There is one simple thing you absolutely need to do about all the services you use (or at least the ones you think are crucial) is enable double factor authentication, also known as 2FA. The concept is simple, once activated, in addition to your password, you will be asked for a unique code valid for a limited time. This unique code is sometimes sent by email, sometimes by SMS, and sometimes available in a dedicated application just that. In case of the two factor authentication/ this is a very important factor now.
But if I write this article today, it is to discourage you from using dual factor authentication other than with a dedicated application. And we will explain why.
Let’s take the example of the mailbox first. If someone takes control of your mailbox, he can do everything, including reset your passwords on all your favorite sites and when a 2FA code will be asked, he will receive it directly by email. So that or nothing is almost the same thing.
Is the 2FA code received by SMS more convenient and most people choose. Just access a SIM with its number and it’s good. Obviously, the day you suddenly change phone number, you have it in the bone. And there, it will depend on the sites. For some, it will be dead and lose your account forever. For other, there will always be a way to recover a password and blow the 2FA (but what good is it to put this protection in this case?) And in other cases, access can be made to you , but all the data in your account will be erased which can also be problematic.
Why?
Well for 2 reasons
The first is that some have found a way to exploit a flaw in the SS7 protocol of mobile networks to hijack SMS. As this article explains, people were looted their bank account just like that because of this loophole.
But it is not necessary to go so far in the technique when we can rely on the negligence of our telephone operators (and that’s the second reason). Indeed, I often see articles or tweets that explain that a criminal cheated the call center of an operator to be sent a copy of the SIM card of his victim and thus steal money.
Where are we staying?
Well, the last option is an application that generates 2FA codes on the fly. And without being foolproof, it’s already a little beefier, because if someone wants to access your accounts, it will, in addition to recovering your password, you steal your phone and know the code to unlock it. Of course, if you have not set any lock security on your smartphone, your 2FA application does not claim a PIN or password and, in addition, your website passwords are saved in your browser. We cannot do anything for you. Limit, you deserve to have your bank account looted.
Note that when you enable dual factor authentication for use with an app, you must be very cautious. Indeed, the site will provide you with a key or a QR code that must be kept safe somewhere so that if you lose your phone or you format it, you can still access your account.