Cybersecurity in the Age of Data
Some have referred to data as the new oil: a valuable resource that can be tapped and sold for tremendous amounts of money. While software companies, credit institutions, etc., will happily sell your data to targeted marketing firms, there is also serious value in being able to access the source of the data in the form of user accounts. High-profile hacks are happening all the time. Many of these attacks work by cracking passwords and/or finding out answers to personal information. It isn’t necessarily hard to find the personal information needed to defeat security either. Places like social media offer a simple way to research an individual and correctly answer security questions. From sophisticated cyber attacks that leak the credentials of millions of users to simple password cracks, cybercrime is increasing, and the tools are becoming more sophisticated and efficient.
The value for a cybercriminal in stealing passwords and gaining access to user accounts is undeniable. There is a range of motivations and uses for stolen credentials. It could be something like taking over the Facebook account of someone you don’t like and posting something that would make them look bad. It could be taking that same person’s account and selling it back to them for a price. It could even be as sophisticated as breaking into a company’s internal database or corporate email to gain trade secrets.
It isn’t that hard for an actor with malicious intent and enough know-how to crack a password. Part of the blame, however, lies not just with the bad actor but with the standard recommendations for password security. For the longest time, people only knew a few suggestions like:
· Don’t use easy to find personal info in a password (like your dog’s name or address).
· Don’t use the same password twice.
· Use a long password.
But with sophisticated technology that can snoop on unencrypted passwords over open networks like those at airports or coffee shops, as well as password testers, scrapers, and dictionaries, these suggestions alone just don’t work anymore. Passwords remain a valuable tool, but there needs to be another layer of security. This leads to the introduction of 2FA.
Introducing Two-Factor
Two-factor authentication, also known as 2FA (and, more generally, multi-factor authentication), is the practice of requiring two forms of authentication in order to access critical data. The concept of two-factor goes all the way back to the old idea of simply presenting two forms of ID to validate that you are the legitimate owner of something. Two-factor takes this approach and applies it to the modern internet. So, for example, just as the DMV might require bringing a social security card and a piece of mail to prove you are who you say you are, two-factor makes you enter a password and follow up with another piece of information only you should have. This proves the person accessing the account is the legitimate owner.
Two-factor was introduced originally for institutions that handle sensitive data and are under regulation. Financial institutions like banks are a perfect example.
Two-factor also didn’t start with the sophisticated apps we use today but with a variety of other methods. An early example of an OTP (one-time password) scheme is S/Key, which takes a password and uses a server or an offline device (like a thumb drive) to produce extra characters that are appended to the password; each such value can only be used once before it is discarded. More recent forms of two-factor started with basic additions such as emailing a code or answering extra security questions. But these methods bring their own cybersecurity challenges.
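The S/Key idea mentioned above is a hash chain: the server stores only the top of the chain, each login reveals the next value down, and a value that has already been used (or sniffed) is worthless afterwards. The following is an added illustration written for this article, not code from the article or from the original S/Key implementation; it assumes SHA-256 as the hash (the original used MD4), PBKDF2 to derive the chain seed from the password and a salt, and a chain of length 5. The names (build_chain, SKeyServer, demo) are this example's own.

```python
"""S/Key-style one-time passwords as a hash chain (added example, not from the article)."""
import hashlib
import hmac
import os


def h(data: bytes) -> bytes:
    """One link of the chain. SHA-256 is this example's choice; S/Key used a folded MD4."""
    return hashlib.sha256(data).digest()


def build_chain(password: str, salt: bytes, n: int) -> list:
    """Return [H^0(seed), H^1(seed), ..., H^n(seed)], seed derived from the password (assumed PBKDF2)."""
    seed = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    chain = [seed]
    for _ in range(n):
        chain.append(h(chain[-1]))
    return chain


class SKeyServer:
    """The server keeps only the current top of the chain; it never learns the password or seed."""

    def __init__(self, anchor: bytes):
        self.anchor = anchor  # at enrolment this is H^n(seed)

    def login(self, candidate: bytes) -> bool:
        # A valid OTP is the preimage of the stored anchor. After use it becomes the new
        # anchor, so the same value can never be accepted twice: replaying a sniffed OTP fails.
        if hmac.compare_digest(h(candidate), self.anchor):
            self.anchor = candidate
            return True
        return False


def demo() -> list:
    """Walk one user through enrolment and a few logins; returns the accept/reject decisions."""
    salt = os.urandom(16)  # constructed per-user salt for this demo
    chain = build_chain("correct horse battery staple", salt, n=5)
    server = SKeyServer(chain[5])  # enrolment: server stores H^5(seed) only
    return [
        server.login(chain[4]),  # 1st login with H^4 -> accepted
        server.login(chain[4]),  # replay of the same OTP -> rejected
        server.login(chain[2]),  # skipping a link (H^2 while H^3 is due) -> rejected here
        server.login(chain[3]),  # 2nd login with H^3 -> accepted
    ]


if __name__ == "__main__":
    print(demo())  # [True, False, False, True]
```

The client must work down the chain in order; this simple server rejects a skipped link, while some deployments tolerate skips by hashing the candidate several times. Either way, knowing H^4 does not let anyone compute H^3, which is what makes the scheme one-time.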
For starters, basic plain-text answers can be snooped on over public networks like those at airports. So if I am sent a plain-text email containing a code, then unless I am using a VPN or another form of encryption, I am potentially allowing a bad actor who may already know my password to see that code as well.
For basic two-factor like security questions, companies tend to prompt for simple answers to questions like “What is your dog’s name?” or “What town is your sibling from?”. These are questions that, if answered honestly by the user, can be easily tracked down through mediums like social media. It is still better than having just a password, however, as the attacker will potentially need to know your identity to look that information up.
This has led to modern methods of two-factor such as using an extra hardware layer.
Common Modern Two-Factor Methods
Two-factor authentication has largely settled on three methods: one-time passwords (OTP) delivered through an authenticator app, phone calls, and text messages. Although each of these methods has its own vulnerability concerns, they are a drastic improvement over emailing a plain-text code or having the user answer a few easy-to-find-out questions.
The reason they are such a big improvement is that they rely on the user having a device like a phone with them. If a user is accessing social media or banking information on their laptop, they will also need access to a second device (which the hacker will not have).
Out of the three methods performed on a phone, the best is using a one-time password (OTP). This is because it is handled through an app that can be set up to require an extra password, so even if someone gets hold of your phone, it’s another step for them to go through. Also, OTPs cannot be snooped on as easily as a call or text.
The second-best method is a phone call, because nothing is sent as plain text. Spying on a phone call would require more sophisticated hacking and effort, since the attacker has to listen in in real time.
The worst by far is SMS (text). The reason is that the code is sent as plain text, and if a hacker has gone as far as compromising a public network, it doesn’t take much more for them to also snoop on a cellular network. If a hacker is able to infiltrate the network and see your SMS code, they can simply enter it on their own device and get into your account before you do. SMS is quickly being phased out as a two-factor method, and users are encouraged to use OTP apps or phone calls instead.
Here is a list of the common methods you will likely be asked to use at some point:
· OTP authenticator app (like LastPass or Google Authenticator)
· Text message
· Phone call
· Push notification (must click a notification on your phone)
· Email code
· Security Questions
· Biometric (fingerprint, or face scan)
Common Authentication Apps
Because of the convenience and the ability to use them as a hub for all two-factor accounts, OTP applications are becoming the norm. What they do is similar in concept to S/Key: once you’ve entered the correct password, you will be prompted for an additional set of numbers. These numbers expire after a couple of minutes and must be used within that period before they are replaced by new ones. This means that unless the bad actor has the app itself, it is unlikely they will get into a user account. Below are several of the most popular OTP authenticator apps.
· Google Authenticator
· Twilio
· Duo Mobile
· Microsoft Authenticator
· LastPass Authenticator
All these apps do pretty much the same thing described above. It is just a matter of preference, or of having an employer that requires one app over another. For example, a university may require you to use Duo, so you must enter a code that only works with Duo to complete two-factor.
Two Factor Tips
While two-factor is more secure than using only a password, just like passwords it has best practices that keep you safe. Here are a few tips to maximize security with two-factor.
· Don’t use plain-text methods: Methods like text messages and emails are considered some of the least secure forms of two-factor because it is easier to scrape the code when it is sent over an open network. Not every service will give you a choice, but if you can use a different method, it is recommended.
· Keep to one authentication app: By sticking to a single OTP authentication app, you make your life easier by having one hub for all your two-factor codes. This may even help you get in the habit of using two-factor more.
· If using a phone, have biometric security: If you are using a phone, protecting your device password or two-factor app password with a face scan or fingerprint adds security by requiring your physical presence to activate the app.
· Lie when answering two-factor questions: Let’s face it, security questions are still one of the most common two-factor methods. But you can make them stronger by not answering truthfully. So, when a site asks for your hometown, say you live on Mars or something.
The Cloud Industry as a Case Study in the Importance of Two-Factor
Industries such as cloud hosting handle critical data and thus require two-factor. As a cloud provider, we access several services that could have legal repercussions if mismanaged or hacked. Examples include servers hosting client data, domain registrars, SSL certificate registration, and more. It is incredibly important that we minimize any chance of these becoming compromised.
Every account our team members have access to is protected by OTP. Employees must use a device with an authentication app in order to access the accounts they need to perform their job.
But the cloud industry is only one example of the many industries where using two-factor has become the norm. We encourage everyone reading this to consider the importance of their data and to activate two-factor on the platforms and accounts that handle that critical data.