“Device hacked by Oleg Pliss. For unlock device, you need send voucher code by 100 usd/eur (Moneypack/Ukash/PaySafeCard) to [ email address withheld ] for unlock.”

Many Apple device users woke up to find their accounts held to ransom.  I can only imagine how I would have felt if that was the case for me!  The question is, HOW did this happen?  I’m not going to focus on how to recover your devices or accounts, there’s enough information around on this already… I’m going to look at how you can avoid it happening (again)…

It would seem that the lovely person responsible for this piece of work managed to hack users’ iCloud accounts and put the devices into “lost” mode.  There is no official response from Apple as yet despite any number of reports on the Apple support forums.

Some cold hard realities… in the last year, many major companies have reported potential compromises of their backend systems, raising concerns about the safety of customers’ personal details, usernames AND passwords.  Here are just two examples I can point to:

  • Recently, I received communications from Adobe insisting I change my passwords due to a potential compromise – not that they were compromised, they just weren’t sure.
  • Not so long ago, Yahoo emailed me telling me to change my GOOGLE passwords because Yahoo had noticed unusual activities on their systems and knew that many of their customers used the same credentials on both networks.

Even going back to 2012 (yes, the dark ages in terms of Internet days), Wired reporter Mat Honan shared his harrowing experiences of having his iCloud and Twitter accounts compromised (see Reporter’s Epic Hack for more details).  This behaviour obviously isn’t new.

Now, let me ask you some questions…

  • How many of you think that having a strong password is sufficient to protect your account?
  • How many of you use a different password / username pair for different accounts?
  • What do you think makes a strong password?

The simple fact is that in today’s online world a strong password is only marginally useful… with the right resources and time a hacker can guess the password or, worse yet, compromise the back end systems and CHANGE your password.  When the majority of our life is held in online accounts (Google, Apple iCloud or others), why are we relying only on username and password combinations?

What can you do to protect your online accounts?

Use Two Factor Authentication, and if the organisation you’re considering using doesn’t provide it, look at something else.  Two Factor Authentication means having two “things” that together form your access code – as a younger woman in IT Security it was explained to me as “something you HAVE, and something you KNOW”.

You KNOW your password.  You HAVE a fingerprint.

You KNOW a PIN code.  You HAVE a key that you turn in a lock.

Just possessing one of these things is not enough to get through the security safeguards – you need to have both to use together.

Two Factor Authentication exists in the online world and has done for a very long time.  It’s just not something that is encouraged generally in the consumer market because it adds a level of complexity to user support – which is something support organisations try to avoid (understandably).

Traditionally, Two Factor Authentication relied on the person trying to access a system having a separate device that produces a One Time Password.  When a user tries to log in, they not only use their password; the end system also challenges them to enter the One Time Password that is displayed on the device they carry.  Sometimes these little devices are called ‘key fobs’ because they are normally attached to users’ key rings to keep them safe.

In the online world, Two Factor Authentication is generally linked to your mobile phone or device.  You need to have that device with you to access your accounts – whether that’s on your computer, tablet or phone.  Without having that device available, you will not be able to access your account.  It is the simple fact that you need to have access to this device as well as knowing the account password that increases the security on your account.

Types of Two Factor Authentication

Two Factor Authentication can occur in a number of ways:

  • SMS – a code is sent via SMS to your phone
  • Phone Call – a code is sent through a phone call
  • Email – a code is sent through email
  • Hardware Token – the traditional hardware device that displays a one time password
  • Software Implementation – an app that runs on your device that displays a one time password

I have to say my mind boggles at getting a code via Email – unless you’re 100% certain about your email account  security, this feels like letting the wolf through the door.  Just my thoughts on that.

Who Supports Two Factor Authentication?

Two Factor Auth (2FA) has a great list of which organisations support what type of Two Factor Authentication.  It’s a good reference.

It would appear that Apple uses its own Two Factor Authentication service which protects all your iDevices – this service was introduced in March 2013.  You shouldn’t just consider turning this service on, you should do it!

However, there are many companies that already support 2FA and thanks to the Electronic Frontier Foundation, here’s how you can enable Two Factor Authentication on some of your accounts:

Many of these services’ authenticators are compatible with the Google Authenticator app, so you have one app on your device to manage all your logins.

Physical Device Security

Of course, once you put your two factor authentication on your device you need to be very conscious of the physical security of your device.  Stay Smart Online (an Australian Government website) has some great tips around this:

  • Enable a password on your phone.  Don’t rely on swipe codes; use a password
  • Add a PIN code to your SIM
  • Set your device to automatically lock (of course, this saves the embarrassing butt dials as well)
  • Encrypt your data – check what your device offers on this
  • Turn off Bluetooth and Wi-Fi if not in use
  • Turn off automatic Bluetooth discovery so your phone can’t be found when in public
  • Check out the ‘lost phone’ type options provided by your carrier and phone manufacturer
  • Back up your data!  If the worst happens, make sure you can recover quickly.

Account security is your responsibility – it’s up to you to take every reasonable measure to protect your accounts against compromise.  Do you have any other tips for protecting your account that I might have missed?


About the Author acltechteam
