806152_48409889

What is two-factor authentication and why should I care?

806152_48409889The password is a really old way to protect computer systems, yet many systems we use rely solely on them when authenticating users. A simple password might have been a good idea when we used only a handful of systems, but times are changing. Today we need accounts for all the social media we are on, the mail accounts, accounts for on-line shops, the bank, the workplace, you name it… Frankly speaking, I have no idea how many on-line accounts I have. And I can make one confession. I use the same password on some of them, even if the important ones naturally have strong unique passwords.

And here we are at the core problem with passwords. They should be complex enough to withstand brute force and dictionary attacks (that is when hackers systematically try a large number of passwords in hope of finding the right one) and they should be different on all systems you use (to limit the damage if one account is compromised). Many complex passwords and limited brain capacity, that doesn’t work. There are systems to create and remember many complex passwords, but many people aren’t motivated enough to use them. That’s one reason why two-factor authentication is spreading fast.

Another reason to raise the security is that hackers may target a particular system. They may break into it to steal passwords or use phishing techniques to trick you into revealing your password to them. Or plant a keylogger in your system. They may get the password, but still fail to get access to your account if you use two-factor authentication.

But what is two-factor authentication? Let’s start with some theory. An authentication mechanism can use several factors like what you know (a password you remember), what you have (a smartcard or a mechanical key) or what you are (biometrics, retina or fingerprint scans for example). A two-factor or multi-factor authentication system uses at least two of these factors. The best known example is an ATM-card that you have combined with a PIN-code that you know.

The most common way to utilize this for an on-line service is to rely on your mobile phone. You start by entering your user ID and password normally. After that the system sends a unique one-time code to your phone. You type the code and get access to the system. Your phone is the “what you have” -item as the message is directed to that particular device and can’t be read by others. This requires two things; that you have registered your phone number with the service and that you have turned on two-factor authentication. Some services do promote this option actively and ask if you want to use it.

So should I turn it on? Yes, if the service is important to you. You gain a lot of security for a quite small extra effort. You may have noticed several news reports lately about hacked Twitter-accounts. One of the incidents did even impact the stock market. Twitter happens to be one of the major on-line services that doesn’t support two-factor authentication yet. Many of these incidents could have been avoided if they had support for it. Needless to say, if you tweet for a global news agency you really need more security than just a password. But most ordinary people have services that also are important enough to justify this extra security.

Nothing is perfect so what are the downsides with two-factor authentication? The extra effort to type the code after login is of course obvious. But many systems mitigate this by remembering your device and only requiring the code when using a new device. You also must have your phone with you when you log in, which you probably have anyway. Except if you have lost it, which could prevent you from accessing your accounts. Some configuration settings in your browser may also prevent two-factor authentication from working or force you to authenticate every time you log in, even on the same device. Apps that access your account may require some extra attention. They need an extra application specific password that you can create under security settings in the account’s web interface. And last but not least. The service provider must know your phone number, which normally is linked directly to your true identity. This is usually OK, but becomes a problem if you want to be truly anonymous on the site, or have other reasons to not trust them with your number.

And remember that two-factor authentication improves security a lot, but there is no such thing as perfect security. The skimming attacks against ATMs is a classic example. The malware Perkele targets Android devices and works together with desktop malware to defeat on-line banks. Perkele proves that on-line services’ two-factor authentication can be attacked, but this is not a major threat yet.

So the verdict is that two-factor authentication is good. Turn it on if you can. Here’s some examples of where to look for these settings:

Facebook: Security settings / Login approvals.
Google: Accounts / Security / 2-step verification.
MS Hotmail/Live: Micosoft Account / Security info / Two-step verification.
WordPress: Settings / Security / Two Step Authentication.
Twitter: Not supported yet. :(

Safe surfing,
Micke

UPDATE: Twitter got their act together just hours after posting this article. Now they also provide two-factor authentication. Great! :)

UPDATE2: Seems like Twitter was in a rush to get two-factor authentication out. The implementation is still far from perfect. But it’s a step in the right direction. I’m sure they will get things right, let’s hope it doesn’t take too long.

More posts from this topic

Mikko Hypponen

Mikko Hypponen’s Malware Hall of Fame

Mikko Hypponen is one of the world’s most prominent cyber security experts. Described as a “virus hunter” in a Vanity Fair profile called “The Code Warrior”, Hypponen has spent nearly 25 years with F-Secure protecting people from computer viruses, worms, trojans, and other types of malware. In 2011, Hypponen travelled to Pakistan to meet the men behind the first known PC virus – Brain.A. [youtube https://www.youtube.com/watch?v=lnedOWfPKT0&w=560&h=315] The Brain virus was released in January of 1986, making January 2016 the 30th anniversary of this milestone in malware history. I thought it would be interesting to reach out to Mikko and ask him about other families of malware that standout as being noteworthy. So here’s Mikko’s list of some of the most infamous malware families (including viruses, worms, trojans, etc) that’ve pestered, frustrated, and even extorted computer users over the past few decades. 1990 Form – Form was a common computer virus identified in 1990, and for several years, was arguably the most prominent computer virus in the world. Spread through 3.5” floppy disks, it infected millions of computers throughout the world, and is possibly one of the most widespread viruses in history. 1992 Michelangelo – Michelangelo earns a place on the list for being the first truly global virus scare. It was named after the famous artist because the virus remained dormant until March 6 (the artist’s birthday), when it would awaken and overwrite sections of infected hard disks, thereby making the information inaccessible and the computer unusable. The virus was never particularly prominent compared to some of its contemporaries, but its destructive nature and subtlety helped spread Michelangelo Madness throughout the globe. 1995 Concept – Concept was the very first macro virus – a type of virus that infects applications such as Microsoft Word. It was a very prominent security concern in the mid-nineties, and even though it was successful in propagating itself organically during this time, it hasn’t been seen in over a decade. As the first macro virus, it was notable in that it spread by hiding itself as a Word doc and then infecting computers as those documents were shared. By using Word, it could use both Windows PCs and Macs to spread infections, as the software could run on both platforms. 1999 Melissa – Melissa, supposedly named after an exotic dancer, was a computer virus that sent infected Word documents to contacts in victims’ Outlook address book. While the virus was not designed to be particularly destructive, its rapid proliferation through the Internet wreaked considerable havoc on corporate servers and infrastructure. Some accounts claim that it infected twenty percent of computers globally, and the man eventually convicted of releasing the virus into the wild admitted to causing eighty million dollars in financial losses. 2000 Loveletter – Loveletter, also widely known as ILOVEYOU, was a prominent email worm that was able to spread itself throughout the globe in a matter of hours by promising victims a little bit of love. Disguising itself as a chain, love-themed email to recipients helped it quickly spread from its Filipino origin through Asia, Europe and North America. To this date, it is one of the largest malware outbreaks of all time, and responsible for an estimated 5.5 billion dollars of damage. 2001 Code Red – Code Red was the first fully-automated network worm for Windows. As in users would not have to interact with a machine in order to spread the infection. Code Red’s most infamous day was July 19th, 2001, when it successfully infected 300,000 servers. The worm was programmed to spread itself on certain days, and then execute distributed denial-of-service (DDoS) attacks on others, and was used against several different targets (including The White House). 2003 Slammer, Lovsan, and Sobig – Ok, so there’s three here and not just one. But they all occurred very close together, and unfortunately, all three were worms responsible for massive, global malware outbreaks. Slammer targeted servers so it’s presence wasn’t readily apparent to end users (save some lagging when they were attempting to access an infected server). Lovesan, however was able to infect end users running Windows ME or Windows XP, and use the infected machines in DDoS attacks. Sobig spread itself through email and network drives, and contained a trojan in order to cause more headaches for infected users. However, it appears that the trojan feature did not function as expected. These three worms infected millions of machines, and made headlines all over the world. 2004 Sasser – A computer worm that can be considered as the last large “hobbyist” outbreak. This is significant as it signaled the end of an era when most malware was written by people who were simply curious to see what the malware could do. Nowadays, malware has a more specific, insidious purpose, such as stealing information or making money. 2006 Warezov – A two-year email worm campaign perpetuated by professional criminals, Warezov gained notoriety for downloading new versions of itself from remote servers – sometimes as frequently as every 30 minutes, according to a 2006 interview with Mikko. 2007 Storm Worm (also called Small.dam) – Storm Worm was a trojan that was spread as an attachment to spam emails. But more importantly, it was a combination of complex and advanced virus techniques that criminals were able to use to make money by using infected machines as part of a botnet. 2013 Cryptolocker – A notorious ransomware family, Cryptolocker was spread through malicious email attachments, as well as the infamous Gameover Zeus botnet. Infected victims would find their hard drives suddenly encrypted, essentially locking them out of their devices and data until they paid a ransom to the perpetrators. While the FBI, in cooperation with other law enforcement agencies and security companies (including F-Secure), were able to disrupt the operation, the perpetrators were able to use Cryptolocker to extort about 3 million dollars from victims before being stopped. Other notable mentions include the 2005 Sony rootkit (for being distributed on Sony BMG CD-ROMs on their behalf), the still prominent Downadup worm from 2008 (for infecting millions, including armed forces of several countries and police departments), and the well-known Stuxnet virus from 2010 (for both its sophistication and its apparent state-sponsorship). If you want to know more about the history of computer viruses, you can check out Computer Invaders: The 25 Most Infamous PC Viruses of All Time!

January 29, 2016
BY 
Scam

Yes, it’s OK to play with scammers

This TED talk is so hilarious that I just have to share it with you. Watch it! British comedian James Veitch is engaging in the noble art of scam baiting, or scamming the scammers. The same as this site is dedicated to, or when I almost sold my boat to Mexico. I guess most or all of you already know how to spot an advance payment scam, aka. Nigerian scam. But James has some more to offer here. He’s making two important points, in addition to the excellent entertainment value. People often warns about engaging in any kind of conversation with these scammers. They are after all criminals and it’s safest to steer clear of them. I disagree, just like James. The people behind this kind of scams is not exactly the violent drug mafia. As a matter of fact, anyone who can use e-mail and Google Translate can set up a scam like this. And they are located in some poor remote country, typically in Africa. So it’s extremely unlikely that any of them would start hunting down people who play with them. That would disrupt their everyday business and cut profits, cost money and introduce the risk to get caught. But I do discourage people from engaging in scam baiting under their real identity. Set up a new mail account under a false name and never reveal any real contact info to them. You can reply from a different address than where you got the original spam. They are pumping out millions of spam messages and will not even notice the changed address. This adds an additional layer of security. And more important, it keeps your real inbox free of spam. Use their own tactic. Create a false identity with name, address, profession and country of residence. Stick to that story and make sure not a single bit of it is true. Read more about how to scam bait at 419eater.com. The other point is that scam baiting is a good deed. It keeps the scammers busy and ties up their resources. Resources that otherwise would have been used to scam a real victim and cause real damage. A single scam baiter can’t of course save the world, but they would probably shut down if all of us spent an hour a week scam baiting. And it can be fun so why not? A good scam baiter can be a real pain in the a** for the scammers. Be prepared to get some threats and evil language when they realize what is going on. Consider that as a trophy, a proof that you did it right. Don’t feel bad for them. They did after all contact you with the sole purpose to scam you for money.   Safe scam baiting, Micke   Image: Screenshot from ted.com  

January 28, 2016
BY 
Sean Sullivan

Sean Sullivan says look out for extortion, ad blocking in 2016

This is part of a series of posts about what security experts think will happen in 2016. F-Secure Security Advisor Sean Sullivan spends a lot of his time thinking about how people expose themselves to online risks. Whenever you download an app, click on a link, or open an email, there’s potential security problems that most people never even think about. But not Sean. It’s part of his job to understand how these things actually work, and what people should be doing to keep their devices and data safe from online threats. Here’s a quick look at what security issues Sean thinks people and companies will have to contend with in the upcoming year. “2016 will be remembered as the year of extortion.” Sean’s already predicted that the future of online threats will revolve around extortion. That is, criminals will be investing in scams that see people and businesses paying a “fee” to avoid being victimized by online threats. Ransomware is a well-known example of this trend. It’s malware that locks (either through encryption or other means) people’s devices unless a “ransom” is paid to the perpetrators. “Criminals will continue to figure out ways to extort people and businesses,” said Sean. “The returns we’ve seen extortionists getting on ransomware demonstrates just how profitable the malware sector can be for criminals. Increasing use of social networking tools like Linkedin are also giving online criminals a way to collect data and research potential blackmail targets, and given developments like these, I’m expecting criminal enterprises involving extortion to evolve throughout 2016.” Sean has pointed out in the past that crypto-ransomware, and many other types of online threats, are actually very sophisticated criminal enterprises. They often have a level of service that rivals what legitimate companies offer their customers, making them very profitable for criminals. In fact, the FBI advises ransomware victims to simply pay to have their computers unlocked (but F-Secure Labs has created some useful guidelines that people can follow to remove some police-themed ransomware variants). “We’ll still be talking about ad blocking at this time next year.” Ad blocking became an explosive topic after Apple built content blocking capabilities into iOS 9 earlier in the year. While it seems like a good idea for consumers, ad blocking caused waves after a report pointed out that publishers stand to lose billions due to ad blocking technologies. Publishers that use native advertising, or apps (like Apple News) to push content to their audience, will be largely unaffected. But publications relying on web browsers have become vocal critics of the practice, even though security experts (and even tech journalists) suggest that ad blocking may be in the best interests of consumers. “Ad blocking is going to continue to be an issue because there’s been no real progress on solving the problems that ad blocking is supposed to address,” says Sean. “The problematic connection between online advertising and tracking is still there, so there’s going to be demand for ad blockers until this changes. Plus, malvertising is still a huge security concern that ad blocking can help with, so using these apps is a good way for consumers to minimize online risks and have a better online experience, especially on mobile devices.” “Use of end-to-end encryption will increase in 2016.” Governments have been toying with the idea of asking tech companies to work around encryption to support national security interests. However, many companies and security experts are opposed to this, as encryption allows information to stay safe from criminals and other agents looking to collect information to use for less than altruistic purposes (for example, extortion, discrimination, targeted advertising). End-to-end encryption is one approach to securing digital communications that allows information to be encrypted by the sender and then decrypted by the receiver, which prevents anyone in between those two points (such as the company providing the service or app) from accessing the personal data contained in the messages. Whatsapp and Apple’s Facetime are popular examples of messaging apps that use end-to-end encryption. According to Sean, use of these kinds of apps will increase in 2016, despite pressure for companies to offer weaker encryption to end users. “The security benefits of end-to-end encryption are indisputable, and all the arguments to the contrary are really weak. But the real driver for this will be business, because it’s the best way for companies to provide secure services to users. It’s cheaper and more secure, so it’s a better option for both app developers and users.”

December 18, 2015
BY