One of IT’s biggest barriers is jargon, where simple concepts are given overly complex names. Among those is 2FA (two-factor authentication) or MFA (multi-factor authentication). Why don’t they just call it “Another way of checking that you really are who you say you are”. OK, maybe that’s a little wordy!
Remember how easy it was when you just logged in with a name and a simple password? Sadly, criminals found it easy too – with your name and password. So, like a castle with various levels of defence, IT companies added new methods of authentication to keep ahead of those criminals and to protect your information.
At its simplest, 2FA brings together something you know, something you have and/or something you are. MFA is moving towards also using factors such as time and location. It’s not a new concept: “Traditionally debit card payments for many years have been 2FA: something you have (card) and something you know (pin).” Jimmy Wales (founder of Wikipedia).
“Something you know” could be a password, a PIN or answers to secret questions. “Something you have” is a phone, a credit card or an authenticator app. “Something you are” is biometric data, which is becoming easier to access with the increased availability of fingerprint scanners and face/voice recognition.
So my banking app is locked to my phone (something I have) and requires my fingerprint (something I am) to log in. Facebook asks for my password (something I know) and a code from my authenticator app (something I have). The irony is that the weakest form of 2FA is the most common – the SMS OTP (yes, more jargon). This is the One Time Password, or code, you're sent by text when you’re doing, for example, a credit card transaction. Texts are "vulnerable to compromise—albeit such compromises remain comparatively and thankfully rare—but it is becoming more of an issue." (Forbes), so it’s better to avoid this method if you have a choice.
The common theme between most of these verification methods is that they require a smartphone, which makes life difficult for the many people – particularly of an older generation – who don’t have one.
What’s the future? It seems that 2FA/MFA isn’t going away any time soon. However, companies including Microsoft and Google are working with FIDO (Fast IDentity Online) Alliance to rethink “the nature of online authentication”, moving away from passwords completely. In a few years, I hope they’ll develop easier, more accessible solutions for everybody. In the meantime, though, while MFA is cumbersome “it's worth it in the long run to avoid serious theft, be it of your identity, data, or money” (PC Mag).
Recently, someone in Jakarta changed the details of my Paypal account. Adaline Alexander from Alabama purchased three songs on my iTunes account. And in a moment of madness, I bought an $800 Dell laptop for Loretta Lestrange from New York.
Of course, none of these things actually happened. But someone wanted me to believe that they had, to trick me into giving them my details. According to PayPal, “approximately 90% of all email sent worldwide falls into the spoof, phishing, spam, and general junk category.” So how do you spot a dodgy email?
For more tips, take a look at www.which.co.uk/consumer-rights/advice/how-to-spot-an-email-scam.
In my spring article on spring cleaning your computer I wanted to recommend tools which, while great in themselves, needed to be downloaded from freeware sites. The trouble is, these sites offer traps for the unwary so here are some tips on how to more safely use them.
Trap 1: misleading search results
Search for a program and some search engines, such as Bing and (these days to a lesser extent) Google, will show adverts at the top of the page. Beware of clicking these. The second result when searching “chrome download” on Bing is uk-download.com which admits that “When you choose to download the software that is available on this site, you may be presented with offers from third-party advertisers.” Make sure that, where possible, you download from the official website. And if something’s not free on the official site, be very suspicious of sites on which it is free.
Trap 2: too many buttons
Looking to download a program, you go to its page on a freeware site, only to see multiple buttons: “Update Drivers Now”, “Download Now!”, “>”, “GET IT NOW”.
Which is the right one to download your program? To find out, install an ad-blocking extension such as Adblock Plus or, my favourite due to its low memory use, µBlock Origin. These remove advertising content, giving you a very clean webpage with only one button … the one you really need. Note that the new Microsoft Edge doesn’t yet support extensions so you currently can’t use this trick on that browser.
Trap 3: bundleware
Now you’ve clicked the right button and downloaded the setup file you go to run it. STOP! Some developers “bundle” other programs with their own. And some freeware sites, like the notorious download.cnet.com, will take clean programs and add in extra software—called PUPs or Potentially Unwanted Programs—that you really don’t want. Why do they do this? They get paid for it! So, whenever you download something, don’t just open it. Use Show in Folder to find it in your Downloads folder, right-click it and run anti-virus and anti-malware scans.
Trap 4: express install
If offered a choice between Express and Custom Install, always use Custom; it’s not just for “advanced users”. Custom allows you to choose exactly what does and doesn’t get installed—check all the options carefully—and should prevent you ending up with anything that’s slipped through your previous checks.
A final tip: to avoid these traps, whenever possible use ninite.com, “a safe, centralized place to get the freeware you need”. Read more on howtogeek.com.
1971 saw the first computer virus—Creeper. It harmlessly copied itself and displayed the message “I'm the Creeper, catch me if you can!” Reaper swiftly followed. Its sole aim was to find and delete Creeper and was effectively the world’s first anti-virus. In the decade that followed, the few viruses created were simply experiments to push the boundaries of computer science.
Forty-plus years on, things have changed. While I’m sure some of today’s viruses are still geeks’ pranks, most have a more deceitful purpose. Now known collectively as malware—malicious software—they include not only viruses but also worms, Trojans and spyware, designed by criminals to defraud you by stealing your information or taking over your system. Independent testers estimate that there are 55,000 new malware variants released every day.
This sounds scary but, just as Reaper was created to eliminate Creeper, there is now a whole industry devoted to the control of malware and you should take advantage of the tools they provide.
I suggest a three-pronged approach to safeguarding your computer. Firstly, install and use a regularly updated anti-virus program. You don’t have to pay for this—the makers of respected anti-virus packages also offer excellent free versions. Highly rated are AVG (free.avg.com) and avast! (www.avast.com); both are simple to use and have their virus definitions (the information they use to identify viruses) updated every few hours.
Secondly, be aware that no anti-virus is 100% infallible so some malware will inevitably sneak through. Malwarebytes Anti-Malware (www.malwarebytes.org) is excellent at finding this and cleaning it up. Unlike other anti-virus software, the free version of Malwarebytes doesn’t run all the time so you need to make sure that you scan your system with it on a regular basis.
Thirdly, just take care. Don’t open suspicious email attachments and don’t go to untrustworthy web sites. It’s also good practice to run a quick virus-scan on any file you’ve downloaded from the internet before you use it.
While the majority of malware is designed to attack Windows users, other systems can be affected too. In 2012, Apple dropped claims that Macs can’t get viruses after a widespread Trojan attack. Two years before that, the first Trojan targeted at Android systems was discovered. Yes, even your smartphone can be infected, so make sure you have a good anti-virus on that too!
Whatever system you use, you needn’t be scared of malware. As JR Raphael blogs on Computerworld, “a little caution and some common sense will go a long way in keeping you safe from the big, bad virus monsters lurking around our virtual worlds.”
PS For the latest recommendations (April 2016) for the best virus checker, take a look at the PC Advisor article “17 best antivirus & best free antivirus for PC and laptop UK”.
As I write this in April, the tech news is full of Heartbleed, a security vulnerability that allows hackers to steal passwords from seemingly-secure websites. As the designer of the new website for the Community Centre, I’d like to reassure you that www.bfobrca.org has not been affected by this problem. We don’t collect user information or passwords and the site is hosted on a server which does not use the affected software.
On a wider basis, what does Heartbleed mean to you? If you use any affected sites, which include social media sites such as Facebook, Pinterest, Instagram and Tumblr, entertainment sites like YouTube, Netflix and Flickr, or Gmail and Yahoo email, you should change your password as soon as possible. If you use the same password on other sites, such as your bank, you need to change those too. But don’t choose a password that’s too easily identifiable with you—your birthday, your child’s name—or something on the list of the most commonly used passwords, which include 123456, password, abc123, qwerty and, for some strange reason, monkey! Make the new password a good one, a strong one.
Experts recommend the use of a password manager such as LastPass. If you don’t feel comfortable using one of these (or if you do use one and need to create a master password), here are some hints for coming up with a strong password.
The key is to find a password that a hacker can’t guess, but you can remember. This sounds hard, but can be easier than you think. One of the best ways I’ve come across is the mnemonic technique: use the initial letters of a memorable sentence, then add some non-alphabetic characters. So, for example, I might think “If I won the lottery I would buy a house in St Tropez!” Using the first letter of each word gives “IIwtlIwbahiST”. That’s a great start, but to make it stronger still, substitute in some numbers and add the punctuation back in. To me a b looks a little like 6 and i could be 1, giving “IIwtlIw6ah1ST!”
Now there is just one very important step you need to take: make the password unique for each website you use. If you’ve got a great memory, you can create a new password for each site. But if not, use the combination above as the core of your password and add a few letters from the website address. A new password for your Google email account (https://mail.google.com) would, for example, be “IIwtlIw6ah1ST!oog”. And there’s your unguessable but easily memorable password (don’t worry, those complicated-looking substitutions will soon become second nature).
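To make the recipe above concrete, here is a small added example (my code, not part of the original article) that carries it out step by step: initials of the sentence, the b→6 and i→1 look-alike swaps, the sentence’s punctuation put back, and a few letters from the website address. The article only says “a few letters from the website address”, so the rule used for that part is an assumption, chosen so that https://mail.google.com gives “oog” as in the text; the final check against the commonly used passwords named earlier is also my addition.

```python
"""Derive a site-specific password from a memorable sentence.

Added example, not code from the original article. It follows the
article's recipe: first letter of each word, a few look-alike digit
substitutions, the sentence's punctuation put back on the end, then a
few letters taken from the website address.
"""
import re
from typing import List
from urllib.parse import urlparse

# Look-alike substitutions the article suggests (b -> 6, i -> 1).
# Case-sensitive on purpose: the capital "I"s in the example stay as they are.
SUBSTITUTIONS = {"b": "6", "i": "1"}

# The most-used passwords named in the article; a candidate that matches one
# of these (ignoring case) has defeated the whole exercise.
COMMON_PASSWORDS = {"123456", "password", "abc123", "qwerty", "monkey"}


def initials(sentence: str) -> str:
    """First letter of every word, keeping the writer's capitalisation."""
    return "".join(word[0] for word in sentence.split() if word[0].isalpha())


def substitute(core: str) -> str:
    """Swap in the look-alike digits."""
    return "".join(SUBSTITUTIONS.get(ch, ch) for ch in core)


def punctuation(sentence: str) -> str:
    """The sentence's punctuation marks, in order, to put 'back in' at the end."""
    return "".join(ch for ch in sentence if not ch.isalnum() and not ch.isspace())


def site_tag(url: str) -> str:
    """A few letters from the website address.

    Assumption (the article only says 'a few letters from the website
    address'): take letters 2-4 of the main domain label, which turns
    https://mail.google.com into 'oog' exactly as the article's example does.
    """
    host = urlparse(url if "://" in url else "https://" + url).hostname or ""
    labels = [lab for lab in host.split(".") if lab]
    main = labels[-2] if len(labels) >= 2 else (labels[0] if labels else "")
    return main[1:4]


def derive_password(sentence: str, url: str) -> str:
    """The article's full recipe: initials, substitutions, punctuation, site letters."""
    return substitute(initials(sentence)) + punctuation(sentence) + site_tag(url)


def weaknesses(password: str) -> List[str]:
    """Reasons a candidate fails the article's 'strong' bar (empty list = none found)."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the commonly used passwords list")
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    kinds = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if sum(bool(re.search(k, password)) for k in kinds) < 3:
        problems.append("uses fewer than three kinds of character")
    return problems


if __name__ == "__main__":
    sentence = "If I won the lottery I would buy a house in St Tropez!"
    for url in ("https://mail.google.com", "https://www.facebook.com"):
        pw = derive_password(sentence, url)
        print(f"{url:28} -> {pw}  weaknesses: {weaknesses(pw) or 'none'}")
    print("monkey ->", weaknesses("monkey"))
```

Running it shows that the same sentence gives a different password for each site (the Gmail one reproduces the article’s “IIwtlIw6ah1ST!oog”), while a word like “monkey” fails every check. The point of the last function is only to catch the obvious mistakes the article warns about; it is not a measure of real strength, and, as the article says, a password manager remains the better option.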
Bear in mind that this technique isn’t a replacement for a good password manager—but it’s definitely better than using 123456!
I originally wrote this article for the Summer 2014 edition of the BFOBRCA Community News.