In the last Privacy and Security Series post, we talked about theimportance of multi-factor authentication (MFA), also known as two-factorauthentication (2FA). Enabling MFA is a giant leap forward when it comes tosecuring your online accounts — Google and Microsoft both say that enabling MFAblocks 99.9% of accounthacks.
If hackers are germs, MFA is the Purell of internet account security.
So, you’ve followed the password best practices we talked about, and you have apassword manager, and you’ve enabled MFA on your accounts. Is there more you cando? Yes, of course!
Last week, Square & Twitter CEO Jack Dorsey had his Twitter accountcompromised by aSIM-swap attack. Long story short, a fraudster was able to convince someoneworking for AT&T to swap Jack’s phone number to the fraudulent SIM, which wasused to send Tweets via SMS.
Why does a SIM-swappingattack matter to you?
Well, if your MFA strategy is to have a one-time-password texted to your phone,you are vulnerable to a SIM-swap. Technically, anyone with a cellular device isvulnerable, but accounts backed by SMS-OTP MFA are vulnerable in particular.
Are there other downsides to SMS one-time-passwords?
Yeah, quite a few actually. As of July 2016, the U.S. National Institute ofStandards and Technology (NIST) said to stop usingthem.I discuss some additional downsides in the previous post.
What’s a better alternative to SMS-OTPs?
Token-based OTPs (time-based OTPs)
Is not vulnerable to the SIM-swapping attack because each one-time-passwordis generated by a seed/token value. So long as
1. the seed is not intercepted (which you can be reasonably sure of, ifyou trust the security of HTTPS/TLS and the root CertificateAuthorities); and 2. your OTP device is secure you are much more secure than with anSMS-based OTP.
U2F / Yubikey / Other smartcard / certificate authentication
Some companies, like Google, are supporting the FIDO/U2F/Yubikey approach,which involves the exchange of public keys to be matched with the privatehalf of the keypair stored on secured hardware devices. So long as
1. As long as no one steals your U2F device; and 2. the encryption isn’t cracked
you are even more secure than with Token-based OTPs, as the token seed isessentially the private key transmitted over the wire. The U2F approachkeeps the private keys private.
Even after we’ve done the hard work of changing all our passwords and enablingmulti-factor authentication on a bunch of services, there are still things youshould do on a semi-frequent basis.
For one, you should scrutinize the list of apps/services that are “connected” toyour accounts. Maybe you’ve used Boomerang for Gmail, or have apps that usefiles on Google Drive. When was the last time you checked out that list?
Below is a screenshot of some services that were connected to my Dropbox. I’mnot proud of it. Look at how many entries have “full read/write access to anyfile”.
Scrutinize this list and make sure you know every app and service that isconnected. If you don’t recognize an app, remove it and change your password. Dothis frequently for your highest-risk accounts, like your email provider.Google, Microsoft, Facebook, and Twitter all provide app connections, so checkthem often.
Similarly, remove unknown or unused devices from your accounts. For example,your Google account may still have a phone registered and offer to sendauthentication push notifications to it. If you have any reason to believe adevice is compromised, remove it.
Finally, review recent security events if possible. Some companies let you lookat recent login attempts, app connections, etc. At this point, you should bereviewing any activity information you have about your account by default.
Google offers all of these features in an easy-to-use portal called “SecurityCheckup”.
And yeah, my account does not get an A+ in security, because I have an unsignedthird-party app connected to Google Sheets. The good news: it’s a project I amdeveloping, and I trust myself (mostly).
Of course there’s more. We haven’t even begun to talk about browser extensionswhich can seriously up your privacy game. Until then.