Posts

Is Two Factor Authentication a Good Thing to Use?

“TechWorld” has some interesting information, such as a story on a report from the National Institute of Standards and Technology. And while you may not see this as being “fun”, it is at a minimum interesting. I’m here to break it down for you.

In this report, the public was advised to stop using two factor authentication. However, other people suggest that this is the very best way to prevent identity theft. So, which is it? Let’s take a look.

When you get a message from someone, you surely want to make sure that they are who they say they are. In fact, many of us rely on tools like Caller ID. However, you might want to stop doing that, as caller ID can be faked. As hackers start using this more, they are also finding ways to fake SMS, which means that, technically, they could be faking two-factor or two-step authorization/verification, which relies heavily on text messaging. So, it is very important to stay vigilant about protecting your information and to be careful about what you respond to via text.

Why Authorization is Important

When it comes to the importance of authorization in transactions, it’s imperative that you are confident that you can access your info. We now know that it is very easy for a criminal, if they know what they are doing, to get into your accounts by using your password and username. But just a username and a password isn’t enough.

How Two-Factor Authentication Works

When you choose to use two-factor authentication, after entering your password online, you will receive a one-time use code by SMS, which you then use to fully log into your account. For this to work, the following must occur:

  • You must have a mobile device
  • You must know how to access the device (PIN or biometrics)
  • You must have a username and password to an online account
  • You must have the one-time use code, which will be sent to the device

Unless all four of these things are present, the account cannot be accessed. So, even if a hacker has your username and password, if you have two-factor authentication set up, they would also need your device to access the account. This makes it much more difficult to illegally access an account and helps your account to be much safer.

How Hackers are Being Smarter than Two-Factor Authentication

Though it is more difficult for a hacker to get into your account that has two-factor authentication, it is not impossible. Here are some ways that hackers are able to get around it:

Man in the Middle Attack:

  • The hacker gets access to your username and password
  • The hacker tries to login and is denied because you have two-factor authentication set up.
  • The hacker contacts you via social media, email, or phone with some type of trick to get your one-time code.

Phone Cloning:

  • The hacker will go into a brick and mortar cell phone carrier store and pretend they are you. They get a new phone with your number.

Changing the Number

  • The hacker creates a fake website, and you enter your number into it. They then take your number and change it, and then they keep your original number. This sounds more complicated than it is.

There is a Lot of Confidence About SMS Two-Factor Authentication

When you use SMS two-factor authentication, you don’t have to worry if your password gets into the wrong hands. Remember, the criminal who has your password still needs your one-time code…and unless they have your phone, they can’t access it.

Companies that offer two-factor authentication give their customers more confidence, and there is an increased interest in the company’s products and services because transactions are more secure.

So, should you be nervous about SMS two-factor authentication? No, you don’t need to be. You really do have an extra level of protection, but remember, it isn’t totally foolproof. There are still ways that a hacker can access your accounts, though it is quite difficult.

You can have confidence in two things – first, that banks continue to come up with easy and friendly ways to keep all of us safe with an alternative to two-factor authentication, and second, that you are already a step ahead of hackers thanks to your new-found knowledge from reading this article.

One simple way to engage and activate two factor authentication for all critical websites is to simply do a Google search for “two factor” and then the name of the site. An example would be “two factor Amazon.” You’ll definitely find plenty of options to enable two-factor authentication on every critical website you visit.

ROBERT SICILIANO CSP, is a #1 Best Selling Amazon author, CEO of CreditParent.com, the architect of the CSI Protection certification; a Cyber Social and Identity and Personal Protection security awareness training program.

Keeping Your Zoom Event Secure and Private

There are many public forums out there, and wherever you are or whatever you are using, anyone with some smarts can disrupt an event that is meant for bringing people together. Here are some tips on keeping your next Zoom meeting secure and private:

You definitely don’t want anyone taking control of your screen or sharing information with the group. Thankfully, you can restrict this by controlling screen sharing. Preventing participants in your meeting from sharing is done by using the host controls before starting the meeting.

You also might want to familiarize yourself with the features and settings available from Zoom. The Waiting Room, for instance, has a number of controls available, and is a setting you should always be using. It essentially allows you to control who comes in. As a host, you can customize all of these settings, and even create a message for people waiting for the meeting to start, such as meeting rules.

You shouldn’t use your PMI, or Personal Meeting ID, for hosting public events. You also only want to allow users who are signed in to join your meeting. You can also lock the Zoom meeting. This means that no new participants can join, even if they have the meeting ID and the password.

Another thing you can do is set up your own version of two-factor authentication. With this, you can generate a random Meeting ID, and then share that with participants, but then only send the password via a direct message.

If there are disruptive or unwanted participants in your meeting, you can also remove them via the Participants menu. If a removed participant wants to rejoin, you can also allow that by toggling the settings that you changed in the first place. This is helpful if you remove the wrong person.

You can also put anyone in the Zoom meeting on hold. This means that the video and audio connections of the attendees are disabled. To do this, you can click on a video thumbnail and select “Start Attendee On Hold.” Totally disabling the video is also possible. This will allow you, as the host, to turn off someone’s video. You can also block things like inappropriate gestures or distracting behavior.

Muting participants is also a possibility during a Zoom meeting. This allows you to stop the sounds of barking dogs and crying kids during these meetings. If you have a large meeting, you can also choose to mute everyone by choosing Mute Upon Entry.

File transfers are a possibility during Zoom meetings, but you might not want to allow this. In this case, you can turn off the file transfer capabilities before starting the meeting. Additionally, you can turn off annotation, which allows people to mark up shared documents or doodle. Finally, you can also disable private chat. This will stop people in the meeting from talking to each other, which helps to cut back on any distractions that they might have during the course of the meeting.

What is Two-Factor Authentication and How Does it Work?

There are a number of ways that you can protect yourself online, and one of the things you can do is to start using two-factor authentication.

You probably have seen two-factor authentication even if you aren’t sure what it is. For instance, if you do online banking, your bank might text a code to your phone or email when you try to change the password. This is two-factor authentication. It’s basically just an extra step that confirms that you are the account owner. This makes it more difficult for hackers to get into your account, too. Not only do they need a password, they also need access to your smart phone or email account.

These Critical Websites need Two Step Authentication

Most large websites have the option for two-factor authentication. Each company name is linked to their specific instruction. Here’s how to set it up:

Apple ID

You can use two-factor authentication on your iCloud, iPhone or iPad:

  • Click on “Settings,” “Security,” and then “Turn on two-factor authentication.”
  • Enter a phone number
  • Look at your text, enter the code, and you are good to go

Facebook

  • Log into your Facebook account. Click on “Settings,” “Security and Login.”
  • Choose “Use two-factor authentication,” and then click “edit.”
  • Select the method. There are several options including texts, apps, and code generators.
  • Follow the instructions shown on the screen.
  • Click “Enable.”

Gmail

You can set up two-factor authentication for Gmail and Google accounts.

  • Navigate to the Google page for two-step authentication.
  • Click “Get started.”
  • Follow on-screen instructions to turn the feature on.

Yahoo

  • Sign into your account
  • Click “Account security.”
  • Look for “two-step verification,” and make sure it’s “on.”
  • Enter your phone number, and choose text message or phone call
  • Enter the code, and then click on “Verify.”

Instagram

If you use Instagram, you can also set up two-factor authentication:

  • Log into your account on Instagram.
  • Navigate to your profile and choose your operating system.
  • Scroll down until you see “two-factor authentication.”
  • Click on “require security code.”
  • Enter a phone number if one is not there. Click “Next.”
  • You will get a code to your phone. Enter it, and then click “Next.”

Twitter

If you use Twitter, you can also set up two-factor authentication. However, there are different steps to take depending on how you access the site, either from a laptop or PC, an iPhone, or an Android. You can learn about setting two-factor authentication up by visiting the Help Center.

Here are a few more important sites that require a more in-depth explanation:

  • LinkedIn
  • PayPal
  • eBay
  • Amazon

Do Not take that Stupid Facebook Quiz

Where should you live in the world? What Game of Thrones family are you in? What is the food that best describes your personality? All of these answers are given and found by doing quizzes on Facebook. You have surely seen them if you use Facebook, and may have taken these quizzes, but you definitely might want to consider stopping. If you have ever used one of these quizzes, you have probably given these third-party apps permission to access some of your personal data. Not only does this affect you, it might also affect the people on your friends list. How does it affect you? These answers can sometimes crack password reset questions.

Here are some tips that you can use to protect yourself:

Use Two-Factor Authentication – Almost all social media sites offer two-factor authentication. This allows you to further lock down your accounts, as you won’t be able to sign in with only a password. Instead, you need a password and a code, which is often sent to you via text message. So, no one can log into your account even if they have your password, unless they also have access to your phone and texts.

Stop Taking Quizzes – The best thing you can do to protect yourself is to stop taking those quizzes. Though they look innocent enough, every click gives the company information on you. It’s true that not all companies collect your personal info, but you really have to do some digging in the terms of service to see if they do or not.

Check Your Privacy Settings – When is the last time you reviewed your privacy settings on Facebook? If you are like most of us, it’s probably been a while. So, take some time to log in and do this. If you need a tip, choose to only share with yourself by clicking “Only Me” on all of the settings. That’s the safest, but after all, this is SOCIAL media, so you might want to pick and choose.

Look at What You Share – You should also look in your app security to find out what you are sharing with third-parties. You might be surprised at what you see.

Delete Old Accounts – Finally, make sure that you take a look at, and delete, any old social media accounts. If you don’t want to delete it, at a minimum, change your password. Also, Google yourself and see what accounts come up. If you can find it, you can bet that a hacker can.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

You need Two-Factor Verification for your Amazon Account

If you have a strong password for your Amazon account, you may still want to consider beefing up the security with two-factor verification (or authentication), which will prevent a thief from accessing your account (which is possible if he gets ahold of your password and username somehow).

  • Log onto your Amazon account.
  • Have your mobile phone with you.
  • Click “Your Account.”
  • Scroll down where it says “Settings—Password, Prime & E-mail.”
  • Click “Login & Security Settings.”
  • Go to “Change Account Settings” and at the bottom is “Advanced Security Settings.” Hit “Edit” there.
  • You are now on the page for setting up two-step verification. Hit “Get Started.”
  • You will see two options. For ease of setting up the two-factor, choose the text message option.
  • Follow the instructions and wait for the texted code.
  • Enter the code and click the “continue” button.
  • You will now be on a page for adding a backup number—which is required.
  • You cannot use the same phone number you just did for your initial setup. If you do not have a landline for the backup number, and your only phone is a “dumbphone,” you will not be able to use the two-factor service from Amazon.

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Phishing attacks Two-Factor Authentication

Hackers bank heavily on tricking people into doing things that they shouldn’t: social engineering. A favorite social engineering ploy is the phishing e-mail.

How a hacker circumvents two-factor authentication:

  • First collects enough information on the victim to pull off the scam, such as obtaining information from their LinkedIn profile.
  • Or sends a preliminary phishing e-mail tricking the recipient into revealing login credentials for an account, such as a bank account.
  • The next phase is to send out a text message appearing to be from the recipient’s bank (or PayPal, Facebook, etc.).
  • This message tells the recipient that their account is about to be locked due to “suspicious” activity detected with it.
  • The hacker requests the victim to send the company (which is really the hacker) the unique 2FA code that gets texted to the accountholder upon a login attempt. The victim is to wait for this code to be sent.
  • Remember, the hacker already has collected enough information (password, username) to make a login attempt. Entering this data then triggers a send of the 2FA code to the victim’s phone.
  • The victim then texts back the code—right into the hacker’s hands. The hacker then uses it to get into the account.
  • The victim made the cardinal mistake of sending back a 2FA code via text, when the only place the victim is supposed to enter this code is the login field of their account when wanting to access it!

So in short, the crook somehow gets your username and password, either with brute force software (easy if you have a weak password) or from a data dump of some hacked site. They then spoof their text message to you to make it look like it came from the company that holds your account.

Red flags/scams/behaviors/requests to look out for:

Pay Attention!

  • You are asked via phone/email/IM etc to send someone the 2FA code that is sent to your mobile (prompted by their login attempt).
  • If you receive the 2FA code, this means someone is trying to gain access to your account. If it’s not you, then who is it?
  • Never send any 2FA code out via text, e-mail or phone voice. Never. Consider any such request to be a scam.
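The SMS login flow these posts describe, sketched from the service's side as an added example (not code from the article or from any real provider): the texted code is tied to the login attempt that triggered it, works once, and expires. The class name, five-minute lifetime, three-try limit and sample account are assumptions made for illustration.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed lifetime; the article does not give one
MAX_TRIES = 3           # assumed limit on wrong guesses per login attempt


class SmsTwoStepLogin:
    """Toy server side of SMS two-step login (illustration only)."""

    def __init__(self, accounts):
        self.accounts = accounts  # username -> (password, phone); plaintext only in this toy
        self.pending = {}         # attempt id -> state of a half-finished login
        self.sms_outbox = []      # (phone, code): stands in for the SMS gateway
        self.alerts = []          # notices a service could show the account owner

    def start_login(self, username, password, source, now=None):
        """Step 1: check the password, then text a code to the owner's phone."""
        now = time.time() if now is None else now
        account = self.accounts.get(username)
        if account is None or not hmac.compare_digest(account[0].encode(), password.encode()):
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        attempt_id = secrets.token_hex(8)
        self.pending[attempt_id] = {"code": code, "expires": now + CODE_TTL_SECONDS, "tries": 0}
        self.sms_outbox.append((account[1], code))
        self.alerts.append(f"{username}: password accepted from {source}; code sent")
        return attempt_id

    def finish_login(self, attempt_id, code, now=None):
        """Step 2: the code completes only the attempt that caused it to be sent."""
        now = time.time() if now is None else now
        state = self.pending.get(attempt_id)
        if state is None:
            return False
        state["tries"] += 1
        expired = now > state["expires"]
        ok = not expired and hmac.compare_digest(state["code"].encode(), code.encode())
        if ok or expired or state["tries"] >= MAX_TRIES:
            del self.pending[attempt_id]  # one-time use: success, expiry or lockout
        return ok


def demo():
    # Constructed sample account; the phone number is a placeholder.
    svc = SmsTwoStepLogin({"alice": ("correct horse battery", "+1-555-0100")})
    attempt = svc.start_login("alice", "correct horse battery", "unrecognised device")
    texted_code = svc.sms_outbox[-1][1]
    wrong = "000000" if texted_code != "000000" else "111111"
    results = (svc.finish_login(attempt, wrong),        # bad guess is refused
               svc.finish_login(attempt, texted_code),  # texted code finishes that attempt
               svc.finish_login(attempt, texted_code))  # same code a second time is refused
    return results, svc.alerts
```

Because the code completes whichever login attempt caused it to be sent, a code you did not ask for means someone else has already entered your password, and the login field is the only place that code belongs.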
