Two-Factor Security Check Is Not Enough — This is What You Need

Simple phishing trick could help crooks crack two-factor authentication: Internet Scambusters #877

Two-factor authentication — the technique of requiring a second security check on your password — may no longer be enough to protect you.

A simple phishing trick may be all it takes to con you into giving away this precious sign-on information, as we explain in this week’s issue.

Plus, we have the lowdown on a bug that hit the top-selling LastPass password manager — and news on how to claim compensation from Yahoo! after their security breach.

Let’s get started…


Two-Factor Security Check Is Not Enough — This is What You Need


One password is not enough for your safety. We already told you that. To increase security, especially on sites that have our confidential information, it’s common to have to answer a secret question.

But, increasingly these days, secure sites offer us the opportunity to use two-factor authentication. In very simple terms, that means that after entering a password, the site sends a code via email or to your cell phone that you have to key in tor prove you’re you.

We wrote about this a couple of years ago (see How to Easily Enhance Your Password Security) and much of what we wrote then still stands.

With one big exception.

According to latest investigations, there’s a way to beat two-factor authentication. But you can still beat the crooks.

That’s because they still have to trick you into giving up certain information. If you’re wise to their scam, you won’t fall for it.

At a conference on Amsterdam a few months ago, security experts showed how it works.

Crooks can use two pieces of software that work together to steal your two-factor (or 2FA as it’s sometimes called) information.

First, they use tricks similar to those used in phishing to take victims to a fake sign-on site, where they have to key in their log-on details.

The scammers then use this information to log onto the genuine site the victim was hoping to visit, which then generates the 2FA code and sends it to the victim’s phone.

Alternatively, the user is asked to use a piece of authentication software on their phone, which generates a random code that has to be input within 60 seconds.

Either way, the victim keys this number into the fake page, giving the scammers everything that they need to pass themselves off as the user.

All of this is done automatically by one of the pieces of software, enabling the crooks either to use the hijacked account or monitor transactions.

In many cases, once the two-factor code has been entered on a site, users can opt to not have to use it again on the same computer, or to delay inputting it again for a few weeks.

This gives the crooks complete freedom to roam around victims’ online accounts and do whatever they want on the site.

Researchers believe 2FA is still a worthwhile security device but urge users to be more vigilant than ever about landing on a fake, phishing page. That means checking the site is secure.

And that means looking for the ‘s’ in the ‘https’ on the address line — though this too can be faked — checking that you keyed in the correct address without errors and avoiding clicking on links that pretend to take you to a legitimate page.

A better, more effective security contender has appeared recently that might be worth considering in the future. It’s referred to as “universal second-factor’ (U2F) authentication.

This involves a physical device, often a USB or fingerprint reader connected to the computer that the criminals can’t get their hands on. The authentication takes place on the user’s PC.

These are not expensive, starting at around $15, and are easy to use. But, generally speaking, the more you pay, the more secure and effective the device is — according to online reviews.

LastPass Bug

Staying on the topic of passwords, you might have read recently about a bug found in the most popular password manager, LastPass.

Like all password managers, this software works by requiring a user to key in a master password. It can then automatically generate and “remember” sign-on details for any site.

Without getting technical, the newly discovered bug could have enabled hackers to gain access to data from sites previously accessed by the user.

The bug affected only users of Chrome and Opera browsers and LastPass was quick to put it right.

However, if you use this software and don’t have it set to automatically update, do it now. The “safe” version is number 4.33.0.

To check the number of your version, click on the LastPass dropdown icon and then on “Account Options.” From there, click on “About LastPass,” which opens a small screen with details including the version number.

To update, you have to download the latest version of the program and install it. You don’t have to uninstall the previous version. This is used to transfer data from the old to the new.

Going forward, we’re likely to see more improvements in password and Internet security, but you should always let “caution” be your watchword. And if you have any reason to suspect you’ve been hijacked on a particular site, whether through two-factor authentication or any other means, change your password immediately.

Alert of the Week

One-time darling of the Internet, Yahoo!, has agreed to a settlement to compensate victims of a data breach.

The organization, now owned by phone company Verizon, is to pay up to $358 to users who had a Yahoo! email account between 2013 and 2016. But you have to jump through a few hoops to get your money.

To learn more, visit: YahooDatabreachSettlement.com

Claims have to be lodged by July 20 next year (2020).

That’s it for today — we hope you enjoy your week!