Technology is awesome. When traveling, we can stay connected to the ones we love more than ever.
We can easily send them pictures, communicate with them, and stay connected to our lives back at home. We can pay bills, we can submit expense reports, and we can even feed our puppy treats remotely when we have sitters.
Like I said, technology is awesome.
But this increased technology also comes with risks. When using free wifi, someone could be trying to access the information you are sending from your computer. When using an internet cafe (or even the computer in a hotel lounge), someone could have set up a keylogger to steal your passwords.
I’ve only had my accounts compromised a few times. Now, nothing can save you from accidentally leaving your Facebook open on a computer (ALWAYS LOG OUT), but this could help you keep your account safe–even if your password is compromised.
The answer is enabling something called “Two-factor authentication” (or 2FA). What this means is, websites will require two forms of verification before you log in.
The first is your password. The second is a code that is usually texted to you. This code is unique each time you try to log in from a new location.
If you are afraid of not being able to have codes texted to you in flight, please read this guide to how I use Google Voice to get past that. However, many phones let you receive text messages over WiFi now. My Verizon phone does–so check with your provider before you worry about this too much.
Many websites you access have different ways of turning this on. Luckily, there is a website that lets you access tutorials for most major products.
For example, when I type in Twitter, I get:
After 2FA is enabled, someone cannot access my Twitter account, even if they have my password. They would need my cell phone as well.
I recommend turning this feature on for any account you log into while traveling or while on public computers.
Some companies are making it much easier to use two-factor authentication–for example, Google has been using apps and other easy methods to verify logins.
I was part of one of the recent data breaches and had someone try to log into an account of mine. But I received a phone verification code for the login and knew to change my password immediately.
Bury your money in tin can in backyard?
SMS 2FA is mediocre as a 2FA method: https://krebsonsecurity.com/2016/09/the-limits-of-sms-for-2-factor-authentication/ https://krebsonsecurity.com/2018/02/how-to-fight-mobile-number-port-out-scams/
tl;dr There are two main problems
1) It’s susceptible to phishing attacks – you get a text claiming to be from say Google, saying your account’s been locked out, and you need to reply with the six digit code you’re getting via another text.
2) It’s not terribly difficult for a crook who knows some information about you (especially in the post-Equifax world) to convince your phone company that they’re you, and have your phone number moved to their cell phone.
I will still use SMS 2FA because it’s still better than nothing, but if I’m given an app authenticator option, I will always use that instead (you install an app such as Google Authenticator which generates six digit codes based on the time and a shared secret when you set it up).
And whenever you’re setting up 2FA, you should always make sure to get the one time use backup codes (I don’t think I’ve seen any 2FA that doesn’t offer this) and stick that in your password manager (and if you don’t use a password manager…you should definitely use one!).
There are some services that only offer SMS 2FA. For that I will always use Google Voice, because it’s much more resilient to the number porting attack (you have to log into my Google account to port out my number, and my account is protected with app based 2FA).
What’s stopping the phishers from saying “Please reply with the code found in the Authenticator APP”?
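The app-generated codes described in the comments above (six digits derived from the time and a shared secret) are standardized as TOTP in RFC 6238. The following is an added example, not code from the post or its commenters: it generates a code and verifies it server-side, using the RFC's published test key as sample input; `verify` and its `skew` and `last_counter` parameters are names chosen for illustration.

```python
import hashlib
import hmac
import struct

# Published RFC 4226 / RFC 6238 test key (ASCII), used here as sample input.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over an 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with counter = number of `step`-second intervals since epoch."""
    return hotp(secret, int(now) // step, digits)


def verify(secret, code, now, step=30, skew=1, last_counter=-1):
    """Server side (hypothetical helper): return the matched counter or None.

    Accepts codes from `skew` steps either side of the server clock to
    tolerate drift, and never accepts a counter <= last_counter, so a code
    that has already been used cannot be replayed.
    """
    current = int(now) // step
    first = max(current - skew, last_counter + 1, 0)
    for counter in range(first, current + skew + 1):
        # Constant-time comparison of the expected and submitted digits.
        if hmac.compare_digest(hotp(secret, counter).encode(), code.encode()):
            return counter
    return None


if __name__ == "__main__":
    code = totp(RFC_TEST_SECRET, 59)               # phone clock at t=59s
    used = verify(RFC_TEST_SECRET, code, now=75)   # server clock 16s ahead
    print("code", code, "accepted for counter", used)
    print("replay:", verify(RFC_TEST_SECRET, code, now=75, last_counter=used))
    print("expired:", verify(RFC_TEST_SECRET, code, now=200))
```

The verifier checks only the submitted digits against its clock, so it cannot tell who typed them; storing the last accepted counter per account limits each code to a single login.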