My wife and I woke up this morning to find an email from a good friend of ours, sent at 3:09AM, with the subject: URGENT! Needless to say, we were worried. This is what the email said:
Am so sorry to bother you, am in a terrible situation right now and will need your urgent help. I am in Limassol, Cyprus at the moment and I just misplaced my bag containing all my vital items, passport, phone and money. I am trying to sort things out with the necessary authorities, I may need a little help from you.
By the time I got to Cyprus, I realized what had happened: Her gmail account had been hacked, and someone had spammed all her contacts. Normally in these circumstances, the victim doesn't even know it has happened, so I right away hit Reply to inform her of the problem and get her to change her password. But this time, something didn't sit right... I couldn't quite put my finger on it, and then it hit me. There was no link in the email. No call to action, no malicious website to visit, so I wondered "What's the scam here?" And that's when I noticed that the email address I was replying to wasn't my friends, but a fake address, similar to hers, at a different domain. The attacker was collecting replies in addition to contacts, looking for new victims. Instead of replying to her email, I called and walked her through the steps of resetting her password, changing her reply address, and recovering her emails.
This has probably happened to many of you. I know that it's happened to me. Passwords, no matter how strong (and most of ours aren't that strong) aren't unbreakable. That's why many of our service providers today - Google, Facebook, Microsoft - are now offering 2-step authentication as an added layer of security, and it's why I recommend everyone with a smartphone enable it right now.
What is 2-step authentication?
If you've ever used a Citrix key, you're already familiar with 2-step authentication. As the name suggests, it adds a 2nd step when logging into a service. In addition to your username and password, you're also required to enter a self-destructing key, usually 6 digits.
This technology has been around for a while, but it used to be cumbersome and not worth the effort. You had to carry around physical "tokens", like the Citrix key I mentioned above, to give you access to your codes. It was complicated to set up, and if you lost your token, a nightmare to reset. Moreover, until recently it was seen as overkill, as the solution was often worse than the problem. That's all changed.
- Easy set-up: Setting up 2-step authentication is now a breeze. It took me less than 5 minutes this morning to change all my passwords and enable 2-step authentication for my Google, Facebook, Dropbox, and Microsoft accounts.
- New access options: One of the reasons I hesitated to enable this feature was concern about what would happen when I was travelling and unable to receive SMS messages. You can now get access keys in a number of ways:
- Via SMS, or sometimes an automated phone call.
- From an app on your smartphone, without a data or cellular connection. Better yet, a single app from any publisher will work with multiple services. Microsoft and Google, for instance, both offer "authenticator apps" which you can download for free. They're minimalist, clean, and straightforward to use. Adding a new account to your authenticator app is as easy as pointing your phone's camera at a QR code on your computer screen.
- Last-resort recovery keys: As a last resort, you can generate single-use keys in advance. You can print these and store them anywhere - in your wallet, with your passport, on your phone - and use them as needed. Because they don't include your username or password, they're low-risk if lost, so unlike passwords, it's ok to write them down. Just don't keep them on a post-it note at your computer screen if you're hoping to keep that computer secure.
- Trusted devices: You can also identify trusted computers, so that you don't have to enter a code every time you log in.
- Heightened risk: We now have too much personal data online to be blasé about security. I'm not just talking about email. In Dropbox, Google Drive, or Onedrive, you might have copies of your passport and birth certificate (good idea when you're traveling), your credit card information, confidential business information, and who knows what else.
- The greater good: For the same reason I get the flu shot every year (I'm young and healthy, I'm not at risk, but I can be a carrier that puts my family at risk), I use 2-step authentication. Leaving my cloud accounts open to attack also leaves my contacts open to account. It's inconsiderate and careless of me to put at risk those who trust me.
If you have a smartphone and you use the internet, there's absolutely no reason not to turn on 2-step authentication today. It's a simple, quick way to drastically increase the security of your personal information, your business data, and your contacts' accounts. Generally, you can find it under Security in your Account settings. If you need help enabling it or have questions, contact us. We're happy to help.