Protect your on-line accounts, but not with text messages.

As I outlined here, if you are using on-line accounts for e-mail, social media, etc., then one of the strongest means of protecting yourself from the evil doers is to use what is called two-factor authentication. If you are not doing this now, you really should be, as it improves your protection massively.

This is where you set your on-line accounts to request not only your user ID and password (something you know) but also a code from your phone (something you have), either generated by an app or sent to you in a text message, which you enter on the site to confirm you are you.

If you have this set up to authenticate by an SMS text message, then a bad guy who has access to your LinkedIn details from the 2012 hack should not be able to access your e-mail account using the password that they have recovered from there, because as soon as they try to access your e-mail account, you will be sent a text message. So you’re safe … right?

Well, if they have your LinkedIn details, they may also have your mobile phone number (or they have it by other means). So as soon as they try to access your e-mail and a text message is sent to you from your e-mail provider, they follow it up immediately with a text of their own, saying that somebody is trying to access your account and asking you to reply to them with the 6-digit code that you just received. If you do this, they immediately access your account and lock you out of it. You can see how this works in this short video from Symantec.

 

The three tips at the end of that video are very pertinent:
  1. Beware of unsolicited text messages
  2. If unsure, check with your account provider
  3. Password recovery text services never require a response via text or e-mail

So really, the best way to secure your account is to use an app on your smartphone like Google Authenticator, Authy or Duo. These are constantly generating random 6-digit codes which you can use to authorise your access to an account. These will work even in flight mode. So if you receive a text message asking for your code, you can simply ignore it. Here’s an example from Google Authenticator:


The training that L2 Cyber Security Solutions delivers will give you a better understanding of the threats that are out there and show you how you can easily protect yourself from them.