Awareness of cyber security is becoming more prevalent in the mainstream. Where it was once the preserve of computer scientists and engineers, lay people are increasingly beginning to understand its importance.
Most people will understand the potential problems of cyber criminals gaining access to things like their bank account and take appropriate precautions, but many are still lax when it comes to cyber security in general.
There are some very clever pieces of software out there that ‘crack’ passwords or exploit weaknesses in the security of a Web service in order to access private data. But a great deal of criminal activity is predicated on ‘hacking the human’ - i.e. good old fashioned opportunism and confidence tricks.
As an individual there is little you can do to influence the security systems of the services you use - other than to vote with your ‘cyber’ feet and refuse to use online services which don’t take security seriously. However, there is much an individual can do to minimise risk.
In this upcoming series of articles we will look at some of these related topics.
In the first article we’ll look at passwords and the move towards two or three factor authentication.
The use of passwords to access online services is nearly as old as the Web itself. Most services will ask for a username (often an email address) and password in order to grant access to the system. This is an example of ‘One-factor Authentication’ - it relies on asking something of the user that it is assumed the user (and only that user) and the system knows.
The system is based on the assumption that the user is keeping this bit of information safe. Therefore, if the system asks the user for that bit of information and what they offer matches what the system knows, the user is assumed to be identified. In an ideal world there is nothing wrong with this system.
The inherent weakness occurs when that piece of information, i.e. a password, is discovered by a malicious third party.
There are three sources from which this information could be ‘stolen’:
i) The system itself:
Despite what Hollywood movies may portray, this is actually harder than it seems (for a well maintained system). A well-run service does not store your password at all, only a salted hash of it, so even a thief who copies the whole database still has to guess each password individually.
ii) A second system:
This is where you use the same username/password combination on more than one service. Should one of those services be compromised, a simple script will try those credentials against a list of other services to see if they grant access (the technique is known as ‘credential stuffing’). For instance, let's imagine you have an account on a simple local news sharing site. You access this using your email address and a password. Now let's say the security is lacking somewhat and a criminal manages to get a list of emails and passwords for all the accounts on that system. There are 2.9 billion Facebook accounts, so it is a reasonable assumption that some of those people with accounts on the news Website also have a Facebook account. It's a task of seconds to try the stolen list of email addresses and passwords against the Facebook login process. Anyone with an account on the news site who uses the same email address and password combination on Facebook has now had their Facebook account hacked. What's worse is that Facebook can act as an authentication agent for other services - have you ever been to a Web service which offers the ability to 'Register or Log in with Facebook'? Thus we see that the simple mistake of duplicating an email and password combination on a vulnerable site has unlocked a whole raft of other accounts!
iii) The User themselves:
This is by far the most common way in which passwords are stolen. It could include leaving the password on a post-it note, keeping a document or notebook listing passwords, sharing it with someone whose own security is compromised, or sending or storing it somewhere insecure, such as in an email or text message. You could also fall prey to some kind of deceit where you believe you are entering your details into a valid service, but it is actually a fake site which will collect your data. This is a form of ‘phishing’ which we will look at in a future blog in this series.
As mentioned above, there is little you can do personally about the first case, but the latter two are well within the individual's control to guard against.
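To make the first two cases above concrete, here is an added example (not code from the original article or from any real service) that simulates the scenario in ii): a carelessly run news site that stored passwords in clear text has leaked its account list, and a second, well-run site stores only salted, slow hashes. Replaying the leaked pairs against the second site's login opens exactly the accounts whose owners reused their password, while a thief who copied the second site's own database would find no passwords in it. All accounts and passwords are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed data: a local news site stored passwords in clear text and its
# account list has leaked. (Invented accounts, not real people.)
LEAKED_NEWS_SITE = [
    ("alice@example.com", "Tr0ub4dor&3"),
    ("bob@example.com", "correct horse battery staple"),
    ("carol@example.com", "carol1984"),
]

# What the same people chose on a second, well-run service (also constructed).
# Alice and Bob reused their news-site password; Carol did not.
SECOND_SITE_CHOICES = {
    "alice@example.com": "Tr0ub4dor&3",
    "bob@example.com": "correct horse battery staple",
    "carol@example.com": "a-different-password-for-this-site",
}

PBKDF2_ITERATIONS = 200_000  # deliberately slow; a memory-hard function such as
                             # scrypt or Argon2 would be a stronger choice in production


def hash_password(password, salt=None):
    """Store a password the way a well-maintained system should: as a salted,
    deliberately slow hash, never the password itself. A fresh random salt per
    user means two people with the same password get different digests."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute the hash with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


# The second site's database holds only salts and digests.
SECOND_SITE_DB = {email: hash_password(pw) for email, pw in SECOND_SITE_CHOICES.items()}


def second_site_login(email, password):
    """The second site's login check."""
    record = SECOND_SITE_DB.get(email)
    if record is None:
        return False
    salt, digest = record
    return verify_password(password, salt, digest)


def credential_stuffing(leaked_pairs, login):
    """Replay every leaked email/password pair against another service's login.
    Returns the emails for which the leaked password still worked, i.e. the
    people who reused it. Note that the second site's hashing did nothing for
    them: the attacker never had to crack a hash, only log in."""
    return [email for email, password in leaked_pairs if login(email, password)]


def stolen_database_contains_plaintext(db, choices):
    """What a thief of the second site's own database gets: salts and digests.
    True only if any real password appears verbatim in the stored bytes."""
    return any(
        choices[email].encode() in salt + digest
        for email, (salt, digest) in db.items()
    )


if __name__ == "__main__":
    opened = credential_stuffing(LEAKED_NEWS_SITE, second_site_login)
    print("accounts opened on the second site with the leaked list:", opened)
    print("second site's database exposes plaintext passwords:",
          stolen_database_contains_plaintext(SECOND_SITE_DB, SECOND_SITE_CHOICES))
```

The point a practitioner should take from this is that good storage on one site cannot protect a password that another site has already leaked; only not reusing it does.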
In the second case ‘compromising a second system’, the advice is simple.
NEVER USE THE SAME USERNAME AND PASSWORD FOR MORE THAN ONE SYSTEM.
This is even more important if you use that same password for your email.
Many systems assume an email inbox to be secure. So, for instance, if you forget your password and request a reset, most systems will email a link to the email address associated with your account. You therefore need access to your email to confirm the reset request.
If you have used the same password for your email, a criminal can not only access your account on the compromised service, they can also access your email and change passwords, thus locking you out. They can then request password resets for other services and confirm those, thus gaining access to countless other accounts.
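The reset flow just described, as an added example (not the article's own code or any real service's): the service keeps only a hash of each reset token, expires it after a fixed time and accepts it once. Even so, whoever can read the inbox can use the link, which is exactly why the email password must be unique. The link host, the 15-minute lifetime and the list standing in for a mailbox are assumptions made for the example.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 15 * 60  # how long a reset link stays valid (assumed for this example)


class ManualClock:
    """A clock the example can advance by hand, so expiry can be demonstrated."""

    def __init__(self, now):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class PasswordResetService:
    """Issues and redeems single-use, expiring password-reset tokens.

    Only a SHA-256 hash of each token is stored server-side, so a leak of this
    table does not hand out working reset links; the token itself exists only
    in the email that was sent."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # sha256(token) -> (email, expiry time)

    def request_reset(self, email, mailbox):
        """Mint a token and 'send' it to the user's mailbox (here a plain list)."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness: not guessable
        key = hashlib.sha256(token.encode()).hexdigest()
        self._pending[key] = (email, self._clock() + TOKEN_TTL_SECONDS)
        mailbox.append(f"https://example.invalid/reset?token={token}")  # constructed link

    def redeem(self, token):
        """Called when the link is clicked. Returns the email whose password may
        now be changed, or None if the token is unknown, already used or expired."""
        key = hashlib.sha256(token.encode()).hexdigest()
        record = self._pending.pop(key, None)  # pop: a token works at most once
        if record is None:
            return None
        email, expires_at = record
        if self._clock() > expires_at:
            return None
        return email


def token_from_link(link):
    """What a person (or an intruder) reading the mailbox does: pull the token out of the link."""
    return parse_qs(urlparse(link).query)["token"][0]


if __name__ == "__main__":
    clock = ManualClock(1_700_000_000)
    service = PasswordResetService(clock)
    inbox = []  # constructed stand-in for alice's mailbox
    service.request_reset("alice@example.com", inbox)
    # Anyone who can read the inbox, legitimately or not, can finish the reset:
    print("reset completed for:", service.redeem(token_from_link(inbox[-1])))
    print("second use of the same link:", service.redeem(token_from_link(inbox[-1])))
```

The security of this flow rests entirely on who can read the mailbox; the token hashing, expiry and single use limit the damage of a leaked database or an old email, not of a compromised inbox.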
To guard against the most common vulnerability - the user's own actions, you should take precautions to never share or document your password.
Sharing passwords with other staff members in a school is an all-too-common occurrence. We find that even though all our subscriptions allow the addition of extra staff accounts at no extra cost, many schools still circulate their account details to colleagues in order to access resources.
Of course, the real world issue is that people have countless accounts on a variety of Web based services and expecting people to have the ability to remember them all is a tall order.
One solution is to use a password manager. These store your passwords, each against a specific username and web address, in an encrypted vault that is unlocked with a single master password. You may already have one of these if you, for instance, use Chrome as a browser and have a Google account, or maybe you have activated the Keychain system built into Apple devices. Whichever you use, that master password (or the Google or Apple account the vault syncs through) now guards everything else, so it needs to be strong, unique and protected with two-factor authentication where offered.
There are a number of third party password manager options - some of which are reviewed here.
A second approach may simply be to actively forget most passwords. Concentrate on remembering the passwords for the services you use often and forget the rest. Make sure you remember your email account password - and make sure it’s a good secure one.
Then for any service you log into infrequently, set up a complex password - the secure passwords suggested by your browser are a good bet. Then each time you want to access those sites, simply go through the password reset process - this will normally take you less than a minute. Bear in mind that this makes your email account the key to all of those services, which is one more reason it needs a strong, unique password of its own.
For more tips on passwords see our article: How do you manage passwords with primary school children?
As we discussed earlier - a username/password combination is an example of One-factor or Single-Factor authentication. Given the inherent problems with this, many services are looking more to Two-factor or even Three-factor authentication.
Two-factor authentication - often written as 2FA:
If we think of Single-factor authentication as “Something the user knows” we can think of Two-factor authentication as Single-factor authentication with the addition of “something the user has”. This may be something like a fob that generates a one-time code from a secret stored inside it, combined with the current time or a counter. Think about the card reader you may use to confirm a transfer with your online banking. It could also be an app running on your phone or the phone itself - have you ever had a service send a text message with a confirmation code that you need to enter into a Web site before you may gain access? Paypal, for instance, uses this method. Text-message codes are the weakest form of second factor, because a phone number can be hijacked or the message intercepted, so an authenticator app or a hardware key is preferable where the service offers one.
Three-factor authentication (3FA):
This method builds on the previous two. Not only does it want evidence of ‘Knowledge’ (something the user knows) and ‘Possession’ (something the user has), it further requires ‘Inherence’ - “Something the user is”. Authorisation is then based not just on holding the right credentials, but also on who is actually presenting them.
Third-factor credentials are all biometric: the user’s voice, hand geometry, a fingerprint, a retina scan and so on. We may be aware of smart phones or laptops which use fingerprint or facial recognition to unlock the device. This is the kind of tech that may be used in three-factor authentication.
Strictly speaking it is only 3FA if these biometric methods are used in conjunction with the previous two factors. So although the unlocking of your phone with your fingerprint uses a biometric method, it is not necessarily in itself an example of 3FA.
We will see the higher factors of authentication used more and more often as the arms race between security systems and cyber criminals continues ever onward.
As ever, the advice remains the same. Be sensible, don’t fall into predictable patterns of password usage, and don’t share your security credentials with other people or duplicate them across other services.