Technotive
Spirituality/Belief • Science & Tech • Writing
All ideas are to be considered. Well-written program code is beautiful, but art does not fall far behind. We strive to be turing complete.

Security Saturday!

Two-faced authentication - false security by design.

Online accounts are becoming more important and more prevalent every day. And despite the attempts to unify account management (log in with Google, log in with Facebook, etc.), the number of accounts that one person needs to manage increases incessantly. Some of these accounts are forced upon us, like the Dutch DigiD, used for tax and other government interactions. Others become necessary by proxy, like email accounts and social media accounts, which we use for their history of communications.

Regardless of the opinion one has on these accounts, it is undeniable that for many people these accounts have become paramount. Some of these accounts are in fact so important that having them compromised would immediately result in compromises of other important accounts and services (for example, if your online mail is compromised), or would directly open you up to identity theft (DigiD) or fraud (banking, credit card).

In recent years people have been experimenting with multi-factor authentication (or its subset, two-factor authentication). This is the notion that besides your usual login information (typically username and password) you have another way of proving that you are you. Other factors include the possession of devices (mobile phone, USB device, smartcard), biometrics (iris, fingerprint, face recognition) and probably some less common ones.

The most prevalent type is mobile phone authentication by means of text message. Ideally, what happens when you log in with your username and password is that you get a text message with a one-time password (some short sequence like 234 652). You enter this code in a second step of the login procedure, and then you are finally logged in. Of course, some services do not always require this second step, but instead remember the positive result for a week.

The text message form of multi-factor authentication is, however, not only the most prevalent one. It is also very much the least safe one. Several cases of number transfer fraud can be found on the internet. The first one that I heard about was, funnily enough, one related to RuneScape (an online game I used to frequent). In the case of number transfer fraud, a criminal buys a new phone SIM and initiates a number transfer. Instead of transferring his own number, he transfers the number of his target. This effectively knocks the target out of phone service (likely rendering them unable to respond adequately) and gives the criminal the ability to receive text messages intended for the previous owner.

Of course, that includes the multi-factor text messages used during login.

In order for the criminal to do crimes, he is required to also have the actual username and password of the target. But with text message as a second factor essentially eliminated, we are back at the starting problem we tried to solve.

So what can you do instead?

  • Use an authenticator app if your service is compatible. These apps live on your phone and are independent of your SIM and phone number. (Microsoft, Google and some others offer these. Internally they work the same way, so just get one that you like.)
  • Get a dual-SIM setup so that you always have a second phone number that you can use to immediately contact relevant parties when something goes wrong.
  • The really fancy services allow you to use a YubiKey, a USB device that fits on your keyring and acts like a digital key (link below).
  • Ask your phone company to put an alert on your number, so that it cannot be transferred easily.
  • Use a password manager to increase the strength of your password, so that the second factor does less of the heavy lifting.

Of course there are more things you can do. Other people in this and other Locals communities have their own views and methods as well. Also, if you DO have text message authentication set up for some account, leave it there. It makes you less likely to be a target, as long as there are also targets without a second factor or if the criminals are lazy.

As always, stay safe out there.

https://www.nbcnews.com/business/consumer/how-hackers-are-hijacking-your-cell-phone-account-n859986
https://www.yubico.com/
