
Two-Factor Authentication: What is It and How Does it Work?

There are many ways that you can protect yourself on the internet, and one of the things you can do is begin using two-factor authentication.


You have likely seen two-factor authentication even if you don’t totally know what it is. For example, if you do your banking online, your bank might send a code to you via text or email. Or when you try to change your password you might receive some form of confirmation to make sure it’s you. This is exactly what two-factor authentication is: an extra step that confirms you control the account. It makes it harder for a criminal hacker to get in, because a password alone is no longer enough. With two-factor authentication they also need access to the second factor: your email account, a key fob, an authenticator app or your smartphone.

Sites That Have Two-Factor Authentication

Most major websites offer two-factor authentication. You can find help setting these up, below:

Apple ID

You can set up two-factor authentication for your Apple ID on an iPhone or iPad, and it then covers iCloud as well:

  • Open “Settings,” tap your name, then “Password & Security,” and choose “Turn On Two-Factor Authentication.”
  • Enter a trusted phone number.
  • Check your texts, enter the code, and that’s it.

Facebook

  • Log into your Facebook account, click “Settings,” and then click “Security and Login.”
  • Click “Use two-factor authentication,” and then click “Edit.”
  • Choose the method. There are several options, including an authentication app, text messages, and code generators.
  • Follow the instructions that appear on screen.
  • Click “Enable.”

Gmail

You can also set up two-factor authentication for Google accounts, including Gmail.

  • Open your Google Account’s security settings and find “2-Step Verification.”
  • Click on “Get started.”
  • Follow the instructions that appear on screen to turn the feature on.

Yahoo

  • Sign into your Yahoo account
  • Click on “Account security.”
  • Make sure “Two-step verification” is switched to “On.”
  • Type in your phone number and choose phone call or text message
  • Input the code, and then click “Verify.”

Instagram

If you have an Instagram account, you can also set up two-factor authentication:

  • Log into your Instagram account.
  • Go to your profile and select the tab for the device you use (iPhone, Android or web).
  • Scroll down until the “Two-Factor Authentication” option appears.
  • Click “Require Security Code.”
  • Insert your phone number, and then click “Next.”
  • A code will be sent to your phone. Put it into Instagram, and then click “Next.”

Twitter

If you have Twitter, you can use two-factor authentication, too, but the steps differ depending on how you get onto your account. For instance, it’s different on a laptop than on an iPhone. Check the Help Center to learn more about setting up two-factor authentication.

Here are some more sites that allow two-factor authentication. Click on the links for more information:

Amazon

Ebay

Linkedin

Paypal

With billions of records stolen, it is likely a criminal not only has your username for various accounts, which is often simply your email address, but also your password for various accounts. Right now, the most effective practical way to keep them out is two-factor authentication. And while some will argue that two-factor authentication is far from foolproof, it really is the best option that is easy to use and adds a meaningful layer of defense.

Written by Robert Siciliano, CEO of Credit Parent, Head of Training & Security Awareness Expert at Protect Now, #1 Best Selling Amazon author, Media Personality & Architect of CSI Protection Certification.

Is Two Factor Authentication a Good Thing to Use?

“TechWorld” has some interesting information, including a story on a report from the National Institute of Standards and Technology (NIST). And while you may not see this as being “fun,” it is at a minimum interesting. I’m here to break it down for you.

In that report (a draft of NIST’s Digital Identity Guidelines, SP 800-63B), the public was advised to stop relying on SMS text messages to deliver login codes, which many people read as “stop using two-factor authentication.” Other people say two-factor authentication is the very best way to prevent identity theft. So, which is it? Let’s take a look.

When you get a message from someone, you surely want to make sure that they are who they say they are. Many of us rely on tools like Caller ID for that. You might want to stop, because Caller ID can be faked. The same goes for the sender of a text message: as attackers make more use of spoofing, they can fake the SMS messages that text-based two-factor (or two-step) verification relies on. So it is very important to stay vigilant about protecting your information and to be careful about what you respond to via text.

Why Authentication is Important

When it comes to authentication in transactions, it’s imperative that you, and only you, can access your info. We now know that it is very easy for a criminal, if they know what they are doing, to get into your accounts using just your username and password. So a username and a password alone isn’t enough.

How Two-Factor Authentication Works

When you choose to use two-factor authentication, after entering your password online you receive a one-time code, by SMS or from an authenticator app, which you then enter to fully log into your account. For a texted code, all of the following must be true:

  • You must have a mobile device
  • You must know how to access the device (PIN or biometrics)
  • You must have a username and password to an online account
  • You must have the one-time use code, which will be sent to the device

Unless all four of these things are present, the account cannot be accessed. So, even if a hacker has your username and password, with two-factor authentication set up they would also need your device to access the account. This makes it much more difficult to illegally access an account and makes your account much safer.

How Hackers are Being Smarter than Two-Factor Authentication

Though it is more difficult for a hacker to get into an account that has two-factor authentication, it is not impossible. Here are some ways hackers get around it:

Man in the Middle Attack (talking you out of the code):

  • The hacker obtains your username and password.
  • The hacker tries to log in and is stopped because you have two-factor authentication set up. That login attempt is what triggers the code to be sent to your phone.
  • The hacker contacts you via social media, email, text or phone with some pretext (“we detected suspicious activity, reply with the code we just sent you”) to get the one-time code. Whoever types that code into the waiting login screen gets in.

Phone Cloning (SIM swapping):

  • The hacker goes into a brick-and-mortar carrier store, or calls the carrier, and pretends to be you. They come away with a new phone or SIM that carries your number, and your text messages, codes included, now arrive on their device.

Changing the Number:

  • The hacker sets up a fake website that asks for your phone number. With that number and the other details they have collected, they impersonate you to the carrier or to the site and have the number reassigned, or the account’s recovery number changed, to one they control. It sounds more complicated than it is.

There is a Lot of Confidence About SMS Two-Factor Authentication

When you use SMS two-factor authentication, you have far less to worry about if your password gets into the wrong hands. Remember, the criminal who has your password still needs your one-time code, and unless they have your phone, or talk you into reading the code to them, they can’t get it.

Companies that offer two-factor authentication give their customers more confidence, and there is increased interest in the company’s products and services because transactions are more secure.

So, should you be nervous about SMS two-factor authentication? No. You really do have an extra level of protection; just remember that it isn’t totally foolproof. There are still ways a hacker can access your accounts, though it is quite difficult, and where a site offers an authenticator app, that is a stronger second factor than a texted code.

You can have confidence in two things: first, that banks continue to come up with easy, friendly ways to keep all of us safe, including alternatives to texted codes, and second, that you are already a step ahead of hackers thanks to your new-found knowledge from reading this article.

One simple way to find and activate two-factor authentication for all critical websites is to do a Google search for “two factor” plus the name of the site, for example “two factor Amazon.” You’ll find plenty of instructions for enabling two-factor authentication on every critical website you visit.

ROBERT SICILIANO CSP, is a #1 Best Selling Amazon author, CEO of CreditParent.com, the architect of the CSI Protection certification; a Cyber Social and Identity and Personal Protection security awareness training program.

What is Two-Factor Authentication and How Does it Work?

There are a number of ways that you can protect yourself online, and one of the things you can do is to start using two-factor authentication.

You probably have seen two-factor authentication even if you aren’t sure what it is. For instance, if you do online banking, your bank might text a code to your phone or email when you try to change the password. This is two-factor authentication. It’s basically just an extra step that confirms that you are the account owner. This makes it more difficult for hackers to get into your account, too. Not only do they need a password, they also need access to your smart phone or email account.

These Critical Websites need Two Step Authentication

Most large websites have the option for two-factor authentication. Each company name is linked to their specific instruction.  Here’s how to set it up:

Apple ID

You can use two-factor authentication for your Apple ID on an iPhone or iPad, and it covers iCloud as well:

  • Open “Settings,” tap your name, then “Password & Security,” and choose “Turn On Two-Factor Authentication.”
  • Enter a trusted phone number.
  • Look at your text, enter the code, and you are good to go.

Facebook

  • Log into your Facebook account. Click on “Settings,” “Security and Login.”
  • Choose “Use two-factor authentication,” and then click “edit.”
  • Select the method. There are several options including texts, apps, and code generators.
  • Follow the instructions shown on the screen.
  • Click “Enable.”

Gmail

You can set up two-factor authentication for Gmail and Google accounts.

  • Navigate to the Google page for 2-Step Verification.
  • Click “Get started.”
  • Follow on-screen instructions to turn the feature on.

Yahoo

  • Sign into your account
  • Click “Account security.”
  • Look for “two-step verification,” and make sure it’s “on.”
  • Enter your phone number, and choose text message or phone call
  • Enter the code, and then click on “Verify.”

Instagram

If you use Instagram, you can also set up two-factor authentication:

  • Log into your account on Instagram.
  • Navigate to your profile and select the tab for the device you use (iPhone, Android or web).
  • Scroll down until you see “two-factor authentication.”
  • Click on “require security code.”
  • Enter a phone number if one is not there. Click “Next.”
  • You will get a code to your phone. Enter it, and then click “Next.”

Twitter

If you use Twitter, you can also set up two-factor authentication. However, there are different steps to take depending on how you access the site, either from a laptop or PC, an iPhone, or an Android. You can learn about setting two-factor authentication up by visiting the Help Center.

Here are a few more important sites that require a more in-depth explanation:

Linkedin

Paypal

Ebay

Amazon

ROBERT SICILIANO CSP, is a #1 Best Selling Amazon author, CEO of CreditParent.com, the architect of the CSI Protection certification; a Cyber Social and Identity Protection security awareness training program.

Be aware of all these Confidence Crimes

Criminals rely on tricking victims into handing over account information, like passwords. This is known as social engineering, and is also called a “confidence crime.” It comes in many forms:

Do Not Take the Bait of These Phishermen

  • A phishing email that targets a specific person is known as spear-phishing. A spear-phishing email looks like an email that might come from a legitimate company to a specific person. For example, a thief might send a fake email to a company’s employee who handles money or IT. It looks like the email is from the CEO of the company, and it asks the employee for sensitive information, such as the password for a financial account or to transfer funds somewhere.
  • Telephones are used for phishing, too. This is called “vishing,” a combination of “voice” and “phishing.”
  • Fake invoices are also popular among hackers and scammers. In this case, a fake invoice is sent to a company that looks like one from a legitimate vendor. Accounting pays the invoice, but the payment actually goes to a hacker.
  • Another scam is when a bad guy leaves a random USB drive around the office or in a parking lot. His hope is that someone will find it, get nosy, and insert it into their computer. When they do, it releases malware onto the network.
  • Cyber criminals also might try to impersonate a vendor or company employee to get access to business information.
  • If someone calls, if you get an email, if the doorbell rings, or if someone enters your office, always look at it with suspicion.

Be thoughtful about security:

  • Set up all bank accounts with two-factor authentication. All web-based email accounts should have two-factor authentication too. This way, even if a hacker gets your password, they still can’t sign in without the second factor.
  • Train staff to be careful about what they post on social media, such as the nickname the CEO goes by in the office.
  • Do not click links inside unexpected emails. They often lead to pages that harvest your password or deliver malware that can spread across your network.
  • Any requests for money or other sensitive data should be verified over the phone or in-person. Never just give the information in an email.
  • All money transfers should require not one, but two signatures.
  • Make sure all employees are fully trained to recognize a phishing attempt. Also, make sure to stage phishing simulation attempts to make sure they are following protocol.
  • Help people understand the importance of looking out for things like a new email address for the CEO or Kathy in accounting suddenly signing her name Kathi.
  • Also, teach staff to report any uncharacteristic behaviors with long-time vendors or even fellow coworkers.

I once presented a security awareness program to a company that was almost defrauded. They hired me because of an email accounting had received from the CEO. The CEO sent a nice proper letter to accounting requesting payment be made to a specific known vendor.

A number of things were wrong with the email. First and foremost, like I mentioned, the email was nice and proper. Apparently the CEO isn’t all that nice, is somewhat of a bully, and all his communications are laden with profanity. So the red flag was the fact that the email was nice. Imagine.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

10 ways to beef up Digital Security

#1. Keep everything up to date. You know those annoying popups telling you updates are available? Do you ever click out of them? Don’t. Always update at the time these appear.

#2. Two-step verification. Two-step verification or authentication should be set up for all your accounts that offer it. A unique one-time code, generated by an authenticator app or sent to your phone or e-mail, must be entered along with your password at login.

#3. Unneeded browser extensions? Review your browser extensions and uninstall the ones you don’t use. Too many extensions slow down your computer, and every extension is code that can see what you do in the browser.

#4. Encryption. Encryption software scrambles your e-mail and other correspondence so that prying eyes can’t read them, but you and your intended correspondent can. If you must use public Wi-Fi (like at a coffee house), use a virtual private network to encrypt your traffic.

#5. Lock screen protection for your mobile device. Your smartphone has lock screen protection in the form of a passcode, fingerprint or face unlock to prevent a non-authorized user from gaining access. If you leave your phone lying around or lose it, you’re protected if you have a lock set. Otherwise you are screwed.

In the same vein, your laptop should have protection from non-authorized users. Set up a password that allows access to using the device, including after hibernation periods.

#6. Check active logins. Some accounts allow you to check active logins to see if any unauthorized users have been in your accounts, such as Twitter, Facebook and Gmail.

#7. How easily can someone impersonate you? Could anyone phone your bank or medical carrier and give the correct information to bypass security, such as your “favorite pet’s name”? Who might know this information? Well, if it’s on your Facebook page, anyone who can view it. How much of your personal information is actually online? Many accounts allow a “secondary password” or verbal passphrase for phone support; ask for one.

#8. Simple but powerful layers of protection.

  • Don’t have login information written down on hardcopy.
  • Cover your webcam with tape (yes, cybercrooks have been known to spy on people this way).

#9. Sharing your personal life with the whole world. Set all of your social media accounts to the privacy settings you want. Do you really want a potential employer to see you hurling at your late-night party? Make sure images that you post are not geo-tagged with your home location.

#10. Web tools. Check out the various toolbars that you can add to your browser to beef up security. Be selective and check ratings.

Robert Siciliano, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

You need Two-Factor Verification for your Amazon Account

If you have a strong password for your Amazon account, you may still want to consider beefing up the security with two-factor verification (or authentication), which will prevent a thief from accessing your account (which is possible if he gets ahold of your password and username somehow).


  • Log onto your Amazon account.
  • Have your mobile phone with you.
  • Click “Your Account.”
  • Scroll down where it says “Settings—Password, Prime & E-mail.”
  • Click “Login & Security Settings.”
  • Go to “Change Account Settings” and at the bottom is “Advanced Security Settings.” Hit “Edit” there.
  • You are now on the page for setting up two-step verification. Hit “Get Started.”
  • You will see two options. For ease of setup, choose the text message option (an authenticator app is the stronger choice if you have one).
  • Follow the instructions and wait for the texted code.
  • Enter the code and click the “continue” button.
  • You will now be on a page for adding a backup number—which is required.
  • You cannot use the same phone number you just did for your initial setup. If you do not have a landline for the backup number, and your only phone is a “dumbphone,” you will not be able to use the two-factor service from Amazon.

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Phishing attacks Two-Factor Authentication

Hackers bank heavily on tricking people into doing things that they shouldn’t: social engineering. A favorite social engineering ploy is the phishing e-mail.

How a hacker circumvents two-factor authentication:

  • First collects enough information on the victim to pull off the scam, such as obtaining information from their LinkedIn profile.
  • Or sends a preliminary phishing e-mail tricking the recipient into revealing login credentials for an account, such as a bank account.
  • The next phase is to send out a text message appearing to be from the recipient’s bank (or PayPal, Facebook, etc.).
  • This message tells the recipient that their account is about to be locked due to “suspicious” activity detected with it.
  • The hacker requests the victim to send the company (which is really the hacker) the unique 2FA code that gets texted to the accountholder upon a login attempt. The victim is to wait for this code to be sent.
  • Remember, the hacker already has collected enough information (password, username) to make a login attempt. Entering this data then triggers a send of the 2FA code to the victim’s phone.
  • The victim then texts back the code—right into the hacker’s hands. The hacker then uses it to get into the account.
  • The victim made the cardinal mistake of sending back a 2FA code via text, when the only place the victim is supposed to enter this code is the login field of their account when wanting to access it!

So in short, the crook gets your password somehow (easy with brute-force software if the password is weak, or by pulling it from a data dump of some hacked site) along with your username. Then they spoof a text message to you so it looks like it came from the company that runs your account.

Red flags/scams/behaviors/requests  to look out for:

Pay Attention!

  • You are asked via phone/email/IM etc to send someone the 2FA code that is sent to your mobile (prompted by their login attempt).
  • If you receive the 2FA code, this means someone is trying to gain access to your account. If it’s not you, then who is it?
  • Never send any 2FA code out via text, e-mail or phone voice. Never. Consider any such request to be a scam.
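Both the “Man in the Middle Attack” list earlier on this page and the phishing flow just above turn on one fact: the site binds the texted code to the login attempt that triggered it, not to the person holding the phone. The Python below is an added example, not the post’s or any real site’s code. It models a toy service with a made-up user (“alice”) and password, an in-memory outbox standing in for the SMS gateway, and assumed policy values (a five-minute code lifetime, three guesses). relay_attack() walks the steps above and gets in, while the checks that do hold up (single use, expiry, an attempt cap, and context in the message so the recipient can see who triggered it) are what limit the damage to the one relayed login.

```python
import hmac
import secrets
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # assumption: a texted code lives five minutes
MAX_ATTEMPTS = 3         # assumption: three wrong guesses burn the code


@dataclass
class Challenge:
    code: str
    expires_at: float
    attempts: int = 0
    consumed: bool = False


class SmsOtpService:
    """Constructed stand-in for a site that texts a one-time code after the password."""

    def __init__(self, users: dict):
        self.users = users          # username -> password (plaintext only because this is a toy)
        self.challenges = {}        # session id -> pending Challenge
        self.sms_outbox = []        # (phone owner, code, message) instead of a real SMS gateway

    def login(self, session: str, username: str, password: str, context: str, now: float) -> bool:
        """First factor. On success the service generates a code, binds it to THIS session
        and texts it to the account owner's phone, whoever is actually typing."""
        stored = self.users.get(username, "")
        if not hmac.compare_digest(stored.encode(), password.encode()):
            return False
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.challenges[session] = Challenge(code, now + CODE_TTL_SECONDS)
        self.sms_outbox.append((username, code,
            f"Your code is {code} for a login from {context}. Never share it with anyone."))
        return True

    def submit_code(self, session: str, code: str, now: float) -> bool:
        """Second factor. Accepts only the code issued to this session, once, before expiry."""
        ch = self.challenges.get(session)
        if ch is None or ch.consumed or now > ch.expires_at or ch.attempts >= MAX_ATTEMPTS:
            return False
        ch.attempts += 1
        if hmac.compare_digest(ch.code.encode(), code.encode()):
            ch.consumed = True      # single use: the same code cannot open a second session
            return True
        return False


def relay_attack(svc: SmsOtpService, now: float = 0.0) -> bool:
    """Replays the flow in the post with the attacker's browser as the session."""
    attacker = "attacker-browser"
    # 1. The attacker already has username and password (data dump or an earlier phishing email).
    if not svc.login(attacker, "alice", "correct horse battery staple", "Chrome on Windows", now):
        return False
    # 2. The code went to Alice's phone, not the attacker's.
    owner, code, _message = svc.sms_outbox[-1]
    if owner != "alice":
        return False
    # 3. A spoofed "reply with the code or your account will be locked" text gets her to send it back.
    victim_reply = code
    # 4. The attacker enters it in the session that triggered it. The site cannot tell the difference.
    return svc.submit_code(attacker, victim_reply, now)


if __name__ == "__main__":
    service = SmsOtpService({"alice": "correct horse battery staple"})
    print("attacker logged in with relayed code:", relay_attack(service))
    _, used_code, text = service.sms_outbox[-1]
    print("text Alice saw:", text)
    print("same code a second time:", service.submit_code("attacker-browser", used_code, 1.0))
```

The message text is the one defensive lever the service has on the human side: it names the device and location of the attempt and says never to share the code, which is exactly the red flag listed above (a code arriving when you did not just try to log in means someone else did).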

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

How to use two-factor authentication for critical accounts

Have a small business? Great. Have two-factor authentication for your accounts? If you’re not sure of the answer to that question, you could be in trouble. October is National Cyber Security Awareness Month, the perfect time to learn more about cyber security. As a small business owner, you certainly have thought about data breaches. They don’t just happen to giants like Target and Sony. The common thread in many data breaches is that the hackers got the password.

Once a hacker has a password and the username that goes with it, they can usually get straight into the account. But suppose the hacker, mouth drooling as he’s about to break into your business accounts with your password and username, types in this login information and then sees he’s blocked unless he enters a one-time passcode? That’s two-factor authentication. Game over for Joe Hacker.

Two-factor authentication means a different one-time code every time you log in, even several times in one day, and only YOU receive it. It’s sent to your e-mail or phone, or generated by an app on your phone. Setting up two-factor authentication differs from one platform to the next. See the following:

PayPal

  • Click “Security and Protection” in the upper right.
  • At bottom of next page, click “PayPal Security Key.”
  • Next page, click “Go to register your mobile phone” at the bottom. Your phone should have unlimited texting.
  • Enter your phone number; the code will be texted.

Google

  • At google.com/2step click the blue button “Get Started.” Take it from there. You can choose phone call or text.

Microsoft

  • Go to login.live.com. Click “Security Info.”
  • Click “Set Up Two-Step Verification” and then “Next.” Take it from there.

LinkedIn

  • At LinkedIn.com, trigger the drop-down menu by hovering over your picture.
  • Click “Privacy and Settings.”
  • Click “Account” and then “Security Settings.”
  • Click “Turn On” at “Two-Step Verification for Sign-In.”
  • To get the passcode enter your phone number.

Facebook

  • In the blue menu bar click the down-arrow.
  • Click “Settings.”
  • Click the gold badge “Security.”
  • Look for “Login Approvals” and check “Require a security code.”

Apple

  • Go to appleid.apple.com and click “Manage Your Apple ID.”
  • Log in and click “Passwords and Security.”
  • Answer the security questions to get to “Manage Your Security Settings.”
  • Click “Get Started.” Then enter phone number to get the texted code.

Yahoo

  • Hover over your photo for the drop-down menu.
  • Click “Account Settings.”
  • Click “Account Info.”
  • Go to “Sign-In and Security” and hit “Set up your second sign-in verification.”

Type in your phone number to get the texted code. If you have no phone you can receive security questions via e-mail.

The prevention tactics above apply to businesses and really, everyone. Employees should be rigorously trained on proactive security and tricks that cyber thieves use.

Being cyber aware also includes backing up your data to a secure offsite location. Back it up with Carbonite, and receive 2 free bonus months with purchase of any subscription through the end of October by entering code “CYBERAWARE” at checkout.

Robert Siciliano is a personal privacy, security  and identity theft expert to Carbonite discussing identity theft prevention. Disclosures.

Go Two-Factor or go Home

Logins that require only a password are not secure. What if someone gets your password? They can log in, and the site won’t know it’s not you.

Think nobody could guess your 15-character password of mumbo-jumbo? They don’t have to guess: a keylogger or a visual hacker looking over your shoulder could capture it while you sit sipping your 700-calorie latte and typing on your laptop. Or you can be tricked, via a phishing e-mail, into handing over your super strong password. The simple username/password combination is extremely vulnerable to a litany of attacks.

What a crook can’t easily do, however, is log into one of your accounts using YOUR phone (unless he steals it, or hijacks your number). And why would he need your phone? Because your account requires two-factor authentication: your password, and then a one-time passcode that the site sends to your phone or that an authenticator app on it generates.

Two-factor authentication also means that a sign-in from a device other than the ones you have already verified is challenged for the code again, so a stolen password alone does not get someone in from their own machine.

You may already have accounts that enable two-factor authentication; just activate it and you’ve just beefed up your account security.

Facebook

  • Its two-factor is called login approvals; enable it in the security section.
  • You can use a smartphone application to create authentication codes offline.

Apple

  • Its two-factor works only with SMS and Find my iPhone; activate it in the password and security section.
  • Apple’s two-factor is available only in the U.S., Australia, New Zealand and the U.K.

Twitter

  • Twitter’s two-factor is called login verification.
  • Enabling it is easy.
  • Requires a dependable phone

Google

  • Google’s two-factor is called 2-step verification.
  • It can be configured for multiple Google accounts.

Dropbox

  • Activating two-factor here is easy; go to the security section.
  • SMS authentication plus other authentication apps are supported.

Microsoft

  • Enable it in the security info section
  • Works with other authentication apps.

Additionally, check to see if any other accounts you have offer two-factor, such as your bank (though most banks still do not offer this as described above, but do provide a variation of two factor).

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention. Disclosures.

Strengthen Your Digital Defenses with the 5 Habits of Practically Unhackable People

At the start of the year, we all made our resolutions for 2015. Now it’s March—how are you doing on your resolutions? If you’ve already broken a few, no worries; New Year’s doesn’t have the monopoly on making goals to better yourself. This is especially true with digital safety. At a time when there are so many security breaches, it’s important to commit to strengthening your digital defenses year-round.

When making goals, it’s important to emulate people who have already mastered what you’re trying to learn. So in this case, what do super secure people do to stay safe online? Intel Security has the answer—here are the 5 habits of practically unhackable people:

  1. Think before they click. We click hundreds of times a day, but do we really pay attention to what we click on? According to the Cyber Security Intelligence Index, 95% of hacks in 2013 were the result of users clicking on a bad link. Avoid unnecessary digital drama: check the URL before you click, and don’t click on links from people you don’t know.
  2. Use HTTPS where it matters. Make sure that sites use “https” rather than “http” if you’re entering any personal information. What’s the difference? The extra “S” means the connection between your browser and the site is encrypted, so nobody on the network can read or alter what you send. It does not by itself mean the site is trustworthy, so still check that the address is the one you expect. This is critical when you are entering usernames and passwords or financial information.
  3. Manage passwords. Practically unhackable people use long, strong passwords that are a combination of upper and lower case letters, numbers, and symbols. Yet, unhackable people don’t always memorize their passwords; instead, they use a password manager. A password manager remembers your passwords and enters them for you. Convenient, right? Check out True Key™ by Intel Security, the password manager that uses biometrics to unlock your digital life. With True Key, you are the password.
  4. Use 2-factor authentication (2FA) all day, every day. When it comes to authentication, two is always better than one. 2FA adds another layer of security to your accounts to protect it from the bad guys so if you have the option to use 2FA, choose it. In fact Intel Security True Key uses multiple factors of authentication.
  5. Know when to VPN. A VPN, or virtual private network, encrypts your information, which is especially important when using public Wi-Fi. Practically unhackable people know that they don’t always need a VPN, but know when to use one.

To learn more about the 5 habits of practically unhackable people, go here. Like what you see? Share the five habits on Twitter for a chance to win one of five prize packs including a $100 gift card to Cotopaxi or Hotels.com.*

You don’t need to wait for another New Year to resolve to become a digital safety rock star – start today!

*Sweepstakes is valid in the U.S. only and ends May 16, 2015. For more information see the terms and conditions at intel.com/5habits.

Robert Siciliano is an Online Safety Expert to Intel Security. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! Disclosures.