Two-Factor Authentication: Is it worth the hassle?

Passwords are no longer enough. That’s what we keep hearing. Bad people are constantly battering at the door of my digital life looking for a way in, and I need more layers of defence, even if I avoid these classic password boo-boos.

Enter two-factor authentication (abbreviated 2FA, a.k.a. 2-step verification if you’re Google, and hashtagged as #2FA on that Twitter thingy). (“Universal 2nd Factor” or U2F is a related technology requiring special bits of hardware. We’ll not go there just yet.)

Like you, I have lots of online accounts, some of which don’t currently use 2FA (I’m not telling you which ones as you might hunt me down in order to cyber-attack me). My first introduction to 2FA was with the UK HMRC web site. They didn’t force me to set it up, as I recall, but I was happy to do so. Now, whenever I need to log in they text me a code which I have to enter in addition to my user name and password.

At this point you (like me) may have some questions, such as:

What problem does 2FA fix?

Sticking with the HMRC example, if someone steals or cracks my HMRC credentials, they still can’t log in as me because they don’t have my phone and can’t receive the 2FA code.

But what if they steal your phone as well?

Not very likely, is it? It could happen, I guess, so let’s assume I’ve been assaulted, they’ve tortured me for my HMRC login and then nicked me phone. I was about to say they’d need to crack my phone security as well, but then I remembered that text messages show a notification on the lock screen – so they might still be able to read the code. Dang it.

Not only that, I did hear of a scammer who managed to scam the mobile phone company as well as the target company so that they were able to receive 2FA codes. No torture or physical theft required. The phone company were negligent and it was a very complex scam, but it worked. (I’d like to include a link to the story but I can’t find it online and, hey, I’m not Wikipedia.)

So the answer is – 2FA could be defeated. Boo.

Aha! And what if you just lose your phone?

That would also be a pain in the proverbial. But HMRC, like all reputable 2FA systems, provides for backup authentication methods. It may be a landline number, another mobile number or even a set of one-time codes you can download and keep for just such a calamitous occasion. (No good keeping them on your phone, naturally.)

So, when configuring 2FA I do need to consider the Plan B option as well.

Do you have to enter a code every time you log in?

With HMRC, yes – that’s how I’ve set it. I don’t use it that often, and the data is highly confidential. But for other accounts, I do live in the slightly troubled territory of Remember me on this computer. We all do it – who wants to log in to everything, every time, on every device? Browsers (or the systems themselves) offer to remember us, or keep us signed in. It’s that balance of security and convenience.

With most systems it’s possible to only require a 2FA code when signing in to a new device. There’s a logic to that because if my account credentials are stolen, chances are that the criminal will try to use them on a computer other than mine. And 2FA will thwart them. (Always assuming they haven’t stolen my phone.) But, as before, there’s a slim chance that the hacking happens directly on my own computer (say with a keylogger loaded by a Trojan). In that case, if I’ve selected “keep me signed in on this computer”, and the digital baddie has control of my PC, I’m doomed. 2FA will not save me. The baddie will access all my secrets and ruin my life.

Boo.

Is 2FA worth the bother then?

Yes, yes, a thousand times yes. Cyber security is all about risk management, just like physical security. The fact that my front door lock isn’t impenetrable doesn’t stop me using it, because it significantly reduces the chances of a burglary. It makes life harder for would-be thieves. If I add a second factor (like an alarm, security lights or a savage guard dog), it mitigates the risk further. A determined criminal could still bypass it all – but the chances are they won’t bother.

Is 2FA using text messages perfect? Nope. Can it be beaten? Yep. (And not just by stealing my phone, by the way; text messages are unencrypted and can theoretically be intercepted during transmission.) Will it help if I’m already signed in, stay signed in and the criminal has access to my device? Nope.

But…

Will 2FA with text messages usually stop a thief accessing my account on another device? Indeed. And theft of my credentials without loss of my phone, I would submit, your honour, is by far the most likely scenario. Why? Because most credential thefts or cracks don’t involve anyone accessing my computer (or my phone) directly. They’re stolen when a company web site is breached or when I’m dumb enough to be social-engineered or phished.
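To make the scenarios above concrete, here is a toy login flow I’ve added for illustration (it is not HMRC’s code, nor any real provider’s): a texted 6-digit code that expires after five minutes, a handful of single-use backup codes for Plan B, and a “remember this device” token that skips the code entirely. All values in it are made up.

```python
import hashlib, hmac, secrets, time

CODE_TTL = 300  # seconds a texted code stays valid (assumed value)

def _h(s):
    return hashlib.sha256(s.encode()).hexdigest()

class Account:
    """Server side: password hash, live texted code, backup codes, trusted devices."""
    def __init__(self, password, n_backup=5):
        self.pw_hash = _h(password)
        self.pending = None  # (code, expiry) while a texted code is live
        self.backup_codes = [secrets.token_hex(4) for _ in range(n_backup)]
        self.backup_hashes = {_h(c) for c in self.backup_codes}
        self.trusted = set()  # hashes of "remember this device" tokens

    def start_login(self, password, device_token=None):
        """Factor 1: remembered devices go straight in, others get a code 'texted'."""
        if not hmac.compare_digest(self.pw_hash, _h(password)):
            return "denied"
        if device_token and _h(device_token) in self.trusted:
            return "signed_in"
        self.pending = (f"{secrets.randbelow(10**6):06d}", time.time() + CODE_TTL)
        return "need_code"

    def finish_login(self, code, remember=False):
        """Factor 2: the texted code or one backup code, each usable once."""
        live = self.pending and time.time() < self.pending[1]
        if live and hmac.compare_digest(code, self.pending[0]):
            self.pending = None
        elif _h(code) in self.backup_hashes:
            self.backup_hashes.discard(_h(code))
        else:
            return "denied"
        if not remember:
            return "signed_in"
        token = secrets.token_urlsafe(16)  # what "keep me signed in" stores
        self.trusted.add(_h(token))
        return token

def scenarios():
    """Outcome of each situation the post talks through."""
    acct, out = Account("correct-horse"), {}
    acct.start_login("correct-horse")          # thief has the password...
    code = acct.pending[0]                     # ...but this is on my phone
    guess = "000000" if code != "000000" else "000001"
    out["stolen_password_no_phone"] = acct.finish_login(guess)
    out["password_and_phone"] = acct.finish_login(code)  # phone stolen too
    out["replayed_code"] = acct.finish_login(code)
    backup = acct.backup_codes[0]              # Plan B: phone lost
    acct.start_login("correct-horse")
    out["backup_code"] = acct.finish_login(backup)
    acct.start_login("correct-horse")
    out["backup_code_reused"] = acct.finish_login(backup)
    token = acct.finish_login(acct.pending[0], remember=True)
    out["remembered_device_skips_code"] = acct.start_login("correct-horse", token)
    return out
```

The last entry is the “doomed” case: whoever holds the remembered device (or its token) never sees the code prompt.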

OK. So you recommend using 2FA?

Definitely.

Although…it’s worth being aware that companies mess up sometimes. Not naming any names, but Facebook have angered people with what they now say is a bug causing users to receive spam texts after setting up 2FA. That particular failing hasn’t caused a security problem – just extreme annoyance. Facebook’s 2FA is relatively new (at the time of writing) so it may be prudent to avoid being among the early adopters when a service first offers 2FA.

Which accounts did you say you don’t have 2FA configured for?

Nice try.


The Dad Diaries Chapter 5: In which a bowl is broken and bonding is too expensive

Wednesday, 9th February, 2005

The Bill Bailey DVD we ordered arrived, and I had to agree with Jack’s assessment that it’s “well funny”. I feel an affinity with Bill, since we’re both humourists. The only difference between us is that he’s extremely successful, has great stage presence and happens to be a talented musician to boot. There, I must admit, he’s got the advantage over me, since there’s probably not a huge amount of comedic value in a bloke staring at his guitar trying to remember the chords for Home on the Range.

Friday, 11th February, 2005

A man’s work is never done. In anticipation of guests landing on us (not literally) tomorrow, I took the afternoon off to get the house ship-shape (or, more realistically, house-shape). With F. being out and Sarah not being well, poor old Jack was press-ganged into “volunteering” to help. So, while I spent about 5 hours cleaning two bathrooms, the hall, landing and stairs, our bedroom, the lounge, the dining room and the study, Jack bravely changed his bed and hoovered his bedroom.

Jack asked if he’d be getting extra pocket money for all his efforts. I launched into an uplifting speech about fulfilling our responsibilities, all pulling together, the reward of a job well done and the like. It took me a good three minutes to notice he was no longer there.

Saturday, 12th February, 2005

A most pleasant day with our visitors. We watched rugby, went to town, got soaked walking back from town, then dried off while watching a Tom Hanks film, The Terminal. It’s a peculiar yet heartwarming tale (not unlike these diaries, really) marred only by the fact that in my hurry to restock the popcorn I broke one of our treasured blue Pyrex bowls.

(Photo caption: Before the devastation)

Much like a hamster, said bowl wasn’t exactly irreplaceable but had nonetheless been in the family for some time and will be missed.

Monday, 14th February, 2005

This being Valentine’s Day I have of course carried out various essential domestic chores, to wit: New battery in dining room alarm sensor (previous one having lasted a paltry six weeks); New fluorescent tube in kitchen worktop light fitting (a snip at £6.50); New 10 Watt halogen bulb in bathroom downlighter (again). My sense of achievement knew no bounds.

Thought I’d better tackle the assignment from last week’s session of the Finding Your Place in the Kingdom of Our Righteous God and Playing Your Part in the Spreading of His Glorious Gospel course. My thoughtful and decisive answers apparently indicated that I was mildly interested in eight different areas of ministry and may possibly have one or more of at least eleven different spiritual gifts. So that’s much clearer then.

This being Valentine’s Day, F., Jack and Sarah watched Forrest Gump.

Tuesday, 15th February, 2005

The extractor fan in the downstairs loo ceiling has been screaming like a strangled banshee for a while. Being on a DIY roll (see yesterday’s entry), I whipped it out and sprayed WD40 into every available orifice. A quick check of the instructions (carefully filed, naturally, along with leaflets for a fridge-freezer, a kettle we threw away in 1998 and 37 other miscellaneous household appliances) revealed a fairly short section on maintenance, consisting mainly of the phrase Do not lubricate under any circumstances.

While washing my hands after this highly successful task, I also had to rinse several drops of WD40 out of my left ear.

Wednesday 16th February, 2005

F. was not pleased by the small, oily pool on the floor in the downstairs loo. I said I’d have a word with the kids as it was probably some weird hair product.

Thursday, 17th February, 2005

I explained to Sarah and Jack that since our tickets for Les Miserables were pretty pricey, there’d be no father-child bonding trip this year. They put on a good show of concealing their disappointment.

Cycled to B & Q to look for a new extractor fan.


The Dad Diaries are fictional. Probably.

Android Irritations: How I stopped Google Play Services demanding that I update my phone number

I have a confession to make: Despite being an IT type of many years’ standing I’ve only recently acquired a smartphone. I know! For various reasons, until 2017 I stuck to a distinctly non-smart but very compact Nokia 2332. Finally prompted by the withdrawal of my pay-as-you-go tariff by TalkTalk and not wanting to be shunted to Vodafone, I entered the wonderful world of Android.

(For the phone geeks out there, my weapon of choice was a Huawei P8 Lite 2017. Yes, I do like it, no, this isn’t a review.)

Anyhoo, I soon discovered that every time the phone restarted, I would get a cheery notification from Google Play Services a bit like this:

(Screenshot of the Google Play Services notification)

(Actually mine said, “It looks like you changed your phone number…”.)

When this first appeared I dutifully followed the prompts, logged into my Google account and discovered – as I’d thought – that my phone number was already there, and was already correct. Mild irritation.

Next time I switched on my phone, same thing. And the next time. And the next time. And…you get the idea.

Being an IT pro, I called on all my accumulated experience and detailed technical knowledge by searching Google. I found other people similarly irritated but no fix.

I thought it might be because my phone number was wrong in the system settings (it showed the number given me by my new provider before I ported my old one), so duly contacted the provider and asked for a network refresh (or some such term). This did the trick as far as the system phone number was concerned but didn’t stop Mr Google greeting me each morning.

Boo.

App Data

Finally, after putting up with it for several months, I conquered it, courtesy of MultiMatt (whose problem was almost identical to mine) and Ed Nisley (whose proposed fix did the trick). The fix was: Clear the app data for “Google Play Services”, as described in Ed’s post.

After clearing the data I restarted the phone and it told me I now had no backup account (i.e. my apps, photos, etc. were no longer being backed up to Google). So I just picked an account and all was happy again. I’ve not seen the unwelcome notification since.

You’re welcome.

The rehabilitation of butter and why I’ll think twice about sunflower oil

A few years back I was told my cholesterol was a little high and that I ought to try to reduce it to protect myself from heart disease. The two specific diet changes I made were switching from full-fat milk to semi-skimmed and from butter to margarine (usually Flora Buttery).

Funny how things change.

Last year I discovered that the fat in full-fat milk may not be as harmful as we've been told.

Now, it seems, vegetable oils aren't as great as we've been led to believe. And butter isn't necessarily the health villain we thought, either.

How do I know? From my not-at-all-exhaustive research, which produced three articles saying very similar things. That either means they're all right or that they've all copied each other and got it wrong, but I'm inclined to think it's the former. If you know differently, feel free to do that commenty thing at the end of the post.

The articles all say:

  • We didn't start eating vegetable oils in any quantity until the early 20th century, when heart disease and cancer were less prevalent.
  • The “evil” oils are manufactured in a multi-step process involving lots of heat, noxious chemicals and magical incantations. OK I added the last bit, but they're far from “natural” and much more towards “processed”.
  • Said evil oils can do various nasty things to our insides.
  • The stats on butter consumption, oil consumption and the prevalence of heart disease and cancer show that our tactic of switching away from butter has failed.
  • There are a few “good” oils to use in cooking, and the baddies get used in all kinds of products we buy so we have to read food labels to try to reduce or avoid them.

Here are the pages for your own perusal:

http://www.thankyourbody.com/vegetable-oils/#post/0

http://www.thealternativedaily.com/truth-about-sunflower-oil/

https://wellnessmama.com/2193/never-eat-vegetable-oil/

So there you go. I'm kinda getting convinced by this stuff. Should I ditch the Flora? By the way, last time I was checked my cholesterol was OK. Hmmmm.


Passwords: Three ways to let the baddies win

To paraphrase Douglas Adams, the Internet is new. Really new. I mean, you might think space travel, computers and fridges are new, but compared to the Internet they’re positively ancient.

I know, I know. The technology historians will tell you the Internet had its roots waaaay back in the seventies, but really, for 99.9% of us, “The Web” was just a 1947 crime movie until the mid-nineties. Strictly, the “WWW” appeared in 1991, but come on – how many of you had even heard of it (let alone used it) until well into the era of Cool Britannia, New Labour and England’s agonising penalty shootout defeat at Euro 96? Exactly.

So, by my reckoning the Internet is barely 20 years old. Not much more than a teenager, in fact. Like many teenagers, it’s grown really fast. Some of the things it gets up to aren’t very savoury. And it’s always demanding attention. (Excuse me while I go check my emails, tweets and status updates…) Despite its youth, immaturity and anarchic setup, however, we all know it’s been the most runaway of runaway successes.

“Fascinating,” I hear you say, as you simultaneously stifle a yawn and check your watch / phone / tablet / blood pressure. “But I thought this was about passwords.” And so it is. The point about the Internet being new is that, by and large, it still has a culture of trust. Oh, we hear the stories of scammers, viruses and hackers but tend to assume it won’t happen to us. Regretfully, that’s a naïve assumption.

They really are out to get you


Back in the “olden days” (or perhaps still, in a few remote locations), we’re told that nobody locked their front doors. Crime happened back then, of course, but generally speaking, it tended not to happen and there was that culture of trust. As time went on and burglary increased, we started locking our doors. If we didn’t, and then expected sympathy after being robbed, we’d be laughed at. Not only that, but as time went by we added more sophisticated locks, shoot bolts, window locks and burglar alarms. Multiple defences to make it harder for the baddies. We moved from a culture of trust to a culture of protection and prevention.

In that regard, the online world is like rural England several decades ago. Many of us are touchingly innocent about the malevolent, sophisticated and heartless elements out there in cyberspace. (Does anyone say “cyberspace” any more? Or has it gone the same way as “the information superhighway”?) Not to put the frighteners on you, but I can say with some confidence that there are digital baddies out to get you. They are modern-day highwaymen out to relieve you of your cash. And, yes, although there are multiple routes they take, it all boils down to cold, hard money.

OK, I believe you. But why are they interested in me?

  • They want your identity so they can steal your money.
  • They want your confidential information so they can steal your identity so they can steal your money.
  • They want to blackmail you so they can steal your money.
  • They want to hijack your computer, your phone, your tablet and anything else connected to the Internet so they can disguise their criminal activities, attack other computers, and probably ruin your files while they’re at it.

My conclusion, Ladies and Gentlemen of the Interweb Age, is that it’s time to move from a culture of trust to a culture of protection and prevention.

Ah, so that’s where passwords come in

Precisely. Although, to be honest, passwords are only a small part of the picture. There are other technical tactics, attitudes and habits we need in order to reduce the chances of being taken for a cyber-ride. But passwords are fundamental, much as we may loathe them. They’re like fitting that first lock to your front door. Even a cheap rim lock is better than no lock. And if the next door is unlocked, guess which one the villain will choose?

If you upgrade to a stronger Yale lock or a 5-lever mortice lock, your chances of resisting attack increase. And so with passwords.

OK, so get to that “Three ways…” stuff

Quite so. Here, then, are my top Three Ways To Let The Baddies Win when it comes to your passwords. If you’ve heard them all before, I trust you’re not doing them. And if you’ve never heard them before, please stop doing them. Now.

Way #1: Use Simple Passwords

There are a bazillion articles on the web about how you shouldn’t use simple passwords such as:

  • 123456
  • Fred
  • Christmas
  • ManchesterUnited

Yes, even that last one is lousy and could be cracked in a little over 2 minutes:

Oh. Dear. Password assessment courtesy of My1Login.com.

Cyber Villains United would thank you for using any of the above or similar.

Way #2: Use the Same Password for Multiple Sites

Why does this matter? ‘Cos if Joe Evilhacker gets hold of one of your passwords he’s going to try it on loads of popular sites and, in your case, he’ll strike gold because you use the same one on Amazon, eBay and Facebook.

Do not do this. If you’re doing this, don’t do it any more. With immediate effect.
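For the curious, here is a small audit script I’ve added (not My1Login’s, nor anyone else’s code) that checks a set of site passwords for Way #1 and Way #2. The common-password list and dictionary are tiny, constructed stand-ins for the real breach corpora and word lists; the point is to show why a long password like ManchesterUnited still falls to a word-combination guess, and how reuse across sites is spotted.

```python
from collections import defaultdict

# Constructed stand-ins for the example: a real check uses breach corpora
# and full word lists, not a handful of entries.
COMMON = {"123456", "password", "qwerty", "fred", "christmas", "letmein"}
WORDS = {"manchester", "united", "fred", "christmas", "home", "range"}

def dictionary_words(pw):
    """Split a password into one or two dictionary words, ignoring case,
    which is how a word-combination attack sees 'ManchesterUnited'."""
    s = pw.lower()
    if s in WORDS:
        return [s]
    for i in range(1, len(s)):
        if s[:i] in WORDS and s[i:] in WORDS:
            return [s[:i], s[i:]]
    return []

def assess(pw):
    """Way #1 findings for one password (empty list = nothing flagged)."""
    findings = []
    if pw.lower() in COMMON:
        findings.append("on common-password list")
    words = dictionary_words(pw)
    if words:
        findings.append("dictionary words: " + "+".join(words))
    if len(pw) < 12:
        findings.append("shorter than 12 characters")
    kinds = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    if sum(any(k(c) for c in pw) for k in kinds) < 3:
        findings.append("fewer than 3 character classes")
    return findings

def audit(vault):
    """vault maps site -> password. Adds a Way #2 finding to every site
    whose password also unlocks another site."""
    report = {site: assess(pw) for site, pw in vault.items()}
    sites_by_pw = defaultdict(list)
    for site, pw in vault.items():
        sites_by_pw[pw].append(site)
    for sites in sites_by_pw.values():
        for site in sites:
            others = sorted(set(sites) - {site})
            if others:
                report[site].append("reused on: " + ", ".join(others))
    return report

if __name__ == "__main__":
    # Constructed sample vault; the last entry is a deliberately decent one.
    sample = {"amazon": "Christmas", "ebay": "Christmas",
              "facebook": "ManchesterUnited", "bank": "Tr0ub4dor&3-horse!"}
    for site, findings in audit(sample).items():
        print(site, findings or "OK")
```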

Way #3: Make Your Passwords Conveniently Available

<preacher_mode>

If you’re going to physically write them down, treat that document like your front door key. Don’t write your passwords on sticky notes on the PC. Don’t leave them lying about on the desk. Don’t put them in a notebook entitled Computer Passwords. Make it difficult for anyone who shouldn’t have access to even recognise what the document is, let alone get hold of it.

If you keep passwords on your computer, at least make sure there’s a password on that document. (And, yes, you must also protect the password to that document…) A “password manager” is better than a simple document for various reasons – but whatever approach you take assume that the worst could happen. (And, of course, if the information is in a computer file of some sort, it must be backed up somewhere – otherwise, it might be you that’s locked out of your accounts, not just the criminals.)

</preacher_mode>

A note of clarification

At the (severe) risk of insulting your intelligence, I should emphasise that the above are what not to do. Was that blindingly obvious anyway? It was? Sorry.

Enjoy the Internet, that stroppy teenager, and may your digital defences never be breached.