Although Two-Factor Authentication (2FA) is an old security tool for protecting your login, many people have not yet enabled the feature to prevent their accounts from being misused. Yes, 2FA adds an extra step to your login process, and enabling it for all accounts can be a little annoying, but an unsafe password makes it easier for fraudsters to access your bank account, bank or credit cards, or social media accounts.
If you have linked accounts or third-party sites to your Google Account, it may be best to enable 2FA, because a criminal who is able to sign in will be able to access all your linked accounts and change your password. Similarly, if you have linked your Instagram account to Facebook, the hacker only needs to break one password to access both accounts and thus take over your entire online reputation.
If you think this will not happen to you, understand that hackers can get into your account through fraudulent theft of sensitive information, hacked credentials, aggressive attacks, and other methods. You can avoid these situations by enabling two-factor authentication, as it may require an OTP or a code that you have on your smartphone. A criminal will therefore not be able to sign in even if he or she has the password.
Google offers a few options to protect your account. After enabling 2FA, you can sign in with backup codes, or get instant codes by text, voice call or the Google Authenticator app that no one else can access. You can even use an authentication key or enable the app notification on your phone.
But with adoption of two-factor authentication never having been very high, Google plans to make it mandatory. While Google did not disclose the current percentage of users using 2FA, it is known that more than 90 percent of Google account users were not using this security feature in 2018. Other popular apps like Facebook, Twitter, WhatsApp, and Amazon also offer 2FA, but with similar rates of success.
While Amazon now has 2FA in the form of a link sent to the user’s mobile phone when a new login begins, e-commerce companies such as Flipkart are still to adopt the same feature. E-commerce accounts are particularly at risk now because many users have prepaid card details on their accounts.
Prime Video, as an Amazon app, has 2FA enabled, while Netflix does not. The latter does, however, send sign-in alerts.
Can two-factor authentication (2FA) be hacked?
While 2FA is not 100 percent hack-proof, cyber security firms such as Kaspersky and Check Point have told indianexpress.com that it can certainly prevent data misuse in the event of a breach.
“Two-factor authentication, although not 100% hack-proof, is one of the most effective ways to protect your accounts. If it seems like a bit of a hassle, take a brief look at the head to end identity theft,” said a Kaspersky spokesman.
While financial institutions around the world use two-factor authentication, sending one-time passwords via text message may not be the best option, as it is open to interception. For example, a person can easily read passwords sent via SMS if lock-screen notifications are enabled. Even if notifications are turned off, the SIM card can be removed and inserted into another smartphone, giving access to SMS messages containing passwords. Kaspersky says SMS messages containing passwords can also be intercepted by a Trojan lying inside a smartphone.
Check Point believes that both SMS and emails are less secure. “Trickbot, which is a banking Trojan, sends unsolicited emails directing users to download malware from malicious websites or tricks them into opening malware by attaching it,” said Sundar Balasubramanian, Managing Director, India and SAARC Region, Check Point.
Additionally, researchers from IBM have found that TrickBot operators have developed a malicious program called TrickMo, which captures OTP codes that banks send to customers for verification, without user.
“Using various subtle tactics (pleading, bribery, etc.), criminals can obtain a new SIM card with the victim’s phone number from the mobile phone store. SMS messages will then go to this card, and the victim’s phone will be disconnected from the network. Password SMS messages can be caught with a basic error in the SS7 protocol used to transmit messages,” added a Kaspersky spokesperson.
What can you do to protect your online accounts?
Balasubramanian suggests the more secure Time-based One-Time Password (TOTP) algorithm option, similar to the one used in many smartphone applications. “During setup, the verification device (smartphone, USB key, etc.) shares a random seed rate. Both the server and the authentication device use the standard algorithm to convert these seeds over time.”
Kaspersky highlights how users can use different types of 2FA, and combinations of them, for different services. For example, the most important accounts (a mailbox linked to other sites) should be given the strongest protection, that is, locked with a U2F hardware token with all other 2FA options blocked.
U2F hardware security tokens are essentially USB drives based on the FIDO U2F standard, which is hard to break. Tokens use USB or Bluetooth to provide 2FA to various services. One can buy Google’s Titan Key or a YubiKey. That way you can be sure that no one will ever have access to your account without this token.
“Users can also use different types of keys: For example, the authentication app on your smartphone as the original, and the U2F logo or paper slip with one-time passwords in your safe as a backup. In any case, the main advice is to avoid using one-time SMS-based passwords if possible, especially on bank-related accounts,” advised a Kaspersky spokesman.