dave

January 29th 2014 1:36 am

Turn on 2-factor authentication on all your accounts!

Stories like this give me the heebie-jeebies: "How I Lost My $50,000 Twitter Username"
https://medium.com/p/24eb09e026dd

Thanks to some social engineering on brain dead PayPal service reps (and GoDaddy reps, because of course GoDaddy), Naoki Hiroshima ended up losing his potentially very valuable Twitter handle (@N).

It's one of those things that reminds me to try and lock down everything as much as possible. So far, I have enabled two-factor authentication on some of the most valuable services I frequently use. What else is missing? And for that matter, what else can be done to make sure we secure our accounts?
  • Apple ID
  • Dropbox
  • Facebook
  • Google account
  • Paypal
  • Steam
  • Twitter

17 replies
frankspin

While two-factor can help, I think this article, and Mat Honan's, are showing a fundamental breakdown in security on the company tech support side. I think companies need to do more to better educate their CSRs and to not so willingly give away information over the phone.
4 like dislike
dave

Interestingly enough, I think Mat Honan's post did say that had two-factor authentication been enabled for either his Gmail or Apple ID, things would have been much more difficult for the hackers to break into his account.
2 like dislike
kineticartist

The biggest problem is stores aren't liable for any fraudulent charges; the bank eats those and we are responsible for $50. I bet you if the store was liable their cashiers would be trained better to CHECK ID before allowing a credit card purchase, but alas, to a store a fraud purchase is still a purchase.
1 like dislike
frankspin

Yeah, I'm not too keen on retailers no longer requiring signatures on purchases less than $50. I feel like less than $20 is acceptable, but $40-50 is still a lot of money for most people.
3 like dislike
Met

All these stories are pretty scary about how @n and @mat were stolen and @jb was almost stolen.

It really makes you feel like the average user would need to be VERY security conscious just to save their entire e-lives from being stolen from them in an hour or so.

One thing I noticed is a common trend in these stories: Amazon is the weakest link that always gives away your information, allowing all these hacks to happen.

Also, when you cross-reference that with the recent study on password management, you find Amazon REALLY far down that list:
arstechnica.com/security/2014/01/apple-com-does-mo...

I think one big lesson here might be to have your Amazon account on another email address.
3 like dislike
baileylo

I'm curious what happens if your phone / laptop are stolen or you forget to pay a bill and lose your phone number. I lost my phone a couple months back and can only imagine that having two factor auth would've made resetting passwords for all my services more difficult.
3 like dislike
frankspin

This is why I like the SMS option over relying on Google's app. If this were to happen, I can just get service disconnected and reactivate a new phone.
4 like dislike
dave

I think this is a great point. On one hand, I think you're potentially screwed if you don't take the right precautions. But you can do things to mitigate a disaster.
  1. Set up a passcode lock on your phone that erases the phone after 10 failed attempts.
  2. Turn off text message previews on the lock screen, so if someone DOES know / figure out your password, they still can't see your two-factor authentication code (if you get this via SMS).
  3. Print out and keep recovery codes in a safe place. Gmail, Facebook, Apple and others let you save a long hash that allows you to recover your account if all else fails.
  4. Lose your phone? Report it stolen and immediately get a replacement so you can get texts and log in to your accounts.
2 like dislike
dave

Addendum to this: If you're traveling and your phone gets swiped, I think that's going to be a gigantic pain in the rear, especially if you're traveling internationally. The chances of this are probably low, but still. That would be a huge headache!
1 like dislike
frankspin

I found someone who is running a continuous list of sites offering two-factor authentication, which you can find here: evanhahn.com/tape/two-factor-auth-list/

If you want to contribute to the project, you can do so via the GitHub page https://github.com/EvanHahn/two-factor-auth-list
3 like dislike
kineticartist

Very cool, Frank, thank you for those links!
0 like dislike
kineticartist

Since PayPal is the number one way I get paid by web development and hosting clients, I've been using their PIN card system for over 4 years. When I log in (or anyone else who tries), they are prompted for a 6-digit code I generate from a credit-card-looking device; if I don't have it with me, I'm prompted for information only I know to gain access to my PayPal. I've also been using 2-factor auth wherever I can, including Gmail/Google and FB, and I teach my clients to do the same.
1 like dislike
HughesNet

2-factor authentication is nice in theory, but for someone like me that has their phone OS completely changed from day to day, it just doesn't work. I'd much rather rely on strong passwords and something like 1Password.
0 like dislike
kineticartist

Most two-factor auth sends a code to your phone number, so even if your OS changes, your number stays the same, correct? Or am I missing something? And I'm no dummy, but I installed KeePass and was completely bewildered. I can't imagine any of my clients using it. I only got as far as generating a master key and setting up the DB; after that I was lost.
0 like dislike
Met

I think he's referring to Google's option of using their Google Authenticator app instead of getting an SMS each time. But that's entirely optional and you can switch back to getting an SMS each time you log in if you want.
1 like dislike
HughesNet

Exactly, I was referring to the app method, which just wouldn't work for me. The SMS method works and I am giving that a try. And then you have services like LogMeIn that don't even offer SMS but instead use email. Maybe if I use a Google Voice number as the SMS for all my 2-factor except Google's... then I am not even tied to my phone, as I can always just check the web portal.
0 like dislike
kineticartist

I've made it my duty to educate my clients wherever and whenever I can, as I believe a smart client is a happy client. A lot of IT support will let their clients do crap passwords just so they can bill for the cleanup afterwards. But it is a struggle even on my own end to use strong passwords and use 2-factor, because I'm very busy and this slows me down. But then I think of the lost hours if I got hacked or any of my clients got hacked. Yeah, it's a no-brainer.
0 like dislike
This discussion has been viewed 6340 times.