More and more online services are requiring users to move to a form of dual-factor or two-factor authentication to access their cloud accounts. This means that, along with setting your normal username and password, you’ll need to authenticate your identity through a second device using an e-mail or one-time code. Most of the time, this is a phone or a tablet. Because of this, there has never been more riding on the security of our mobile accounts. Below, I’ve included some guidelines to follow when signing up for these accounts.
Setting up two-factor authentication is great, but it has its holes. Some holes are larger than others, as not all authentication is treated the same. The most common method, a one-time PIN sent via SMS/text to your mobile device, is also the least secure. If an attacker manages to phish your password, they can easily call your provider pretending to be you, claim you’ve lost your phone, and request activation of a new SIM. Or, they may convince the support tech to forward your calls/texts to a different number. Several stories have appeared in The New York Times conveying such hacks. To avoid such lackluster authentication, try to use app-based authentication such as Google Authenticator. Google Authenticator, a.k.a. Authy, uses a software token that implements two-step verification using the time-based one-time password (TOTP) algorithm to authenticate users to mobile applications. It is compatible with many apps available today.
The National Institute of Standards and Technology recently issued new guidelines for digital authentication, urging companies to stay away from text-based authentication. If you want to review the authentication options available for services you use, check out the site twofactorauth.org. You can search for commonly used applications and websites to see which methods of authentication each one offers. Most people who have a large number of assets do not mind an extra inconvenience for added security. For them, the added peace of mind can justify jumping through a couple of extra hoops.
Some online services also offer users the option to receive a one-time code via an automated phone call. It goes without saying, but this method is also vulnerable to someone tricking the customer service rep into doing something they clearly should not do. An example of this occurred with the CEO of a company called Cloudflare. The CEO’s account was hacked by someone who social engineered an AT&T representative and convinced them to forward all of the CEO’s second factor phone calls (an automated message that is sent from the provider to verify identity) to a number that the attacker controlled.
Finally, just be smart about which applications you install on your phone, and spend some time researching the reputation of the application. Be wary of applications that request multiple permissions or access to your phone’s location, photos, etc. You can still be compromised by mobile malware with applications installed from the App Store (Apple) or Play Store (Google). Read reviews of the product and check its ratings. Pay attention to the name of the application you’re installing. Copycat applications that attempt to mimic popular applications have been reported. Fail to notice the subtle differences, and your phone could become compromised.
To learn more about RSM’s consulting services and managed services offerings, please visit our website. You can also contact RSM’s technology and management consulting professionals at 800.274.3978 or email us.