Why bother?
As the Wired article explains, this hack was based on Social Engineering. It involved the hackers physically calling customer support for both Amazon and Apple to provide information that allowed them to gain access to those accounts via their password reset mechanisms. Mr. Honan had "chained" these impacted accounts together and essentially they fell like dominoes after access was gained into the Amazon account.
Two factor authentication on his Gmail account would not have prevented all of this damage, since Google was not involved in the mechanism used to gain access to Amazon and his AppleID. But had he enabled two factor authentication on Gmail, it would have kept the hackers out of his Google account and would have indirectly protected his Twitter account. Unfortunately, since both Amazon and Apple had a serious flaw in their security ecosystems, Mr. Honan would still likely have lost the data on his iPhone, iPad and MacBook.
There has been significant press lately about password strength. If you haven't already done so, read my blog on the LinkedIn password hack that managed to steal the password file for thousands of users. In that blog I describe why you should change your LinkedIn password after that attack and ensure that you have a strong password that is not shared with your email accounts. But that blog post is all about having an effective password and protecting it. Two factor authentication takes security one step further.
What is two factor authentication?
Two factor authentication means proving who you are with two separate things:
- Something you know (your password)
- Something you have in your possession that nobody else has (usually a token of some kind)
Using this second factor essentially means that even if your password has been compromised, the hacker cannot access your account unless they also have the token that has been sent to your phone. This protects your email account from the type of attack that happened to Mr. Honan, which effectively amounted to a password reset on the email account. It also protects you from other forms of security breach in which your password has been disclosed to an attacker, such as the stolen password file incident that happened to LinkedIn.
Two factor authentication may seem intimidating, or an unnecessary hassle, but it really is not that intrusive once you have set it up for the first time. As you can see in the screenshot above, Google gives you an option to "Trust this computer". If you check that box you will not need to enter the second factor again from that computer. Do not check that box on any shared computer. Yahoo has a similar feature that allows you to trust a computer and bypass the second factor verification step.
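To make the two factors concrete, here is a small Python sketch of the server side of such a login, written for this post as an illustration (it is not Google's or Yahoo's code). It assumes an in-memory account record, a five-minute code lifetime and a three-guess limit (both made-up values), and it stands in for delivering the code to your phone by simply returning it from issue_code() so the example can run offline. The password is "something you know", the one-time code is "something you have", and trust_device() models the "Trust this computer" checkbox.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Constructed, in-memory account records for the demonstration; a real service
# would keep these in a database. Passwords are stored as salted PBKDF2 hashes;
# one-time codes and device tokens are stored only as SHA-256 digests.
CODE_TTL_SECONDS = 300      # assumed: a delivered code is valid for five minutes
MAX_CODE_ATTEMPTS = 3       # assumed: guesses allowed per issued code


def _sha256(text: str) -> bytes:
    return hashlib.sha256(text.encode()).digest()


def hash_password(password: str, salt: Optional[bytes] = None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def create_account(username: str, password: str) -> dict:
    salt, digest = hash_password(password)
    return {"user": username, "salt": salt, "pw_hash": digest,
            "pending_code": None, "trusted_devices": set()}


def check_password(record: dict, password: str) -> bool:
    """Factor one: something you know. Constant-time comparison of digests."""
    _, digest = hash_password(password, record["salt"])
    return hmac.compare_digest(digest, record["pw_hash"])


def issue_code(record: dict, now: Optional[float] = None) -> str:
    """Factor two: something you have. Generates a six-digit code, stores only
    its hash with an expiry and an attempt counter, and returns the clear-text
    code. A real service would send that code to the user's phone instead of
    returning it; returning it is a stand-in so the demo runs offline."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    record["pending_code"] = {"hash": _sha256(code),
                              "expires": now + CODE_TTL_SECONDS,
                              "attempts": 0}
    return code


def verify_code(record: dict, code: str, now: Optional[float] = None) -> bool:
    """Accepts the pending code once, before expiry, within the attempt budget."""
    now = time.time() if now is None else now
    pending = record["pending_code"]
    if pending is None:
        return False
    if now > pending["expires"] or pending["attempts"] >= MAX_CODE_ATTEMPTS:
        record["pending_code"] = None          # expired or exhausted: discard it
        return False
    pending["attempts"] += 1
    if hmac.compare_digest(_sha256(code), pending["hash"]):
        record["pending_code"] = None          # single use: a replay will fail
        return True
    return False


def trust_device(record: dict) -> str:
    """'Trust this computer': mint a random bearer token for the browser to keep
    (as a cookie) and remember only its hash. Whoever holds the token can skip
    the second factor from that browser."""
    token = secrets.token_urlsafe(32)
    record["trusted_devices"].add(_sha256(token))
    return token


def is_trusted(record: dict, device_token: Optional[str]) -> bool:
    return device_token is not None and _sha256(device_token) in record["trusted_devices"]


def login(record: dict, password: str, code: Optional[str] = None,
          device_token: Optional[str] = None, now: Optional[float] = None) -> str:
    """Returns 'denied', 'need_second_factor' or 'ok'. The password is checked
    first; a trusted device satisfies the second factor, otherwise a code must be
    presented. The application calls issue_code() after the first
    'need_second_factor' result and delivers the code to the phone."""
    if not check_password(record, password):
        return "denied"
    if is_trusted(record, device_token):
        return "ok"
    if code is None:
        return "need_second_factor"
    return "ok" if verify_code(record, code, now) else "denied"


if __name__ == "__main__":
    acct = create_account("mat", "correct horse battery staple")      # constructed
    print(login(acct, "correct horse battery staple"))                 # need_second_factor
    delivered = issue_code(acct)                                        # "sent" to the phone
    print(login(acct, "correct horse battery staple", code=delivered))  # ok
    print(login(acct, "correct horse battery staple", code=delivered))  # denied (single use)
```

Two things to notice. A stolen password alone only ever gets an attacker as far as "need_second_factor", which is the whole point of the scheme. And the trusted-device token is a plain bearer credential kept in the browser, so a computer you do not control that has been "trusted" is holding your second factor for you; that is exactly why the advice is to leave the box unchecked on shared machines.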
I urge everyone to take this threat seriously and turn on two factor authentication on every account that offers it. Honestly, if your email provider does not offer it, I would switch to one that does, such as Google or Yahoo. Too much of our lives depends on our online accounts not to protect them properly. Think of how many accounts you have, such as your bank, credit cards, brokerage firms, etc., that have a password recovery option that sends a reset notification to your email account. For a hacker, obtaining access to that email account is the equivalent of gaining the keys to the kingdom. Protect it as best you can.
Kelley, why do you recommend not to check the "Trust this computer" box? Isn't that factor tied to my physical computer (that hopefully nobody but me has access to)?
Paul, you are correct. Your computer does become the second factor after checking that box. Checking that box on your home computer is perfectly fine, I should have been more clear. What I'm talking about when I say shared computers is any computer you do not control. For example a computer in a hotel business center. You never know if a computer, such as one in a hotel business center or a library, has a keystroke logger installed on it. If it did, and you checked that box, whoever installed the keystroke logger now possesses both factors, your password and the browser that has been "trusted".
Good info, Kelley. Thanks!