Posts

What is Two-Factor Authentication and How Does it Work?

There are a number of ways that you can protect yourself online, and one of the things you can do is to start using two-factor authentication.

You probably have seen two-factor authentication even if you aren’t sure what it is. For instance, if you do online banking, your bank might text a code to your phone or email when you try to change the password. This is two-factor authentication. It’s basically just an extra step that confirms that you are the account owner. This makes it more difficult for hackers to get into your account, too. Not only do they need a password, they also need access to your smart phone or email account.

These Critical Websites need Two Step Authentication

Most large websites have the option for two-factor authentication. Each company name is linked to their specific instruction.  Here’s how to set it up:

Apple ID

You can use two-factor authentication on your iCloud, iPhone or iPad:

  • Click on “Settings,” “Security,” and then “Turn on two-factor authentication.”
  • Enter a phone number
  • Look at your text, enter the code, and you are good to go

Facebook

  • Log into your Facebook account. Click on “Settings,” “Security and Login.”
  • Choose “Use two-factor authentication,” and then click “edit.”
  • Select the method. There are several options including texts, apps, and code generators.
  • Follow the instructions shown on the screen.
  • Click “Enable.”

Gmail

You can set up two-factor authentication for Gmail and Google accounts.

  • Navigate to the Google page for two-step authentication.
  • Click “Get started.”
  • Follow on-screen instructions to turn the feature on.

Yahoo

  • Sign into your account
  • Click “Account security.”
  • Look for “two-step verification,” and make sure it’s “on.”
  • Enter your phone number, and choose text message or phone call
  • Enter the code, and then click on “Verify.”

Instagram

If you use Instagram, you can also set up two-factor authentication:

  • Log into your account on Instagram.
  • Navigate to your profile and choose your operating system.
  • Scroll down until you see “two-factor authentication.”
  • Click on “require security code.”
  • Enter a phone number if one is not there. Click “Next.”
  • You will get a code to your phone. Enter it, and then click “Next.”

Twitter

If you use Twitter, you can also set up two-factor authentication. However, there are different steps to take depending on how you access the site, either from a laptop or PC, an iPhone, or an Android. You can learn about setting two-factor authentication up by visiting the Help Center.

Here are a few more important sites that require a more in-depth explanation:

Linkedin

Paypal

Ebay

Amazon

ROBERT SICILIANO CSP, is a #1 Best Selling Amazon author, CEO of CreditParent.com, the architect of the CSI Protection certification; a Cyber Social and Identity Protection security awareness training program.

Be aware of all these Confidence Crimes

Criminals have a reliance on tricking victims to get access to account information, like passwords. This is known as social engineering, and is also called a “confidence crime.” These come in many forms:

Do Not Take the Bait of These Phishermen

  • A phishing email that targets a specific person is known as spear-phishing. A spear-phishing email looks like an email that might come from a legitimate company to a specific person. For example, a thief might send a fake email to a company’s employee who handles money or IT. It looks like the email is from the CEO of the company, and it asks the employee for sensitive information, such as the password for a financial account or to transfer funds somewhere.
  • Telephones are used for phishing, too, also called “vishing,” which is a combination of phishing and voicemail.
  • Fake invoices are also popular among hackers and scammers. In this case, a fake invoice is sent to a company that looks like one from a legitimate vendor. Accounting pays the invoice, but the payment actually goes to a hacker.
  • Another scam is when a bad guy leaves a random USB drive around the office or in a parking lot. His hope is that someone will find it, get nosy, and insert it into their computer. When they do, it releases malware onto the network.
  • Cyber criminals also might try to impersonate a vendor or company employee to get access to business information.
  • If someone calls, if you get an email, if the doorbell rings, or if someone enters your office, always look at it with suspicion.

Be thoughtful about security:

  • Set up all bank accounts with two-factor authentication. All web-based email accounts should have two factor authentication. This way, even if a hacker gets your password, they still can’t access your accounts.
  • Train staff to be careful about what they post on social media, such as the nickname the CEO goes by in the office.
  • Do not click any link inside of an email. These often contain viruses that can install themselves on your network.
  • Any requests for money or other sensitive data should be verified over the phone or in-person. Never just give the information in an email.
  • All money transfers should require not one, but two signatures.
  • Make sure all employees are fully trained to recognize a phishing attempt. Also, make sure to stage phishing simulation attempts to make sure they are following protocol.
  • Help people understand the importance of looking out for things like a new email address for the CEO or Kathy in accounting suddenly signing her name Kathi.
  • Also, teach staff to report any uncharacteristic behaviors with long-time vendors or even fellow coworkers.

I once presented a security awareness program to a company that was almost defrauded. They hired me because of an email accounting had received from the CEO. The CEO sent a nice proper letter to accounting requesting payment be made to a specific known vendor.

A number of things were wrong with the email. First and foremost, like I mentioned, the email was nice and proper. Apparently the CEO isn’t all that nice, is somewhat of a bully, and all his communications are laden with profanity. So the red flags, where the fact that the email was nice. Imagine.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

10 ways to beef up Digital Security

#1. Keep everything up to date. You know those annoying popups telling you updates are available? Do you ever click out of them? Don’t. Always update at the time these appear.

2D#2. Two-step verification. Two-step verification or authentication should be set up for all your accounts that offer it. A unique one-time code is sent to the user’s phone or via e-mail that must be entered in the login field.

#3. Unneeded browser extensions? Review your browser extensions. Uninstall the ones you don’t use. Too many extensions can slow down your computer.

#4. Encryption. Encryption software will scramble your e-mail and other correspondence so that prying eyes can’t read them, but you and your intended correspondent can. If you must use public Wi-Fi (like at a coffee house), install a virtual private network to encrypt transactions.

#5. Lock screen protection for your mobile device. Your smartphone has lock screen protection in the form of a password to prevent a non-authorized user from gaining access. If you leave your phone lying around or lose it, you’re protected if you have a password. Otherwise you are screwed.

In the same vein, your laptop should have protection from non-authorized users. Set up a password that allows access to using the device, including after hibernation periods.

#6. Check active logins. Some accounts allow you to check active logins to see if any unauthorized users have been in your accounts, such as Twitter, Facebook and Gmail.

#7. How easy can someone impersonate you? Could anyone phone your bank or medical carrier and give the correct information to bypass security, such as your “favorite pet’s name”? Who might know this information? Well, if it’s on your Facebook page, anyone who can view it. How much of your personal information is actually online?  Many accounts allow a “secondary password” Ask them.

#8. Simple but powerful layers of protection.

  • Don’t have login information written down on hardcopy.
  • Cover your webcam with tape (yes, cybercrooks have been known to spy on people this way).

#9. Sharing your personal life with the whole world. Set all of your social media accounts to the private settings you desire. Do you really want a potential employer to see you hurling at your late-night party? Make sure images that you post are not geo-tagged with your home address.

#10. Web tools. Check out the various toolbars that you can add to your browser to beef up security. Be selective and check ratings.

Robert Siciliano, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

You need Two-Factor Verification for your Amazon Account

If you have a strong password for your Amazon account, you may still want to consider beefing up the security with two-factor verification (or authentication), which will prevent a thief from accessing your account (which is possible if he gets ahold of your password and username somehow).

2D

  • Log onto your Amazon account.
  • Have your mobile phone with you.
  • Click “Your Account.”
  • Scroll down where it says “Settings—Password, Prime & E-mail.”
  • Click “Login & Security Settings.”
  • Go to “Change Account Settings” and at the bottom is “Advanced Security Settings.” Hit “Edit” there.
  • You are now on the page for setting up two-step verification. Hit “Get Started.”
  • You will see two options. For ease of setting up the two-factor, choose the text message option.
  • Follow the instructions and wait for the texted code.
  • Enter the code and click the “continue” button.
  • You will now be on a page for adding a backup number—which is required.
  • You cannot use the same phone number you just did for your initial setup. If you do not have a landline for the backup number, and your only phone is a “dumbphone,” you will not be able to use the two-factor service from Amazon.

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Phishing attacks Two-Factor Authentication

Hackers bank heavily on tricking people into doing things that they shouldn’t: social engineering. A favorite social engineering ploy is the phishing e-mail.

13DHow a hacker circumvents two-factor authentication:

  • First collects enough information on the victim to pull off the scam, such as obtaining information from their LinkedIn profile.
  • Or sends a preliminary phishing e-mail tricking the recipient into revealing login credentials for an account, such as a bank account.
  • The next phase is to send out a text message appearing to be from the recipient’s bank (or PayPal, Facebook, etc.).
  • This message tells the recipient that their account is about to be locked due to “suspicious” activity detected with it.
  • The hacker requests the victim to send the company (which is really the hacker) the unique 2FA code that gets texted to the accountholder upon a login attempt. The victim is to wait for this code to be sent.
  • Remember, the hacker already has collected enough information (password, username) to make a login attempt. Entering this data then triggers a send of the 2FA code to the victim’s phone.
  • The victim then texts back the code—right into the hacker’s hands. The hacker then uses it to get into the account.
  • The victim made the cardinal mistake of sending back a 2FA code via text, when the only place the victim is supposed to enter this code is the login field of their account when wanting to access it!

So in short, the crook somehow gets your password (easy with brute force software if you have a weak password) and username or retrieved in a data dump of some hacked site. They spoof their text message to you to make it look like it came from the company of your account.

Red flags/scams/behaviors/requests  to look out for:

Pay Attention!

  • You are asked via phone/email/IM etc to send someone the 2FA code that is sent to your mobile (prompted by their login attempt).
  • If you receive the 2FA code, this means someone is trying to gain access to your account. If it’s not you, then who is it?
  • Never send any 2FA code out via text, e-mail or phone voice. Never. Consider any such request to be a scam.

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

How to use two-factor authentication for critical accounts

Have a small business? Great. Have two-factor authentication for your accounts? If you’re not sure of the answer to that question, you could be in trouble. October is National Cyber Security Awareness Month, the perfect time to learn more about cyber security. As a small business owner, you certainly have thought about data breaches. They don’t just happen to giants like Target and Sony. The common thread in many data breaches is that the hackers got the password.

5DOnce a hacker has a password, they often can get into the account, even if a username or other information is required. But suppose the hacker, mouth drooling as he’s about to break into your business accounts with your password and username, types in this login information and then sees he’s blocked unless he enters a one-time passcode? That’s a form of two-factor authentication. Game over for Joe Hacker.

Two-factor authentication may mean a different login, every time you login, even on the same day, and only YOU have it. It’s sent to your e-mail or phone. Setting up two-factor authentication differs from one platform to the next. See the following:

PayPal

  • Click “Security and Protection” in the upper right.
  • At bottom of next page, click “PayPal Security Key.”
  • Next page, click “Go to register your mobile phone” at the bottom. Your phone should have unlimited texting.
  • Enter your phone number; the code will be texted.

Google

  • At google.com/2step click the blue button “Get Started.” Take it from there. You can choose phone call or text.

Microsoft

  • Go to login.live.com. Click “Security Info.”
  • Click “Set Up Two-Step Verification” and then “Next.” Take it from there.

LinkedIn

  • At LinkedIn.com, trigger the drop-down menu by hovering over your picture.
  • Click “Privacy and Settings.”
  • Click “Account” and then “Security Settings.”
  • Click “Turn On” at “Two-Step Verification for Sign-In.”
  • To get the passcode enter your phone number.

Facebook

  • In the blue menu bar click the down-arrow.
  • Click “Settings.”
  • Click the gold badge “Security.”
  • Look for “Login Approvals” and check “Require a security code.”

Apple

  • Go to appleid.apple.com and click “Manage Your Apple ID.”
  • Log in and click “Passwords and Security.”
  • Answer the security questions to get to “Manage Your Security Settings.”
  • Click “Get Started.” Then enter phone number to get the texted code.

Yahoo

  • Hover over your photo for the drop-down menu.
  • Click “Account Settings.”
  • Click “Account Info.”
  • Go to “Sign-In and Security” and hit “Set up your second sign-in verification.”

Type in your phone number to get the texted code. If you have no phone you can get receive security questions via e-mail.

The prevention tactics above apply to businesses and really, everyone. Employees should be rigorously trained on proactive security and tricks that cyber thieves use.

Being cyber aware also includes backing up your data to a secure offsite location. Back it up with Carbonite, and receive 2 free bonus months with purchase of any subscription through the end of October by entering code “CYBERAWARE” at checkout.

Robert Siciliano is a personal privacy, security  and identity theft expert to Carbonite discussing identity theft prevention. Disclosures.

Go Two-Factor or go Home

Logins that require only a password are not secure. What if someone gets your password? They can log in, and the site won’t know it’s not you.

http://www.dreamstime.com/stock-images-online-risks-sign-road-banner-image34668294Think nobody could guess your 15-character password of mumbo-jumbo? It’s still possible: A keylogger or visual hacker could obtain it while you’re sitting there sipping your 700-calorie latte as you use your laptop. Or, you can be tricked—via a phishing e-mail—into giving out your super strong password. The simple username/password combination is extremely vulnerable to a litany of attacks.

What a crook can’t possibly do, however, is log into one of your accounts using YOUR phone (unless he steals it, of course). And why would he need your phone? Because your account requires two-factor authentication: your password and then verification of a one-time passcode that the site sends to your phone.

Two-factor authentication also prevents someone from getting into your account from a device other than the one that you’ve set up the two-factor with.

You may already have accounts that enable two-factor authentication; just activate it and you’ve just beefed up your account security.

Facebook

  • Its two-factor is called login approvals; enable it in the security section.
  • You can use a smartphone application to create authentication codes offline.

Apple

  • Its two-factor works only with SMS and Find my iPhone; activate it in the password and security section.
  • Apple’s two-factor is available only in the U.S., Australia, New Zealand and the U.K.

Twitter

  • Twitter’s two-factor is called login verification.
  • Enabling it is easy.
  • Requires a dependable phone

Google

  • Google’s two-factor is called 2-step verification.
  • It can be configured for multiple Google accounts.

Dropbox

  • Activating two-factor here is easy; go to the security section.
  • SMS authentication plus other authentication apps are supported.

Microsoft

  • Enable it in the security info section
  • Works with other authentication apps.

Additionally, check to see if any other accounts you have offer two-factor, such as your bank (though most banks still do not offer this as described above, but do provide a variation of two factor).

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention. Disclosures.

Strengthen Your Digital Defenses with the 5 Habits of Practically Unhackable People

At the start of the year, we all made our resolutions for 2015. Now it’s March—how are you doing on your resolutions? If you’ve already broken a few, no worries; New Year’s doesn’t have the monopoly on making goals to better yourself. This is especially true with digital safety. At a time when there are so many security breaches, it’s important to commit to strengthening your digital defenses year-round.

1DWhen making goals, it’s important to emulate people who have already mastered what you’re trying to learn. So in this case, what do super secure people do to stay safe online? Intel Security has the answer—here are the 5 habits of practically unhackable people:

  1. Think before they click. We click hundreds of times a day, but do we really pay attention to what we click on? According to the Cyber Security Intelligence Index, 95% of hacks in 2013 were the result of users clicking on a bad link. Avoid unnecessary digital drama, check the URL before you click and don’t click on links from people you don’t know.
  2. Use HTTPS where it matters. Make sure that sites use “https” rather than “http” if you’re entering any personal information on the site. What’s the difference? The extra “S” means that the site is encrypted to protect your information. This is critical when you are entering usernames and passwords or financial information.
  3. Manage passwords. Practically unhackable people use long, strong passwords that are a combination of upper and lower case letters, numbers, and symbols. Yet, unhackable people don’t always memorize their passwords; instead, they use a password manager. A password manager remembers your passwords and enters them for you. Convenient, right? Check out True Key™ by Intel Security, the password manager that uses biometrics to unlock your digital life. With True Key, you are the password.
  4. Use 2-factor authentication (2FA) all day, every day. When it comes to authentication, two is always better than one. 2FA adds another layer of security to your accounts to protect it from the bad guys so if you have the option to use 2FA, choose it. In fact Intel Security True Key uses multiple factors of authentication.
  5. Know when to VPN. A VPN, or virtual private network, encrypts your information, which is especially important when using public Wi-Fi. Practically unhackable people know that they don’t always need a VPN, but know when to use one.

To learn more about the 5 habits of practically unhackable people, go here. Like what you see? Share the five habits on Twitter for a chance to win one of five prize packs including a $100 gift card to Cotopaxi or Hotels.com.*

You don’t need to wait for another New Year to resolve to become a digital safety rock star – start today!

*Sweepstakes is valid in the U.S. only and ends May 16, 2015. For more information see the terms and conditions at intel.com/5habits.

Robert Siciliano is an Online Safety Expert to Intel Security. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! Disclosures.

Fingerprint hacked by a Photo

You can’t change your fingerprint like you can change your password. But why would you want to change your fingerprint? The thought might cross your mind if your fingerprint gets stolen.

8DHow the heck can this happen? Ask Starbug. He’s a hacker who demonstrated just how this could happen at an annual meeting of hackers called the Chaos Communication Congress, says an article at thegardian.com. His “victim” was defense minister Ursula von der Leyen.

Starbug (real name Jan Krissler) used VeriFinger, a commercial software, with several photos of von der Leyen’s hands taken at close range. One of the photos he took, and the other was from a publication.

And this gets more fun, total and complete James Bond stuff: The conference showed that “corneal keylogging” can happen. Reflections in the user’s eyes occur as they type. Photos of these reflections can be analyzed to figure out what they typed. This is another lovely gateway to getting passwords.

But back to the fingerprint thing. In 2013, says The Guardian article, Starbug took a fingertip smudge from a smartphone, and using a few clever techniques, printed an imposter finger. He used the fake thumb to get into the phone. This shows it’s possible to crack into a mobile device with a stolen fingerprint—obtained without even having to be near the victim.

Biometrics is a groundbreaking advance in security, and it was just a matter of time before hackers would figure a way to weaken it. All is not lost. Hacks like this aren’t easy to accomplish and there’s always multi factor authentication available as another layer of protection.

Biometrics can certainly be a replacement for passwords, but again should include, a second-factor authentication. Passwords are secrets, stored inside people’s heads (ideally, rather than written on hardcopy that someone could get ahold of), but biometric features, such as fingerprints, photos and voice IDs, are out there for all to perceive. Though it’s hard to imagine how a hacker could figure out a way to fool voice recognition software, don’t count this out.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention.

Multifactor Authentication trumps knowledge based Authentication (KBA)

What is knowledge-based authentication? The KBA design asks the user to correctly answer at least one question, a “secret” only the user would know.

8DThere are two types of KBA: 1) Answering a question that the user has pre-selected (static scheme), and 2) Answering a question that’s determined by garnering data in public records (dynamic scheme).

The idea is that if a question is correctly answered, the person’s ID has been verified.

KBA Flaws

Fraudsters can answer “secret” questions—even those that the user must think hard to answer. But how?

Spear-phishing: gaining access to the public data aggregators by tricking their employees and getting into their accounts, getting the “keys” to the data. Knowledge-based authentication is definitely flawed. Additionally, with all our personal information floating out there in social sites, it is becoming much easier to research anyone enough to pass these questions.

KBA is especially unreliable when it applies to people new to the U.S. or who are young, as they don’t have much public data built up.

Though KBA is flawed, it’s also the heavily preferred method for ID because it’s so technically easy. This is why Obamacare will be using it for the new healthcare insurance exchanges.

Attempts at Regulation

A regulation attempt was made by the U.S. banking regulators that involved costliness. That didn’t go over well. Another instance was that in 2006, ChoicePoint was fined by the FTC for a 2004 breach; they were ordered to conduct intense security audits for possibly 20 years.

Solutions

Authentication should be multifactorial. A multidimensional security system might include:

  • Customer history and behavior is considered.
  • Dual customer authorization via varying access devices
  • Transactions verified via out-of-band
  • Debit blocks, positive pay and other methods that appropriately curtail an account’s transactional use
  • More refined controls over account activities, such as number of daily transactions, payment recipients, transaction value thresholds and allowable payment windows
  • Blockage of connection attempts to banking servers from suspicious IP addresses
  • Policies for addressing potentially compromised customer devices
  • Improved control over any changes done by customers to their account
  • Better customer education to increase awareness of security risks, including how customers can mitigate risks

A layered security program should include, at a minimum, the following:

  • Detection of suspicious activity followed by a response. Suspicious activity may be related to logins and verification of customers wanting access to the bank’s electronic system, and also to initiation of electronic transactions that pertain to fund transfer to other parties.
  • Institutions should do away with using simple device ID as the primary control.
  • They should also do away with using basic “secret” questions as a primary control.

An Alternative to KBA

There is now a software-only biometric that can authenticate the user’s identity in a way that’s so unique that no imposter can beat it.

This patented software is referred to as the “Missing Link,” created by Biometric Signature ID (BSI). It’s the strongest form of ID confirmation on the market today, and it doesn’t even require any additional hardware.

How does this biometric work?

It measures how a person moves their mouse,  finger or stylus when they log in using a password created with BioSig-ID™.

Biometrics measured include elements like height, length, speed and direction, angle of each stroke. These all define the user’s unique pattern—that a fraudster cannot replicate. Positive IDs can be done when someone logs in on any device.

In order to access the device, or whatever else (bank account, medical information, online college exam, etc.), the user must be previously authenticated against their original profile. . In seconds and with only 3-4 characters BioSig-ID™ software will establish whether the person who registered for the account is the same person who is attempting access. This SaaS based software is now used in over 60 countries and was recently awarded a grant by the White House to use their solution to validate user identity before online they can access a digital asset.

Robert Siciliano, personal security and identity theft expert and BioSig-ID advisory board member. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! See him knock’em dead in this identity theft prevention video. Disclosures.