams. Act promptly. Change the mail account’s passwords. Check the webmail settings and especially the reply-to address. Correct any changed settings. Check for a function in the web mail that terminates open sessions from other devices. Gmail has a “Secure your account” -wizard under the account’s security settings. It’s a good idea to go through it. Inform your friends. A fast Facebook update may reach them before they see the scammer’s mail and prevent someone from falling for it. It also helps raising awareness. And finally, how to not be a victim in the first place. This is really about account security basics. Make sure you use a decent password. It’s easier to maintain good password habits with a password manager. Activate two-factor authentication on your important accounts. I think anyone’s main mail account is important enough for it. Learn to recognize phishing scams as they are a very common way to break into accounts. Maintain proper malware protection on all your devices. Spyware is a common way to steal account passwords. The last checklist is primarily about protecting your account. But that’s not the full picture. Imagine one of your friends falls for the scam and loses 1000 € when your account is hacked. It is kind of nice that someone cares that much about you, but losing money for it is not nice. Yes, the criminal scammer is naturally the primarily responsible. And yes, people who fall for the scam can to some extent blame themselves. But the one with the hacked account carries a piece of responsibility too. He or she could have avoided the whole incident with the tools described above. Caring about your account security is caring about your friends too! And last but not least. Knowledge is as usual the strongest weapon against scams. They work only as long as there are people who don’t recognize the scam pattern. Help fighting scam by spreading the word!   Safe surfing, Micke   PS. The two mail addresses above have 3 significant differences. 1. The name separator has changed from a dot to an underscore. 2. The domain name is mail.com instead of gmail.com. 3. The two lower case Ls in Bill has been replaced with capital I. Each of these changes is enough to make it a totally separate mail address.   Image by Yumi Kimura

Dec 8, 2014
BY 
Facbook terms

Facebook’s new terms, is the sky falling?

You have seen them if you are on Facebook, and perhaps even posted one yourself. I’m talking about the statements that aim to defuse Facebook’s new terms of service, which are claimed to take away copyright to stuff you post. To summarize it shortly, the virally spreading disclaimer is meaningless from legal point of view and contains several fundamental errors. But I think it is very good that people are getting aware of their intellectual rights and that new terms may be a threat. Terms of service? That stuff in legalese that most people just click away when starting to use a new service or app. What is it really about and could it be important? Let’s list some basic points about them. The terms of service or EULA (End User License Agreement) is a legally binding agreement between the service provider and the user. It’s basically a contract. Users typically agree to the contract by clicking a button or simply by using the service. These terms are dictated by the provider of the service and not negotiable. This is quite natural for services with a large number of users, negotiating individual contracts would not be feasible. Terms of service is a defensive tool for companies. One of their primary goals is to protect against lawsuits. These terms are dictated by one part and almost never read by the other part. Needless to say, this may result in terms that are quite unfavorable for us users. This was demonstrated in London a while ago. No, we have not collected any children yet. Another bad thing for us users is the lack of competition. There are many social networks, but only one Facebook. Opting out of the terms means quitting, and going to another service is not really an option if all your friends are on Facebook. Social media is by its nature monopolizing. The upside is that terms of service can’t change the law. The legislation provides a framework of consumer and privacy protection that can’t be broken with an agreement. Unreasonable terms, like paying with your firstborn child, are moot. But be aware that the law of your own country may not be applicable if the service is run from another country. Also be aware that these terms only affect your relationship to the provider of the service. Intelligence performed by authorities is a totally different thing and may break privacy promises given by the company, especially for services located in the US. The terms usually include a clause that grant the provider a license to do certain things with stuff the users upload. There’s a legitimate reason for this as the provider need to copy the data between servers and publish it in the agreed way. This Facebook debacle is really about the extent of these clauses. Ok, so what about Facebook’s new terms of service? Facebook claim they want to clarify the terms and make them easier to understand, which really isn't the full story. They have all the time been pretty intrusive regarding both privacy and intellectual property rights to your content, and the latest change is just one step on that path. Most of the recent stir is about people fearing that their photos etc. will be sold or utilized commercially in some other way. This is no doubt a valid concern with the new terms. Let’s first take a look at the importance of user content for Facebook. Many services, like newspapers, rely on user-provided content to an increasing extent. But Facebook is probably the ultimate example. All the content you see in Facebook is provided either by the users or by advertisers. None by Facebook itself. And their revenue is almost 8 billion US$ without creating any content themselves. Needless to say, the rights to use our content is important for them. What Facebook is doing now is ensuring that they have a solid legal base to build current and future business models on. But another thing of paramount importance to Facebook is the users' trust. This trust would be severely damaged if private photos start appearing in public advertisements. It would cause a significant change in peoples relationship with Facebook and decrease the volume of shared stuff, which is what Facebook lives on. This is why I am ready to believe Facebook when they promise to honor our privacy settings when utilizing user data. Let’s debunk two myths that are spread in the disclaimer. Facebook is *not* taking away the copyright to your stuff. Copyright is like ownership. What they do, and have done previously too, is to create a license that grant them rights to do certain things with your stuff. But you still own your data. The other myth is that a statement posted by users would have some kind of legal significance. No, it doesn’t. The terms of service are designed to be approved by using the service, anyone can opt to stop using Facebook and thus not be bound by the terms anymore. But the viral statements are just one-sided declarations that are in conflict with the mutually agreed contact. I’m not going to dig deeper into the changes as it would make this post long and boring. Instead I just link to an article with more info. But let’s share some numbers underlining why it is futile for ordinary mortals to even try to keep up with the terms. I browsed through Facebook’s set of terms just to find 10 different documents containing some kind of terms. And that’s just the stuff for ordinary users, I left out terms for advertisers, developers etc. Transferring the text from all these into MS Word gave 41 pages with a 10pt font, almost 18 000 words and about 108 000 characters. Quite a read! But the worst of all is that there’s no indication of which parts have changed. Anyone who still is surprised by the fact that users don’t read the terms? So it’s obvious that ordinary user really can’t keep up with terms like this. The most feasible way to deal with Facebook’s terms of service is to consider these 3 strategies and pick the one that suits you best. Keep using Facebook and don’t worry about how they make money with your data. Keep using Facebook but be mindful about what you upload. Use other services for content that might be valuable, like good photos or very private info. Quit Facebook. That’s really the only way to decline their terms of service. By the way, my strategy is number 2 in the above list, as I have explained in a previous post. That’s like ignoring the terms, expecting the worst possible treatment of your data and posting selectively with that in mind. One can always put valuable stuff on some other service and post a link in Facebook. So posting the viral disclaimer is futile, but I disagree with those who say it’s bad and it shouldn’t be done. It lacks legal significance but is an excellent way to raise awareness. Part of the problem with unbalanced terms is that nobody cares about them. A higher level of awareness will make people think before posting, put some pressure on providers to make the terms more balanced, and make the legislators more active, thus improving the legal framework that control these services. The legislation is by the way our most important defense line as it is created by a more neutral part. The legislator should, at least in theory, balance the companies’ and end users’ interests in a fair way.   Safe surfing, Micke   Image: Screenshot from facebook.com

Dec 3, 2014
BY