Whenever we talk about security, we should remember that no protection safeguards your data 100%. Both physical and digital security rest on the same principle: how much difficulty and cost your asset imposes on an attacker.
This does not mean that every attacker is lazy, but if an easier target is available, why would they spend time and effort on you? The exception is when you are specifically targeted, as in an APT (Advanced Persistent Threat) campaign. We will talk more about this in the near future.
The recent news about 5 million Google passwords being leaked, or the celebrity nude pictures leaked on the Internet, are examples of the identity theft that happens routinely. In addition, the most common identity theft attacks target payment methods. Many victims have not only e-mails or pictures stolen: attackers can use a stolen PayPal account to buy with the victim's credit card, or perform wire transfers to a John Doe account and withdraw the money at a branch using fake IDs.
Every time a big leak happens, information security professionals perform an analysis to find where the problem was and how to fix it. Usually the credentials were obtained not from the source servers (Google or Apple), but from the weak side: the user. By sending fake e-mails, running phishing scams or applying social engineering, attackers can collect a large number of usernames and passwords.
With two-step authentication enabled, even if you fall for a phishing scam and the attacker has your username and password, there is another step he must defeat before he gets access to your account. Make that second step hard to obtain and he will most likely leave you alone and choose a weaker target.
Nowadays, many public websites already offer an extra feature called “Two-step authentication”. When you enable it on your account, the website asks for a second password or token, sent to a device you trust. But how does it work?
The first step is to access your application, for example LinkedIn. Go to your account settings and look for the security settings. There you will find an option to enable Two-Step Authentication.
The second step is to choose a safe device. Some applications send you an SMS, while others recommend a mobile app such as Google Authenticator. Then you pair your safe device with the application: the application sends a temporary password to the device (or the app on the device generates one from a secret it shares with the site), and you type that password back into the security settings to confirm the pairing.
After this pairing, the application will always ask for your usual credentials plus a temporary password from your device.
There are some common questions, such as: what happens if I travel and my device has no Internet access? Can I set my laptop as a trusted device so that it does not require Two-Step Authentication? The answers vary from company to company. Some are more restrictive, while others offer offline tokens (an authenticator app computes its codes from the time and needs no network) or a pre-generated set of backup codes that you can print and carry with you. Check the instructions of each application where you enable Two-Step Authentication, because the step-by-step differs from one to the next. Apple, Facebook, Twitter, Dropbox, Google, Microsoft and others already offer this feature.
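The printable backup codes mentioned above, as an added illustration written for this article (not code from the original post, and not how any of the companies named implement it; the names issue_backup_codes and BackupCodeStore, the 10-code batch and the 10-character format are assumptions): the site generates the codes once, shows them to the user, keeps only salted slow hashes of them, and deletes each hash when its code is redeemed, so every code works exactly once and a stolen copy of the database does not reveal them.

```python
import hashlib
import hmac
import secrets
from typing import List, Tuple

# Characters that stay unambiguous on paper: no 0/O and no 1/I/l.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
PBKDF2_ROUNDS = 50_000  # slow hash, since a backup code is a password in all but name


def normalise(typed: str) -> str:
    """Accept what a user types from paper: case and separators do not matter."""
    return "".join(ch for ch in typed.lower() if ch in ALPHABET)


def _digest(code: str, salt: bytes) -> bytes:
    """Salted PBKDF2 of a normalised code; only this is kept server-side."""
    return hashlib.pbkdf2_hmac("sha256", code.encode("ascii"), salt, PBKDF2_ROUNDS)


class BackupCodeStore:
    """Server-side record for one user: a salt and the hashes of unused codes."""

    def __init__(self, salt: bytes, digests: List[bytes]) -> None:
        self.salt = salt
        self._unused = set(digests)

    def remaining(self) -> int:
        return len(self._unused)

    def redeem(self, typed: str) -> bool:
        """True exactly once per issued code; the matching hash is removed on use."""
        candidate = _digest(normalise(typed), self.salt)
        for stored in list(self._unused):
            if hmac.compare_digest(stored, candidate):
                self._unused.discard(stored)  # single use: burn it
                return True
        return False


def issue_backup_codes(count: int = 10, length: int = 10) -> Tuple[List[str], BackupCodeStore]:
    """Create a batch of codes. The plaintext list is shown to the user once and
    then forgotten by the server; only the store (salt + hashes) is persisted.
    Ten characters from a 31-symbol alphabet give roughly 50 bits per code."""
    salt = secrets.token_bytes(16)
    plain = ["".join(secrets.choice(ALPHABET) for _ in range(length)) for _ in range(count)]
    printable = ["-".join(c[i:i + 5] for i in range(0, len(c), 5)) for c in plain]
    store = BackupCodeStore(salt, [_digest(c, salt) for c in plain])
    return printable, store


if __name__ == "__main__":
    codes, store = issue_backup_codes()
    print("print and keep these:", codes)
    print("first use:", store.redeem(codes[0]))   # True
    print("second use:", store.redeem(codes[0]))  # False
    print("codes left:", store.remaining())       # 9
```

Because the server keeps only hashes, the codes cannot be re-displayed later; a user who loses the sheet has to generate a new batch, which invalidates the old one.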
Can I enable this kind of Two-Step Authentication on my company extranet? Sure you can; in fact, you should ask for it. Most companies use Web Access Manager solutions that can easily incorporate strong authentication. The days when strong authentication was an expensive feature are in the past: Google released its authenticator as an open source project, which your team can integrate into most applications.
Just as the credit card industry replaced the magnetic stripe on cards with smart cards (chip and PIN), the future of application authentication is to replace the username and password with a safer method of identification and authentication. Safer days are coming; until they arrive, it is better to enable Two-Step Authentication.
Fabio R. Sobiecki de Sales, CISSP, CCSP, CDPSE
Written on September/2014
Originally published on LinkedIn Pulse – https://www.linkedin.com/pulse/20140915150020-8638059-how-to-avoid-identity-theft/