Security Tools

What the Marriott Breach Says About Security

We don’t yet know the root cause(s) that forced Marriott this week to disclose a four-year-long breach involving the personal and financial information of 500 million guests of its Starwood hotel properties. But anytime we see such a colossal intrusion go undetected for so long, the ultimate cause is usually a failure to adopt the most important principle in cybersecurity defense that applies to both corporations and consumers: Assume you are compromised.

TO COMPANIES

For companies, this principle means accepting the notion that it is no longer possible to keep the bad guys out of your networks entirely. This doesn’t mean abandoning all tenets of traditional defense, such as quickly applying software patches and using technologies to block or at least detect malware infections.

It means accepting that despite how many resources you expend trying to keep malware and miscreants out, all of this can be undone in a flash when users click on malicious links or fall for phishing attacks. Or a previously unknown security flaw gets exploited before it can be patched. Or any one of a myriad other ways attackers can win just by being right once, when defenders need to be right 100 percent of the time.

The companies run by leaders and corporate board members with advanced security maturity are investing in ways to attract and retain more cybersecurity talent, and arranging those defenders in a posture that assumes the bad guys will get in.

This involves not only focusing on breach prevention, but at least equally on intrusion detection and response. It starts with the assumption that failing to respond quickly when an adversary gains an initial foothold is like allowing a tiny cancer cell to metastasize into a much bigger illness that — left undetected for days, months or years — can cost the entire organism dearly.

The companies with the most clueful leaders are paying threat hunters to look for signs of new intrusions. They’re reshuffling the organizational chart so that people in charge of security report to the board, the CEO, and/or chief risk officer — anyone but the Chief Technology Officer.

They’re constantly testing their own networks and employees for weaknesses, and regularly drilling their breach response preparedness (much like a fire drill). And, apropos of the Marriott breach, they are finding creative ways to cut down on the volume of sensitive data that they need to store and protect.

TO INDIVIDUALS

Likewise for individuals, it pays to accept two unfortunate and harsh realities:

Reality #1: Bad guys already have access to personal data points that you may believe should be secret but which nevertheless aren’t, including your credit card information, Social Security number, mother’s maiden name, date of birth, address, previous addresses, phone number, and yes — even your credit file.

Reality #2: Any data point you share with a company will in all likelihood eventually be hacked, lost, leaked, stolen or sold — usually through no fault of your own. And if you’re an American, it means (at least for the time being) your recourse to do anything about that when it does happen is limited or nil.

Marriott is offering affected consumers a year’s worth of service from a company owned by security firm Kroll that advertises the ability to scour cybercrime underground markets for your data. Should you take them up on this offer? It probably can’t hurt as long as you’re not expecting it to prevent some kind of bad outcome. But once you’ve accepted Realities #1 and #2 above it becomes clear there is nothing such services could tell you that you don’t already know.

Once you’ve owned both of these realities, you realize that expecting another company to safeguard your security is a fool’s errand, and that it makes far more sense to focus instead on doing everything you can to proactively prevent identity thieves, malicious hackers or other ne’er-do-wells from abusing access to said data.

This includes assuming that any passwords you use at one site will eventually get hacked and leaked or sold online (see Reality #2), and that as a result it is an extremely bad idea to re-use passwords across multiple Web sites. For example, if you used your Starwood password anywhere else, that other account you used it at is now at a much higher risk of getting compromised. Continue reading →

Latest Warnings / Security Tools / Web Fraud 2.0 — 70 Comments
23
Nov 18

How to Shop Online Like a Security Pro

‘Tis the season when even those who know a thing or two about Internet scams tend to let down their guard in the face of an eye-popping discount or the stress of last-minute holiday shopping. So here’s a quick refresher course on how to make it through the next few weeks without getting snookered online.

Adopting a shopping strategy of simply buying from the online merchant with the lowest advertised prices can be a bit like playing Russian Roulette with your wallet, for the simple reason that there are tons of completely fake e-commerce sites out there looking to separate the unwary from their credit card details.

Even people who shop mainly at big-name online stores can get scammed if they’re not wary of too-good-to-be-true offers. For example, KrebsOnSecurity got taken for hundreds of dollars just last year after trying to buy a pricey Sonos speaker from an established Amazon merchant who was selling it new and unboxed at huge discount.

I later received an email from the seller, who said his Amazon account had been hacked and abused by scammers to create fake sales. Amazon ultimately refunded the money, but if this happens to you around the holidays it could derail plans to get all your shopping done before the expected gift-giving day arrives.

Here are some other safety and security tips to keep in mind when shopping online:

-WHEN IN DOUBT, CHECK ‘EM OUT: If you don’t know much about the online merchant that has the item you wish to buy, take a few minutes to investigate its reputation. After all, it’s not uncommon for bargain basement phantom Web sites to materialize during the holiday season, and then vanish forever not long afterward.

If you’re buying from an online store that is brand new, the risk that you will get scammed increases significantly. How do you know the lifespan of a site selling that must-have gadget at the lowest price? One easy way to get a quick idea is to run a basic WHOIS search on the site’s domain name. The more recent the site’s “created” date, the more likely it is a phantom store.

-USE A CREDIT CARD: It’s nearly impossible for consumers to tell how secure a main street or online merchant is, and safety seals or attestations that something is “hacker safe” are a guarantee of nothing. In my experience, such sites are just as likely to be compromised as e-commerce sites without these dubious security seals.

No, it’s best just to shop as if they’re all compromised. With that in mind, if you have the choice between using a credit or debit card, shop with your credit card.

Sure, the card associations and your bank are quick to point out that you’re not liable for fraudulent charges that you report in a timely manner, whether it’s debit or a credit card. But this assurance may ring hollow if you wake up one morning to find your checking accounts emptied by card thieves after shopping at a breached merchant with a debit card.

Who pays for the fees levied against you by different merchants when your checks bounce? You do. Does the bank reimburse you when your credit score takes a ding because your mortgage or car payment was late? Don’t hold your breath.

-PADLOCK, SCHMADLOCK: For years, consumers have been told to look for the padlock when shopping online. Maybe this was once sound advice. But to my mind, the “look for the lock” mantra has created a false sense of security for many Internet users, and has contributed to a dangerous and widespread misunderstanding about what the lock icon is really meant to convey.

To be clear, you absolutely should run away from any e-commerce site that does not include the padlock (i.e., its Web address does not begin with “https://”). But the presence of a padlock icon next to the Web site name in your browser’s address bar does not mean the site is legitimate. Nor is it any sort of testimonial that the site has been security-hardened against intrusion from hackers.

The https:// part of the address merely signifies that the data being transmitted back and forth between your browser and the site is encrypted and can’t be read by third parties. Even so, anti-phishing company PhishLabs found in a survey last year that more than 80% of respondents believed the green lock indicated that a website was either legitimate and/or safe.

Now that anyone can get SSL certificates for free, phishers and other scammers that ply their trade via fake Web sites are starting to up their game. In December 2017, PhishLabs estimated that a quarter of all phishing Web sites were outfitting their scam pages with SSL certificates to make them appear more trustworthy. According to PhishLabs, roughly half of all phishing sites now feature the padlock. Continue reading →

Security Tools / Time to Patch — 29 Comments
14
Nov 18

Patch Tuesday, November 2018 Edition

Microsoft on Tuesday released 16 software updates to fix more than 60 security holes in various flavors of Windows and other Microsoft products. Adobe also has security patches available for Flash Player, Acrobat and Reader users.

As per usual, most of the critical flaws — those that can be exploited by malware or miscreants without any help from users — reside in Microsoft’s Web browsers Edge and Internet Explorer.

This week’s patch batch addresses two flaws of particular urgency: One is a zero-day vulnerability (CVE-2018-8589) that is already being exploited to compromise Windows 7 and Server 2008 systems.

The other is a publicly disclosed bug in Microsoft’s Bitlocker encryption technology (CVE-2018-8566) that could allow an attacker to get access to encrypted data. One mitigating factor with both security holes is that the attacker would need to be already logged in to the targeted system to exploit them.

Of course, if the target has Adobe Reader or Acrobat installed, it might be easier for attackers to achieve that log in. According to analysis from security vendor Qualys, there is now code publicly available that could force these two products to leak a hash of the user’s Windows password (which could then be cracked with open-source tools). A new update for Acrobat/Reader fixes this bug, and Adobe has published some mitigation suggestions as well. Continue reading →

A Little Sunshine / Security Tools — 90 Comments
21
Sep 18

Credit Freezes are Free: Let the Ice Age Begin

It is now free in every U.S. state to freeze and unfreeze your credit file and that of your dependents, a process that blocks identity thieves and others from looking at private details in your consumer credit history. If you’ve been holding out because you’re not particularly worried about ID theft, here’s another reason to reconsider: The credit bureaus profit from selling copies of your file to others, so freezing your file also lets you deny these dinosaurs a valuable revenue stream.

Enacted in May 2018, the Economic Growth, Regulatory Relief and Consumer Protection Act rolls back some of the restrictions placed on banks in the wake of the Great Recession of the last decade. But it also includes a silver lining. Previously, states allowed the bureaus to charge a confusing range of fees for placing, temporarily thawing or lifting a credit freeze. Today, those fees no longer exist.

A security freeze essentially blocks any potential creditors from being able to view or “pull” your credit file, unless you affirmatively unfreeze or thaw your file beforehand. With a freeze in place on your credit file, ID thieves can apply for credit in your name all they want, but they will not succeed in getting new lines of credit in your name because few if any creditors will extend that credit without first being able to gauge how risky it is to loan to you (i.e., view your credit file).

And because each credit inquiry caused by a creditor has the potential to lower your credit score, the freeze also helps protect your score, which is what most lenders use to decide whether to grant you credit when you truly do want it and apply for it.

To file a freeze, consumers must contact each of the three major credit bureaus online, by phone or by mail. Here’s the updated contact information for the big three:

Online: Equifax Freeze Page
By phone: 800-685-1111
By Mail: Equifax Security Freeze
P.O. Box 105788
Atlanta, Georgia 30348-5788

Online: Experian
By phone: 888-397-3742
By Mail: Experian Security Freeze
P.O. Box 9554, Allen, TX 75013

Online: TransUnion
By Phone: 888-909-8872
By Mail: TransUnion LLC
P.O. Box 2000 Chester, PA 19016

Spouses may request freezes for each other by phone as long as they pass authentication.

The new law also makes it free to place, thaw and lift freezes for dependents under the age of 16, or for incapacitated adult family members. However, this process is not currently available online or by phone, as it requires parents/guardians to submit written documentation (“sufficient proof of authority”), such as a copy of a birth certificate and copy of a Social Security card issued by the Social Security Administration, or — in the case of an incapacitated family member — proof of power of attorney.

In addition, the law requires the big three bureaus to offer free electronic credit monitoring services to all active duty military personnel. It also changes the rules for “fraud alerts,” which currently are free but only last for 90 days. With a fraud alert on your credit file, lenders or service providers should not grant credit in your name without first contacting you to obtain your approval — by phone or whatever other method you specify when you apply for the fraud alert.

Another important change: Fraud alerts now last for one year (previously they lasted just 90 days) but consumers can renew them each year. Bear in mind, however, that while lenders and service providers are supposed to seek and obtain your approval before granting credit in your name if you have a fraud alert on your file, they’re not legally required to do this. Continue reading →

A Little Sunshine / Security Tools / The Coming Storm — 101 Comments
12
Sep 18

U.S. Mobile Giants Want to be Your Online Identity

The four major U.S. wireless carriers today detailed a new initiative that may soon let Web sites eschew passwords and instead authenticate visitors by leveraging data elements unique to each customer’s phone and mobile subscriber account, such as location, customer reputation, and physical attributes of the device. Here’s a look at what’s coming, and the potential security and privacy trade-offs of trusting the carriers to handle online authentication on your behalf.

Tentatively dubbed “Project Verify” and still in the private beta testing phase, the new authentication initiative is being pitched as a way to give consumers both a more streamlined method of proving one’s identity when creating a new account at a given Web site, as well as replacing passwords and one-time codes for logging in to existing accounts at participating sites.

Here’s a promotional and explanatory video about Project Verify produced by the Mobile Authentication Task Force, whose members include AT&T, Sprint, T-Mobile and Verizon:

The mobile companies say Project Verify can improve online authentication because they alone have access to several unique signals and capabilities that can be used to validate each customer and their mobile device(s). This includes knowing the approximate real-time location of the customer; how long they have been a customer and used the device in question; and information about components inside the customer’s phone that are only accessible to the carriers themselves, such as cryptographic signatures tied to the device’s SIM card.

The Task Force currently is working on building its Project Verify app into the software that gets pre-loaded onto mobile devices sold by the four major carriers. The basic idea is that third-party Web sites could let the app (and, by extension, the user’s mobile provider) handle the process of authenticating the user’s identity, at which point the app would interactively log the user in without the need of a username and password.

In another example, participating sites could use Project Verify to supplement or replace existing authentication processes, such as two-factor methods that currently rely on sending the user a one-time passcode via SMS/text messages, which can be intercepted by cybercrooks.

The carriers also are pitching their offering as a way for consumers to pre-populate data fields on a Web site — such as name, address, credit card number and other information typically entered when someone wants to sign up for a new user account at a Web site or make purchases online.

Johannes Jaskolski, general manager for Mobile Authentication Task Force and assistant vice president of identity security at AT&T, said the group is betting that Project Verify will be attractive to online retailers partly because it can help them capture more sign-ups and sales from users who might otherwise balk at having to manually provide lots of data via a mobile device.

“We can be a primary authenticator where, just by authenticating to our app, you can then use that service,” Jaskolski said. “That can be on your mobile, but it could also be on another device. With subscriber consent, we can populate that information and make it much more effortless to sign up for or sign into services online. In other markets, we have found this type of approach reduced [customer] fall-out rates, so it can make third-party businesses more successful in capturing that.”

Jaskolski said customers who take advantage of Project Verify will be able to choose what types of data get shared between their wireless provider and a Web site on a per-site basis, or opt to share certain data elements across the board with sites that leverage the app for authentication and e-commerce.

“Many companies already rely on the mobile device today in their customer authentication flows, but what we’re saying is there’s going to be a better way to do this in a method that is intended from the start to serve authentication use cases,” Jaskolski said. “This is what everyone has been seeking from us already in co-opting other mobile features that were simply never designed for authentication.” Continue reading →

Security Tools / The Coming Storm — 61 Comments
10
Sep 18

In a Few Days, Credit Freezes Will Be Fee-Free

Later this month, all of the three major consumer credit bureaus will be required to offer free credit freezes to all Americans and their dependents. Maybe you’ve been holding off freezing your credit file because your home state currently charges a fee for placing or thawing a credit freeze, or because you believe it’s just not worth the hassle. If that accurately describes your views on the matter, this post may well change your mind.

A credit freeze — also known as a “security freeze” — restricts access to your credit file, making it far more difficult for identity thieves to open new accounts in your name.

Currently, many states allow the big three bureaus — Equifax, Experian and TransUnion — to charge a fee for placing or lifting a security freeze. But thanks to a federal law enacted earlier this year, after Sept. 21, 2018 it will be free to freeze and unfreeze your credit file and those of your children or dependents throughout the United States.

KrebsOnSecurity has for many years urged readers to freeze their files with the big three bureaus, as well as with a distant fourth — Innovis — and the NCTUE, an Equifax-operated credit checking clearinghouse relied upon by most of the major mobile phone providers.

There are dozens of private companies that specialize in providing consumer credit reports and scores to specific industries, including real estate brokers, landlords, insurers, debt buyers, employers, banks, casinos and retail stores. A handy PDF produced earlier this year by the Consumer Financial Protection Bureau (CFPB) lists all of the known entities that maintain, sell or share credit data on U.S. citizens.

The CFPB’s document includes links to Web sites for 46 different consumer credit reporting entities, along with information about your legal rights to obtain data in your reports and dispute suspected inaccuracies with the companies as needed. My guess is the vast majority of Americans have never heard of most of these companies.

Via numerous front-end Web sites, each of these mini credit bureaus serve thousands or tens of thousands of people who work in the above mentioned industries and who have the ability to pull credit and other personal data on Americans. In many cases, online access to look up data through these companies is secured by nothing more than a username and password that can be stolen or phished by cybercrooks and abused to pull privileged information on consumers.

In other cases, it’s trivial for anyone to sign up for these services. For example, how do companies that provide background screening and credit report data to landlords decide who can sign up as a landlord? Answer: Anyone can be a landlord (or pretend to be one).

SCORE ONE FOR FREEZES

The truly scary part? Access to some of these credit lookup services is supposed to be secured behind a login page, but often isn’t. Consider the service pictured below, which for $44 will let anyone look up the credit score of any American who hasn’t already frozen their credit files with the big three. Worse yet, you don’t even need to have accurate information on a target — such as their Social Security number or current address.

KrebsOnSecurity was made aware of this particular portal by Alex Holden, CEO of Milwaukee, Wisc.-based cybersecurity firm Hold Security LLC [full disclosure: This author is listed as an adviser to Hold Security, however this is and always has been a volunteer role for which I have not been compensated].

Holden’s wife Lisa is a mortgage broker, and as such she has access to a more full-featured version of the above-pictured consumer data lookup service (among others) for the purposes of helping clients determine a range of mortgage rates available. Mrs. Holden said the version of this service that she has access to will return accurate, current and complete credit file information on consumers even if one enters a made-up SSN and old address on an individual who hasn’t yet frozen their credit files with the big three.

“I’ve noticed in the past when I do a hard pull on someone’s credit report and the buyer gave me the wrong SSN or transposed some digits, not only will these services give me their credit report and full account history, it also tells you what their correct SSN is,” Mrs. Holden said.

With Mr. Holden’s permission, I gave the site pictured above an old street address for him plus a made-up SSN, and provided my credit card number to pay for the report. The document generated by that request said TransUnion and Experian were unable to look up his credit score with the information provided. However, Equifax not only provided his current credit score, it helpfully corrected the false data I entered for Holden, providing the last four digits of his real SSN and current address.

“We assume our credit report is keyed off of our SSN or something unique about ourselves,” Mrs. Holden said. “But it’s really keyed off your White Pages information, meaning anyone can get your credit report if they are in the know.”

I was pleased to find that I was unable to pull my own credit score through this exposed online service, although the site still charged me $44. The report produced simply said the consumer in question had requested that access to this information be restricted. But the real reason was simply that I’ve had my credit file frozen for years now.

Many media outlets are publishing stories this week about the one-year anniversary of the breach at Equifax that exposed the personal and financial data on more than 147 million people. But it’s important for everyone to remember that as bad as the Equifax breach was (and it was a total dumpster fire all around), most of the consumer data exposed in the breach has been for sale in the cybercrime underground for many years on a majority of Americans — including access to consumer credit reports. If anything, the Equifax breach may have simply helped ID thieves refresh some of those criminal data stores.

It costs $35 worth of bitcoin through this cybercrime service to pull someone’s credit file from the three major credit bureaus. There are many services just like this one, which almost certainly abuse hacked accounts from various industries that have “legitimate” access to consumer credit reports.

Continue reading →

Security Tools — 42 Comments
29
Aug 18

Instagram’s New Security Tools are a Welcome Step, But Not Enough

Instagram users should soon have more secure options for protecting their accounts against Internet bad guys. On Tuesday, the Facebook-owned social network said it is in the process of rolling out support for third-party authentication apps. Unfortunately, this welcome new security offering does nothing to block Instagram account takeovers when thieves manage to hijack a target’s mobile phone number — an increasingly common crime.

New two-factor authentication options Instagram says it is rolling out to users over the next few weeks.

For years, security experts have warned that hackers are exploiting weak authentication at Instagram to commandeer accounts. Instagram has long offered users a security option to have a one-time code sent via text message to a mobile device, but these codes can be intercepted via several methods (more on that in a bit).

The new authentication offering requires users to download a third-party app like Authy, Duo or Google Authenticator, which generates a one-time code that needs to be entered after the user supplies a password.

In a blog post Tuesday, Instagram said support for third-party authenticator apps “has begun to roll out and will be available to the global community in the coming weeks.

Instagram put me on a whitelist of accounts to get an early peek at the new security feature, so these options probably aren’t yet available to most users. But there’s a screenshot below that shows the multi-factor options available in the mobile app. When these options do become more widely available, Instagram says people can use a third-party app to receive a one-time code. To do this:

Go to your Settings.
Scroll down and tap Two-Factor Authentication.
If you haven’t already turned two-factor authentication on, tap Get Started.
Tap next to Authentication App, then follow the on-screen instructions.
Enter the confirmation code from the third party authentication app to complete the process.

Note that if you have previously enabled SMS-based authentication, it is likely still enabled unless and until you disable it. The app also prompts users to save a series of recovery codes, which should be kept in a safe place in case one’s mobile device is ever lost.

WHAT IT DOESN’T FIX

Instagram has received quite a lot of bad press lately from publications reporting numerous people who had their accounts hijacked even though they had Instagram’s SMS authentication turned on. The thing is, many of those stories have been about people having their Instagram accounts hijacked because fraudsters were able to hijack their mobile phone number.

In these cases, the fraudsters were able to hijack the Instagram accounts because Instagram allows users to reset their account passwords with a single factor — using nothing more than a text message sent to a mobile number on file. And nothing in these new authentication offerings will change that for people who have shared their mobile number with Instagram.

Criminals can and do exploit SMS-based password reset requests to hijack Instagram accounts by executing unauthorized “SIM swaps,” i.e., tricking the target’s mobile provider into transferring the phone number to a device or account they control and intercepting the password reset link sent via SMS. Once they hijack the target’s mobile number, they can then reset the password for the associated Instagram account.

I asked Instagram if there was any way for people who have supplied the company with their phone number to turn off SMS-based password reset requests. I received this response from their PR folks:

“I can confirm that disabling SMS two factor will not disable the ability to reset a password via SMS,” a spokesperson said via email. “We recommend that the community use a third-party app for authentication, in place of SMS authentication. We’ll continue to iterate and improve on this product to keep people safe on our platform.” Continue reading →

Data Breaches / Security Tools — 79 Comments
1
Aug 18

Reddit Breach Highlights Limits of SMS-Based Authentication

Reddit.com today disclosed that a data breach exposed some internal data, as well as email addresses and passwords for some Reddit users. As Web site breaches go, this one doesn’t seem too severe. What’s interesting about the incident is that it showcases once again why relying on mobile text messages (SMS) for two-factor authentication (2FA) can lull companies and end users into a false sense of security.

In a post to Reddit, the social news aggregation platform said it learned on June 19 that between June 14 and 18 an attacker compromised a several employee accounts at its cloud and source code hosting providers.

Reddit said the exposed data included internal source code as well as email addresses and obfuscated passwords for all Reddit users who registered accounts on the site prior to May 2007. The incident also exposed the email addresses of some users who had signed up to receive daily email digests of specific discussion threads.

Of particular note is that although the Reddit employee accounts tied to the breach were protected by SMS-based two-factor authentication, the intruder(s) managed to intercept that second factor.

“Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept,” Reddit disclosed. “We point this out to encourage everyone here to move to token-based 2FA.”

Reddit didn’t specify how the SMS code was stolen, although it did say the intruders did not hack Reddit employees’ phones directly. Nevertheless, there are a variety of well established ways that attackers can intercept one-time codes sent via text message.

In one common scenario, known as a SIM-swap, the attacker masquerading as the target tricks the target’s mobile provider into tying the customer’s service to a new SIM card that the bad guys control. A SIM card is the tiny, removable chip in a mobile device that allows it to connect to the provider’s network. Customers can request a SIM swap when their existing SIM card has been damaged, or when they are switching to a different phone that requires a SIM card of another size.

Another typical scheme involves mobile number port-out scams, wherein the attacker impersonates a customer and requests that the customer’s mobile number be transferred to another mobile network provider. In both port-out and SIM swap schemes, the victim’s phone service gets shut off and any one-time codes delivered by SMS (or automated phone call) get sent to a device that the attackers control. Continue reading →

Security Tools — 187 Comments
23
Jul 18

Google: Security Keys Neutralized Employee Phishing

Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes, the company told KrebsOnSecurity.

A YubiKey Security Key made by Yubico. The basic model featured here retails for $20.

Security Keys are inexpensive USB-based devices that offer an alternative approach to two-factor authentication (2FA), which requires the user to log in to a Web site using something they know (the password) and something they have (e.g., a mobile device).

A Google spokesperson said Security Keys now form the basis of all account access at Google.

“We have had no reported or confirmed account takeovers since implementing security keys at Google,” the spokesperson said. “Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time.”

The basic idea behind two-factor authentication is that even if thieves manage to phish or steal your password, they still cannot log in to your account unless they also hack or possess that second factor.

The most common forms of 2FA require the user to supplement a password with a one-time code sent to their mobile device via text message or an app. Indeed, prior to 2017 Google employees also relied on one-time codes generated by a mobile app — Google Authenticator.

In contrast, a Security Key implements a form of multi-factor authentication known as Universal 2nd Factor (U2F), which allows the user to complete the login process simply by inserting the USB device and pressing a button on the device. The key works without the need for any special software drivers.

Once a device is enrolled for a specific Web site that supports Security Keys, the user no longer needs to enter their password at that site (unless they try to access the same account from a different device, in which case it will ask the user to insert their key).

U2F is an emerging open source authentication standard, and as such only a handful of high-profile sites currently support it, including Dropbox, Facebook, Github (and of course Google’s various services). Most major password managers also now support U2F, including Dashlane, and Keepass. Duo Security [full disclosure: an advertiser on this site] also can be set up to work with U2F.

With any luck, more sites soon will begin incorporating the Web Authentication API — also known as “WebAuthn” — a standard put forth by the World Wide Web Consortium in collaboration with the FIDO Alliance. The beauty of WebAuthn is that it eliminates the need for users to constantly type in their passwords, which negates the threat from common password-stealing methods like phishing and man-in-the-middle attacks.

Currently, U2F is supported by Chrome, Mozilla Firefox, and Opera. In both Firefox and Quantum (the newer, faster version of Firefox), U2F is not enabled by default. To turn it on, type “about:config” in the browser bar, type or paste “security.webauth.u2f” and double-click the resulting entry to change the preference’s value from “false” to “true.”

Microsoft says it expects to roll out updates to its flagship Edge browser to support U2F later this year. According to a recent article at 9to5Mac.com, Apple has not yet said when or if it will support the standard in its Safari browser. Continue reading →

Latest Warnings / Security Tools — 76 Comments
28
Jun 18

Plant Your Flag, Mark Your Territory

Many people, particularly older folks, proudly declare they avoid using the Web to manage various accounts tied to their personal and financial data — including everything from utilities and mobile phones to retirement benefits and online banking services. The reasoning behind this strategy is as simple as it is alluring: What’s not put online can’t be hacked. But increasingly, adherents to this mantra are finding out the hard way that if you don’t plant your flag online, fraudsters and identity thieves may do it for you.

The crux of the problem is that while most types of customer accounts these days can be managed online, the process of tying one’s account number to a specific email address and/or mobile device typically involves supplying personal data that can easily be found or purchased online — such as Social Security numbers, birthdays and addresses.

Some examples of how being a modern-day Luddite can backfire are well-documented, such as when scammers create online accounts in someone’s name at the Internal Revenue Service, the U.S. Postal Service or the Social Security Administration.

Other examples may be far less obvious. Consider the case of a consumer who receives their home telephone service as part of a bundle through their broadband Internet service provider (ISP). Failing to set up a corresponding online account to manage one’s telecommunications services can provide a powerful gateway for fraudsters.

Carrie Kerskie is president of Griffon Force LLC, a company in Naples, Fla. that helps identity theft victims recover from fraud incidents. Kerskie recalled a recent case in which thieves purchased pricey items from a local jewelry store in the name of an elderly client who’d previously bought items at that location as gifts for his late wife.

In that incident, the perpetrator presented a MasterCard Black Card in the victim’s name along with a fake ID created in the victim’s name (but with the thief’s photo). When the jewelry store called the number on file to verify the transactions, the call came through to the impostor’s cell phone right there in the store.

Kerskie said a follow-up investigation revealed that the client had never set up an account at his ISP (Comcast) to manage it online. Multiple calls with the ISP’s customer support people revealed that someone had recently called Comcast pretending to be the 86-year-old client and established an online account.

“The victim never set up his account online, and the bad guy called Comcast and gave the victim’s name, address and Social Security number along with an email address,” Kerskie said. “Once that was set up, the bad guy logged in to the account and forwarded the victim’s calls to another number.”

Incredibly, Kerskie said, the fraudster immediately called Comcast to ask about the reason for the sudden account changes.

“While I was on the phone with Comcast, the customer rep told me to hold on a minute, that she’d just received a communication from the victim,” Kerskie recalled. “I told the rep that the client was sitting right beside me at the time, and that the call wasn’t from him. The minute we changed the call forwarding options, the fraudster called customer service to ask why the account had been changed.”

Two to three days after Kerskie helped the client clean up fraud with the Comcast account, she got a frantic call from the client’s daughter, who said she’d been trying her dad’s mobile phone but that he hadn’t answered in days. They soon discovered that dear old dad was just fine, but that he’d also neglected to set up an online account at his mobile phone provider.

“The bad guy had called in to the mobile carrier, provided his personal details, and established an online account,” Kerskie said. “Once they did that, they were able transfer his phone service to a new device.”

OFFLINE BANKING

Many people naively believe that if they never set up their bank or retirement accounts for online access then cyber thieves can’t get access either. But Kerskie said she recently had a client who had almost a quarter of a million dollars taken from his bank account precisely because he declined to link his bank account to an online identity.

“What we found is that the attacker linked the client’s bank account to an American Express Gift card, but in order to do that the bad guy had to know the exact amount of the microdeposit that AMEX placed in his account,” Kerskie said. “So the bad guy called the 800 number for the victim’s bank, provided the client’s name, date of birth, and Social Security number, and then gave them an email address he controlled. In this case, had the client established an online account previously, he would have received a message asking to confirm the fraudulent transaction.”

After tying the victim’s bank account to a prepaid card, the fraudster began slowly withdrawing funds in $5,000 increments. All told, thieves managed to siphon almost $170,000 over a six month period. The victim’s accounts were being managed by a trusted acquaintance, but the withdrawals didn’t raise alarms because they were roughly in line with withdrawal amounts the victim had made previously.

“But because the victim didn’t notify the bank within 60 days of the fraudulent transactions as required by law, the bank only had to refund the last 60 days worth of fraudulent transactions,” Kerskie said. “We were ultimately able to help him recover most of it, but that was a whole other ordeal.” Continue reading →