2-Factor Authentication, and other Security Features
Several months ago, when I conceived this series, I never thought I would need to address aspects of account security like strong passwords or two-factor authentication.
My belief was that people were already familiar with them, or that there were already so many articles on them, and to an extent I was right.
Then came the coronavirus: a dreaded virus to the common man, but the perfect opportunity for cyber criminals to target unsuspecting internet users with social engineering attacks.
These attacks have been used to hijack accounts, steal credentials, commit fraud, and so on. This article focuses on simple security features that help prevent account hijacking, identity theft and Business Email Compromise (BEC) scams. As is my practice, I'll give examples using Twitter, Instagram and LinkedIn; similar features exist across the board.
Multi-Factor Authentication (MFA) requires users to present two or more independent factors to authenticate themselves. The factors are:
- Something you are: biometrics, e.g. a fingerprint
- Something you have: a token, such as a hardware token or a phone that receives or generates codes
- Something you know: a passcode, password or passphrase
Two-factor authentication (2FA) requires users to provide any two of the three factors above in order to gain access to an account or authorise a transaction. Note that two items of the same kind (a password plus a PIN, for instance) are still only one factor. A familiar example is the token issued by our banks, which generates a code used to authorise a banking transaction after the user has provided a username and password.
Why is it Necessary?
It gives your account another layer of security. If an attacker gets your username and password and tries to log in on a new device, they are prompted for a verification code, typically sent to the phone number registered to the account or generated by an authenticator app on your phone. The attacker therefore also needs to steal or gain access to your phone in order to log into your account. Codes sent by text message are the weakest option: they can be redirected by SIM-swap fraud or phished along with the password, so prefer an authentication app or a hardware security key where the platform offers one.
Unfortunately, 2FA is not enabled by default on most platforms. To enable it on Twitter, follow these steps:
- Log in to your account.
- Go to 'Settings and privacy' and select 'Account' (sample page shown in the image below).
- Select 'Security', then 'Two-factor authentication'. This gives you the options for where to receive the authentication code when logging in (view image below).
- Select one and follow the prompts. Most people choose text message because it works on any phone and with any service provider.
- Note that you can disable 2FA later, but this is not recommended.
When you are done setting up 2FA on the account, you will notice a tab on the ‘Security’ page called ‘Additional Methods’, which houses ‘Backup Codes’ and ‘Password Reset Protect’. Let’s discuss those additional methods and a few other security features across platforms that are frequently ignored.
A backup code is useful when, for one reason or another, you cannot access your 2FA method (a lost or replaced phone, or no signal). I strongly suggest you generate this code and store it securely: in a password manager, or written down and kept somewhere safe offline. Do not keep it in your contact list or in an unencrypted cloud note, because anyone who gets into your phone or cloud account can then bypass your 2FA with it. Each backup code works only once, so generate a fresh set after you use one. This feature may not be available on all platforms, but it is available on Instagram as 'Recovery Codes'. [This is shown in figure 3 above]
Password Reset Protect is a security feature that requires you to confirm the email address or phone number on the account before your Twitter password can be reset. This means that anyone who tries to reset your account password must know, and have access to, the email address or phone number linked to your account. [This is shown in figure 2 above]
Emails from Instagram is a section in your Instagram account settings that lists the emails Instagram has sent you in the last 14 days. It has two tabs: Security, for security and login related emails, and Other, for everything else Instagram sends. This makes it easy to identify fake emails from cybercriminals pretending to be Instagram: if a message claiming to be from Instagram does not appear in this list, Instagram did not send it. This neglected feature helps prevent identity theft and account hijacking, as users are less likely to give criminals their login credentials. Go to [Settings > Security > Emails From Instagram] to view them.
On LinkedIn, some neglected features include:
- App lock: lets you lock the app with a code or biometrics.
- Permitted services: lists the third-party services that have access to your account; revoke any you no longer use.
- Where you're signed in: shows the devices and locations where your account is currently logged in, and lets you sign out of the ones you do not recognise.
- Two-step verification (LinkedIn's name for 2FA), and so on.
Login notifications, to the best of my knowledge, are enabled by default on a number of platforms, especially email providers. They inform you whenever someone successfully logs into your account. If you ever get one, first verify that it is legitimate by checking for the phishing identifiers listed below. If the mail is legitimate but you did not log into your account, change your password immediately and enable 2FA if you haven't done so. Similarly, if you receive a 2FA text containing a login code when you are not logging in, someone already has your password and is trying to log in: change the password straight away, and never give the code to anyone who calls or messages asking for it, since that is exactly how attackers get past 2FA.
For those who do not know, some phishing identifiers are:
- Mail sent to multiple recipients, or with others in 'cc' or 'bcc', when the service would normally write to you alone.
- Generic salutations like 'Dear customer' or 'Dear user' that do not bear your name.
- The sender's real email address, revealed by clicking on the sender name, does not match the organisation's domain.
- Text urging you to act swiftly, or else.
- Links whose visible text differs from the address shown when you hover over them.
- Grammatical errors and poor formatting.
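The same identifiers applied mechanically, as an added example that is not part of the original article: a Python checker that parses an email and reports each indicator it finds. The two sample messages, the recipient names and the 'service.example' domains are constructed for this example; when adapting it, put the domains the real service actually sends from and links to in TRUSTED_DOMAINS. Grammar and formatting are left to the human reader.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses, parseaddr

# Constructed for this example: the domains the (fictional) service really
# sends from and links to. Replace with the real service's domains when adapting.
TRUSTED_DOMAINS = {"service.example"}

GENERIC_SALUTATION = re.compile(
    r"^\s*(dear|hello|hi)\s+(customer|user|member|account holder|valued \w+)\s*[,!.]?\s*$",
    re.IGNORECASE | re.MULTILINE)
URGENCY = re.compile(
    r"\b(immediately|within \d+ hours|urgent(?:ly)?|act now|"
    r"will be (?:suspended|locked|closed|terminated))\b", re.IGNORECASE)
URL_HOST = re.compile(r"""https?://([^/\s"'<>]+)""", re.IGNORECASE)


def _is_trusted(host: str, trusted: set) -> bool:
    """True if host is a trusted domain or a subdomain of one (port ignored)."""
    host = host.split(":")[0].lower()
    return any(host == d or host.endswith("." + d) for d in trusted)


def _text_body(msg: Message) -> str:
    """Collect the text/plain parts of a (possibly multipart) message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def phishing_indicators(raw_message: str, trusted: set = TRUSTED_DOMAINS) -> list:
    """Return a human-readable list of the phishing indicators found in raw_message.
    An empty list means none of the checks fired, not that the mail is safe."""
    msg = message_from_string(raw_message)
    flags = []

    # 1. Who actually sent it: the address behind the display name.
    _display, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    if not _is_trusted(sender_domain, trusted):
        flags.append("sender address '%s' is not on a domain the service uses" % sender)

    # 2. Account mail goes to one person; bulk addressing or cc/bcc is a tell.
    recipients = getaddresses(
        msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", []))
    if len(recipients) > 1 or msg.get("Cc") or msg.get("Bcc"):
        flags.append("addressed to %d recipients" % len(recipients))

    text = (msg.get("Subject", "") or "") + "\n" + _text_body(msg)

    # 3. Generic salutation instead of your name.
    if GENERIC_SALUTATION.search(text):
        flags.append("generic salutation instead of your name")

    # 4. Pressure to act quickly, or else.
    hit = URGENCY.search(text)
    if hit:
        flags.append("pressure to act quickly: '%s'" % hit.group(0))

    # 5. Links that lead somewhere other than the service.
    for host in URL_HOST.findall(text):
        if not _is_trusted(host, trusted):
            flags.append("link points to untrusted host '%s'" % host.split(":")[0].lower())

    return flags


# Constructed sample messages for the example (not real mail).
PHISHING_SAMPLE = """From: "Service Security" <security@service-verify.example>
To: ada@example.net
Cc: obi@example.net
Subject: Your account will be suspended

Dear user,

We detected unusual activity on your account. Verify your identity within 24 hours
or your account will be suspended: https://service-verify.example/login
"""

LEGIT_SAMPLE = """From: "Service" <no-reply@mail.service.example>
To: ada@example.net
Subject: New login to your account

Hi Ada,

A new login to your account was made from a Chrome browser in Lagos.
If this was not you, review your settings at https://service.example/settings/security
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGIT_SAMPLE)):
        print(label, phishing_indicators(sample))
```

The constructed phishing sample trips all five checks; the constructed legitimate one trips none. The sender and link checks are the ones worth the most attention, since a display name can say anything but the address and the link target cannot be hidden from someone who looks.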
As a general rule, do not click on links or download attachments in emails unless it is a mail you are expecting and you have confirmed that it came from the sender you expected it from. This matters because known contacts can be hacked and used to spread malicious attachments and links. Such attacks are highly successful because most people already trust the sender and transfer that trust to the content of the mail.
Taking over an account this way is typically referred to as account hijacking; when a hijacked (or convincingly spoofed) corporate email account is used to trick staff or business partners into paying invoices or handing over data, it is called Business Email Compromise (BEC). An easy way to counter it is to verify the request through another channel, such as a phone call to a number you already have (not one taken from the suspicious email) or in person. As security people say, "Trust but verify".
In conclusion, please check your account information to confirm that your phone number, email address and the like are correct, since these are what password recovery and 2FA depend on. Take this as an opportunity to change your account password if you haven't done so in the last six months, and especially if you reuse it on other sites. Some of the security features covered in this article bear a different name on other platforms, so look around for them. As you have realised by now, your account security is your responsibility, so take it seriously.
Lastly, take some time to go through the features and settings of whatever app or platform you use, in order to figure out how best to secure your account while enjoying the service.
Feel free to contact me if you have any issue with your personal account security or other cyber related matters, but also remember that Google is your friend.
To stay up to date with cyber security threats and countermeasures, follow the Cyber Security Experts Association of Nigeria (CSEAN) on Twitter & Facebook @cyberexpertsng, Instagram @cyberexperts.ng and LinkedIn.
I don’t know if there will be a part 3 of this social media security series, but be on the lookout.
Read Social media security series part 1 here.
Samaila Bako is a Cyber Security Awareness Trainer who is passionate about digital forensics, social engineering, and device security. He is a certified ethical hacker who is interested in how emerging technologies like the Internet of Things, Cloud and Artificial Intelligence affect the size and safety of data.
Twitter – @atsen_