Living with 2FA

Two-factor authentication has become a necessary part of life for access to critical websites, such as those that deal with your banking and your health. For those of us who are getting older or have parents who are getting older, access to some of those websites could be a life-and-death matter in extreme cases. You may have access to an account or have given someone access to it. But the 2FA is likely still tied to a cell phone, presenting an authentication issue. Workarounds are not easy.

Increasingly, 2FA is a requirement, not an option. If you opt not to use 2FA, you run a security risk. If 2FA is required, many people choose to have a code sent to their cell phone as a text message. The idea behind that is that the user has the device in their hand and is the only one who can see the code. It’s a safe choice. (OK, there’s a chance that someone might be able to intercept the text or that you might be in a kidnap situation. For most of us, the probability is practically nil.)

Fortunately, a cell phone number is not the only method of authentication. Most sites that require 2FA ask you to have an email address on file, too, and you can have that code sent there. If you or someone acting on your behalf has access to that email account, it’s easy to get the code and complete the authentication step.

Those are the easy situations.

Unfortunately, we’re asked to help reactivate and access old email addresses and old financial websites. The reasons are varied; helping an elderly parent, spouse or family member is the most common. Sometimes, you need access because someone has died. Sometimes, you need access to close up accounts that you forgot about and are no longer using. We find the biggest culprits are accounts you opened somewhere to take advantage of free stuff. You use it for a single transaction and forget about it. Then, all of a sudden, you run into trouble because somebody got into your long-forgotten account. Remember, there’s no such thing as free stuff.

The obvious step to prevent all such problems, of course, is to write down all the login info for all accounts you need for yourself or someone else – even those godforsaken freebies. Equally obvious, close all online accounts or email addresses that you no longer use.

If we need to gain access, it’s a tedious and risky process. We can try to follow all sorts of breadcrumbs from old texts and emails (“to” and “from” addresses, subject lines, dates) to see if there are clues to an access point. We need to be careful at every step along the way because, just like in a computer game, one mistake can knock you out. Microsoft, for example, has an automated system that monitors access attempts. When the system sees something it doesn’t like, it rejects any further attempts. There’s no human intervention involved.

Sometimes, we can help our clients reset a Gmail password; sometimes we can’t.

The key to all this electronic poking around is that you need to know where the pitfalls are in each site’s process for resetting a password. Making the wrong move can strengthen the lockdown. You need to know when you’re jeopardizing the entire reset process.

If you need to deal with resetting login credentials, give us a call – 973-433-6676 – or email us to discuss the problem, process and risks. We want you to be able to make an informed decision on how we can help.

Why Can’t We Vote Online?

We file our tax returns online. Our Social Security system is online. Businesses and financial institutions transfer billions of dollars online every day. Why can’t we vote online?

I know this is a politically charged issue, but we need to look at online voting to make our elections more accessible and more efficient. I say this as we wait for six states to reach a result, including Georgia, where my in-laws live, and neighboring Pennsylvania. We’re not complaining about the time-consuming, labor-intensive process required to count every vote, but it has given us time to think about how we can make the process better.

I’m casting a vote for online voting, and I am highly confident the many disciplines that make up our technology industry can make it happen. I know that fraud is a major concern, and while some may have overblown concerns, fraud is a valid worry. However, the industry does a good job of minimizing it.

On the personal level, we’ve already mentioned that we file our tax returns online – federal and state. Those who are part of Medicare and receive Social Security benefits can complete all transactions online, including paying their premiums and receiving their benefits by direct deposit. We can file for unemployment benefits online, access our medical records online and even re-enter the country using apps such as Global Entry, which relies on biometrics, and Mobile Pass, which relies on info accessed from a smart phone.

Businesses use all sorts of online systems to transfer money safely and securely. While government elections are sacred – as well they should be – there’s a lot of money at stake when companies and banks send billions of dollars through millions of transactions every day. When breakdowns occur, they can generally be traced back to the exploitation of someone’s sloppiness or ignorance. We know that one country’s government can have an interest in affecting another country’s government, but there’s a far larger universe of hackers looking for ways to get their hands on someone else’s money. There are more ways for them to access and monetize someone’s sensitive health information.

Therefore, if we focus just on elections, I believe we should be able to make those systems safe and secure. We have the tools in place; we just need to refine them and make them stronger. We constantly refine and strengthen tools as a general practice, so it’s not like we’re looking for something completely new.

We can also make better, more extensive use of two-factor authentication – as well as increased biometrics and other forms of password-replacement technology that can make our entire internet experience more secure.

Artificial intelligence (AI) and signature verification software have been used for years. We have systems for providing electronic signatures for financial transactions great and small. Why not apply this technology to elections? Technology can be used to verify or update a person’s residence. We have driver’s license information and utility bills online, for example. When we change addresses, that information changes – and is recorded. In many states, we are automatically registered to vote or can register to vote when we get or renew driver’s licenses.

We have the technology to coordinate all this information. What we need now is the will to do it. Our COVID crisis has forced us to take long, hard looks at new ways of doing things we’ve always done. New processes and procedures are likely to stay as we emerge from the pandemic (we will at some point), and voting is one of them. States expanded early voting and mail-in or absentee voting to avoid larger lines and longer waits in crowded places. The overwhelming response likely means we’re not going back on that.

Going forward with online voting will require governments at all levels to change laws and requirements, and that won’t be easy. There’s a lot of passion and fear when it comes to politics and elections. The technology industry, too, will need to prove it can – beyond any doubt – provide a secure platform to hold elections.

But we, too, as individuals, will need to step up our game. We’ll need to make sure that our individual systems are secure by keeping our network and device firewalls, antivirus and anti-malware software installed and up to date. We’ll need to make sure we have the latest operating systems – with security patches – installed, and the same goes for all the apps we use.

Online voting may not be the right option for everyone. We just think it’s time to add it to the other options already available.

And regardless of whether we have online voting, you should still take all the steps that are needed to keep your networks and devices safe and secure. If you have any questions, we can help. Call us – 973-433-6676 – or email us to discuss your online security needs – and talk about how we can promote effective online voting.

Strengthen Your Security

We’re probably as normal as we’re going to get with working at home, and that will put more pressure on businesses and employees to step up security. Virtual Private Networks (VPNs) have been around for a while, but we’ve never been completely sold on them. They can give you a false sense of security.

As we see it, they depend on too many people (and organizations) doing the right thing to work effectively. Essentially, they take you across somebody else’s network, and unless you’re the one who vetted the provider and set it up, you have no way of knowing if it’s safe. If you use a computer, cell phone or tablet on a compromised VPN, you’re providing multiple access points for anyone who’s hacked the VPN. It only takes one weak link to compromise a network, and it could take months before a security breach is found. That could be too late to prevent any damage, such as exposure of sensitive files or identity theft.

We’re OK with using a VPN while traveling. It’s generally good for a short period of time, and it’s likely to be used by a small group of people in your traveling party on known devices. Whether VPNs are reliably secure in certain communications environments is a debatable point. Given all that is going on today, we believe it’s better to err on the side of caution and use them in limited situations to meet specific needs.

There are much better steps to take, such as two-factor authentication and using mobile apps that store your password.

We’ve discussed two-factor authentication before. While it can take many forms, it generally works by sending a 6-digit code in a text message to a designated mobile device. You then need to enter that code on whatever device you’re using to log onto a website. The problem is that if you are near a cell tower that has been compromised, the communication involving your text message could be intercepted and redirected. It’s not likely in the United States right now; it was more of a problem with older towers. Still, it’s yet another reminder to keep your guard up at all times.

The authentication apps that save your passwords are run through Microsoft and Google, two behemoths that have an equally large stake in your security. The key factor here is that the password is stored on your device, not in the cloud. Anyone who wants to steal your password this way must physically have your device, and they must know your username and password. That minimizes the chance you’ll be compromised – even with a lost or stolen phone.

We’re available to answer any questions you have about security on all your devices and across all networks. Call us – 973-433-6676 – or email us to talk about who uses various devices within your business organization or family and where they use them. We’ll help you develop a plan or policy, if necessary, to strengthen your weakest links and maximize security.

Who’s Your Office 365 Partner?

As an Office 365 administrative partner for almost all of our clients, we have extraordinary access to your systems – and a huge responsibility. You depend on our honesty and competency to keep your systems running and protect you from breaches. Some of our colleagues are not as good about this. Microsoft finally provided some tools to strengthen security.

We’re shocked it took Microsoft so long to do this, but they finally are requiring outside administrators, such as Sterling Rose, to keep two-factor authentication turned on at all times. We instituted this control years ago on all of our administrative accounts.

What brought the issue to a head? When Microsoft Office 365 went mainstream by making the subscription service available to individual users, families and small home-office businesses, it created a lot more accounts for us to service for our clients. It also created a password nightmare.

As administrators, we can go into accounts to see what’s needed to make sure you and anyone included in your subscription can do what’s needed. In most cases, we go in when called on to solve a problem. We are scrupulous about signing out properly, effectively shutting the door to your account on our end, and we have been scrupulous about two-factor authentication to protect access from our end.

In our opinion, the two-factor authentication covers the laziness or carelessness of some IT providers – and it also protects Microsoft from being responsible for any losses of data not connected to a Microsoft meltdown.

That puts the data-protection ball back in our court. We want to make sure you have your side of the court covered, and here are some things you can do. The big thing, of course, is to have all of your files backed up. Microsoft OneDrive does this, but we don’t recommend it to be your only storage location. Azure, another Microsoft product, has backup and restoration capabilities, and there are other providers.

On our side of the court, we have two-factor authentication and other tools that fall under the label of cyber resiliency. Through the Information Technology Laboratory of the US Department of Commerce (part of NIST), a three-level approach to cybersecurity is being developed and refined. The first level, of course, is to resist penetration by cybercriminals. It’s an approach that’s been around for a long time, but we’ve learned that no defense can be entirely impervious.

Thus, we have two additional layers. The second layer seeks to limit lateral movement within a system once it’s been penetrated. Lateral movement is the technique hackers use to hop from the system they first compromised to other systems, and the strategies include barriers to gaining the permissions needed to do that. Defenses can include time limits that lock out an intruder or caps on the amount of data that can be exported from a system under attack. Another defense is to feed the intruder misinformation. The third layer allows a system to keep operating while under attack so that business won’t be disrupted.
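The “limit” layer described above is easiest to picture as checks run over sign-in and file-transfer records. The following is an added illustration, not code from the newsletter, NIST or any product: it flags an account that reaches more than a set number of distinct hosts inside a short window (a lateral-movement indicator) and an account whose exported data exceeds a cap. The event records, thresholds and function names are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real logs:
# (timestamp, account, action, host, bytes_out)
SAMPLE_EVENTS = [
    ("2020-11-09T09:00:05", "alice", "logon", "ws-01", 0),
    ("2020-11-09T09:01:10", "alice", "logon", "ws-02", 0),
    ("2020-11-09T09:02:30", "alice", "logon", "fs-01", 0),
    ("2020-11-09T09:03:00", "alice", "export", "fs-01", 300_000_000),
    ("2020-11-09T09:04:45", "alice", "logon", "db-01", 0),
    ("2020-11-09T09:05:20", "alice", "export", "db-01", 250_000_000),
    ("2020-11-09T09:00:00", "bob", "logon", "ws-05", 0),
    ("2020-11-09T09:30:00", "bob", "export", "ws-05", 10_000_000),
    ("2020-11-09T11:00:00", "bob", "logon", "ws-06", 0),
]


def parse_events(events):
    """Turn the ISO timestamp strings into datetime objects."""
    return [(datetime.fromisoformat(ts), acct, action, host, nbytes)
            for ts, acct, action, host, nbytes in events]


def lateral_movement_alerts(events, max_hosts=3, window=timedelta(minutes=10)):
    """Return {account: distinct_hosts} for accounts that logged on to more
    than max_hosts different hosts inside any sliding window of `window`."""
    logons = defaultdict(list)
    for ts, acct, action, host, _ in parse_events(events):
        if action == "logon":
            logons[acct].append((ts, host))
    flagged = {}
    for acct, items in logons.items():
        items.sort()  # chronological order per account
        for i, (start, _) in enumerate(items):
            hosts = {h for ts, h in items[i:] if ts - start <= window}
            if len(hosts) > max_hosts:
                flagged[acct] = len(hosts)
                break
    return flagged


def export_cap_alerts(events, cap_bytes=500_000_000):
    """Return {account: total_bytes} for accounts whose exported data
    exceeds cap_bytes; a real control would block the transfer, not just report it."""
    totals = defaultdict(int)
    for _, acct, action, _, nbytes in parse_events(events):
        if action == "export":
            totals[acct] += nbytes
    return {acct: total for acct, total in totals.items() if total > cap_bytes}


if __name__ == "__main__":
    print("lateral movement:", lateral_movement_alerts(SAMPLE_EVENTS))
    print("export cap:", export_cap_alerts(SAMPLE_EVENTS))
```

In the constructed data, alice touches four hosts in five minutes and exports 550 MB, so both checks fire for her; bob’s two logons are two hours apart and his export is small, so he is not flagged. The thresholds are the knobs a defender tunes against normal activity for each role.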

This gets us back to why it’s so important that Microsoft hardened its defenses for Office 365. It provides one more defense against penetration. At the same time, it provides another reason for your IT providers to have access to your system.

We have access to some of the tools needed to limit lateral movement within a system, many of them customized to your needs. Call us – 973-433-6676 – or email us to set up an appointment to discuss your needs and implement a plan.

The Azure Workaround

When Azure, Microsoft’s storage cloud, was hit with a problem that rolled around the world, it affected some of our clients who use it for storing and accessing data and apps, especially now that remote access is such a key need. Microsoft hasn’t been the only cloud provider hit, and this won’t be the last problem. But nothing needs to shut you down.

The Azure problem essentially locked people and businesses out of their data and apps. In the most basic terms, any Azure customer using DevOps and Office 365 who depended on two-factor authentication to protect their Azure accounts couldn’t log in. We were affected as a customer of both services.

At the time we were affected, we were doing a setup at a client and needed to get a big file, which we store through Azure. When I logged in to get it, I got no access; I just got a message they would send a text. I had an external hard drive with an old version of the file, and that was not suitable. Transferring the file remotely from my office computer would have taken too long. We solved the immediate problem by transferring the file from my computer to my Dropbox account and then downloading it from there.

We worked around the problem, but we operated in a vacuum. As an IT service provider, we got no information about anything that was happening, and that was frustrating. We later learned – along with the rest of the world – the problem started in Asia and made its way westward as organizations in Europe, Africa and the Americas began their workdays.

It took a few days for explanations and suggestions to reach everyone, and it didn’t take long (in the grand scheme of things) to return to normal operations. The problem centered around a breakdown in the two-factor authentication process. We and our client were fortunate that I had the capability – files stored on a computer I could access and Dropbox – to initiate a solution. But not every user has the resources I had.

Two-factor authentication is one of the key ways we can protect our data and app security, and the technology is evolving as we move toward password-less access to cloud servers and other websites that house highly sensitive info, such as banks, shopping sites and healthcare organizations. As hackers get better, our industry needs to stay ahead of them.

We don’t believe that shutting off two-factor authentication is a good solution to a sporadic access problem, but when it comes to your Microsoft accounts, you can turn it on and off as needed. That might be an effective workaround.

Microsoft’s website has step-by-step instructions for all who have a Microsoft account.

  1. Log in to https://account.live.com/
  2. On the home page, click “Security & Privacy”.
  3. On the “Security & Privacy” page, click the “Manage advanced security” link.
  4. Look for the page where you will find a link to “Set up two-step verification” or “Turn off” two-step verification.

If you have any questions about the process or need a walkthrough, contact us by phone – 973-433-6676 – or email. We can also help you with two-factor authentication with other systems and help you with other solutions to maximize your data and app access and security.

By the way, this is not a Microsoft-specific issue. Other cloud services, including Google and Amazon, have had access problems. Service outages will happen again because we will continue to use cloud-based services and because…stuff happens. Looking at the big picture, the cloud has too many advantages, such as access from any internet connection and the best possible security measures available, to pull everything back to individual computers and servers.

Protection in the Third-Party World

The reliance on third-party providers for so many data servers continues to grow. That increases your dependence on other people’s diligence, and it increases your responsibility to be more vigilant.

“NJ Biz” recently devoted a series of articles to many aspects of online safety and protection, and one of them focused on issues we’ve been discussing: verifying the integrity of third-party providers and two-factor authentication. Third-party providers are being used more and more by businesses of all types because they can scale up faster and more economically to handle any number of users from any number of locations.

However, you need to rely on those providers to protect your data, and according to Jonathan Dambrot, CEO and co-founder of Prevalent, a Warren-based IT security, compliance and third-party risk management service provider, the security environment is far from ideal. In one of the “NJ Biz” articles, he says: “Depending on who you talk to, between 40 to 80 percent of all data breaches are happening at third-party vendors, because that is where most of the data is. People are focusing on third-party data security risks because criminals are going after the data where it resides.”

If a provider has weak security, it is more vulnerable to an attack by hackers. But government and industry leaders are getting together to help you. Last December, Congress passed The Cybersecurity Act of 2015 to encourage companies to share with the government and each other technical details of hacking threats. This legislation reflects a growing acceptance of collaboration as a way to access data security threat intelligence and enforce vendor compliance.

It’s the latest of several early steps in a fluid regulatory process.

“Regulators have put controls in place over the last two-and-a-half to three years, and there is a combination of reasons why third-party or downstream risk has become really important to people as they look at their cybersecurity,” Dambrot said. “Third-party vendor and business associate risk has really changed as vendor services have changed. Years ago, people weren’t talking about cloud usage as much as they are today, and so, regulators will continue to change the wording to match the way data is handled.”

This collaborative effort, however, doesn’t get you off the hook. On the contrary, you need to do more. Two other articles we recently came across expand on two security matters we discussed last month: two-factor authentication and asking the right questions of any data-services provider.

Rather than re-explain some of the more effective ways to use two-factor authentication (2FA), we can refer you to a recent post by Ed Bott on ZDNet. There are many options available, including apps you can download to your mobile devices.

As he asks, “How much are your private communications worth? How about your reputation? Your bank account? Your identity?”

We know they are priceless to us but have great value on the black market. With 2FA enabled for a cloud service, any attempt to sign in on an unrecognized device might require you to enter a secret code that’s either received as a text message or generated by an authenticator app on your previously registered smartphone.

“Depending on the service, entering a code might automatically establish the current device as trusted, or you might be given the option to trust the current device,” he writes. “If this is your new computer or tablet (or a new browser), and you have this option, you should say yes. When you’re signing in on a device you don’t control, you shouldn’t allow it on your trusted list. One way to make sure that the device isn’t marked as trusted is to use a browser in private mode (aka incognito in Chrome). If a bad guy manages to steal your credentials for an account that’s protected by 2FA, he’s unable to do any damage. Because he is signing in on an unrecognized device, he’s required to provide a second form of authentication. Without access to your trusted device, he can’t authenticate himself and can’t go any further.”

There are many variations on that theme, and we can help you find one or two 2FA programs that can best meet your needs and comfort level with your devices. But you need to be sure the data center that houses your information has all the right policies and procedures in place, too.

Services provider vXchange, which estimates some 78 percent of work-related data will be on the cloud by 2018, has a list of 10 questions you should ask your next data center manager, and we suggest you read them to get an idea of what’s at stake. They’re questions we ask of ourselves and our provider to minimize your risk and ours.

While you don’t get total control of your data, you will have a much better grasp of the possible risks and the steps you can take to maximize your protection.

As your trusted IT service provider and advocate, we have 2FA techniques we prefer and providers with which we have established relationships. We can answer your questions and address your specific concerns in selecting and installing 2FA programs, and we can help you select and vet data centers. Call us – 973-433-6676 – or email us to set up an appointment to discuss your specifics.