Authenticator apps are a must for your 2-step security : Internet Scambusters #954
Last week we told you about big changes in the password manager market. This week we're looking at how apps like Google Authenticator can make your sign-on even safer.
Safer, in fact, than some of the other methods used in two-step verification -- where a second code is needed to confirm a password.
That's the view of Microsoft security expert Alex Weinert, as he explains in this week's issue why some two-steps are better than others.
Let's get started…
No Spying! Why You Need An Authenticator Phone App
Think you're safe using a security check like two-step verification when you sign on to an app or website?
You may not be, according to a tech expert at Microsoft. But you can increase your security by choosing the right verification method.
Two-step verification is a process in which you're asked to key in some extra information in addition to your password. Sometimes, it's referred to as multi-factor authentication (MFA).
We explained how it works in an earlier issue: How to Easily Enhance Your Password Security. But, in simple terms, it blocks crooks' attempts to sign on to accounts using stolen usernames and passwords.
The scammers enter these but then face the challenge of providing the second code or other verification, which means they need access to the device that provides it, usually a phone.
Verification mostly uses a number code, but it can also be a biometric method like fingerprint reading or facial recognition. Which method you use can have a significant effect on the security of your sign-on.
The most common method is an SMS text code or voice message sent to your smartphone. Unless the crook can get hold of that code, he can't log on. But that doesn't necessarily mean he needs your phone in his hands. Scammers use all sorts of tactics to get the code.
Research at Microsoft shows that MFA stops most automated attacks, but SMS codes are more likely to be compromised than the other two-step methods.
Alex Weinert, Microsoft's director of identity security, blames current cellphone technology. Texts and voice calls, which tech folk refer to as "phone transports," are the least secure of the MFA methods available today. And the situation is likely to worsen, he says.
Texts and calls travel across the phone network with no encryption that protects them from end to end (read: old-fashioned, insecure). That makes them relatively easy to intercept and read, and the crooks have the eavesdropping tools to do it. They also have software that phishes for codes in real time, tricking users into handing them over just as the scammer is trying to log in.
"What this means is that signals can be intercepted by anyone who can get access to the switching network or within the radio range of a device," Weinert explains.
It'd be impractical to retrofit encryption onto the public switched telephone network (PSTN). So, we're stuck with this insecure method, at least for the time being.
Furthermore, phone company employees have been conned into moving a victim's phone number onto a SIM card the scammer controls, a trick known as SIM-swapping. Once that happens, every text and call meant for the victim, verification codes included, goes to the crook. We explained the SIM swapping scam in issue #916 -- 5 Actions to Avoid SIM Swap Scam + Latest Covid Scams.
Instead of getting codes from texts or voice calls, says Weinert, when we have a choice we should be using app-based authenticators. These are programs installed on mobile devices. When you set one up for a service (usually by scanning a QR code), the app and the service share a secret key. From then on, the app combines that key with the current date and time to generate a code, and the service can check it because it holds the same key.
Crucially, nothing is sent to your phone at all. Each code is worked out on the device itself, so there is no text message or call for a crook to intercept or redirect.
The free iPhone and Android app Google Authenticator is a good example. The codes, technically referred to as time-based one-time passcodes (TOTPs), change every 30 seconds and can't be reused. Microsoft Authenticator is a similar app.
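To make the "shared secret plus time" idea concrete, here is an added example, written for this issue and not taken from Google, Microsoft or the newsletter itself, that implements the standard TOTP scheme (RFC 6238, built on HOTP from RFC 4226) both as the phone app would compute a code and as a service would check one. The secret, account name and issuer are made up for illustration; the one real value is the test secret published in the RFCs, used so the output can be checked against their tables.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse
from typing import Optional

# Test secret from RFC 4226 / RFC 6238 (the ASCII string "12345678901234567890"),
# base32-encoded the way authenticator apps expect it. Used only so the codes
# below can be checked against the RFC test vectors.
RFC_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode("ascii")


def generate_secret(num_bytes: int = 20) -> str:
    """Make the shared secret the service stores and the app scans at setup.
    RFC 4226 recommends at least 160 bits; this is the only secret that ever
    leaves the service, and it travels once, via the QR code, not via SMS."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii")


def provisioning_uri(secret_b32: str, account: str, issuer: str,
                     period: int = 30, digits: int = 6) -> str:
    """Build the otpauth:// URI that is normally rendered as the setup QR code.
    Account and issuer are whatever the service chooses (hypothetical here)."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    params = urllib.parse.urlencode({
        "secret": secret_b32, "issuer": issuer,
        "algorithm": "SHA1", "digits": digits, "period": period,
    })
    return f"otpauth://totp/{label}?{params}"


def _decode_secret(secret_b32: str) -> bytes:
    # Apps often display the secret in lower case with spaces; normalise first.
    return base64.b32decode(secret_b32.replace(" ", "").upper(), casefold=True)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' to a 31-bit number, then the last `digits` digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: Optional[int] = None,
         period: int = 30, digits: int = 6) -> str:
    """What the phone app does: HOTP with the counter set to the current
    30-second time step. No network involved, only the key and the clock."""
    if at_time is None:
        at_time = int(time.time())
    return hotp(_decode_secret(secret_b32), at_time // period, digits)


def verify_totp(secret_b32: str, submitted: str, at_time: Optional[int] = None,
                period: int = 30, digits: int = 6, window: int = 1,
                last_accepted_step: int = -1) -> Optional[int]:
    """What the service does. Accepts the current step plus `window` steps on
    either side to tolerate clock drift, refuses any step at or before the
    last one it already accepted (so a stolen code cannot be replayed), and
    compares in constant time. Returns the accepted step, which the caller
    should store as the new `last_accepted_step`, or None on failure."""
    if at_time is None:
        at_time = int(time.time())
    if not (submitted.isascii() and submitted.isdigit() and len(submitted) == digits):
        return None
    key = _decode_secret(secret_b32)
    current = at_time // period
    for step in range(current - window, current + window + 1):
        if step <= last_accepted_step:
            continue
        if hmac.compare_digest(hotp(key, step, digits), submitted):
            return step
    return None


if __name__ == "__main__":
    # Enrolment for a made-up account, then one code shown as the app would.
    secret = generate_secret()
    print(provisioning_uri(secret, "alice@example.com", "ExampleBank"))
    print("current code:", totp(secret))
    # The RFC 6238 table gives 94287082 at Unix time 59 with 8 digits.
    print("RFC vector at t=59:", totp(RFC_SECRET_B32, 59, digits=8))
```

The replay check is the part most small implementations leave out: within one 30-second step, two logins with the same code should not both succeed, which is why the service records the last accepted step rather than just comparing strings. Microsoft's own argument in this issue, that the code never crosses the phone network, is visible in `totp()`: it reads a key and a clock, nothing else.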
Of course, it's still better to use texted codes than not to use two-factor authentication. It's just not as secure as authenticators.
Says Weinert: "It bears repeating… that MFA is essential - we are discussing which MFA method to use, not whether to use MFA."
Quoting an earlier blog, he adds: "Multi-factor Authentication (MFA) is the least you can do if you are at all serious about protecting your accounts. Use of anything beyond the password significantly increases the costs for attackers, which is why the rate of compromise of accounts using any type of MFA is less than 0.1% of the general population."
Alerts of the Week
Two alerts for you this week:
First, could you be in line for a prize from the American Senior Citizen's Sweepstakes?
No. Because it doesn't exist. It's just the latest disguise for a lottery scam in which victims are tricked into handing over large sums of money to get hold of their (non-existent) winnings.
So, you know what to do if you get the call or message to say you've won. Ignore it.
Second, the latest imposter scam features crooks posing as agents from the US Drug Enforcement Administration (DEA).
The scammers use threats, claiming a stash of drugs has been found in a car rented in the victim's name and that they'll be arrested if they don't pay an immediate fine or fee.
As usual, the crooks want the money to be sent untraceably, by wire or in gift cards. Apart from that dead giveaway, the DEA points out that it doesn't call people to say they're under investigation or threaten an arrest.
Another one to ignore.
Time to conclude for today -- have a great week!