01.14.14

Don’t have double protection yet?

After hearing about too many password-stealing attempts, maybe it’s time to take your account security a step further and set up two-phase authentication, so that you keep access to your e-mail, PayPal and other services with less to fear.

Friday morning. An e-mail message appears in my Inbox. The message is from a friend of mine who shared an online document with me. I was expecting it, so I clicked on the link in the message. To my surprise I landed on a site asking me to type in my e-mail password to view the document. Of course that doesn’t make any sense, so I looked at the URL of the link and saw that it had nothing to do with the document. After a more thorough examination I realized it was classic phishing (an attempt to steal sensitive information by masquerading as someone trustworthy). What confused me in this whole story was that the message actually came from my friend’s mailbox.

I called my friend, told him about the message and recommended that he check whether his e-mail account had been compromised. He thanked me and went to check. A few minutes later he called me back and said that someone else had complained about receiving a message of this kind from him, and that he had discovered those messages were indeed sent from his account, since they appeared in his e-mail Sent folder. He had also received a message from the e-mail administrator indicating suspicious activity in his account. I recommended that he change his password immediately, and indeed the phenomenon has not returned since.

The scenario of someone breaking into our e-mail, Facebook or bank account is similar to the scenario of someone physically breaking into our house. The thought that someone went through our private e-mail messages is as bad as the thought that someone went through our bedside drawers.

The damage from a virtual break-in can be even worse than that of a physical burglary: from reputational damage, through loss of funds, to identity theft. While it is not that easy to hack our accounts, hackers have enough courses of action available. One of them is a leak of sensitive information due to a fault at our service provider, such as the breach at ‘Snapchat’ at the beginning of the year that revealed information on 4.6 million users.

A break-in at one specific service does not only affect the account with that service. Most people use the same password with several service providers, so the hacker can simply try the same password at other services.

Another option is to use various phishing techniques designed to take advantage of people’s ignorance and innocence. One method is to send an urgent e-mail that appears to come from the bank and asks the user to log in to the “bank website” (which is actually a fictitious site run by the hacker) and enter a username and password to fix some supposed problem. The hackers then use that information to access the bank account through the official website.

There are also techniques such as “listening” in on people while they surf on insecure networks, or simply attempting to guess passwords, so in the end a password on its own is a protection that can be, and in practice is, defeated.

So what’s the solution? How can you make it harder for the bad guys? As in the real world, the way to do it is to add another lock. Not a simple lock but a more sophisticated one: a lock that is based not on information you know but on something you have. That something can be your mobile phone.

The mechanism is called “Two-Phase Authentication”, and the idea is to verify access not only by a username and password, but also by authenticating the device used for the access, which can be your PC or tablet. This is done by receiving a unique code on your mobile phone from the service provider the first time each device is used, and then typing that code in as a second authentication phase. Once approved, the device can be used to access the service indefinitely without needing to be approved again.

Now, if hackers try to access the service, they too will be asked to enter the unique code, since their device has not been approved yet. The code is sent to … your mobile phone, so the hackers cannot know it, and as a bonus you find out that someone is trying to access your account.
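To make the flow above concrete, here is an added example (not code from the original post or from any of the services it names) of the server-side logic: a one-time code is delivered out of band, verified with a time limit and an attempt limit, and only then is the device remembered by an opaque trust token. The five-minute validity, the five-attempt limit and the in-memory `outbox` standing in for an SMS gateway are all assumptions made for the example.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # a delivered code stays valid for five minutes (assumption)
MAX_ATTEMPTS = 5         # give up on a challenge after repeated wrong guesses (assumption)


class SecondFactorService:
    """Minimal model of two-phase authentication: a code sent to the phone
    approves a device once, after which a trust token replaces the code."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # (user, device_id) -> [code, issued_at, attempts]
        self._trusted = {}   # trust token -> user that approved the device
        self.outbox = []     # constructed stand-in for the SMS gateway

    def login(self, user, device_token=None):
        """After the password check: 'ok' for a remembered device, else a code is needed."""
        if device_token is not None and self._trusted.get(device_token) == user:
            return "ok"
        return "code_required"   # an unknown device (e.g. a hacker's PC) lands here

    def issue_code(self, user, device_id):
        """Generate a fresh six-digit code and 'send' it to the user's phone."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[(user, device_id)] = [code, self._clock(), 0]
        self.outbox.append((user, code))
        return "sent"

    def verify_code(self, user, device_id, submitted):
        """Return a trust token for the device on success, None otherwise."""
        entry = self._pending.get((user, device_id))
        if entry is None:
            return None
        code, issued_at, attempts = entry
        if self._clock() - issued_at > CODE_TTL_SECONDS or attempts >= MAX_ATTEMPTS:
            del self._pending[(user, device_id)]   # expired or brute-forced: start over
            return None
        entry[2] += 1
        if not hmac.compare_digest(code, submitted):   # constant-time comparison
            return None
        del self._pending[(user, device_id)]   # a code is accepted at most once
        token = secrets.token_urlsafe(32)
        self._trusted[token] = user
        return token
```

A real deployment would store the trust token as a long-lived cookie on the approved device and keep the pending codes and tokens in a database rather than in memory.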

“Two-Phase Authentication” is already offered by large services like Gmail, PayPal, Facebook and Twitter, so it is recommended to make use of it. I do.