OK, so now that I have your attention, let’s break this one down.
MFA for Fun and Profit
There is a trend in information security (or InfoSec if you’d rather) towards Multi-Factor Authentication (MFA for short). MFA means that to authenticate (log in), you must present more than one factor, and the factors must be of different types. Two passwords are still a single factor; a password plus a code from your phone is two.
The most common types of MFA revolve around three pieces of information:
- What you know. This is most commonly a password or PIN. To log into a site like Facebook, you typically provide your username (often an email address) and your password. The username only identifies you; the password is the secret that counts as the factor, and it is something you know.
- What you have. This is most commonly provided by a card or chip or (in many cases nowadays) a cell phone. As an example, if I swipe a badge to enter a parking garage, that is something I need to have, in order to gain access.
- What you are. This typically encompasses what is known as biometrics: fingerprints, the iris of an eye, hand geometry, and so on. Remember the movie National Treasure with Nicolas Cage? Of course you do – great movie. In that movie, he lifted a fingerprint off a champagne glass and used it to get past a fingerprint scanner. He defeated this form of authentication, which is the catch with biometrics: you leave copies of them everywhere, and you cannot change them once they have been copied.
So the golden rule of security, in this regard, is that the more different types of authentication you require, the more secure the login is. It’s great for me to have a bank card (something I have). It’s better yet to require a PIN along with that card (something I know) in order to do a transaction. If you have a newer credit card with a chip onboard, that is the direction we’re (hopefully) headed. You put in the chip, then enter a PIN, and bada bing – you just bought groceries with MFA. We’re not quite there yet, and credit card numbers are bought and sold on the dark web all the time. They are crazy easy to abuse because for an online purchase the number itself is the only factor you need.
OK Sherlock, but why do I care?
Hey glad you asked. For some sites (most notably, banking and financial sites), you are now being required to set up security questions. These questions do not add a second factor; they are simply more of the same factor, something you know. As an example, to log into my bank account online, I provide my username and password, and then I’m asked a security question that I have to answer. I set those questions up beforehand, and simply regurgitate an answer to log in.
These Security Questions are Not Very Secure
There are many websites out there that provide lists of the most common security questions. Here are a few examples I dug up, with a very quick and basic Google search:
- What is the first and last name of your first boyfriend or girlfriend?
- Which phone number do you remember most from your childhood?
- What was your favorite place to visit as a child?
- Who is your favorite actor, musician, or artist?
- What is the name of your favorite pet?
- In what city were you born?
- What high school did you attend?
- What is the name of your first school?
- What is your favorite movie?
- What is your mother’s maiden name?
- What street did you grow up on?
- What was the make of your first car?
- When is your anniversary?
- What is your favorite color?
- What is your father’s middle name?
- What is the name of your first grade teacher?
- What was your high school mascot?
- Which is your favorite web browser?
Understand, this is just a basic list, and every question on it is more of the single factor “What You Know”. It looks like a deeper level of security, but it isn’t, because the answers are facts about your life rather than secrets. In September 2008, the personal Yahoo email account of Sarah Palin was compromised through the account’s password-reset flow: the attacker answered its recovery questions (her birthday, her ZIP code, and where she met her husband) using information found with just a little bit of detective work, and the reset handed over complete access to the mailbox. This is just one example, and there are myriad others. Using this type of “security” doesn’t really help all that much.
Facebook Polls for the Phisher
Hey did you know that when you fill out those cute little Facebook top ten posts about yourself, you are potentially handing a hacker the answers to your security questions? They can then use that information to try to take over your account. The information you provide about yourself online is often etched into eternity, and publicly accessible. Palin’s hacker learned the answers to her email security questions by doing a little bit of Google work. Single Factor Authentication is not that secure, and a second helping of the same factor doesn’t fix it.
So that brings me to the point of my rather sensational blog title. While there are exceptions, it is generally against our nature to lie to other people. But I encourage you to lie – openly and completely – when you set these security questions. Treat each answer as a second password rather than as a fact: it should have nothing to do with your history, background, or life story, so that someone who has sifted through your online footprint still cannot guess it. Lying on security questions is recommended by Kevin Mitnick in his awesome book, The Art of Invisibility. The trick is to remember the answer to your questions. A password manager solves that for you: save the made-up answer next to the site’s password, and it never has to be memorable at all. If you can pull that off, you’re home free.
For example, let’s take a few of these common questions.
What is the first and last name of your first boyfriend or girlfriend?
Well, that one would be pretty easy to find out, right? Chances are, you have that person as a friend on Facebook. Someone else out there knows this information – perhaps even your first boyfriend or girlfriend. You just gave that person potential access to your account. But what if you chose a different answer – such as the school bully who you despised? What if you chose for all of these questions, the most blatant lie you could think of?
Who is your favorite actor, musician, or artist?
Who is your LEAST FAVORITE actor or actress? Who is the least musical person you know? All potential answers here.
What high school did you attend? Or what was your high school mascot?
Very easy to guess, and I think one of the questions that got Palin hacked. But what about instead picking your high school rival school? Or decide to instead pick the name of a fictional school like Hogwarts? Be creative in your lies.
OK so I could go on all day long with these, and I imagine by now you get the point. I strongly encourage you (as does Kevin Mitnick) to think outside the box here and fabricate answers that are not easy to guess. Better still, make the answer a random string from your password manager and save it there alongside the password. A lie that is merely unusual can still be guessed by someone who knows your rivals and your tastes; a random answer cannot.
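To make the “treat the answer as a second password” idea concrete, here is an added example (my own code, not from the original post or from Mitnick’s book) that does two things: it scores a proposed security-question answer against a constructed public footprint, a common-answer list and a length floor, and it generates a random answer that has no connection to the user at all. The footprint text, the common-answer set and the word list are all invented for the example; a real checker would load a far larger common-answer list and a real word list such as the EFF diceware lists.

```python
import re
import secrets

# Constructed sample of what a person might leave in a public "10 things about me" post.
# Invented text for this example, not a real person's profile.
PUBLIC_FOOTPRINT = """
Born in Springfield, class of Westview (go Wildcats!), first car was a Honda Civic,
favorite movie is Jaws, first pet was a beagle named Buddy, and Mom was a Henderson
before she married Dad.
"""

# Answers common enough to be worth guessing blind. Assumed list for the example;
# "hogwarts" is included on the assumption that popular fictional names get guessed too.
COMMON_ANSWERS = {"blue", "red", "green", "chrome", "firefox", "max", "buddy", "hogwarts"}

# Tiny constructed word list for random answers. A real one would be thousands of words.
WORDLIST = ["velvet", "cactus", "harbor", "thirteen", "lantern", "granite",
            "orbit", "pickle", "saffron", "tundra", "walnut", "zephyr"]


def tokens(text: str) -> set:
    """Lower-cased alphanumeric words in a block of text."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def answer_is_weak(answer: str, footprint: str = PUBLIC_FOOTPRINT):
    """Return a reason the proposed answer is guessable, or None if no check fires.

    The checks run in the order an attacker would try them: the blind guess from a
    common-answer list, the short answer that falls to brute force, and the fact that
    is already sitting in the person's public footprint.
    """
    words = tokens(answer)
    if not words:
        return "empty answer"
    reasons = []
    if answer.strip().lower() in COMMON_ANSWERS:
        reasons.append("common answer")
    if len(answer.strip()) < 8:
        reasons.append("short")
    # Ignore one- and two-letter words so "a" or "in" in the footprint does not fire.
    overlap = {w for w in words & tokens(footprint) if len(w) > 2}
    if overlap:
        reasons.append("appears in public footprint: " + ", ".join(sorted(overlap)))
    return "; ".join(reasons) if reasons else None


def generate_answer(n_words: int = 4) -> str:
    """A random multi-word answer drawn with the secrets module. It has no connection
    to the user's life, so nothing on the web can lead an attacker to it; it belongs
    in a password manager, not in memory."""
    return " ".join(secrets.choice(WORDLIST) for _ in range(n_words))


if __name__ == "__main__":
    for candidate in ["Westview High", "Eastview High", "Blue", "Hogwarts", generate_answer()]:
        print(f"{candidate!r}: {answer_is_weak(candidate) or 'no check fired'}")
```

Note what the checker cannot do: “Eastview High” passes every check, yet anyone who knows the real school can guess the rival in a handful of tries. The checker only catches what is literally on the page; only a random answer is out of reach of someone who knows you.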
Well That’s Simply Spiffy
It is. But that covers only one factor or type of authentication, what you know. It is highly advisable to layer in more forms of authentication. Adding what you have to what you know drastically increases your level of security, because a stolen password alone no longer gets anyone in. It’s no secret that my Steam account username and password were recently hacked. The good news is I had MFA set up, and to log in you also had to provide the randomly generated PIN that Steam texted to my phone. That, my friends, is MFA. Consider adding more layers of authentication to your online accounts – Facebook, Gmail, Twitter and Steam all support MFA. In fact, many online accounts do. Where a site gives you a choice, an authenticator app or a hardware security key is a stronger second factor than a texted code, since text messages can be intercepted or rerouted to a phone that isn’t yours. My friend (who I don’t know in real life but I’m sure I’d get along with fantastically) over at Lifehacker released this article which delves a little deeper on enabling MFA for online accounts.
Don’t Be Sad – Two Out of Three Ain’t Bad!
Yeah I know – now you have that song in your head. If you’re paying attention, we’ve talked about using two out of the three main factors (or types) of authentication. That is, what we know, and what we have. We’ve left off what you are – biometrics. I’ll be honest with you, at this point. I am not aware of any consumer-level sites or services that offer biometric authentication. Because of the high cost, this factor is typically reserved for higher security areas within companies and government agencies. I’ve used three factors, simultaneously, to access some computer data centers in my line of work. Big Brother is indeed watching, and protecting his stuff.
So anyway, I hope you will head out to your favorite online sites and sign up for their MFA services as soon as possible. Remember – even the most trivial things like Facebook can be a gold mine to a hacker. Lock your stuff down. Do it now!