In this issue:
- Hack-Proof: A two-factor authentication guide
- Cybersecurity shorts
- Software updates
Hack-Proof: A two-factor authentication guide
Two-factor authentication has gone from new technology to a widely used tool implemented on most websites and apps. Two-factor authentication (sometimes called two-step verification) is an extra security measure you can place on your accounts. When you enable this feature, you will have to enter a short-lived one-time code (sent to your phone or device) after submitting your username and password.
This process adds an extra layer of security to your account—even if a hacker knows your username and password, they cannot log into your account without the one-time code that is sent to your phone. You need two-factor authentication enabled on your most crucial accounts—email, banking, credit cards—and you should enable it on any account that has the technology and allows access to your personal information, such as social media sites.
The one-time code can be sent to you in a variety of ways—you choose the delivery method when setting up two-factor authentication for your accounts. Here is a brief overview of each option.
Authenticator apps
The newest and most secure form of two-factor authentication is receiving codes through an authenticator app such as Google Authenticator. Once you download Google Authenticator and link it your Google account, you can use the app to generate passcodes for other non-Google websites when setting up two-factor authentication on that site.
The authenticator app is considered the most secure because it is the toughest for hackers to access. Authenticator apps can also be used when you do not have cell phone service, which is helpful if you are traveling overseas and still need access to your accounts. It does require a separate app, however, and it can be difficult to re-install on a new device.
Text message
A popular and easy way of obtaining your one-time passcodes is via text message. Choosing this option means that after entering your username and password at a website, it will text you a code that you will enter on the website. This method is easy because it does not require any additional devices or downloads.
Experts, however, do worry about the security of text message two-factor authentication codes. These codes can be intercepted by hackers, allowing them to access the key to your account. In most cases, hackers will probably not spend time doing this as there are plenty of unprotected accounts they can get into. Some hackers or individuals may, of course, be targeting certain people. But for most people, text message two-factor authentication is still a good protection method.
The power of two-factor
No matter the method you choose, you need to enable two-factor authentication at least on your most sensitive accounts. Two-factor protects your accounts and can act as an early-warning system. If you receive a code that you did not generate, it may be a sign that someone has your username and password. In that case, you want to change your password immediately.
And in most cases, you do not need to enter a code every time you log into your account. On most websites, you can designate certain devices as "safe" and you will not be required to enter a code when logging in from those devices.
Cybersecurity shorts
Riviera Beach City pays $600,000 to get files back after ransomware attack. The Florida city fell victim to the attack three weeks ago when an employee clicked on a phishing link. The ransomware immediately encrypted the network's files and also disabled the email system, disrupted direct deposit, and stopped 911 dispatchers from being able to enter calls into the computer. The city worked with outside security consultants who recommended paying the ransom. The council agreed unanimously, making it one of the largest ransomware payments in history.
Equifax downgraded to "negative" outlook by Moody'safter high costs related to cybersecurity and litigation following the 2017 breach. This is the first time that a cybersecurity situation has caused an outlook change. Equifax has already spent over $600 million on lawsuits and investigations and more money is likely to be spent.
First American Financial Corporation leaked over 800 million files over the last 16 years. Starting in 2003, the real estate title insurance company's website allowed anyone to access digital records that contained bank account numbers, mortgage information, tax records, Social Security numbers, and more. The website allowed anyone who had been sent a link to a valid document hosted on the website to view other documents by modifying a digit in the link. There was no other authentication process to view the documents.
Phishing links may be hiding in your Google calendar. Researchers at Kaspersky have noticed calendar emails being sent to Gmail users that contain malicious links disguised as surveys or Google doc links. If you get unsolicited calendar invites, be sure to look at them closely. You can also protect yourself by ensuring that invites are not automatically added to your calendar. To do so in the Google Calendar app, go to Event Settings, Automatically Add Invitation, and select "No, only show invitations to which I've responded."
Are your remote workers cyber secure? One benefit of technology is that many workers can perform their job duties from a remote location without a need to be in the office. However, this popular work setup can lead to cybersecurity issues if workers are not educated or given the resources to be secure. If you are a remote worker or employ remote workers in your company, you need to provide training and be sure they are staying safe by using a password manager. You can read more tips here.
Popular tax accounting software Wolters Kluwer fell victim to a malware attack last month. The software is used by the top 100 accounting firms, 90% of top global banks, and 93% of Fortune 500 companies. Once the attack was discovered, the software was taken offline, causing panic in the accounting world just days before non-profit organizations' taxes were due. Wolters Kluwer does not believe that customer data was accessed during the attack.
Cyberattack against small business shuts it down. Innovative Higher Ed Consulting (IHEC), a two-person startup focusing on helping academics get their research noticed, was the victim a cyberattack. Here, thieves ran 100,000 stolen credit card numbers through the new company's payment system. The founders noticed the fraud and reported the activity to Bank of America Merchant Services, which sent IHEC a $27,000 bill to reverse the charges. IHEC had not yet activated fraud protection tools because the website was not up and running yet. However, these tools would have caught the fraud. You can read more about what happened here.
Millions of Quest Diagnostic patients may have had their information exposed in a data breach.The New Jersey-based clinical lab was notified by its bill collecting vendor, American Medical Collection Agency, that an unauthorized person had access to its system. Quest says that no lab results were part of the breach as American Medical Collection Agency only had access to payment card information and Social Security numbers. Some medical data may have been exposed. American Medical Collection Agency has since filed for bankruptcy.
2020 Census is not cyber-secure, according to the Government Accountability Office. During an audit, the agency discovered that the Census Bureau's plan for combating cybersecurity threats during next year's census has many flaws. For the first time, in 2020 residents will be able to take the Census online. But the bureau has fallen behind on rolling out necessary IT systems. Experts worry that the online system could be compromised, possibly skewing results.
Cybersecurity insurance—what does it all mean? These types of policies are on the rise, but it can be difficult to understand what each policy covers since there is no standardization between companies, according to The Wall Street Journal. To make the process easier, read this guide to learn what questions you should ask before deciding on a cybersecurity insurance policy.
Phishing messages now being disguised as push notifications. Lookout, a mobile security company, has seen an increase in these types of messages in recent months. The push notifications appear to come from legitimate apps and direct you to phishing pages asking for your login credentials. Some appear as a missed call or to be from Slack. If you get a notification you are unsure about, ignore it and check the legitimate app on your device.
U.S. Customs and Border Protection suffered from a malicious cyberattack resulting in 100,000 travelers' images and license plates being exposed.According to the agency, the breach occurred after a subcontractor transferred the images to its network, violating privacy protocols. The incident is currently being investigated.
Government agencies still using Equifax to verify identities following 2017 breach. The Government Accountability Office released a report this week stating that agencies such as the U.S. Postal Service, the Social Security Administration, and the Centers for Medicare and Medicaid still use the three big credit reporting agencies to authenticate new user accounts with knowledge-based questions pulled from a credit report. Following the 2017 Equifax breach, the Government Accountability Office said this practice is no longer safe, as the answers could be easily accessible.
Software updates
Adobe: Adobe has released an update for Flash Player once again this month. Again, Adobe will stop supporting the software next year so consider removing it from your devices if you no longer use it.
Firefox: If you have the browser Firefox installed on your machine, be sure to update it immediately. A zero-day exploit has been discovered and is already being exploited. To force your browser to check for updates go to Help and About Firefox.
Microsoft: Microsoft released updates for 88 security issues this month. The vulnerabilities primarily affect Windows, Microsoft Office, Internet Explorer, and Edge. Many of the issues are considered critical and you should update your devices as soon as possible. Your device should prompt you to update, but you can learn more about the vulnerabilities here.