Home Grayman Phishing and 2 Factor Authentication

Phishing and 2 Factor Authentication

by Grayman
written by Grayman

BLUF

Don’t trust links and websites. Verify first. Activate Two Factor Authentication.

Phishing

Phishing is one of the most popular ways to steal victims’ sensitive information such as credentials, credit card numbers, IDs, 2FA codes, etc.

》Before filling in your private information into a website, check the URL bar. Make sure the website address is correct.

– Try retyping it and letting auto-populate take over.

– Check for misspells, punycode, subdomains used as domains, HTTP instead of HTTPS.

– Try a web search with the URL first. (Be careful before you do this because some search bars will load the website rather than run a search. Test how your bar works first.)

》There are services that shorten a URL (bit.ly or tinyurl.com) and hostile actors can take advantage of it by hiding a malicious website’s identity. Check the end path by using a service like checkshorturl.com.

》Don’t trust unsolicited emails or messages that request you to immediately log in into your bank, social media, or financial app. They often warn of a breach, asking you to secure your account, or a notice that your payment on Amazon didn’t process. Emails can be spoofed, so don’t trust it just because the email address looks correct.

》Never give any information over the phone if it’s a conversation where you received the call. Be polite and tell them you’re going to look up the number and call them back. For bank cards, call the number on the back of the card.

Two Factor Authentication

One extra security measure to protect your accounts is using two-factor-authentication (2FA).

》With 2FA, if the attacker gets access to your credentials, they would still need to have this 2FA code to successfully log in. These codes are generated and available only in the app on your smartphone. With 2FA enabled, it is nearly impossible to steal access to your Instagram, Facebook, PayPal or any other account.
》Use an authenticator app such as Google or Facebook Authenticators for 2FA.
》You can use your cell phone number as the 2FA option or a 3rd party service.

Debrief on 2FA

(for those that really want to get serious about security)

Just as a point of clarification, while using SMS-based Second Factor Authentication (2FA) is better than not using 2FA at all, it is actually not the best option.

Any form of 2FA is WAY better than not using anything (including SMS based 2FA). SMS-based 2FA is one of the least secure methods of 2FA since it is susceptible to SIM jacking and social engineering attacks. Using an authenticator app is far more secure. My favorite is “Aegis” authenticator, however, I have used LastPass Authenticator in the past.

Aegis Authenticator

Aegis Authenticator has great privacy and security features built into the app, like masking the codes for all your accounts until you click on the one you need, and only then revealing the 6 digit code, as well as storing the codes in a “vault” (encrypted database). You can also set a pin or use biometrics to unlock the app.

Aegis stands out above others that I have tested (not exhaustively, there are a lot of great ones out there) because you can store encrypted backups of your vault and restore them to a new device if you need to.

LastPass Authenticator

LastPass Authenticator it is very convenient for the layman since it can sync across devices when you connect it to a LastPass Password Manager account. I am not the fondest of LastPass anymore for my personal threat model, but for the everyday person they are great for ease of use, and I recommend it to the slightly less tech-savvy people who don’t want to manually deal with backups and store them in secure cloud storage, etc.

Backup/Recovery Codes

Backup codes (sometimes also called Recovery Codes) are also a very secure form of 2FA, although they should not be the go-to since they are one-time use, but I always recommend that everyone have them.

The system I use is to store the recovery codes in a text file, make a Sync.com account (secure encrypted file storage), and store your recovery codes there. I don’t use that account for anything else other than storing recovery codes, and the 2 most recent backups of my Aegis vault. As such, I don’t need to access it often and it is a great backup for emergencies if your phone is ever seized, stolen, or broken and you don’t have access to your 2FA method. You log in to your sync.com account and gain access to any of your accounts with one of the one-time use recovery codes.

The only thing is that you have to KNOW the password to your sync.com account since the worst-case scenario assumption is that you won’t have access to your password manager either.

I apologize for the long-winded explanation, but basically, any 2FA is leaps and bounds above nothing, but if giving a recommendation of which method is the best, I would say app-based 2FA is significantly more secure than SMS-based 2FA and always have recovery codes stored safely if you lose access to your 2FA method.

SIM Swapping

Why might SMS based 2FA not be the best option? Two words. Sim Swapping.

It’s a scheme that involves a hostile actor gaining personally identifiable information (PII) from the victim then using that info to gain the trust of a cellular carrier to have the provider switch off your SIM card and activate a new SIM card the hostile actor already possesses. They then gain access to your texts/calls/data which is used to send password reset requests to further access your other accounts.

Deter SIM swapping:

– Hang up when a purported company you do business with calls you and asks for PII. Instead call back with a number you can confirm belongs to the company.

– Do not click on any links in emails. If a company requests you correct an issue on your account, delete the email and type in the correct address on your browser to correct the issue on the website you can confirm belongs to the company.

– Use standalone app-based 2FA. Do not share PII online. If a swap does occur; contact your carrier to regain access, change passwords, contact your financial institutions to alert them, and report to ic3.gov and law enforcement.

This article was originally written by the Grayman Briefing. Stay in the know, sign up for Intel and Situational Awareness alerts pushed to your phone on emerging threats and preparedness warnings. Click HERE to subscribe to the Grayman Briefing.

=====

Become a Survival Dispatch Insider …

We bring together survival enthusiasts and preppers to share skills and knowledge, so you can enhance your preparedness for emergencies and ensure the safety of you and your community.

The Results You’ll Get …

Our community, courses, and memberships are pretty special. We’re focused on the ways it will make a huge difference in your life.

Here are a few of the things you’ll be able to do as a member of Survival Dispatch Insider …

1) Improve your emergency preparedness by learning survival skills and strategies from experienced preppers.

2) Build lasting connections with like-minded individuals that share your passion for safety and readiness.

3) Access a wealth of knowledge and resources to assist in protecting you and your community during unexpected situations.

Click HERE to get started.

0 comment
FacebookEmail

Related Articles

How to Plan a Cross-Country Trip in a...

How to Start Making Energy Bars at Home

Cotton or Wool?

Putting Together Your Bug-Out Fire Kit

Gerber Compleat

Spring Wild Edibles are Here!

When Duty Calls Bear Independent Answers

Survive a Plane Crash or Hijacking

Carry a Get Home Bag (GHB)

Using Maps, Compasses, and GPS for Navigation