Logins Let Us Down, Again.

I’ve said it before and I’ll say it again, when it comes to our personal digital security, we’re our own worst enemies. That’s because many of us tend to be way too lackadaisical about creating secure user names and passwords. Instead we default to using our kids’ names and dates of birth — or something equally predictable — to keep our accounts and other vital personal information secure. If you think today’s hackers can’t work that out, you’ve got another thing coming.

In fact, the annual Verizon Data Breach Investigations Report (DBIR) published in April revealed that 63 percent of confirmed data breaches over the past year involved hacked passwords. It turns out that all many of the bad guys (and girls) are taking our credentials and using them against us.

There are various ways to respond to this, but a couple that are underused despite being highly effective and relatively easy to implement, are two-factor and multi-factor authentication. Let’s take a closer look at why using these approaches is such a good idea.

In God We Trust, Everyone Else Bring Data

If you want to understand which cyber security threats are most important, the Verizon report I mentioned earlier is a good place to start. Every year Verizon takes cyber incident data from around the world and builds a dataset of confirmed breaches that are then analyzed for patterns.

The 2016 edition of the report compiles data from 67 organizations including Verizon Enterprise Systems, Intel Security, and various national law enforcement agencies, as well as a variety of security firms. The final dataset encompasses 64,199 incidents and 2,260 confirmed data breaches.

What the report makes clear is that as a society, we’re still not getting the basics of security right. And that starts with our passwords.

As I noted above, in 63 percent of the confirmed breaches analyzed in the Verizon report, attackers used legitimate user credentials (i.e., user names and passwords). In some cases, the problem was that people had weak passwords that the hackers could easily figure out. In others, people never bothered to reset the equally vulnerable default passwords they received. Most of the rest were stolen using malware, phishing or keylogging. You can see the actual breakdown in the chart below.

Source: Verizon Data Breach Investigations Report (DBIR) 2016

Source: Verizon Data Breach Investigations Report (DBIR) 2016

No matter how it’s done, targeting user credentials is a key attack approach criminals and others are using to gain access to computer systems.

So what can be done?

Better user training is important to reduce the number of incidents where employees click on phishing email links. Monitoring for malware can also help, as can having longer strings or using complicated phrases as your passwords, and managing them all in a password management tool.

The problem is that none of these solutions is fail-safe because they each still rely on what’s known as one-factor authentication. By the way, a factor — in this case the password — is simply something that only the person logging into the system or account is supposed to know. Once it’s been obtained by anyone else, the account or device can be compromised.

Last month it was reported that Mark Zuckerberg had his Twitter, Pintrest and LinkedIn accounts hacked. His password for all three accounts was said to have been “dadada.” That he had such an ineffective password is bad enough. But the fact that he was reusing the same one across all three accounts meant that he was putting himself at real risk. Eventually, that risk caught up with him.

Two-factor or multi-factor authentication — where there’s more than one factor that you need enter to access an account — would have helped Zuckerberg prevent some of these problems. Twitter, for example, gives you the option of having to enter a code that they text to you every time you log in. That means that in addition to entering your standard user name and password, you have to enter a unique code that’s only being sent to your phone. By adding this second factor, it makes accounts a lot more difficult to hack.

While this second factor helps make it harder for any would-be hacker to gain access to your accounts using your user name and password, it’s by no means perfect. One issue, for example, is that although the code is being sent to a separate device, as a user you then have to enter it back into your primary device along with your user name and password. Fair enough, but if your primary device has been compromised with malware, an attacker may be able to see that second factor as you type it and thus gain access to your account.

One solution to this type of attack is to validate the second factor authentication via a separate channel, such as the phone itself. Some vendors enable this, sending you a special request that requires confirmation on the phone itself.

In my next post, I’ll look at some of these different options for increasing the security of your systems using either two-factor or multi-factor authentication in more detail. As we’ll see, like with many things in information security, it’s not always as simple as it might seem.

In the meantime, make sure you’re using a password manager, not reusing passwords between systems, and that you’re turning on whatever two-factor or multi-factor authentication the applications that you use offer. Trust me, it’s a lot easier than dealing with the headaches of being hacked.