Many of you lock the house and/or the car and also have an alarm system for double safety. Two-factor authentication works in a similar way in the cyberspace domain: you have a password to secure your account and a second form of authenticating your identity in order to unlock it completely. This is usually a 6-digit code sent to your phone via SMS, or sent to a secondary email account of your choice.
Why is this a must have today?
Because so many passwords are stolen these days, and a stolen password for an account that is protected by two-factor authentication (2FA) is useless.
A stolen password from an account that you do not care much about has the same value for national security purposes as the stolen password of a bank account (something you really care about – assuming it is loaded. LOL). When a stolen password can be used to access an email account, that email will be used to spread malware into the computers of all of your contacts. You will be surprised how often I get a call from a savvy and educated individual who tells me “Ceci, you will not believe what I did! I got an email saying it was from my friend and wanted to show me a pic, and when I clicked on the link my computer went nuts!”
Who offers 2FA?
Today, most platforms offer two-factor authentication and it is not difficult to set up, with the exception of a few services that have made this more difficult than it should be. One of them is eBay, and I will walk you through setting up your 2FA there as well.
You can visit this website to find out if the service you have or want to register for offers 2FA: https://twofactorauth.org/
When Apple released its iOS 9, it included a simple 6-digit passcode (which I hope you now have on your phone) and 2FA built into the operating system. With the 6-digit passcode, the possible combinations were raised from 10,000 to 1 million. This means that an iPhone or iPad is now much tougher to crack.
How to set it up?
Below, I offer an explanation on how to set up the Google 2FA, and eBay/PayPal 2FA. If you need further assistance with the other accounts that offer 2FA, you can always reach out to Meta via email for a cyber consultation.
In Google, log into your account and go to the far right upper corner, where you will see either your photo or your initials. Click on that big circle and select “My Account.” A new window opens with the label “Sign-in & Security.” Click on that, and you will see a new page with the title “Signing in to Google.” To the right of that you will see “Password & Sign-in Method,” and 2-Step Verification. Click on that and follow the instructions on the screen.
Then, go back to the Signing in to Google page, and right below the 2-Step Verification label you will see another label titled App Password. This is in place because once you set up 2FA on a Google account, you might not be able to use your regular password to check your email from a smartphone or an email platform. Although Google has been changing this to make the 2FA process really easy, there are still some accounts that will require you to enter this special one-time code that Google generates for you.
Thus, if after setting up 2FA you do not see email coming into your device, go to the Signing in to Google page and select App Passwords. A new page pops up where, at the very end, you see two pull-down menus with the words “Select App” and “Select Device” and the button “Generate.” Under Select App, indicate which app you are trying to sign in to and for which you need a special code. If it is not listed there, select “Other” and type the name of the app. Then, select the device and click Generate. That long key that Google generates is what you now enter as your password, and you only need to enter it once. The device will remember it for you. This is why it is so important that you lock your device when it is not in use, and that you use a 6-digit combination to lock it.
Since eBay owned PayPal until 2014, you have to set the 2FA in PayPal in order to protect your eBay account as well. If you try to set this up from the eBay account itself, you will go nowhere.
Thus, you will need to log into your PayPal account. Under “My Account,” click “Profile” and select “My settings.” The fourth line is the Security Key and to the right of it you will find the option “Update.” Click on Update, and the “Register your mobile phone” screen will pop up. Follow the instructions on the screen and every time you log into your PayPal account you will need to enter the 6-digit number sent to your phone via text message.
LinkedIn, Twitter, Facebook, Instagram… they all offer 2FA and the set-up is pretty easy.
When is the 2FA a problem?
For those of you who work in facilities that do not allow smartphones inside, you will have to set 2FA to send the code by email to a secondary account, because you will not have access to your phone when you try to log in to your personal email or social media account.
If your phone gets hijacked, lost or simply broken, you will not be able to access it to get the 2FA code that you need to log into your accounts. This will be a pain in the rear end. Nevertheless, you log into your accounts far more often than you break or lose phones. Google offers recovery tokens for cases like this. You might want to print a few to have them handy in case your phone is not accessible.
In the cyberspace domain, ALL accounts and devices are equally important because they all can be used as a stepping-stone to commit a crime. The United States of America is in the midst of economic cyber warfare, and it is your responsibility to ensure that your electronic accounts and devices will not be used to cause damage to our nation. According to Ponemon Institute of Cybercrime, in 2015, hacking incidents cost $15.4 million to the average American firm.
Because the events that occur in the cyberspace domain are not something you feel on your skin, unlike the physical domain, where someone who wants to rob you puts a knife in your ribs and you feel the pain and the extreme fear of losing your life, it is often very difficult to bring a sense of individual responsibility to stop cybercrime.
Thus, I offer this analogy using the physical domain to help you see the importance of the statements written above. You live in a cosmopolitan area where there is heavy pedestrian traffic, and you choose to leave doors unlocked and windows open. Every day, your house gets burglarized. You call the police. The officers visit your home, take a report, and advise you to lock windows and doors, but you argue that you want fresh air. This goes on weekly, monthly… you are wasting the city’s financial resources by having police officers visit your home and write a report, etc., etc. when you could solve the problem yourself by installing a motion sensor alarm, iron bars on your windows, and maybe a Meridus K9 trained dog! :-)
Do you see the parallel?
Thank you for reading. This is all for this blog, folks!
Meta Intelligence brings cyber risk management courses to your organization. Contact us for details.
Much has been said about the recycling of passwords and, in spite of that, we still have 57% of users recycling passwords. This means that the password you are using for your bank account is the same password that you use for social media accounts or to order pizza. Whenever any of these organizations gets hacked and all the passwords are spilled onto the black market, up for grabs, it is not difficult to access all of your accounts, because there is a 57% chance that the same password that was used at the pizza website will take the cyber intruder to your bank account.
Why is it so difficult for people to embrace a system of secure passwords?
Because the problems that arise in the cyberspace domain do not cause physical pain, or the immediate, physical fear you feel when a thief with a knife approaches you at the ATM.
What if I tell you that you can have 20+ different passwords, that you can carry them in your Notes (iPhone) or Evernote (other smartphones), and that you do not have to rely on systems like LastPass (which was hacked already) or any other third party to hold the key to accessing your important information?
This is how you do it:
You will select a phrase that is very close to you, and that you did not post all over social media platforms. The phrase I will select for my example is United We Stand Divided We Fall. Then, you will take the first two characters of each word in that phrase to create a baseline: UNWESTDIWEFA
This baseline still contains dictionary words in many languages and it is not yet secure. We will use Leet to convert vowels into numbers like this: A=4; E=3; I=1; O=0, and I also like to convert the letter L=7. Then, the baseline will look like this, using the upper and lower case pattern of your choice: UnW3StD1W3F4
Although this is a better constructed password, it is still easy to crack. So, to make the life of cyber crooks more difficult, we will add any of the following markers: ! @ $ & You will put this marker no farther than the fourth character from the beginning and from the end. It will look something like this: !UnW3StD1W3F4$
This password is still short, because we want to see at least 16 characters. So, you can add your favorite numbers at the end: !UnW3StD1W3F4$5326
Now, we have a password that, with today’s technology, will take about three months or so to crack. A password that cannot be cracked in at least 24 hours is useless for cyber crooks, who need to turn things around quickly.
How can you make one for each account?
If this password !UnW3StD1W3F4$5326 is for your email account, you can change it to U!nW3StD1W3F4$5326 for one of your social media accounts, and to UnW!3StD1W3F4$5326 for another one of your accounts. Remember I said do not pass the fourth character at the beginning; your next combination can be &UnW3StD1W3F4$5326. And just like that, you can have many different passwords without having to remember much about them.
Some organizations do not allow passwords longer than eight characters. For those places, I recommend that you always start your password with a special marker and end it with one: &UnW3St&
How do you store this password in your notes to keep it safe?
You do not write the actual password but a hint. So for this password, I would write:
Social Media 1: ! in second America$#
Social Media 2: ! in fourth America$#
Only you know what you mean by America, and only you know what number you have chosen. Do not use your date of birth, marriage, etc. Maybe you want to use the date of your first kiss, unless you also plastered that date all over social media platforms.
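The recipe above (baseline, Leet, markers within four characters of either end, digits at the end, the eight-character variant) and the hint notes, as one added Python illustration that is not the author's code: the function names and the hint parser are my own; the phrase, markers and digits are the post's.

```python
"""Worked example of the post's password recipe (added illustration, not the author's code)."""
import re

LEET = {"A": "4", "E": "3", "I": "1", "O": "0", "L": "7"}   # the post's substitutions
MARKERS = "!@$&"                                            # the post's marker set
ORDINALS = {"first": 1, "second": 2, "third": 3, "fourth": 4}

def baseline(phrase: str) -> str:
    """First two letters of each word, capitalised pairwise: 'United We Stand' -> 'UnWeSt'."""
    return "".join(word[:2].capitalize() for word in phrase.split())

def leet(text: str) -> str:
    """Swap A/E/I/O/L for 4/3/1/0/7 regardless of case; everything else is kept."""
    return "".join(LEET.get(ch.upper(), ch) for ch in text)

def build(phrase, lead="!", lead_pos=1, tail="$", tail_pos=1, digits="5326"):
    """Assemble the full password: markers within the first/last four characters, digits last."""
    if not (1 <= lead_pos <= 4 and 1 <= tail_pos <= 4):
        raise ValueError("markers must sit within four characters of either end")
    if lead not in MARKERS or tail not in MARKERS:
        raise ValueError("marker must be one of " + MARKERS)
    core = leet(baseline(phrase))
    # lead marker becomes the lead_pos-th character; tail marker the tail_pos-th from the end
    body = core[:lead_pos - 1] + lead + core[lead_pos - 1:]
    cut = len(body) - (tail_pos - 1)
    body = body[:cut] + tail + body[cut:]
    return body + digits

def short_form(phrase, marker="&", limit=8):
    """Variant for sites capped at eight characters: marker, truncated core, same marker."""
    return marker + leet(baseline(phrase))[: limit - 2] + marker

def from_hint(hint, phrase, digits, tail="$"):
    """Rebuild a password from a note like '! in second ...' plus the secrets only you hold.

    Only the marker and its position live in the note; the phrase and digits are supplied
    by the owner, so the note alone reveals nothing usable (hypothetical parser, my own).
    """
    m = re.match(r"([!@$&]) in (first|second|third|fourth)", hint)
    if not m:
        raise ValueError("unrecognised hint")
    return build(phrase, lead=m.group(1), lead_pos=ORDINALS[m.group(2)], tail=tail, digits=digits)

def meets_length(password, minimum=16):
    """The post's rule of thumb: at least 16 characters for the full form."""
    return len(password) >= minimum
```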
Do I change password every month or every three months?
NO!! And many other cyber geeks have written about the recklessness of asking people to change their passwords every three months. According to Mandiant/FireEye, it takes organizations in the private and public sectors alike an average of 265 days to realize that they have been compromised. Thus, when you have your employees change passwords every three months, or whatever the routine is, two things happen: 1) if you already have intruders in your servers, you let them see the new collection of passwords; and 2) employees become lazy and do not construct long, secure passwords but the type we see whenever a system gets breached: password123, padres123, etc.
I am aware that most government organizations ask you to change passwords every three months. If this is your case, you can create a secure password and only change the numbers at the end. When the system tells you that the password is too similar, you write it backwards. This is a practical way of complying with the regulations and at the same time giving the Italian salute to the ridiculous and insecure system.
When do I change my passwords?
When the organization is compromised. Because you did not recycle the password, you only need to change it for that organization. The change can be very subtle, like moving the special characters to the right or the left, so you do not have to come up with another phrase.
Some of my customers like to use a phrase for all financial accounts and a different phrase for the rest of their accounts.
For non-important websites that require passwords and where you do not have your credit card or other form of payment information stored, you can use Blur (dnt.abine.com).
This is all for now folks! Do not procrastinate. Start changing all unsecured passwords today.
Meta brings the course Risk Management When Online to your organization regardless of where you are located. Watch this short clip: https://www.youtube.com/watch?v=aRXazQuPzFs Then call us to schedule training for your team or organization.
About the Blog
This blog is updated on a bi-weekly basis and it will address a variety of topics concerning cybertechnology, privacy and ethics in the cyberspace domain.