Data breaches are a common occurrence nowadays, with more and more personal data being exposed to the public and to malicious organizations. Big companies such as Yahoo, LinkedIn, and Equifax are not immune to these data breaches, and their incidents exposed millions of customer accounts. In the Philippines we have also experienced data breaches, recently at COL Financial (an online stock brokerage) and at Jobstreet (a job board). It is therefore important to protect your online accounts so as to minimize the damage caused by these data breaches.

I personally have accounts in COL Financial and Jobstreet, and so the reported data breaches served as a wake-up call for me to take steps toward securing my own accounts. In this article I will share some practical ways to protect online accounts.

No online service is 100% immune to data breaches, so we should take the mindset that every service we use online will eventually have a breach. It is not a question of whether, but when, the attacks will occur. Companies have the daunting task of always needing to be one step ahead of the attackers. There are many ways an attacker can gain access to customer data in an online service, such as:

  • Technical breach – Attacking the service directly, for example by guessing passwords or by replaying passwords that leaked from other sites (credential stuffing), and gaining access to the data that way
  • Backdoor programs/vulnerabilities – Installing programs on the servers that give attackers access from the inside. If the servers are not updated to the latest versions, existing vulnerabilities may also be exploited by the attacker to gain access to the system
  • Social engineering – A coordinated attack using email, social media, and other means of communication that aims to gather credentials and other sensitive information from customers or company employees

Here are some ways on how we can protect our online accounts:

Generate Strong, Random Passwords

You have probably heard this one over and over again in blogs, books, articles, news, and signup forms. Usually when you sign up for a website it checks the password that you create to see if it's a “strong” password. Typically you are required to have lowercase, uppercase, symbols, and numbers in your password.

While these measures are good in that they force users to create passwords that are somewhat hard to guess, the resulting passwords are hard to remember, which may prompt the user to write down or save them on another medium, such as a spreadsheet, a text file, or a sheet of paper. This reduces the overall security of the account, since all the passwords can then be stolen physically or digitally without even attacking the website itself.

To combat the tendency to write down passwords in an insecure location, let’s explore another way of generating a strong password that is also easy to remember.

There was an XKCD comic (“Password Strength”) that compared a password using special characters, numbers, and mixed case with a password composed of completely random words. It showed that a seemingly random password that uses special-character substitutions to obfuscate a single dictionary word (about 28 bits of entropy by the comic’s estimate) is hard for a human to remember but easy for a computer to guess. In contrast, a password composed of four purely random words is easy to remember yet has higher entropy (about 44 bits in the comic), which makes it much harder for a computer to guess.

To make the point clearer, let us use one of the many password generators based on this “XKCD” approach, such as xkpasswd.net. This website lets you generate random passwords, including the kind described in the comic. For simplicity, you can load the following config into the website to preset the settings and generate some passwords quickly:

{
  "num_words": 4,
  "word_length_min": 4,
  "word_length_max": 6,
  "case_transform": "NONE",
  "separator_character": "-",
  "padding_digits_before": 0,
  "padding_digits_after": 0,
  "padding_type": "NONE",
  "random_increment": "AUTO"
}

Using this configuration, here are some of the passwords that were generated:

raise-family-often-future
town-find-late-public
plant-leader-storm-suffix

To illustrate how we can easily remember these passwords, think of how you can connect or relate each of the words, and then create a story that you can memorize in your head.

For example, the first password can be remembered as the sentence “When you raise a family, you often think of the future“. I can assume that after reading that sentence twice, you will have already memorized the password!

The second password can be remembered as the sentence “When you go to town, always find the late(st) public transport”. The third password is definitely harder to connect and relate to each word compared to the first two, but I will leave it as an exercise to the reader 😀

When using this approach to password generation, there is one important rule: the words must be completely random. It is not enough to think of different words yourself. Even if the words feel random to you, your choice is still influenced by your thoughts, vocabulary, and subconscious mind, and this results in a password that is not as strong as the math suggests.

Attackers can combine other information about you (interests, family, places you visit) with lists of common words to guess the word combinations you are likely to pick. Therefore it is important to use an external, unbiased tool that draws each word uniformly at random from a large list, instead of creating the combination yourself.
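To see why the source of randomness matters, here is a small added example (my own code, not the xkpasswd.net generator) that picks words with Python’s secrets module, which uses the operating system’s cryptographic random source, and works out the entropy figures the comic relies on. The word list is a constructed stand-in; the 2048 and 7776 figures are the comic’s assumed word pool and the size of the EFF long word list respectively.

```python
import math
import secrets

# Constructed word list for this demo only. Real generators use far larger
# lists: the XKCD comic assumes roughly 2048 words (11 bits per word), the
# EFF long list has 7776 words (about 12.9 bits per word).
DEMO_WORDS = [
    "raise", "family", "often", "future", "town", "find", "late", "public",
    "plant", "leader", "storm", "suffix", "river", "candle", "orbit", "ledger",
]


def entropy_bits(wordlist_size: int, num_words: int) -> float:
    """Entropy of a passphrase whose words are picked uniformly (with
    replacement) from wordlist_size words: log2(wordlist_size ** num_words).
    The estimate only holds if every word really is equally likely."""
    if wordlist_size < 2 or num_words < 1:
        raise ValueError("need at least two words and one pick")
    return num_words * math.log2(wordlist_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every passphrase of the given entropy."""
    return 2.0 ** bits / guesses_per_second


def generate_passphrase(words, num_words: int = 4, separator: str = "-") -> str:
    """Pick words with the OS CSPRNG (secrets), never with random.choice and
    never by hand: a human picking 'random' words is biased toward familiar
    ones, which shrinks the effective word pool and the real entropy."""
    if len(set(words)) != len(words):
        raise ValueError("word list must not contain duplicates")
    return separator.join(secrets.choice(words) for _ in range(num_words))


def is_well_formed(passphrase: str, words, num_words: int = 4,
                   separator: str = "-") -> bool:
    """Check that a passphrase consists of num_words entries from the list."""
    parts = passphrase.split(separator)
    return len(parts) == num_words and all(p in words for p in parts)


def compare_to_comic(guesses_per_second: float = 1000.0) -> dict:
    """Reproduce the comic's comparison: a mangled dictionary word (~28 bits)
    against four random words from a 2048-word list (44 bits), both attacked
    at the comic's 1000 guesses per second."""
    year = 365.25 * 86400
    substitution_bits = 28.0  # the comic's estimate for the 'Tr0ub4dor&3' style
    passphrase_bits = entropy_bits(2048, 4)
    return {
        "substitution_bits": substitution_bits,
        "substitution_days": seconds_to_exhaust(substitution_bits, guesses_per_second) / 86400,
        "passphrase_bits": passphrase_bits,
        "passphrase_years": seconds_to_exhaust(passphrase_bits, guesses_per_second) / year,
    }


if __name__ == "__main__":
    for _ in range(3):
        print(generate_passphrase(DEMO_WORDS))
    print(compare_to_comic())
```

With the comic’s assumptions the numbers come out as it states: roughly three days to exhaust the mangled-word space versus several hundred years for the four-word passphrase. Note that the 16-word demo list above gives only 16 bits for four words; the strength comes from the size of the list and the uniform draw, not from the format.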

Use a Password Manager

Even when using memorable passwords, the sheer number of websites we access daily makes it hard to keep track of which password we use for each one. Because of this we sometimes list our passwords on paper (physical) or in a text file (digital). If an attacker gains access to that list, many of your accounts can be compromised at once; reusing one password across sites has the same effect, since a breach at any one of them exposes all the others.

This is where password managers come in. This article describes how password managers improve your account security and the considerations for using them.

Use Multi-Factor Authentication

Multi-factor authentication adds a layer of security by requiring, in addition to the account password (something you know), proof of a second factor such as a one-time code or confirmation link delivered to a device you own (something you have). A common implementation is two-factor authentication (2FA), which you may already have encountered on websites you use. Due to the increasing frequency and severity of data breaches, many websites implement 2FA and recommend that users enable it for their accounts.

SMS Authentication

A familiar way to implement 2FA is to require users to link a mobile number to their account. Whenever you log in, the service sends a one-time code to your phone via SMS, and this code is required in addition to your password before you can access your account.

This increases security because it adds a separate authentication channel. Even if an attacker guesses or steals your password, they cannot access your account as long as they do not control your mobile number or phone.

One problem with SMS 2FA is that it is not completely secure. We may think SMS is safe because you need your phone or SIM card in hand to receive the message, but that is not the reality. SMS is not end-to-end encrypted and is carried over the carriers’ signaling networks (SS7), whose weaknesses have been used to intercept messages. More commonly, attackers simply convince your carrier to move your number to a SIM they control (a “SIM swap”) and then receive your codes themselves, or they run a phishing page that asks for the SMS code right after the password and relays it to the real site in real time. For these reasons NIST’s Digital Identity Guidelines (SP 800-63B) classify SMS as a restricted authenticator.

So if an attacker knows both your password and your mobile number, and can intercept or redirect your SMS, they can still gain access to your account even though you have 2FA enabled.

Authentication Applications

A more secure way of receiving 2FA codes is an authenticator app. These are mobile applications that generate time-based one-time codes (TOTP, standardized in RFC 6238) for each service you use. Popular examples are Google Authenticator, Authy, and Duo. Setup is convenient: most of the time you just scan a QR code shown by the service, which carries the shared secret, and your codes are set up automatically.

Some advantages of using an authenticator app compared to using SMS are:

  • The authenticator app works even if you are offline or have no access to the mobile network. With SMS codes, you cannot receive the codes without network coverage.
  • The authenticator app provides the codes instantly. With SMS, there can be delays before you receive the code, depending on network load and congestion.
  • The codes are computed on the device from a secret key shared with the service at setup and from the current time, so there is nothing to intercept in transit and no phone number for an attacker to take over. (The code you type in can still be phished by a fake login page, so check the address of the site you are logging in to.)

The last point is the main reason an authenticator app is more secure. After setup the shared secret never leaves your device (the app needs no connectivity, which is why it works offline); only the short-lived six-digit code is sent when you log in. No one else can generate your 2FA codes unless they have physical access to your phone, your phone itself is compromised, or they captured the secret at setup time.

When you change your mobile device, you will need to set up 2FA again for all of the services you use, unless the app offers an export or backup feature, because the shared secrets are stored only on that device. While I have seen users complain about this as they cannot transfer the authenticator app credentials to a new device, I think this is an important security feature. It illustrates that your 2FA codes are kept safe as long as the device itself is not compromised. For the same reason, store the backup or recovery codes that services give you at setup somewhere safe; they are the only way back into the account if the phone is lost.

Final Thoughts

There are many things you can do to secure your online accounts. The items listed above are not intended to be an exhaustive list, but doing them will already increase your protection significantly. In this day and age of prevalent digital usage and information available to more and more people, we cannot afford to be complacent about our data security.

Photo by Markus Spiske on Unsplash
