SpiderLabs Blog


One Factor, Two Factor, Three Factor, More

There has been a lot of talk online today about how Matt Honan, a reporter for Gizmodo, was the victim of a cyber attack that left his iPhone, iPad and even MacBook erased and useless. Matt is placing a lot of blame at the feet of Apple and Amazon for not properly authenticating the attackers and giving them access to his account, access the attackers then used to remotely wipe his devices.

I don't think Apple or Amazon did anything wrong. Let me rephrase that: they didn't do anything outside of the industry norm. As such, everyone really shouldn't vilify them for doing the same thing everyone else does. Take, for example, your bank. What happens if you forget the password to your online bank account?

This actually just happened to me yesterday. I tried to log in to one of my online bank accounts, tried the passwords I thought I had set, and after five attempts my account was frozen. So I called the bank on the phone, talked to the nice lady and explained that I had forgotten my password and was locked out of my account. She asked for my name, address, account number and the last four digits of my Social Security number. She then unlocked the account and emailed me a new temporary password.

So really the only thing needed to get access to my bank account (and probably yours too) is access to a Gmail account. The old emails will most likely have the name, address, account number and last four digits of the Social Security number in them somewhere. If that information wasn't in the old emails, it probably wouldn't take more than a few Google searches to find it. Easy peasy.

So authentication, verifying that someone is who he says he is, is a big deal. A big deal that most organizations, including banks, and Apple and Amazon in these cases, don't do very well. So what's the solution? Some people say that two-factor is the answer. Gmail offers it, some online games issue token generators to their users, and there are even some banks that use it. Two-factor authentication uses some way to generate a random number that you then enter into a system. If the random number you enter matches the random number the system also generated, then the system knows it is you and authenticates you.

Two-factor authentication is great and I wish more organizations would use it, but two-factor isn't perfect, and the problem I have seen is that people think it is. They end up relying on that second factor a little too much, so much that it ends up becoming one factor again! Not to mention the recent breach of RSA, one of the largest two-factor authentication companies in the world.

But the big problem with two-factor authentication is cost. If you're a bank and use a physical token to generate random numbers, then you need to pay for the tokens, distribute them to your users and deal with them quickly when they inevitably fail. If, like Gmail, you use an automated token, you still need to build the infrastructure to support it, have plans in place for when people lose their phones, etc. All of this subtracts from the bottom line, and with most companies running on razor-thin margins as it is, this is not a cost they are keen on absorbing.

So what is the solution? How do you prevent what happened to Matt from happening to you? Well, you could wait around and let companies like Apple, Amazon and your bank determine whether instituting two-factor authentication is cost effective or not, and then hope that it doesn't get compromised. Or you can take a few simple steps to protect yourself.

The first thing is to make a backup. That's basic common sense these days and super easy. Macs come with Time Machine for a reason, and Windows machines have similar automated software. Second, use Gmail as the address for any accounts that can access money and turn on the free two-factor authentication they offer. Obviously, use different passwords everywhere. Don't link accounts; sure, it's tempting because it makes things wicked easy, but try not to have information in one account that can be used to access another. Personally, I use a different credit card and email address at PayPal, Amazon and Apple. It isn't foolproof, but it does make things more difficult.

And lastly, just think twice when someone asks you for information. Does this cashier really need your phone number? While your phone number, or address, or even your bank account number may not be a secret, it can potentially be used to find out other information. If someone doesn't need the information, don't give it to them.

"Hey, Let's be careful out there."