Tag Archives: Google

A lesson in Phishing and Two Factor Authentication

13 August 2017

The post ‘Hackers Hijack Popular Chrome Extension to Inject Code into Web Developers’ Browsers’, published on August 3, 2017 by Graham Cluley on the Tripwire blog ‘The State Of Security’, gives another good reason for the use of Two Factor Authentication.

Since phishing emails are getting better and better, it is not surprising that even professionals can be tricked.

So I can fully accept the developer’s answer ‘I stupidly fell for a phishing attack on my Google account.’ to the question ‘Any idea how this could have happened?’.

But I cannot understand why the Google account was not secured with Two Factor Authentication (TFA), in particular because Google’s push notification makes life with TFA really easy.

With TFA enabled, this cyber attack could have been prevented.

Have a great week, and activate TFA for your Google account.

Review: Poor password practices put 60% of UK citizens at risk

4 December 2014

Poor password practices put 60% of UK citizens at risk.

Warwick Ashford’s report is really alarming: ‘More than six in 10 UK consumers put their data at risk by using a single password across multiple online accounts, a study has shown.’

But the worst is yet to come. They also use weak passwords: ‘Trustwave analysed more than 625,000 password hashes and found 54% were cracked in just a couple of minutes and 92% in 31 days.’

Passwords are definitely inappropriate for authentication in the age of cyber crime. The news of the past weeks shows that major players on the IT market like Twitter, Microsoft or Google have developed technologies to address this problem.

FIDO U2F Security Key


The FIDO U2F standard (FIDO = Fast Identity Online Alliance, U2F = Universal Second Factor) appears to be a quantum leap towards secure authentication on the world-wide web. Google has already integrated this standard into the Chrome browser. The second factor is established by a security key attached to a USB port.
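To show why the security key described above resists a phishing attack like the Chrome extension hijack discussed at the top of this page, here is an added example (not code from this page or from the FIDO Alliance): a simplified U2F authentication round in Go. The token signs the appId (the web origin) that the browser reports, and the relying party verifies against its own appId, so an assertion obtained on a look-alike origin does not verify. The origin strings and the minimal client data are constructed assumptions; the real protocol also carries a key handle and attestation, which are omitted here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Token is a simplified U2F security key: one P-256 key pair and a monotonic use counter.
type Token struct {
	key     *ecdsa.PrivateKey
	counter uint32
}
type RelyingParty struct {
	appID       string // the real site's own origin, fixed at enrolment
	pub         *ecdsa.PublicKey
	lastCounter uint32
}

// Enrol generates the key pair and registers its public half under one appId (one web origin).
func Enrol(appID string) (*Token, *RelyingParty, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Token{key: key}, &RelyingParty{appID: appID, pub: &key.PublicKey}, nil
}

// signedMessage is the U2F authentication payload: sha256(appId) || presence || counter || sha256(clientData).
func signedMessage(appID string, counter uint32, clientData []byte) []byte {
	app, cd := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	ctr := []byte{byte(counter >> 24), byte(counter >> 16), byte(counter >> 8), byte(counter)}
	buf := append(app[:], 0x01) // 0x01: user touched the key
	h := sha256.Sum256(append(append(buf, ctr...), cd[:]...))
	return h[:]
}

// Authenticate signs for the appId the browser reports; on a phishing page that is the phishing origin.
func (t *Token) Authenticate(appID string, clientData []byte) (uint32, []byte, error) {
	t.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, t.key, signedMessage(appID, t.counter, clientData))
	return t.counter, sig, err
}

// Verify accepts only a signature over its own appId with a strictly increasing counter.
func (rp *RelyingParty) Verify(counter uint32, clientData, sig []byte) bool {
	if counter <= rp.lastCounter || !ecdsa.VerifyASN1(rp.pub, signedMessage(rp.appID, counter, clientData), sig) {
		return false
	}
	rp.lastCounter = counter
	return true
}
```

Verify also rejects a counter that does not increase, the standard U2F check for a replayed assertion or a cloned key.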

Unfortunately, it only takes effect after you have logged in to your computer, phone or tablet, and only in Chrome.

And that, in my opinion, is the crux of the matter. In a perfect world, I would like to log in to my computer with a PIN or fingerprint and the FIDO U2F security key attached to the device.

A central, world-wide available and trusted identification authority verifies my identity and creates my identity token, which is valid for the duration of my session.

All services like Google, Home Depot, Amazon, the city council or the tax office rely on this identity token. For security reasons the identity must be checked again before critical transactions are carried out.

Sounds fantastic, doesn’t it?

Look forward to a world without passwords!

Google confirms ‘five million’ customer data dump but denies breach

13 September 2014

Google confirms ‘five million’ customer data dump but denies breach – IT News from V3.co.uk.

The news about the Google hack this week was somewhat puzzling at first glance. Five million customer records stolen but no attack on internal systems? It took me some time to understand this.

In my opinion some hackers collected a large number of accounts from lots of companies, including some Google accounts. From my experience with phishing attacks, and the statements in several reports about the lousy data quality, this sounds quite plausible.

Some statements in the post ‘Cleaning up after password dumps’, published by Google’s Spam and Abuse Team on 10 September in its Online Security Blog, confirmed my impression:

It’s important to note that in this case and in others, the leaked usernames and passwords were not the result of a breach of Google systems. Often, these credentials are obtained through a combination of other sources.

For instance, if you reuse the same username and password across websites, and one of those websites gets hacked, your credentials could be used to log into the others. Or attackers can use malware or phishing schemes to capture login credentials.

How could we avoid such data theft in the future?

From a technical point of view only Two or Multiple Factor Authentication (MFA) could prevent such attacks. In the post ‘Google denies breach after hackers leak millions of user logins’, published on 11 September on ComputerWeekly.com, Yiannis Chrysanthou, security researcher in KPMG’s cyber security team, stated that MFA is the sole means to prevent misuse of stolen credentials.

The last statement in this post was very puzzling:

“Of course this extra security comes with increased investment – but the improved customer protection makes it viable and valuable,” said Chrysanthou.

What increased investment? For using Google 2-Step Verification? Or TFA in Apple’s iCloud services or on WordPress.com? There are no additional costs! The only drawback of MFA is a loss of comfort for the users of these services. But the gains in security are invaluable. I would be very pleased if Amazon, eBay, and Microsoft added TFA to their services as soon as possible.

When it comes to implementing MFA inside companies, we definitely talk about increased investment. Adding MFA to an Active Directory that serves tens of thousands of internal users, or to a service for external customers, will result in an additional investment and higher operating costs. But with TFA the eBay data breach earlier this year would have been prevented, and so would the Code Spaces collapse.

The big question is as always: What is the total loss of turnover created by a data breach compared to the total costs of implementing TFA?

Can Code Spaces tell us?