Tag Archive for SMS

| June 17, 2018
Comments Off on What is SS7?

What is SS7?

What is SS7?– Updated 10/25/2018 – The NYT is reporting that China and Russia are spying on Trump via his unsecured iPhone. NYT says that though intercepted calls, likely related to SS7 the Chinese have pieced together a list of the people with whom Mr. Trump regularly speaks in hopes of using them to influence the president, the officials said. Among those on the list are Stephen A. Schwarzman, the Blackstone Group CEO, and Steve Wynn, the former Las Vegas casino magnate.

Trump uses unsecure cell phoneA number of outlets are speculating that the Chinese are using the known SS7 flaw to spy on the president’s iPhone.  I have written about the problems with SS7 a number of times since 2016 and now the chicken has come home to roost.

Trump recently bragged that he gave the North Korean dictator his personal cell number. If that is true, he has created a major national security exposureKarsten Nohl, chief scientist at the firm Security Research Labs, who researches cell network attacks told Wired,  “Absolutely that is a problem.” He says hackers can abuse flaws in Signaling System 7 to listen in on someone’s phone calls, intercept their text messages, and track their location.

North Korean intelligence isn't already tracking Trump's phonesIf North Korean intelligence isn’t already tracking Trump’s phones through malware, a direct phone number could give them a way in. The SS7 attacks can give hackers relatively easy access to calls and texts, and location data. Wired points out that North Korea has proven itself as an adversary willing to hack and manipulate systems around the world for its financial or intelligence gain—it was responsible both for the 2014 hack of Sony and 2017’s WannaCry ransomware outbreak – SS7 hacking is likely no exception.

The telecom industry and U.S.government have done very little to plug the SS7 hole. Senator Ron Wyden, a Democrat from Oregon and a senior member of the Senate Select Committee on Intelligence, has been tracking the SS7 issue for several years. He has sent letters to FCC Chairman Ajit Pai, asking for answers on SS7 security and details about how many network providers have been breached through SS7. Mr. Wyden wrote, “I’ve spent the past year fighting to reveal what a terrible job the telephone companies and FCC are doing at protecting Americans from being spied on, tracked, or scammed.”

Attackers used SS7 to get customer dataFCC Chairman Ajit Pai

Mr. Wyden said he had been told by a big-name mobile network that malicious attackers are believed to have used SS7 to obtain US customer data. DHS confirmed reports of “nefarious” types leveraging SS7 to spy on American citizens by targeting their calls, text messages, and other information.

So what is SS7?

The Signaling System 7 (SS7) network is fundamental to cellphones operations, but its security design relies entirely on trust. The protocol does not authenticate messages; anyone with access to SS7 can send a routing message, and the network will make it. Now as SS7 network operators are opening the SS7 network to third-party access, vulnerabilities are being exposed and attacked initially by governments and now criminals.

Since 1975, over 800 telecommunications companies around the world use SS7 to ensure their networks interoperate. SearchNetworking.com defines the Signaling System 7 (SS7) as an international telecommunications standard that describes how network elements in a public switched telephone network (PSTN) exchange information over a digital signaling network.

SS7 control messages

SS7 control messages contain routing, congestion, and authentication information.

  • SS7 routing deals with: How do I send a call to 313-555-1234?
  • Congestion – What to do if the route to a network point is crowded.
  • Authentication – Confirms that the caller is a valid subscriber and lets the call set up continue.

They explain that SS7 consists of a set of reserved or dedicated channels known as signaling links. There are three kinds of network points signaling points:

  • Service Switching Points (SSPs) originate or terminate a call and communicate with SCPs to determine how to route a call or set up and manage some special feature.
  • Signal Transfer Points (STPs) are packet switches that route traffic on the SS7 network.
  • Service Control Points (SCPs) SCPs and STPs are usually mated so that service can continue if one network point fails.

Cell phonesSS7 out-of-band signaling (control) information travels on a separate, dedicated 56 or 64 Kbps channel and not within the same channel as the telephone call. Historically, the signaling for a telephone call has used the same voice circuit that the telephone call traveled on. Using SS7, telephone calls can be set up more efficiently and special services such as call forwarding and wireless roaming service are easier to add and manage. SS7 is used for:

  • Setting up and managing the connection for a call,
  • Tearing down the connection when the call is complete
  • Billing,
  • Managing features such as:
    • call forwarding,
    • calling party name and number display,
    • three-way calling,
    • Toll-free (800 and 888) and toll (900) calls
    • 911 emergency service calls in the US, and,
    • Other Intelligent Network (IN) services.
  • Wireless as well as wireline call service including:
    • Mobile telephone subscriber authentication,
    • Personal communication service (PCS) and,
    • Roaming,
    • SMS messages.

Within SS7, SMS messages are sent on the same channels and infrastructure as SS7 uses to control the core of the telephone networks.

When an SMS message is sent from an SMS-capable cell phone, the message is handled no differently than a normal call setup: it moves from the cell phone to a base station to a Mobile Switching Center (MSC).

SMS messageFrom the mobile switching center, the SMS message moves inside the SS7 network to the Short Messaging Service Center (SMSC), a standard part of the network. The SMSC queries the Home Location Register (HLR) to find out where the recipient of the message is and whether he or she is switched on to receive a message. If not, the SMSC stores the message until it can be delivered.

Mobile Switching Center (MSC) — The MSC is the equivalent of the local switch inside the mobile network. It provides very similar services to a switch, but uses virtual circuits over radio channels instead of physical voice circuits. One variation on the MSC is the Gateway Mobile Switching Center (GMSC) which routes calls into and out of the network and will not have phones locally registered.

Visitor Location Register (VLR) — The VLR is the database attached to an MSC that keeps track of all the phones currently “registered” to it, informing other nodes of status changes, and checking authentication information.

Short Message Service Center (SMSC) —The SMSC is the clearinghouse for SMS messages on an SS7 network and provides store-and-forward services.

Home Location Register (HLR) — HLR is a core database that keeps track of subscribers. It contains information on the current account status and provides authorization information for billing. When a call or SMS is trying to reach a subscriber, this is the node that is queried to find out where in the network that subscriber actually is.

SS7 Architecture

rb-

Mr. Nohl told Motherboard SS7 is, “probably the weakest link in our digital protection chain.” CTIA, the telecom lobbying arm, denies there is a problem with SS7. CTIA told DHS that the SS7 flaws are “perceived shortcomings.” They also said that talking about SS7 attacks is “unhelpful.” CTIA, practicing “security through obscurity,” claimed that talking about the issues may help hackers. 

This is a mess. Contact your senator and representative in D.C. and tell them to support Senator Wyden, efforts to force the FCC to deal with the SS7 flaws. 

Related article

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , ,
| December 6, 2017
Comments Off on OMG Texting b 25 !

OMG Texting b 25 !

OMG Texting b 25 !This week marks the 25th birthday of text messages. Texting is more properly known as SMS. On Dec. 3, 1992, 22-year-old Sema Group software architect Neil Papworth typed the first SMS (Short Message Service) message, “Merry Christmas” on a computer and sent it over a  GSM network in the UK, to an Orbitel 901 handset owned by then-Vodafone director Richard Jarvis.

SMS serviceIn 1993, a year after the first text message was sent, Nokia (NOK) set up the first commercial SMS service in Finland. Nokia was the first handset manufacturer whose total GSM phone line supported users sending SMS text messages. In 1997, Nokia became the first manufacturer to produce a mobile phone with a full keyboard: the Nokia 9000i Communicator.

Texting adoption

SMS adoption was slow at first, with only 0.4 text messages sent per month in 1995. The fact that UK users could only send SMS messages to those on the same network was a big problem until the restriction was lifted in 1999.  However, as smartphone technology developed and text messages became easier to use, SMS popularity ballooned. As mobile phones became more popular, texting skyrocketed. By 2007, the Brits were sending 66 billion SMS messages a year and in 2012, they sent 151 billion texts.

Nokia 9000i CommunicatorIn the U.S. SMS was slower to catch on, mainly because mobile operators charged more for texts and less for voice calls, and because of the popularity and availability of PC-to-PC instant messaging or IM. However, in the United States, 45 billion text messages were sent per month in 2007, a figure that became 167 billion per month in 2011. In June 2017, 781 billion text messages were being sent in the United States per month according to the experts.

U.S. Texts Sent

MonthNumber of Text Messages Sent Each MonthIncreased Number of Text Messages Sent YoY% Increased Number of Text Messages Sent YoY
June 2017
781.000,000,000147,000,000,000431.3%
June 2016634,000,000,00073,000,000,000768.5%
June 2014561,000,000,00063,000,000,000790.5%
June 2013498,000,000,00075,000,000,000564.0%
June 2012423,000,000,00056,000,000,000655.4%
June 2011367,000,000,000126,000,000,000205.8%
June 2010247,000,000,00086,000,000,000187.2%
June 2009161,000,000,00086,000,000,00087.2%
June 200878,000,000,00030,000,000,000150.0%
June 200745,000,000,00032,500,000,00038.5%
June 200612,500,000,0005,250,000,000138.1%
June 2005
7,250,000,0004,390,000,00065.1%
June 20042,860,000,0001,660,000,00072.3%
June 20031,200,000,0002270,000,000344.4%
June 200133,000,00021,000,00057.1%
June 200012,000,000
Text Message Statistics – United States from Statistic Brain (www.statisticbrain.com)
With 25 years under its belt, many people wonder if the end of the line is near for SMS. This is because apps such as Apple‘s (AAPL) iMessage, Google‘s (GOOG) Hangouts, Facebook‘s (FB) Messenger, WhatsApp, and SnapChat have become very popular.

Closed systems

Chat applicationThese new chat applications also marked a more fundamental shift away from an open standard that anyone could use (even if your operator charged you) to closed messaging systems controlled by technology giants. Text messages, however, might not be going away soon. SMS is a very practical and easy-to-use communication method, especially for areas and countries that do not have reliable internet connections.

Related article

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , , , , , ,
| March 18, 2017
Comments Off on Your Mobile is Leaking SS7

Your Mobile is Leaking SS7

Your Mobile is Leaking SS7There is a vulnerability in the global phone system. The flaw allows hackers to access telephone data using nothing but a phone number. The flaw is in the Signaling System 7 (PDF) or SS7. SS7 is a set of telephony signaling protocols that exchanges information on telephone networks.

Listening to phone callsThe Register points out that SS7 signaling technology was developed in the 1970s. It hasn’t been updated, since the systems became accessible over the internet. The weakness in SS7 allows hackers or TLA’s to exploit the vulnerability with the phone number of the user they’re targeting. The flaw allows them to listen to phone calls, read text messages and track the user’s location.

The SS7 flaw

A white paper (PDF) by independent cyber-security company Positive Technologies explains.

The process of placing voice calls in modern mobile networks is still based on SS7 technology which dates back to the 1970s. At that time, safety protocols involved physical security of hosts and communication channels, making it impossible to obtain access to an SS7 network through a remote unauthorized host. In the early 21st century, a set of signaling transport protocols called SIGTRAN were developed. SIGTRAN is an extension to SS7 that allows the use of IP networks to transfer messages.

However, even with these new specifications, security vulnerabilities within SS7 protocols remained. As a result, an intruder is able to send, intercept and alter SS7 messages by executing various attacks against mobile networks and their subscribers.

The real-world result of the SS7 flaw as Alex Mathews, technical manager EMEA of Seoul Korea-based Positive Technologies explained is.

Chat applications such as WhatsApp, Telegram, and others use SMS verification based on text messages using SS7 signaling to verify the identity of users/numbers.

SMS verification based on text messages using SS7 signallingSMS authentication is one of the major security mechanisms for services like WhatsApp, Viber, Telegram, Facebook (FB), and is also part of second-factor authentication for Google (GOOG) accounts, etc. Devices and applications send SMS messages via the SS7 network to verify identity, and an attacker can easily intercept these and assume the identity of the legitimate user. Having done so, the attacker can read and write messages as if they are the intended recipient.

If chat history is stored on the server, this information can also be retrieved.

60 Minutes hacks SS7

The hack first came to light in 2014. Security researcher Karsten Nohl demonstrated the SS7 flaw at a convention in Germany according to FierceWireless. CBS 60 Minutes (rb- That’s still on?) caused a mild ripple after they ran a story on the flaw. The program engaged Mr. Nohl to demonstrate the vulnerability. He was able to track a new iPhone that had been given to U.S. Rep. Ted Lieu (D-CA).

Mr. Lieu, who holds a degree in computer science from Stanford, agreed to use the phone to talk to his staff knowing it would be hacked. From his office in Berlin, Mr. Nohl was able to access Rep. Lieu’s phone. He tracked the representative’s movements in Los Angeles, read messages, and recorded phone calls between Representative Lieu and his staff.

record phone callsCBS correspondent Sharyn Alfonsi contacted representatives from CTIA for comment on the story. The CTIA said that there have been reports of SS7-related security breaches abroad. She stated, “… but (they) assured us that all U.S. cellphone networks were secure.” Despite the fact that Mr. Lieu was on a U.S. network when his phone was hacked from Germany.

An open secret

The flaw “is an open secret among the world’s intelligence agencies — including ours — and they don’t necessarily want that hole plugged,” Ms. Alfonsi reported. The four major U.S. wireless operators declined to discuss more specific questions from FierceWireless. When asked whether the flaw may threaten the privacy and security of subscribers, AT&T (T) and Verizon (VZ) deferred to CTIA. Sprint (S) and T-Mobile (TMUS) declined to discuss SS7.

Listen to phnoe callsRepresentative Lieu has called for a congressional investigation of the vulnerabilities in SS7. He wrote that “The applications for this vulnerability are seemingly limitless, from criminals monitoring individual targets to foreign entities conducting economic espionage on American companies to nation states monitoring U.S. government officials.” Lieu said the investigation should be conducted by the House Oversight and Government Reform Committee, of which he is a member.

Investigate the flaws in SS7

The Register reports that Senator Ron Wyden (D-OR) recently joined Representative Lieu to investigate the flaws in SS7. The pair plan to send an open letter [PDF] to Homeland Security. They want an update from Secretary John Kelly on DHS’s progress in addressing the SS7 design shortcomings. It also asks why the agency isn’t doing more to alert the public about the issue. The letter states in part:

We suspect that most Americans simply have no idea how easy it is for a relatively sophisticated adversary to track their movements, tap their calls, and hack their smartphones. … We are also concerned that the government has not adequately considered the counterintelligence threat posed by SS7-enabled surveillance.

 rb-

It is important to understand that the wired and wireless telephone network that your phone connects to is not secure. They probably never will be.

Telephone networks were not designed to be secure.

In the most recent draft of the new Digital Identity Guidelines requirements from NIST warns that:

Note: Out-of-band authentication using the PSTN (SMS or voice) is discouraged and is being considered for removal in future editions of this guideline.

You really have to wonder if this is related to the SS7 hole and why it is only being considered for removal. Maybe some of its TLA friends want the hole to stay in place.

I previously covered the SS7 flaw implications to SMS here.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , , , ,
| September 7, 2016
Comments Off on Stop using SMS for Two-Factor Authentication

Stop using SMS for Two-Factor Authentication

Stop using SMS for Two-Factor AuthenticationFollowers of the Bach Seat know that passwords suck and no longer provide reliable security. Because automated mass cybercrime attacks are hammering businesses daily, the National Institute of Standards and Technology (NIST) is disrupting the online security status–quo. According to InfoWorld, the US government’s standards body has decided that passwords are not good enough anymore. NIST now wants government agencies to use two-factor authentication (2FA) to secure applications, networks, and systems.

NIST logoTwo-factor authentication is a security process where the user provides two means of identification from separate categories of credentials. The first is typically something you have, a physical token, such as a card. The second is usually something you know like a PIN number.

The proposed standard discourages organizations from sending special codes via SMS messages. Many services offer two-factor authentication. They ask users to enter a one-time passcode sent via SMS into the app or site to verify the transaction. The author writes that weaknesses in the SMS mechanism concern NIST.

NIST now recommends that developers use tokens and software cryptographic authenticators instead of SMS to deliver special codes. They wrote in a draft version of the DAG; “OOB [out of band] using SMS is deprecated and will no longer be allowed in future releases of this guidance.”

Short Message Service (SMS)Federal agencies must use applications that conform to NIST guidelines. This means for software to be sold to federal agencies, it must follow NIST guidelines. InfoWorld says this is especially relevant for secure electronic communications.

SMS-based Two-Factor Authentication is considered insecure by NIST for a number of reasons. First, someone other than the user may be in possession of the phone. The author says an attacker with a stolen phone would be able to trigger the login request. In some cases, the contents of the text message appear on the lock screen, which means the code is exposed to anyone who glances at the screen.

SMS based two-factor authentication (2FA)InfoWorld says that NIST isn’t deprecating SMS-based methods simply because someone may be able to intercept the codes by taking control of the handset, that risk also exists with tokens and software authenticators. The main reason NIST appears to be down on SMS is that it is insecure over VoIP.

The author says there has been a significant increase in attacks targeting SMS-based two-factor authentication recently. SMS messages can be hijacked over some VoIP services. SMS messages delivered through VoIP are only as secure as the websites and systems of the VoIP provider. If an attacker can hack the VoIP servers or network they can intercept the SMS security codes or have them rerouted to her own phone. Security researchers have used weaknesses in the SMS protocol to remotely interact with applications on the target phone and compromise users.

Signalling System 7 (SS7) Sophos’ Naked Security Blog further explains some of the risks. There is malware that can redirect text messages. There are attacks against the Signalling System 7 (SS7) protocol. SS7 controls how the phone system works.  (rb- Some believe that TLA’s hacked SS7 to spy on citizens.) This hack allows an attacker to divert the SMS containing a one-time passcode to their own device, which lets the attacker hijack any service, including Twitter (TWTR), Facebook (FB) or Google (GOOG) Gmail, that uses SMS to send the secret code to reset the account password.

Mobile phone number portability also poses a problem for SMS security. Sophos says that phone ports, also known as SIM swaps can make SMS insecure. SIM swap attacks are where an attacker convinces your mobile provider to issue you a new SIM card to replace one that’s been lost, damaged, stolen or that is the wrong size for your new phone.

SIM swap attacksSophos also says in many places it is very easy for criminals to convince a mobile phone store to transfer someone’s phone number to a new SIM and therefore hijacking all their text messages.

ComputerWorld highlights a recent attack that used social engineering to bypass Google’s two-factor authentication. Criminals sent users text messages informing them that someone was trying to break into their Gmail accounts and that they should enter the passcode to temporarily lock the account. The passcode, which was a real code generated by Google when the attackers tried to log in, arrived in a separate text message, and users who didn’t realize the first message was not legitimate would pass the unique code on to the criminals.

NIST’s decision to deprecate SMS two-factor Passwordauthentication is a smart one,” said Keith Graham, CTO of authentication provider SecureAuth. “The days of vanilla two-factor approaches are no longer enough for security.

For now, applications and services using SMS-based authentication can continue to do so as long as it isn’t a service that virtualizes phone numbers. Developers and application owners should explore other options, including dedicated two-factor apps. One example is Google Authenticator, which uses a secret key and time to generate a unique code locally on the device for the user to enter into the application.

Hardware tokens such as RSA’s SecurID display a Hardware tokens new code every few seconds. A hardware security dongle such as YubiKey, used by many companies including Google and GitHub, supports one-time passwords, public-key encryption, and authentication. Knowing that NIST is not very happy with SMS will push the authentication industry towards more secure options.

Many popular services and applications offer only SMS-based authentication, including Twitter and online banking services from major banks. Once the NIST guidelines are final, these services will have to make some changes.

Fingerprint RecognitionMany developers are increasingly looking at fingerprint recognition. ComputerWorld says this is because the latest mobile devices have fingerprint sensors. Organizations can also use adaptive authentication techniques, such as layering device recognition, geo-location, login history, or even behavioral biometrics to continually verify the true identity of the user, SecureAuth’s Graham said.

NIST acknowledged that biometrics is becoming more widespread as a method for authentication, but refrained from issuing a full recommendation. The recommendation was withheld because biometrics aren’t considered secret and can be obtained and forged by attackers through various methods.

Biometric methods are acceptable only when used with another authentication factor, according to the draft guidelines. NIST wrote in the DAG;

[Biometrics] can be obtained online or by taking a picture of someone with a camera phone (e.g. facial images) with or without their knowledge, lifted from objects someone touches (e.g., latent fingerprints), or captured with high-resolution images (e.g., iris patterns for blue eyes)

Biometrics

At this point, it appears NIST is moving away from recommending SMS-based authentication as a secure method for out-of-band verification. They are soliciting feedback from partners and NIST stakeholders on the new standard. They told InfoWorld, “It only seemed appropriate for us to engage where so much of our community already congregates and collaborates.

You can review the draft of Special Publication 800-63-3: Digital Authentication Guidelines on Github or on NIST’s website until Sept. 17. Sophos recommends security researcher Jim Fenton’s presentation from the PasswordsCon event in Las Vegas that sums up the changes.

VentureBeat offers some suggestions to replace your SMS system:

  • Hardware tokens that generate time-based codes.
  • Apps that generate time-based codes, such as the Google Authenticator app or RSA SecurID,
  • Hardware dongles based on the U2F standard.
  • Systems that use push notifications to your phone.

 

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , ,
| August 12, 2014
Comments Off on Who Needs Two-Factor Authentication

Who Needs Two-Factor Authentication

Who Needs Two-Factor AuthenticationThe recent epidemic of online security breaches has shown the folly of passwords as the sole protector of your online data. As I have covered several times, most users depend on the same passwords. So what are we to do? One solution is Two-Factor Authentication.

John Shier at SophosNaked Security blog provided a primer on multi-factor authentication. Two-Factor Authentication is a subset of Multi-factor authentication (MFA).  MFA is an authentication process where two of three recognized factors are used to identify a user:

  • Sommulti-factor authenticationething you know – usually a password, passphrase, or PIN.
  • Something you have – a cryptographic smartcard or token, a chip-enabled bank card, or an RSA SecurID-style token with rotating digits
  • Something you are – fingerprints, iris patterns, voiceprints, or similar

How two-factor authentication works

Two-factor authentication works by demanding that two of these three factors be correctly entered before granting access to a system or website. So if someone manages to get hold of your password (something you know), the article says they still will not be able to get access to your account unless they can provide one of the other two factors (something you have or something you are).

Data breachThe author explains that secure tokens with rotating six-digit codes can be used to remotely access internal systems via a VPN session. Users need to give a username, a password, and the six-digit code from the secure token appended to a PIN. Home users can use a sort of two-factor authentication using SMS code verification. This is where, in addition to correctly entering your password (something you know), you must also correctly enter a numeric passcode sent to your mobile phone via SMS (something you have).

The availability of mobile network service and the unreliable nature of SMS can make SMS 2FA difficult. However, some services allow you to use an authenticator app in addition to your password which presents you with a different numeric one-time password (OTP) for each service that you register with the app. Both Google and Windows make these apps freely available in their respective stores.

Authenticator apps can be great for signing into sites like Google, Facebook, and Twitter even when your phone does not have service (mobile or otherwise).

Two-factor authentication makes it harder

SPAM emailParker Higgins at the EFF, says normal password logins, which use single-factor authentication, just check whether you know a password. This means anybody who learns your password can log in and impersonate you. Adding a second factor, like a PIN, something you know, with your ATM card, something you have, makes it harder to impersonate you. You need to both have a card and know its PIN to make a withdrawal.

Online two-factor authentication brings the same concept to your services and devices by using your phone—which means that even if your password is compromised by a keylogger in an Internet café, or through a company’s security breach, your account is safer according to the EFF.

That’s important because phishing, which is one of the most common ways in which accounts are compromised, only gets information about passwords. By adding a different factor, phishing attacks become much more complicated and much less effective according to Mr. Higgins.

APhishings two-factor authentication systems become more popular, they have gotten increasingly user-friendly; the EFF believes it doesn’t have to be a difficult trade-off of convenience for security. Major services like Twitter, Google (GOOG), LinkedIn (LNKD), Facebook (FB), Dropbox, Apple (AAPL), Microsoft (MSFT). GitHub, Evernote, WordPressYahoo (YHOO) Mail and Amazon (AMZN) Web Services have enabled two-factor authentication.

rb-

Users should get used to two-factor authentication. 2FA is not available everywhere but many of the most popular sites and services on the internet use the technology.  Hopefully, this will compel the rest to follow suit. There is Android malware in the wild that is specifically designed to steal SMS verification codes trying to thwart 2FA so you still need anti-malware on your mobile devices.

In the wake of recent POS attacks (which I covered here), DHS has recommended 2FA for POS systems. While it is not bulletproof, it does increase your security by making it harder for your accounts to be compromised. All users will need Two-Factor-Authentication Authentication.

Related articles
  • Fending off automated attacks with two-factor authentication (cloudentr.com)

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , , , , ,
« Older Entries