Burglars and cybercriminals have the same philosophy: when a target is secure, pick a softer victim. Using multi-factor authentication is like getting a free and easy deadbolt on your online accounts to go from a soft target to a hard target.
Cybercriminals and professional hackers paid to test defences have said accounts protected with multi-factor authentication are an obstacle they would rather avoid.
It could be said then that adequate security is a matter of being more secure than your neighbors.
Scams Awareness Week: five ways in five days to free and easy cyber security
Most hackers are after quick money. Multi-factor authentication helps protect against these attacks.
The first step to securing your online accounts is to use a password manager and change any passwords that you have reused. Start with your most valuable accounts.
Next turn on multi-factor authentication (also known as two-factor authentication and two-step authentication).
Deadbolts for your accounts
Most hackers are after quick money. They blind fire phishing emails in an all-too-successful bid to snare usernames and passwords while others feed huge lists of hacked logins published online into automated password-guessing tools to break into accounts at scale.
Multi-factor authentication helps protect against these attacks with a deadbolt in the form of a check that is required after your password.
Most of the big technology platforms from Google to Microsoft, Instagram to Reddit offer it for free under user account settings and security or privacy. A directory listing services that allow multi-factor authentication is available at twofactorauth.org.
It is often a six-digit code generated in a special app or sent over SMS. It may, in the case of Google and other services, be an easy notification that appears on your phone asking you to tap to approve access. It can also exist as fingerprint readers and special USB devices.
Attackers who have managed to steal your password must also steal these checks to gain access to your account.
But they have a short window to do it. The checks expire usually after 30 seconds to a few minutes placing a tight time window on any attempt to steal them.
It is a hurdle that for most cybercriminals proves too hard.
Multi-factor authentication is easy for you, however. It is usually only required once, provided you use the same device or web browser and remained signed in. Some sensitive services like online banking that log you out after inactivity require the code be entered on each login.
Phishing works because people are at times inattentive and generally trust what they see.
It stands to reason that those who are willing to enter their details into a login form they believe is legitimate will also enter their multi-factor authentication codes.
Basic phishing sites store stolen passwords in databases that can be used in subsequent attacks.
Advanced phishing sites immediately send captured usernames and passwords to the legitimate services they mimic and log into the victim’s account in real-time. The sites then prompt victims to enter their multi-factor authentication codes which, when supplied, allow the criminal to access the victim’s account.
Other dedicated criminals can steal SMS-based multi-factor authentication by abusing phone porting, a feature that allows consumers to churn their mobile number to new providers.
Criminals need to have enough information on their victim to pass identity checks in order to gain control of a victim’s phone number and receive any SMS-based authentication.
New industry security controls make this attack very difficult. Pre-port verification codes must now be entered before phone porting can take place.
Scams Awareness Week runs from August 17 – 21. Make sure to check out our Cyber Security Hub for the latest info on staying safe from threats. Also see the ACCC’s ScamWatch podcast series on identity theft by the team at the ABC’s The Chaser.