It’s Time to be Authentic

Getting a text (SMS) code to verify your access to a website is becoming increasingly vulnerable because of SIM swapping. It’s essentially a way for a hacker to “borrow” your mobile phone number without you ever knowing it – until you suffer the consequences. It’s time to use a better authentication method.

One of our clients was victimized by SIM swapping. We suspected a problem when none of their cellular devices worked. They used a family member’s phone to call us about the problem. We told them to get to the Apple Store immediately to buy new devices and bring them directly to us – without opening any boxes. Using special tools, we were able to set up all their devices securely, but the damage had been done.

How does SIM swapping work? It requires a fraudster to convince a mobile carrier to transfer your phone number to a SIM card they control. With your phone number, the attacker can intercept one-time passcodes and two-factor authentication (2FA) codes sent via text message, allowing them to gain access to bank accounts, which they can quickly drain, and social media and other sensitive online services.

The SIM swappers usually get your information through phishing expeditions, which are designed to trick you into revealing details like birthdates, full names, and addresses. Then, they pretend to be the account holder and claim their SIM card is lost or damaged, and they request to have your number “ported” to a new SIM card, which they have in their phone. Conceivably, they can access your bank account if your 2FA is a text message, clean you out, and wipe the SIM from their phone. You’ll only notice it when your phone doesn’t work – at which point you’ll contact your carrier, who will issue you a new SIM card.

You can prevent SIM swapping by not using SMS or text as an authentication method. Our recommendation is to use an authenticator app, such as Microsoft Authenticator or Google Authenticator. If you are signing into a website from your computer, the authenticator will send a code to your phone, and you’ll enter the code from your computer.

This is one area we strongly urge you to avoid shortcuts. There are a lot of authenticator apps available, but Microsoft and Google have a lot at stake in your security. Both have huge customer bases and publish a lot of apps.

An alternative to an authenticator app is a biometric, such as facial recognition (iPhones and other Apple devices) or a thumbprint (Android phones). As with an authenticator app, these measures are device-specific.

We can help you set up both an authenticator app and biometric authentication to replace an SMS message. Call us – 973-433-6676 – or email us to talk about it.

Is LastPass’s Hack the Last Word?

In a word: hardly. LastPass getting breached seems like the equivalent of Fort Knox getting breached; it’s not supposed to happen. So far as we know, none of the gold, which represented the monetary value of US currency in circulation, was ever taken from Fort Knox. But password manager LastPass was breached, and data was taken.

The implications are stunning, to say the least. We’ve put our trust in password manager programs, and LastPass compounded the problem for its customers by being breached twice and not being as quick or transparent about it. From all reports, the latest breach occurred in late August when access was gained to parts of their developer environment through an individual compromised developer account. They said the intruder took some source code and proprietary technical information. In mid-September, they reported that the intruder was in their system for four days, but the incident did not involve any access to customer data or encrypted password vaults.

Just after Thanksgiving, LastPass reported that the knowledge gained from the first breach was used to breach the system again, and that the hacker gained access to certain elements of customer information. Just before Christmas, the hacker got customer account information such as names, billing addresses, email addresses, telephone numbers, and their encrypted vaults. They hastened to add the data was strongly encrypted and required decryption of the customer’s master password.

The bad news is that this was a series of breaches; not good. Over time, the attacker was able to target a separate employee to gain two critical pieces of information: access keys to a cloud environment and decryption keys for that cloud environment. This means the attacker was able to easily download copies of those vaults and the other customer data there.

Although each customer’s vault was encrypted, the vaults contained unencrypted information. The attacker likely downloaded all the available information from each and could the unencrypted info to try to crack the master password by brute force.

LastPass doesn’t have the best track record in the industry, and what happened there can happen to any password manager. But you can take steps to minimize the impact if it happens to your password manager.

We highly recommend that you activate two-factor authentication (2FA) for every web-based account you have. Some will give you the option to verify a specific computer, phone or tablet one time, while others will require verification every time you log in. Most systems work through text messages to cell phones because you’re most likely to have your phone with you. Some 2FA systems will send you an email with a code to enter or a link to click. They’re good if your email is secure.

So, make sure you secure your email accounts. Require 2FA – to your cell phone if possible – to access your email account from the web. List a secondary email address in case there’s a problem. It can be through another email provider, or it can be a person you trust.

2FA works with password managers, and it’s effective if the PW manager hasn’t been hacked. If the data is unencrypted, it could have been stolen (another good reason to set up 2FA for a text).

You can manage your password manager and enhance security by keeping it updated. You can change your master password at any time, and you can use the manager to change your passwords at any time. The programs offer random generation of passwords, and you can take advantage of that. It takes away any excuse you have for using the same password for multiple websites.

You can back up your password manager by downloading your website login info from the manager. Most people download the info to a .csv or .xls spreadsheet file. It’s a good idea to do this periodically and store a hard copy in a safe place. If you decide to change password managers, you can export your file to a new password manager. We suggest you create a new master password if you do that and then create new passwords for each account.

There are ways to download your password list with encryption, but they can be a little complicated. Call us – 973-433-6676 – or email us to set up a time for us to walk you through it. You can also contact us with any questions you have about password managers – selecting one or installing one.