Last week I wrote about a new internet scam doing the rounds.
This attack is particularly clever and really plays on people’s emotions in order to get them to send the hacker money. Or bitcoin, in this case.
As I said, there’s a good chance you, or someone you know has already been targeted by it. Indeed, I received a number of emails from readers saying they had been targeted by this scam.
If you missed my issue about it last week, you can read it here.
In that issue I suggested a good way to keep your accounts safer is to enable two-factor authentication (2FA).
As I didn’t really have space to go into how 2FA works last week, I asked you to write in if you’d like me to cover it in more detail this week.
Well, it turns out people are very interested in this topic. So, as promised, today’s issue is all about 2FA – how it works and how you can start using it on your accounts.
Why 2FA is so important
For years the standard way of logging into your online accounts has been to use a username and password combination.
This works fine if your password is very complicated and hard to guess.
If your password is long, has random characters and numbers in it and isn’t made up of common words, there’s very little chance a hacker could gain access to your account with a password cracker.
However, there are a few major problems with simply having a username and password.
- Most people don’t use random passwords like “eK8%9G!h+Se(”. Instead they will tend to use real words so they can remember them better.
- Because passwords are annoying to remember, most people will use the same password for many different accounts.
- Your username and password are stored by the company your account is with. So if they get hacked – through no fault of your own – the hacker gets access to your account.
On point 1, real words are much, much easier for hackers to “brute force”. A password like blue2 could be cracked within minutes by a password cracker.
So if you’re using a real word for your password, your account is not safe at all.
Over the last few years companies have got much better at forcing people to use complicated passwords though. You’ve probably seen this phrase many times in the last few years: “Your password must be at least 8 characters long, contain at least one number and at least one symbol”.
Problems 2 and 3 are much harder to solve. And, to make matters worse, they feed into each other.
So let’s say you have a complicated password, but you use it for more than one account.
Let’s say it’s your LinkedIn password, your email password and your Netflix password.
LinkedIn gets hacked. The hackers steal millions of users’ email addresses and passwords and post them on the web or sell them to criminals.
Now these criminals and hackers try these leaked email address and password combinations against many other popular services and they get access to your email account.
Remember, you’d used the same password for LinkedIn and your email.
Once a hacker gets access to your email account it’s pretty much game over.
They can then search through your emails, find out which other services and companies you use and then use the “forgot your password” link on all these sites to change the passwords and get access.
They then have even more accounts to sell on. Or, they can start ordering goods and services in your name. Or both.
By the way, that LinkedIn hack is real. In 2012 LinkedIn was hacked and 6.5 million usernames and passwords were stolen.
Big hacks like this happen all the time. They are not rare. Because of the centralised nature of the systems they use, a single breach can result in millions of user accounts being hacked.
(A cure for this is, of course, switching to blockchain-based systems. This is one of the key selling points of decentralised systems. But that is a topic for another day.)
So, what would have stopped the hackers getting access to your email account? 2FA.
How 2FA works
If you think of your username and password as one factor, 2FA simply adds a second one.
So, you can’t log in with just a username and password, you also need another piece of information.
Telephone banking and other important services have been using 2FA for decades. “… and can you also please tell me the third letter in your mother’s maiden name?”
The problem with this old-style 2FA is that it is static. It doesn’t change. So it’s not really much more secure than a username and password.
Once the hacker also gets access to your mother’s maiden name, or whatever fixed piece of information you’re using, they can log into any service that is using this style of 2FA.
Modern 2FA is different. The information that makes up the second factor is ever-changing.
If a hacker gets access to it, they will only be able to use it once – and usually only if they are very, very quick.
Modern 2FA sends you a unique code.
The service asks you to enter this after you have already correctly entered your username and password.
This code is usually accessed in one of three ways:
- It is sent to you as a text message
- It is emailed to you
- You access it on an app on your phone or computer.
You then enter this unique code and you get access to your account.
There is an even faster way this can work. For certain services you can use your phone itself as the second factor. A message will pop up asking if you’re trying to log in to your account. All you do is tap “yes” and your login will go through.
So, in this case, even if a hacker gets access to your username and password, without your phone or access to your email address, they won’t be able to get into your account.
It’s basically like a second password that changes every 30 seconds or so.
In tomorrow’s issue I’ll talk about how to set up 2FA, which services you can use it for and the common pitfalls you should be aware of when using 2FA.
As you’ll see tomorrow, 2FA is not foolproof. But it is much, much better than just relying on a username and password to keep yourself safe online.
Editor, Exponential Investor