I’ve always tried to have the most secure mindset when it comes to my passwords. Unfortunately, with the news of the recent LastPass hacks, I had to migrate away from it (over a year ago at this point), but now, with the more serious breach that occurred, I decided to update ALL of my passwords, quite literally over 1,000 of them, in order to maintain that maximum personal and business security mentality. I’ve probably spent 8 hours already just updating passwords, usernames, and 2FA where available.
2FA Availability
That’s the thing that frustrates me at the moment: not all major companies offer two-factor authentication via a true 2FA app (a TOTP authenticator) or, better still, a physical security key such as a YubiKey. Banks are the biggest offenders. They might offer 2FA via a code sent to your phone or email, but, as we all should know, your phone number and your email ARE NOT SECURE EITHER: an SMS or emailed code only proves that whoever is logging in can currently read your texts or your inbox. What do I have to do to get USBank and other major banks to offer the best of the best in security for access to our money?
All it takes is an attacker taking control of your email or SIM jacking your phone number, and presto, they can reset passwords and pass those "verification" checks, giving them access to the rest of your personal information and your money. Quite scary if you ask me.
Now that I’m looking into this, I’m finding that Bank of America (BofA) has the highest online security, including support for YubiKey. That might be everyone’s best bet, especially large targets like whales.
“Whaling is a highly targeted phishing attack – aimed at senior executives – masquerading as a legitimate email. Whaling is digitally enabled fraud through social engineering, designed to encourage victims to perform a secondary action, such as initiating a wire transfer of funds.”
SIM Jacking
Okay, so I don’t have a solution for this. Unfortunately, most carriers allow for a SIM lock (a port-out or number-transfer PIN on the account), but that has its flaws, as someone with enough of your personal information could bypass it over the phone with a telecom customer-service rep.
It would be cool if a startup or a current telecom company just made a high-security mode for your account and the phone numbers linked to it, one that locks a number from being moved to a different SIM without an in-person, double identity verification process. Possibly with fingerprint verification, again in person, to add a barrier to socially engineered methods like SIM jacking.
I think this is essential for everyone, as our lives now live on our phones, and realistically I’ve noticed most people are less secure with their mobile devices than they are with their desktop computers. In the real world your phone and phone number deserve more protection, not less, because they end up being the 2FA step that a malicious entity has to overcome, and currently that is doable with the right attack vectors.
No, seriously: how are these multi-millionaires not terrified that, with their current mindset in cyber-security, when they are targeted they would be hacked in a matter of hours, not days or weeks? That leaves massive financial risk resting on any one of three attack vectors: a compromised email account, a compromised mobile device, or a socially engineered SIM jacking.