Wednesday, November 12, 2025
PERSPECTIVES FROM THE CAMPUS
One of the strengths of Indiana is that we bring together a variety of perspectives from the plethora of areas that touch the field of cyber, especially through the colleges, universities, and other institutions of higher education throughout our state. Hence the name “Perspectives from the Campus”: we invite experts, immersed in the pursuit of educating their students, to offer their knowledge for finding solutions in cybersecurity that benefit all Hoosiers.
In the latest installment of this series, David Dungan, who serves as the executive director at the Center for Security Services and Cyber Defense at Anderson University, discusses some of the cyber threats that have emerged when using two-factor authentication (2FA), and what you can do to make sure a would-be cybercriminal doesn’t create an off-ramp to bypass what is otherwise a secure method for protecting your personal and financial information.
By David Dungan
Have you noticed anything different while logging in to your online accounts recently?
Some apps have abandoned traditional logins with user passwords in favor of Time-Based One-Time Passwords (TOTP) and/or Two-Factor Authentication (2FA) to bolster account security. 2FA combines the standard password login with a second step that verifies the user is genuinely the account owner.
Two-factor authentication (2FA) is highly effective, blocking over 99 percent of automated attacks and significantly reducing successful breaches, even if a password is stolen. That being said, it’s important to keep in mind that no system is entirely foolproof.
Factors that are used for authentication include:
- Something you know: Passwords, PINs, security questions
- Something you have: Phone, smart cards, email account
- Something you are: Fingerprint, iris scan, facial recognition
- Somewhere you are: Based on geolocation or internet network
2FA implementations combine two of these factors. The account login process is more secure because you have to prove your identity by more than just typing a password. If a cybercriminal were to try to circumvent your 2FA, they would likely use one of the following methods:
- Phishing: Setting up a fake login page to steal your credentials and the 2FA code.
- SIM Swapping: Through social engineering, an attacker could gain access to the SIM card in your phone and obtain 2FA codes sent by text message.
- Compromising your email: By obtaining access to your email account, an attacker could obtain 2FA codes sent via email.
- Keylogger: By planting malware that records keystrokes, an attacker could obtain 2FA codes. Often this type of malware originates from a phishing email or download link.
- Session Hijacking: After logging into your account via 2FA, an attacker could steal the security token stored by the browser that is needed for account access.
Fortunately, there are several recommended best practices that you can follow to keep your accounts and, most importantly, your personal information more secure, including:
- Using strong passwords: Passwords should always be strong and secret.
- Using a password manager: Password managers can create and securely store complex, unique passwords. Some examples include 1Password, KeePass, and Bitwarden.
- Locking down your email client: Protect your email with a strong password and use 2FA.
- Avoiding 2FA texts: Whenever possible, opt for authenticator apps like Google Authenticator, Authy, etc.
- Watching out for malware: As always, be sure not to click on any suspicious links or websites before verifying that they are legitimate.
- Adding a PIN for your mobile carrier: To avoid phishing, set up a security PIN or passphrase with your mobile service provider.
With 2FA becoming increasingly commonplace due to its effectiveness in preventing login credential hacks, there is no doubt that cyber threat actors will attempt to find methods to bypass it.
By staying vigilant and following best practices, you’ll be better able to protect yourself from running into a digital roadblock.
