Happy weekend, all!

Hi Cult friends!
Sorry we haven't been around much this week - a lot going on irl. This will be an open chat so please feel free to share music, comments, and gifs.

I'd like to share a couple topics I've been learning about online security. I know this can be a boring subject but it's VERY important, so I hope you'll read this and check the links when you have time. I'm not an expert but if anyone has questions I'll try to help in the comments.

First we'll talk about 2FA (two-factor authentication) and then a related topic involving a growing scam putting our mobile numbers at risk.

2FA
2FA is an additional login step after your username and password. The idea is that if your username and password are compromised, the hacker still has to enter a one-time code that is either sent to you by SMS or email, or generated by an authenticator app on your phone.

(SMS isn't the best way to do this, but it's still worth doing - we'll talk about that in a minute.)

Here's a gif showing a WordPress login using 2FA.


You enter your user and password, then a new window pops up asking for a verification code. Okay, so where do you get this code?

The best way to set this up is with an authenticator app for your phone (and some have browser extensions). The app generates the code. Google has one (here), so does Microsoft (here), and there are third-party apps as well like Authy (very easy to use) or you can look on the app store. iOS has a great free one called OTP Auth by Roland Moers.

1Password and LastPass also do this very well, if you use those for password management. You're not re-using passwords, are you? Are you????


Seriously, turn 2FA on where you can. To find out if a site has it, you can look at a list like this one, but you can also check your account settings or profile and it will have a place to set it up.

2FA can also be done with a physical security key like the Yubikey if you don't want to mess with codes. I haven't tried those yet but here's a good article from The Verge.

The second topic relates to 2FA by text/SMS on your phone. This is better than not doing 2FA at all, but it is more risky than using an authenticator app because of a fast-growing scam called SIM hijacking. Here's an article from Let's Talk, but you can find more info easily by googling "SIM hijacking" or "port-out scam."

SIM Hijacking
What happens is that someone gets your mobile number and a few other identifiers like name, address, email. They call up a mobile provider like Verizon or T-Mobile and say they want to port your number to a new SIM card (and conveniently, they're holding it in their hand).

So if the provider does it, what happens?

Calls...texts...anything involving your phone number... all start going to that new phone.

So if your bank texts you a code to log in, it now goes to the hacker's phone and you can't access your bank account. This is why using 2FA with an app is better than SMS. Most of the apps let you back up your 2FA accounts on your computer or a cloud drive.

A WIRED journalist wrote a compelling article back in 2012 about when his online life and personal computers were hacked. This is really an eye-opener: The inside story of how hackers destroyed Mat Honan's digital life.

The author correctly takes responsibility for lax security practices and no backups. He almost lost every photo he had of his newborn daughter. Back up your computers, kids!

What else can I do?
To help prevent SIM hijacking, most mobile carriers offer an extra PIN on your account that has to be provided before your phone number can be ported. This PIN isn't your regular account password. It's a separate code used only for porting your number out, if you ever want to do that yourself. Lifehacker has some good info about how to set it up with your carrier, and why you should do it.

This isn't a fun topic and it can be scary. Our phone numbers and email addresses were never intended to be personal identifiers, but they've become exactly that and we use them for logins every day. When you think about all the people and businesses that have your phone number and email address and may not be storing it safely, you can see the risk.


Okay, end of lecture and thanks for reading 👍 Leave a comment and let us know how you're doing!
What are you listening to? 🎧
What are you doing this weekend? Shopping? 👜 Housecleaning? 🧹
Gardening? 👒🌻 Working? 🗄
What's for dinner tonight? 🍕
How's the weather where you are? 💨

It's warm and sunny here...as usual! We were joking at work the other day that we don't even look at the weather anymore 😁☀️ I miss fall though 🍁

Let us know if this post was helpful, and if so we can do a few more discussions about computer security.

Or we'll just dance if we want to...🕺


