
TECHNOLOGY

The Backdoor to Your Account

Ben Lake

ben@openroad.network

Bad actors are always looking for new ways to gain access to your accounts—that’s nothing new.

Hopefully you are already using good password management practices: unique passwords and enabling Multi-Factor Authentication (MFA) wherever possible. Let’s briefly review these in case you aren’t sure of the benefits.

Unique passwords help prevent a breach at one of your accounts from turning a headache into a nightmare. Think of it as having a different key for each room in your house. If you lose one key you don’t want to worry about the thief now having access to all the rooms. Instead, you just change the one lock.

MFA (or 2FA, for Two-Factor Authentication) adds a layer of security to your account, usually by texting you a code after you enter your password. The idea is that an account is more secure by confirming your identity through something you know (a password) and something you have (a phone). In practice, MFA goes a long way in keeping bad actors out of your account. But it’s not perfect.

TAKE CAUTION

Here are two ways MFA can be overcome. The first is through a technique called “SIM card swapping”, referring to the pinky nail-size chip in your phone that ties your number to that handset. A hacker can call your phone carrier, pretend to be you (much of your information like address and date of birth is publicly available), say you got a new phone, and ask to transfer service to a different SIM card. The hacker can now receive your text messages, reset passwords, and access your MFA-secured accounts.

So how do you protect yourself against SIM card swapping? One solution is to call your phone carrier and set up a PIN that is required to be provided before changes can be made to the account. All major cell carriers offer this, and you may already have one on your account. Ask to enable a “wireless passcode” or “port validation” code. You can also use a different method of MFA that forgoes a text message and instead uses a special code generated by an authenticator app on your phone. This authenticator app doesn’t rely on your phone number, and therefore is not susceptible to a SIM card swap.

The second way MFA can be overcome is through “typosquatting”. This is when a malicious actor creates a bogus website that appears to be the legitimate website you are trying to access; e.g., www.micr0soft.com, with a zero in place of the letter o. You may find yourself on a bogus website if you click a link in a phony email (“You must verify your account or it will be disabled!”), or an illegitimate search result listing. The bogus site will look virtually identical to the real one but is actually capturing your password and MFA code as you enter them. To complete the illusion, the bogus site may redirect you to the legitimate site after logging you in behind the scenes.

The best protection against typosquatting is to regard any links in emails with a critical eye, and carefully check the URL in the address bar at the top of the login page before entering your password or MFA code. If you get a funny feeling, trust your instinct and back out or ask someone with technology experience for advice.
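The address-bar check above can also be automated. The following is an added example, not code from the column or from Open Road Network Services; the trusted-domain list and the confusable-character table are constructed assumptions for the demo.

```python
# Added example: flag lookalike domains such as "micr0soft.com" that imitate
# a trusted site. TRUSTED and CONFUSABLES are constructed sample data.
from urllib.parse import urlsplit

TRUSTED = ("microsoft.com", "google.com", "paypal.com")  # constructed sample list

# Characters commonly substituted to imitate a legitimate name.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}


def registrable_domain(url: str) -> str:
    """Return the last two labels of the URL's host, lower-cased (e.g. 'micr0soft.com')."""
    host = urlsplit(url if "://" in url else "https://" + url).hostname or ""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def normalize(domain: str) -> str:
    """Replace confusable characters so that lookalikes collapse to one spelling."""
    for fake, real in CONFUSABLES.items():
        domain = domain.replace(fake, real)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit away catches squats like 'microsft.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url: str) -> str:
    """Classify a URL as 'trusted', 'lookalike of <domain>' or 'unknown'."""
    domain = registrable_domain(url)
    if domain in TRUSTED:
        return "trusted"
    norm = normalize(domain)
    for good in TRUSTED:
        if norm == good or edit_distance(domain, good) <= 1:
            return f"lookalike of {good}"
    return "unknown"


if __name__ == "__main__":
    for u in ("https://login.microsoft.com/", "www.micr0soft.com", "https://example.org"):
        print(u, "->", check_url(u))
```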

Having shared all these scary scenarios with you, keep in mind that MFA will still deter all but the most determined hackers. It is by far the best method to secure your accounts and is relatively simple to set up. Knowledge and vigilance are your best protections in the digital world.

BEN LAKE

Ben is the owner of Open Road Network Services, a Georgetown-based business providing honest, reliable, and affordable technology support to individuals and small businesses. He is particularly passionate about educating and empowering his clients to become more comfortable with technology. 512-942-7623 • www.openroad.network
