Tuesday, August 5, 2014
The Argument for Phony Security Question Answers (Again)
A seventeen-year-old kid in Australia recently bypassed PayPal's two-factor authentication. This should be troubling news to anyone who engages in financial transactions on the Internet. I've written a thing or two about password management and online security and have been a strong advocate of two-factor authentication, hailing it as "state of the art" consumer-level security.
Two-factor authentication is supposed to mean that "even if someone succeeds in hacking your password, they won't be able to log in to your account from a device that you haven't already approved. The log in won't be allowed until after you receive a text message on your cellphone with a code, which must then be entered in addition to the password." But not so at PayPal, according to our junior jackaroo.
What happened at PayPal?
As many are aware, PayPal is owned by eBay. As a convenience for their users (i.e., to encourage them to use PayPal for everything), eBay gives its users a direct link into their PayPal accounts. Here's the fly in that ointment: apparently the linked-account path does not check whether two-factor authentication is enabled on the PayPal account, so anyone who manages to log in to eBay can shoot right into the linked PayPal account with just a username/password combo. A second factor is only as strong as the weakest door into the account; if one entry path skips the check, that is the path an attacker will use.
That may not seem like such a big security hole, since it requires the crook to have your username/password combination at two sites, but that's not far-fetched if you reuse the same password at both (more on that below) or if a hacker has already gained access to your computer.
It gets worse. According to PCWorld, "The payment processor's two-factor authentication could potentially be defeated in other ways. For example, if a user doesn't have a way to receive the six-digit code, PayPal allows them to skip it and instead answer two security questions." Given that most security questions are things like "Where were you born?" and "Where did you go to high school?", answers that are often public or easily guessed, the recovery fallback quietly downgrades two-factor authentication to something weaker than a password, and the illusion of two-factor authentication becomes more and more mirage-like.
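To make the two flaws concrete, here is an added toy model (my own example code, not PayPal's or eBay's) of a linked-account hop and a recovery path. Account names, passwords, the HOTP secret (the RFC 4226 test-vector key) and the security answers are constructed for illustration. The flawed hop asks only whether a linked account exists; the fixed hop asks what the target account requires. The flawed recovery credits two security answers as the second factor; the fixed one never does.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


@dataclass
class Account:
    user: str
    password: str                  # constructed sample; a real store keeps a salted hash
    mfa_enabled: bool = False
    hotp_secret: bytes = b""
    counter: int = 0
    security_answers: dict = field(default_factory=dict)


@dataclass
class Session:
    user: str
    factors: set = field(default_factory=set)   # factors this session has actually proven


# Constructed directories: same username/password on both sites (password reuse),
# 2FA enabled only at the payment site. SECRET is the RFC 4226 test-vector key.
SECRET = b"12345678901234567890"
AUCTION_SITE = {"alice": Account("alice", "hunter2")}
PAYMENT_SITE = {"alice": Account("alice", "hunter2", mfa_enabled=True, hotp_secret=SECRET,
                                  security_answers={"born": "boston", "school": "wasilla high"})}


def login_password(directory, user, password):
    acct = directory.get(user)
    if acct is None or not hmac.compare_digest(acct.password, password):
        return None
    return Session(user, {"password"})


def verify_otp(session, acct, code):
    """Accept the current HOTP value, advance the counter, and record the factor."""
    if hmac.compare_digest(hotp(acct.hotp_secret, acct.counter), code):
        acct.counter += 1
        session.factors.add("otp")
        return True
    return False


def required_factors(acct):
    return {"password", "otp"} if acct.mfa_enabled else {"password"}


def open_linked_flawed(upstream_session, target_dir):
    """Flaw 1: only asks whether a linked account exists, never what it requires."""
    return target_dir.get(upstream_session.user) is not None


def open_linked_fixed(upstream_session, target_dir):
    """Fix: the target account's policy decides, whatever door the session came through."""
    acct = target_dir.get(upstream_session.user)
    return acct is not None and required_factors(acct) <= upstream_session.factors


def recover_flawed(session, acct, answers):
    """Flaw 2: two matching security answers are credited as the second factor."""
    checks = [acct.security_answers.get(q, "").lower() == a.strip().lower()
              for q, a in answers.items()]
    if len(checks) >= 2 and all(checks):
        session.factors.add("otp")
        return True
    return False


def recover_fixed(session, acct, answers):
    """Fix: answers may start a support workflow, but never add "otp" to the session."""
    return False


def demo():
    results = {}
    s = login_password(AUCTION_SITE, "alice", "hunter2")
    results["flawed_hop"] = open_linked_flawed(s, PAYMENT_SITE)           # password alone is enough
    results["fixed_hop_before_otp"] = open_linked_fixed(s, PAYMENT_SITE)  # blocked: "otp" not proven
    acct = PAYMENT_SITE["alice"]
    code = hotp(SECRET, acct.counter)                                     # what the phone would show
    results["fixed_hop_after_otp"] = verify_otp(s, acct, code) and open_linked_fixed(s, PAYMENT_SITE)
    guessed = {"born": "Boston", "school": "Wasilla High"}                # public facts an attacker has
    t = login_password(PAYMENT_SITE, "alice", "hunter2")
    results["flawed_recovery"] = recover_flawed(t, acct, guessed) and open_linked_fixed(t, PAYMENT_SITE)
    u = login_password(PAYMENT_SITE, "alice", "hunter2")
    results["fixed_recovery"] = recover_fixed(u, acct, guessed) or open_linked_fixed(u, PAYMENT_SITE)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the "flawed_recovery" line is that a correct hop check is undone by a weak recovery path: once the questions are credited as a factor, even the fixed authorization lets the session through. The weakest path into an account sets its real security level.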
I've shared the answer before, but it's time to share it again: How about using your random password generator to come up with a short but random string of characters, and saving it in your password management app?
Mother's maiden name? oL-eF-yeph
White Collar Handyman: In-Home and In-Office Technology Concierge Services
Monday, July 7, 2014
Grab the July edition of the monthly "News & Tricks" newsletter
It's hot off the press and ready for reading! Grab your copy of the latest White Collar Handyman newsletter, and if you're not a subscriber, just click here and become one!
Monday, June 30, 2014
iOS 7.1.2 Update for iPhone, iPad & iPod Touch Now Available
- Improves iBeacon connectivity and stability
- Fixes a bug with data transfer for some 3rd party accessories, including bar code scanners
- Corrects an issue with data protection class designations of Mail attachments
You can download the update over the air via Settings > General > Software Update, or install it via iTunes by connecting your phone to your computer with a USB cable. Even though you can update directly over the air on your phone, don't. Although it's only a 23.1-megabyte delta update (just the changes, not a whole system image), user experiences with over-the-air upgrades vary, while those who use the tried and trusted USB method seem unanimous in their success stories. And I always like to make a fresh backup to my hard drive first.
Here's the safest way to upgrade/update:
- Attach the iPhone to your computer.
- Open iTunes.
- Click "Back Up Now."
- Wait for the backup to finish.
- Click "Check for Update" and install 7.1.2.
As always, unless you are absolutely dying to have the listed issues fixed, maybe wait a couple days. You never know what might be broken, diminished or deleted in an update. You won't get any prizes for updating first, but you might get some surprises.
Saturday, May 31, 2014
Grab the latest edition of the monthly "News & Tricks" newsletter
Grab it here, and if you're not yet a subscriber, the sign-up form is in the sidebar to the right. Please sign up!
Wednesday, May 28, 2014
Need another reason to use strong passwords and two-factor authentication? iPhones Held Hostage!
Find My iPhone is a great security feature that allows an iPhone owner to remotely lock his or her device should it be lost or stolen, securing all the data on the phone and rendering it useless without the entry of a security code. But problems arose for the Aussies when a hacker going by the name of Oleg Pliss somehow obtained usernames and passwords and locked the rightful owners out of their own devices. Apple says it has not been the victim of any security breach and suggests that the credentials were gained either by phishing or through password reuse.
Phishing attacks are just a modern form of flimflam and trickery. A scammer sends an email that looks authentic, and the dupe dutifully responds with all kinds of information that is best not shared with bad guys. Phishing can be thwarted by never clicking on links in emails. If a legitimate website needs information from you, you will be able to find its request on its website. If you get an email asking for any information:
1. Make note of what website it is supposedly from.
2. Delete the email.
3. Go to the subject website by opening your browser and using your own bookmark. If you do not have a bookmark, enter the URL for the website you are trying to reach, or use a trusted search engine to bring you to the genuine site.
4. Log in and look for a message to you.
Follow this method for dealing with emailed information requests and you will avoid falling prey to almost all phishing attacks.
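The "never click the link" rule works because the visible text of a link and its real destination can differ. As an added example (not part of the original post), here is what an automated check of that rule looks at: it pulls every link out of an email body, flags any whose destination is not on the domain the message claims to come from, and flags any whose visible text shows one address while the link goes somewhere else. The sample message, the sender domain and all function names are constructed for illustration; the domain-splitting helper is deliberately crude.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from the <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname. A crude stand-in for the public suffix list;
    assumption: no two-part suffixes such as co.uk in the input."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(text):
    """Hostname if the link text looks like a URL or bare domain, else ''."""
    candidate = text.strip()
    if " " in candidate:
        return ""
    if "://" not in candidate:
        candidate = "http://" + candidate
    host = urlsplit(candidate).hostname or ""
    return host if "." in host else ""


def suspicious_links(html, claimed_domain):
    """Return [(href, [reasons]), ...] for links a careful reader should not click."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = registrable_domain(urlsplit(href).hostname or "")
        shown = host_of(text)
        reasons = []
        if target != registrable_domain(claimed_domain):
            reasons.append(f"destination {target!r} is not {claimed_domain!r}")
        if shown and registrable_domain(shown) != target:
            reasons.append(f"text shows {shown!r} but link goes to {target!r}")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample phishing message: one lookalike link, one shortened link, one genuine link.
SAMPLE_EMAIL = """
<p>Dear customer, your account has been limited.</p>
<p>Please confirm your details at
<a href="http://www.paypal.com.account-verify.example/login">https://www.paypal.com/login</a>
within 24 hours. You can also <a href="https://t.example/x9Qz">click here</a>.</p>
<p>Questions? Visit our <a href="https://www.paypal.com/help">help center</a>.</p>
"""

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL, "paypal.com"):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

The first link is the classic trick: the hostname starts with the real brand but the registrable domain is something else entirely. The second is a link shortener, which hides the destination and so fails the same test. The third, on the claimed domain, passes; the post's advice still applies to it, since a reader cannot run this check by eye.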
I've discussed Password Reuse before. In a word, it's bad. If you use the same username and password at more than one site, once a hacker gets information from one web site breach, he has access to every account you have that uses that username/password combo.
Finally, Two-Factor Authentication: In a word, it's great! Here is a large list of websites indicating which do and which do not have 2-Factor Authentication. In short, without rehashing what's been said before, if a provider offers 2-Factor Authentication, use it, and if they don't, encourage them to do so.
Tuesday, May 13, 2014
Learning a Thing or Two about Email Security from Sarah Palin
Even if you have followed the advice to generate a unique random 30-character password for each of your Internet accounts, you are still in danger of being hacked. Certainly, the danger is more remote. The fact is, most hackers are going after random accounts on the Internet looking for the low-hanging fruit. If your password is KjuD;NnoG7RaygNNuFcsCHQmwcofLv and someone else's is "g00gle123", chances are it's the other guy who's going to be victimized.
But what if it's more personal? What if it's an ex-employee, ex-spouse, vindictive co-worker or neighbor or some other vengeful sort with you in their crosshairs? This targeted hacking presents another problem that banks, credit card companies and others seem to be setting you up for.
What's your mother's maiden name? Where did you go to high school? What's the name of your first pet? Where did you honeymoon? What's your maternal grandfather's first name? What's your date of birth?
Recognize these types of questions? It's the "Lost Password Trap," and it's just out there waiting for you. Do you remember answering those questions when you set up your online banking? Sure. It's these questions that a website will use to verify your identity if you forget your password. But do you remember answering these questions over cocktails, during pillow talk, or merely in casual conversation? How much of this is simply findable on your Facebook profile?
This is exactly how Sarah Palin's email account was hacked in 2008! A hacker, claiming to be Sarah Palin, went through the Yahoo email procedure for recovering a lost password, and the answers were all a matter of public record:
Birthdate: 2/11/64
Zip Code: 99654
Where did you meet your spouse: Wasilla High
Similar techniques were used to infiltrate the Twitter accounts of Barack Obama, Britney Spears, Lily Allen and lots of not-so-famous victims.
Some will advise you to make up a fake answer to these questions. Not bad, but your fake answer may be as guessable as your real one. Mother… Goose? Pet…Fido? If you can keep it in your head, it's probably not a great idea.
How about using your random password generator to come up with a short but random string of characters, and saving it in your password management app?
Mother's maiden name? oL-eF-yeph
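Both this post and the August 5 one above give the same prescription: a random string from your password generator, saved in your password manager. As an added example (my own code, not the post's), here is a small generator that does exactly that, together with the arithmetic behind the advice: how many guesses an attacker needs for a random answer versus a real one. The candidate-list sizes for the real questions are constructed assumptions, as are the site and question names.

```python
import json
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits   # 62 symbols


def random_answer(groups=3, group_len=4, alphabet=ALPHABET):
    """Return an answer such as 'oLeF-yeph-Q2zn'. Uses secrets (the OS CSPRNG), not random."""
    return "-".join("".join(secrets.choice(alphabet) for _ in range(group_len))
                    for _ in range(groups))


def entropy_bits(candidates):
    """Work for an attacker whose best strategy is to try 'candidates' guesses."""
    return math.log2(candidates)


def random_answer_bits(groups=3, group_len=4, alphabet=ALPHABET):
    return entropy_bits(len(alphabet) ** (groups * group_len))


# Constructed assumption: roughly how many plausible answers an attacker who knows
# a little about you would have to try for each common question.
GUESS_LISTS = {
    "Mother's maiden name?": 5_000,
    "Where did you go to high school?": 300,
    "Name of your first pet?": 1_000,
}


def weakest_question(guess_lists=GUESS_LISTS):
    """The question with the smallest candidate list, and its bits of work."""
    q = min(guess_lists, key=guess_lists.get)
    return q, entropy_bits(guess_lists[q])


def add_to_vault(vault, site, question, answer):
    """Record the phony answer under the site so it can be looked up at reset time."""
    vault.setdefault(site, {})[question] = answer
    return vault


def make_vault(site, questions):
    """Generate a fresh random answer for every question a site asks."""
    vault = {}
    for question in questions:
        add_to_vault(vault, site, question, random_answer())
    return vault


if __name__ == "__main__":
    vault = make_vault("bank.example", GUESS_LISTS)
    print(json.dumps(vault, indent=2))           # what goes into the password manager
    q, bits = weakest_question()
    print(f"weakest real question: {q} (~{bits:.1f} bits)")
    print(f"random answer: ~{random_answer_bits():.0f} bits")
```

Twelve random characters from a 62-symbol alphabet come to about 71 bits, against single-digit bits for a question whose answer is on your Facebook profile. The answer is not meant to be memorable, which is exactly why it lives in the password manager rather than in your head.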
Monday, May 12, 2014
What's In Your (Digital) Wallet?
On April 29, the Supreme Court heard the case of a young man who was pulled over for driving a car with expired tags.
"Hmm… coulda happened to me," you think.
Sure, that or an inspection sticker, tail light out, jaywalking, whatever. What happened next is frightening. The cop who pulled him over picked up young Mr. Riley's Samsung Instinct M800 smartphone and took a look-see. There he found pictures that linked our motor vehicle violations suspect to an unsolved drive-by shooting that ultimately resulted in a murder conviction and a 15-to-life sentence.
While few of us will have sympathy for a convicted murderer, the thought that I could be jaywalking down the street one moment and giving the police complete and unfettered access to everything on my iPhone the next (photos, email, documents) is horrifying.
This is one more reason to have a strong passcode on your smartphone. On an iPhone the passcode also unlocks the keys that encrypt your data, so it protects more than the lock screen. Although that protection might not survive a court order, it will certainly prevent the immediate disclosure of your most personal photos and emails during a routine traffic stop!
You may not have killed anyone, but is there anything on your phone that you don't need Barney Fife taking a gander at? Riley's lawyer argued that it may be one thing for cops to go through your pockets and wallet, but letting them nose through an Android or iPhone at a traffic or sidewalk stop is like giving "the police officers authority to search through the private papers and the drawers and bureaus and cabinets of somebody's house." The Court's decision may decide whether it's legal for the police to search the digital contents of your cellphone without a warrant.
Even if it's legal, it doesn't have to be easy. Even a 4-digit code is better than nothing, and a longer alphanumeric passcode is better still, since four digits leave an attacker only 10,000 combinations to try. Maybe take a moment to lock it up, now.