Google Eliminated Phishing by Giving All 85,000 Employees USB Security Keys


We’ve all been trained not to give out our passwords, but online criminals are getting ever more clever. Phishing scams have tricked countless people into compromising their online security, and one of the best ways to stop them is two-factor authentication. Even technologically savvy people can be fooled by clever hackers, though. According to Google, it solved the phishing problem by giving everyone a hardware security dongle. The dongles only cost a few bucks, so that’s an amazing deal.

For the unaware, phishing is simply the practice of stealing sensitive account information by posing as a legitimate entity. For example, a password reset email that appears to be from your bank could simply be trying to fool you into entering your login details on a fake page. Spear phishing is a more targeted version where the attackers go after a specific person or group of people. This is something that Google deals with a lot because its employees have access to a wealth of valuable information.

Using two-factor authentication makes it vastly more difficult to break into someone’s account. Logging into an account with two-factor requires something you know (your password) and something you have (usually a single-use code). Google switched to physical security keys in early 2017 as a replacement for code generators or phone alerts. It says none of its 85,000 employees have been successfully phished since. Previously, Googlers used the Google Authenticator app to generate codes for logging into their accounts.


Security keys, like the popular YubiKeys used at Google, utilize the Universal 2nd Factor (U2F) standard to store a unique access token on a small USB device. Simply plug that into your computer, and you can log into your account. There are old-style USB-A versions as well as newer USB Type-C dongles that support both computers and phones. A few even support NFC to wirelessly authenticate on Android phones.

U2F security keys work with many online services like Google, Dropbox, LastPass, GitHub, and more. They work with the Chrome, Firefox, and Opera browsers. For someone to compromise those accounts when secured with the physical key, they need to phish your login details and then steal the key from you in real life. That’s infinitely more difficult than sending clever scam emails from the other side of the world.
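Why phished login details are not enough when a key is required, as an added example (not code from the article or from Google): a simplified model of the U2F login check, in which the browser records the origin of the page being shown and the server rejects any response made for a different origin. HMAC stands in for the ECDSA signature a real key produces, and the class names and example.com / example.net origins are constructed for illustration.

```python
import hashlib, hmac, json, os

class SecurityKey:
    """Toy key: HMAC stands in for the ECDSA signature of a real U2F device."""
    def __init__(self):
        self._master = os.urandom(32)            # secret never leaves the key

    def _site_key(self, origin):                 # a separate credential per site
        return hmac.new(self._master, origin.encode(), hashlib.sha256).digest()

    def register(self, origin):                  # stand-in for the public key
        return self._site_key(origin)

    def sign(self, origin, client_data):
        return hmac.new(self._site_key(origin), client_data, hashlib.sha256).digest()

def browser_assert(key, page_origin, challenge):
    """The browser, not the page, writes the origin actually being displayed."""
    client_data = json.dumps({"challenge": challenge.hex(),
                              "origin": page_origin}, sort_keys=True).encode()
    return client_data, key.sign(page_origin, client_data)

class Server:
    def __init__(self, origin):
        self.origin, self.credential, self.challenge = origin, None, None

    def enroll(self, key):
        self.credential = key.register(self.origin)

    def new_challenge(self):
        self.challenge = os.urandom(16)
        return self.challenge

    def verify(self, client_data, signature):
        pending, self.challenge = self.challenge, None   # challenges are single use
        if pending is None:
            return False
        data = json.loads(client_data)
        expected = hmac.new(self.credential, client_data, hashlib.sha256).digest()
        return (data["origin"] == self.origin
                and data["challenge"] == pending.hex()
                and hmac.compare_digest(expected, signature))

def demo():
    key, server = SecurityKey(), Server("https://accounts.example.com")
    server.enroll(key)
    good = browser_assert(key, server.origin, server.new_challenge())
    genuine = server.verify(*good)
    replayed = server.verify(*good)                       # same response sent again
    # Constructed look-alike origin that forwards the real server's challenge.
    lookalike = browser_assert(key, "https://accounts.example.net", server.new_challenge())
    return genuine, replayed, server.verify(*lookalike)

if __name__ == "__main__":
    print(demo())
```

A six-digit code from an authenticator app carries no such origin, which is why the server cannot tell where the user typed it.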

If you want to start using a security key on your accounts, you can get them for as little as $20.
