One Factor, Two Factor, Three Factor, More

There has been a lot of talk online today about how Matt Honan, a reporter for Gizmodo, was the victim of a cyber attack that left his iPhone, iPad and even MacBook erased and useless. Matt is placing a lot of blame at the feet of Apple and Amazon for not properly authenticating the attackers and giving them access to his account, access the attackers then used to remotely wipe his devices.

I don't think Apple or Amazon did anything wrong. Let me rephrase that: they didn't do anything outside of the industry norm. As such, everyone really shouldn't vilify them for doing the same thing everyone else does. Take for example your bank. What happens if you forget your password to your online bank account?

This actually just happened to me yesterday. I tried to log in to one of my online bank accounts and I tried what passwords I thought I had set it to, and after five attempts my account was frozen. So I called the bank on the phone, talked to the nice lady and explained that I forgot my password and was locked out of my account. She asked for my name, address, account number and last four digits of my Social Security number. She then unlocked the account and emailed me a new temporary password.

So really the only thing needed to get access to my bank account (and probably yours too) is access to a Gmail account. The old emails will most likely have the name, address, account number and last four digits of the Social Security number in them somewhere. If that information wasn't in the old emails it probably wouldn't take more than a few Google searches to find it. Easy Peezy.

So authentication, verifying someone is who he says he is, is a big deal. A big deal that most organizations, including banks, and Apple and Amazon in these cases, don't do very well. So what's the solution? Some people say that two-factor is the answer. Gmail offers it, some online games issue token generators to their users, and there are even some banks that use it. Two-factor authentication uses some way to generate a random number that you then enter into a system. If the random number you enter matches the random number the system also generated, then the system knows it is you and authenticates you.

Two-factor authentication is great and I wish more organizations would use it, but two-factor isn't perfect, and the problem I have seen is that people think it is. They end up relying on that second factor a little too much, so much that it ends up becoming one factor again! Not to mention the recent breach of RSA, one of the largest two-factor authentication companies in the world.

But the big problem with two-factor authentication is cost. If you're a bank and use a physical token to generate random numbers, then you need to pay for the tokens, distribute them to your users and deal with them quickly when they inevitably fail. If, like Gmail, you use an automated token, you still need to build the infrastructure to support it, have plans in place for when people lose their phones, etc… All of this subtracts from the bottom line, and with most companies running on razor-thin margins as it is, this is not a cost they are keen on absorbing.

So what is the solution? How do you prevent what happened to Matt from happening to you? Well you could wait around and let companies like Apple, Amazon and your bank determine if instituting two-factor authentication is cost effective or not and then hope that it doesn't get compromised. Or you can take a few simple steps to protect yourself.

The first thing is to make a backup. That's basic common sense these days and super easy. Macs come with Time Machine for a reason and Windows machines have similar automated software. Second, use Gmail as the address for any accounts that can access money and turn on the free two-factor authentication they offer. Obviously use different passwords everywhere. Don't link accounts; sure, it's tempting because it makes things wicked easy, but try not to have information in one account that can be used to access another. Personally I use a different credit card and email address at PayPal, Amazon and Apple. It isn't foolproof but it does make things more difficult.

And lastly, just think twice when someone asks you for information. Does this cashier really need your phone number? While your phone number, or address, or even your bank account number may not be a secret, it can potentially be used to find out other information. If someone doesn't need the information, don't give it to them.

"Hey, Let's be careful out there."

