No Spying! Why You Need An Authenticator Phone App


Authenticator apps are a must for your 2-step security: Internet Scambusters #954

Last week we told you about big changes in the password manager market. This week we're looking at how apps like Google Authenticator can make your sign-on even safer.

Safer, in fact, than some of the other methods used in two-step verification -- where a second code is needed to confirm a password.

That's the view of Microsoft security expert Alex Weinert, and in this week's issue we explain why he says some second steps are better than others.

Let's get started…


No Spying! Why You Need An Authenticator Phone App


Think you're safe using a security check like two-step verification when you sign on to an app or website?

You may not be, according to a tech expert at Microsoft. But you can increase your security by choosing the right verification method.

Two-step verification is a process in which you're asked to key in some extra information in addition to your password. Sometimes, it's referred to as multi-factor authentication (MFA).

We explained how it works in an earlier issue: How to Easily Enhance Your Password Security. But, in simple terms, it blocks crooks' attempts to sign on to accounts using stolen usernames and passwords.

The scammers enter these but then face the challenge of providing the second code or other verification, which means they need access to the device that provides it, usually a phone.

Verification mostly uses a number code, but it can also be a biometric method like fingerprint reading or facial recognition. Which method you use can have a significant effect on the security of your sign-on.


The most common method is an SMS text code or a voice message sent to your smartphone. In theory, unless the crook has your phone in hand, he can't log on. In practice, he doesn't need your phone at all: scammers use all sorts of tactics to get hold of the code itself.

Research at Microsoft shows that MFA stops most automated attacks, but the use of SMS codes runs a higher risk of being compromised than other two-step methods.

Alex Weinert, Microsoft's director of identity security, blames current cellphone technology. Texts and voice calls, which tech folk refer to as "phone transports," are the least secure of the MFA methods available today. And the situation is likely to worsen, he says.

Texts and calls travel over the phone network without end-to-end encryption (read: old-fashioned, insecure). That makes them possible to intercept and read, and the crooks have the eavesdropping tools to do it. They also have phishing kits that trick users into handing their codes over.

"What this means is that signals can be intercepted by anyone who can get access to the switching network or within the radio range of a device," Weinert explains.

It'd be impractical to try to add encryption to the public switched telephone network (PSTN). So, we're stuck with this insecure method, at least for the time being.

Furthermore, phone company employees have been conned into transferring a victim's phone number to a SIM card the scammer controls, a trick known as SIM swapping. From that moment, every text code meant for the victim goes straight to the crook. We explained the SIM swapping scam in issue #916 -- 5 Actions to Avoid SIM Swap Scam + Latest Covid Scams.


Instead of getting codes from texts or voice calls, says Weinert, when we have a choice we should be using app-based authenticators. These are programs installed on your phone. When you set one up, the service you're signing on to shares a secret key with the app once, usually by showing a QR code you scan. From then on, the app and the service each combine that secret with the current date and time to produce the same short code, so a code that matches proves you hold the key.

Crucially, the code never travels over the phone network at all. It's computed on your device, so there is nothing for an eavesdropper to intercept and nothing a SIM swap can redirect. One caveat: a code can still be phished if you type it into a fake website, so check the address before you enter it.

The free Google Authenticator app for iPhone and Android is a good example. The codes, technically referred to as time-based one-time passcodes (TOTPs), change every 30 seconds, and an old code is useless once its window has passed. Microsoft Authenticator is a similar app.
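To show what "combining the secret with the date and time" actually means, here is the TOTP algorithm those apps implement (RFC 6238, built on RFC 4226 HOTP), written as an added example for this issue. It is not code from the original article or from Google or Microsoft. The secret key, the account name and the issuer name are constructed for illustration; the self-check at the end uses the published RFC 6238 test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# Constructed example secret for illustration only (NOT a real credential).
# A service hands this to the app once, as a base32 string or a QR code.
EXAMPLE_SECRET_B32 = "JBSWY3DPEHPK3PXP"  # decodes to b"Hello!\xde\xad\xbe\xef"

STEP_SECONDS = 30  # Google/Microsoft Authenticator default window
DIGITS = 6


def example_secret() -> bytes:
    """Raw key bytes for the constructed example secret above."""
    return base64.b32decode(EXAMPLE_SECRET_B32)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1(secret, counter), dynamically truncated to `digits` decimals."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # low nibble of last byte picks the slice
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step).
    Nothing is transmitted; both sides compute this locally from the shared secret."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: float, window: int = 1) -> bool:
    """Server side: accept the code for the current step or +/-`window` neighbouring
    steps (clock skew). Constant-time comparison so timing doesn't leak matching digits."""
    counter = int(at_time) // STEP_SECONDS
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), submitted):
            return True
    return False


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The otpauth:// URI that the enrolment QR code encodes (Google Authenticator key URI format)."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret_b32}&issuer={quote(issuer)}&algorithm=SHA1"
            f"&digits={DIGITS}&period={STEP_SECONDS}")


def rfc6238_sha1_vectors_ok() -> bool:
    """Sanity check against RFC 6238 Appendix B (SHA-1, 8 digits, seed '12345678901234567890')."""
    seed = b"12345678901234567890"
    expected = {59: "94287082", 1111111109: "07081804", 1111111111: "14050471",
                1234567890: "89005924", 2000000000: "69279037", 20000000000: "65353130"}
    return all(totp(seed, t, digits=8) == code for t, code in expected.items())


if __name__ == "__main__":
    secret = example_secret()
    # Hypothetical account and issuer names, used only to show the QR-code contents.
    print(provisioning_uri(EXAMPLE_SECRET_B32, "alice@example.com", "ExampleBank"))
    now = time.time()
    code = totp(secret, now)
    print(f"code for this 30-second window: {code}")
    print("server accepts it:", verify_totp(secret, code, now))
    # A code from two windows ago is already dead, even if a crook managed to see it.
    stale = totp(secret, now - 2 * STEP_SECONDS)
    print("stale code accepted:", verify_totp(secret, stale, now))
    print("RFC 6238 vectors pass:", rfc6238_sha1_vectors_ok())
```

The only thing the app and the service ever exchanged is the secret at enrolment; every later code is derived on both sides from that secret and the clock, which is why there is no message over the phone network for anyone to intercept or redirect. The +/-1 window in verify_totp is the usual allowance for phone and server clocks that differ by a few seconds.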

Of course, it's still better to use texted codes than not to use two-factor authentication at all. They're just not as secure as authenticator apps.

Says Weinert: "It bears repeating… that MFA is essential - we are discussing which MFA method to use, not whether to use MFA."

Quoting an earlier blog, he adds: "Multi-factor Authentication (MFA) is the least you can do if you are at all serious about protecting your accounts. Use of anything beyond the password significantly increases the costs for attackers, which is why the rate of compromise of accounts using any type of MFA is less than 0.1% of the general population."

Alerts of the Week

Two alerts for you this week:

First, could you be in line for a prize from the American Senior Citizen's Sweepstakes?

No. Because it doesn't exist. It's just the latest disguise for a lottery scam in which victims are tricked into handing over large sums of money to get hold of their (non-existent) winnings.


So, you know what to do if you get the call or message to say you've won. Ignore it.

Second, the latest imposter scam features crooks posing as agents from the US Drug Enforcement Administration (DEA).

The scammers use threats, claiming a stash of drugs has been found in a car rented in the victim's name and that they'll be arrested if they don't pay an immediate fine or fee.

As usual, the crooks want the money to be sent untraceably, by wire or in gift cards. Apart from that dead giveaway, the DEA points out that it doesn't call people to say they're under investigation or threaten an arrest.

Another one to ignore.

Time to conclude for today -- have a great week!

Copyright © 2024 Scambusters.org and Breakthrough Consulting, Inc.