On September 1st Rob Pegoraro, a tech columnist at USA Today, reported on a data leak involving a few million customers at T-Mobile, a popular mobile device service provider. He writes, "The T-Mobile hack may have made it easier for attackers to stage a SIM swap attack, in which they take over a phone line to intercept two-step verification (also called two-factor authentication), a process during which users respond to a text, email or push notification to verify ownership of a particularly valuable online account." He then goes on to discuss various forms of two-factor authentication, contrasting their usefulness and claiming that the most common form of two-step authentication, wherein a user enters a randomized numerical code sent via text or email into a prompt that appears upon signing into an account, is not actually the most secure. Evidently, this is the easiest form of two-step authentication for hackers to interfere with. Instead, Pegoraro recommends using USB security keys, which are physical USB devices containing encrypted security information. With these devices, users can only sign into an account if they have a physical key, removing the risk of hackers exploiting security information that has to be transmitted across an internet signal.
Open up any article about tech security recommendations, and you're likely to see two-factor authentication somewhere down the list. Still, the USA Today piece highlights some realities about online security that firms must inevitably confront.
Tilting the Odds in your Favor
As we discussed last week in our post about data leaks, any firm needs good security protocols in place to prevent the comprising of sensitive information. Unfortunately, the grim reality is that it's impossible to mitigate all risk when it comes to cyber crime. Not too long ago, measures like two-step authentication simply weren't necessary; a good old-fashioned password would do the trick.
Of course, this does not mean that firm leaders should throw up their hands and give up on cyber security altogether. While there exists no full-proof security measure--no bubble wrap to pack a firm's systems in, so to speak--the more thorough the security infrastructure, the easier a firm's leader can rest while working on the things that are more important. As such, measures like two-factor authentication are essential, in spite of the misgivings expressed in the Pegoraro's column. To make a comparison with public health, it's impossible to completely wipe out all hostile micro-organisms from the world, but simple measures like washing hands, getting regular check-ups, and wearing masks can go a long way in curbing the number of people who get sick. The same holds true with cyber security.
As the USA Today article points out, the most secure form of two-step authentication is the use of encrypted USB security keys. The problem is that keys of this sort are expensive when compared to simpler forms of two-step authentication. Plus, keeping track of how they're issued to staff, maintained, and kept secure could potentially add more labor onto an IT team, especially for smaller firms who don't have the time and man-power to handle such an operation. Small firms and start-ups will need to think critically about what risks they're willing to accept and how much time and money they will need to invest in preventative measures when planning their operations.
Luckily, Titan Tech has a long history of working with small firms and non-profits who lack the resources of large corporations. They can create a comprehensive plan to mitigate security risks and make recommendations on viable security measures, even for organizations with slim budgets. Feel free to reach out to them if you would like to know more.
And join us next week for more tech news.