
Secure your accounts or someone else will

A drum I’ve been banging on for a long time is to make sure you’re properly securing your accounts: don’t share passwords between different services, and enable Multi-Factor Authentication (MFA) anywhere you can.

On June 20th, Krebs on Security wrote about crooks turning on MFA to block legitimate users from accessing their accounts:

“During this period, we started realizing that his bank account was being drawn down through purchases of games from Xbox and [Electronic Arts],” Dayman the elder recalled. “I pulled the recovery codes for his Xbox account out of the safe, but because the hacker came in and turned on multi-factor, those codes were useless to us.”

Turn on MFA before crooks do it for you. (2020, June 20). Krebs on Security. https://krebsonsecurity.com/2020/06/turn-on-mfa-before-crooks-do-it-for-you/

It’s really important to take online security seriously.

  1. Use an app like 1Password to generate complex passwords for every site you use.
  2. Turn on MFA on any site that allows it.
  3. Avoid SMS-based MFA schemes whenever possible, as they’re vulnerable.

In our app BeLooped, we decided to rely completely on the security of the user’s existing email addresses.

  1. When the user runs BeLooped, we generate a unique (and unseen) ID for the session.
  2. We ask for the user’s email address and use it to deliver a “secret code.”
  3. The user enters that secret code into BeLooped.
  4. The combination of that email address, unique ID and secret code can be used to generate a secret token on the server that provides access to the user’s account.
  5. We keep that token around in the phone’s secure storage, so users don’t have to go through this often.

Without access to the email address, the user can’t get the secret code and can’t log into BeLooped. We have various algorithms that prevent brute-force attacks from “cracking” secret codes.
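As an added illustration (not BeLooped’s own code), here is a minimal server-side version of the five steps above together with the brute-force guard: the session ID, code, binding and token come from the Python standard library, while the email transport, the six-digit code, the ten-minute expiry and the five-attempt limit are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed example of the email-code login flow; not BeLooped's implementation.
SERVER_KEY = secrets.token_bytes(32)  # assumption: per-deployment server secret
CODE_TTL = 600                         # assumption: a code is valid for ten minutes
MAX_ATTEMPTS = 5                       # assumption: wrong guesses before the session is burned

PENDING = {}  # session_id -> {"email", "code_hash", "expires", "attempts"}
TOKENS = {}   # sha256(token) -> email, looked up on later requests
OUTBOX = {}   # email -> code; stands in for the mail server in this example

def _bind(session_id: str, email: str, code: str) -> bytes:
    # The code is never stored in clear; it is hashed together with the session and email,
    # so a leaked PENDING table cannot be replayed against another session or address.
    return hmac.new(SERVER_KEY, f"{session_id}:{email}:{code}".encode(), hashlib.sha256).digest()

def start_login(email: str, now: Optional[float] = None) -> str:
    """Steps 1 and 2: mint an unguessable session ID and mail a one-time code."""
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(24)          # unique and never shown to the user
    code = f"{secrets.randbelow(10**6):06d}"        # six digits, uniformly random
    PENDING[session_id] = {"email": email, "code_hash": _bind(session_id, email, code),
                           "expires": now + CODE_TTL, "attempts": 0}
    OUTBOX[email] = code                            # a real system sends this by email
    return session_id

def verify_code(session_id: str, email: str, code: str, now: Optional[float] = None) -> Optional[str]:
    """Steps 3 and 4: check the code once; return a bearer token or None."""
    now = time.time() if now is None else now
    entry = PENDING.get(session_id)
    if entry is None or now > entry["expires"]:
        PENDING.pop(session_id, None)               # unknown or expired session
        return None
    entry["attempts"] += 1
    if not hmac.compare_digest(entry["code_hash"], _bind(session_id, email, code)):
        if entry["attempts"] >= MAX_ATTEMPTS:
            del PENDING[session_id]                 # brute-force guard: the code dies with the session
        return None
    del PENDING[session_id]                         # a code is good for exactly one login
    token = hmac.new(SERVER_KEY, f"{email}|{session_id}|{code}".encode(), hashlib.sha256).hexdigest()
    TOKENS[hashlib.sha256(token.encode()).hexdigest()] = email
    return token

def email_for_token(token: str) -> Optional[str]:
    """Step 5: the phone presents the stored token on later requests."""
    return TOKENS.get(hashlib.sha256(token.encode()).hexdigest())
```

Only a hash of the token is kept server-side, so the client's copy in secure storage is the only place the bearer value exists in clear.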

This system has advantages and disadvantages over traditional passwords, but the biggest advantage is that the user can’t choose an insecure password or share passwords with another service, because there are no passwords to share. The biggest disadvantage is that we need to rely on users to secure their email address properly, but we feel that if users don’t do this, their online lives are at significant risk anyway.