Best Practice for Password Safety in eCommerce, Part 2: Two-Factor Authentication

Lokte
6 min read · Apr 20, 2021

We continue our two-part series on the importance of password hygiene on the premise that one of your passwords has been compromised (find part one here). This is where our second security heavy hitter comes in: two-factor authentication. Two-factor authentication is simply a second piece of information required in addition to a password, such as a PIN code, a hardware token, or a fingerprint scan. This second layer ensures that even if someone obtains your login credentials, it is highly unlikely they will also obtain the second factor.

Remember: if you remove the human element from your "security equation," you eliminate the possibility of human error on your part.

In general, people who use simpler passwords understand that their password may not be difficult to guess, but they fail to consider how dangerous it is to reuse identical login credentials in several places online. If a bad actor gains access to your blog, it may not seem like a big deal. It becomes highly dangerous when those same credentials also grant them access to your PayPal and your bank account; remember, online criminals use automated tools to check whether stolen login credentials work anywhere else online.

In this article, we look at the best way to put two-factor authentication to work for your security, and for the safety of your online business.

General guide for two-factor authentication

We found that 2fa.directory is a fantastic resource that lists websites by category, then by whether or not they support two-factor authentication, and if so, of what kind. The first three categories are self-explanatory: SMS, phone call, and email. The last two, hardware token and software token, you may be less familiar with, but they are considered the most secure.

A hardware token, or hardware key, is a physical device, such as a YubiKey, which contains a unique identifier. A software token is an authenticator application on your mobile device that generates codes offline.

Why two-factor authentication via SMS/text message is a bad idea

While enabling two-factor authentication to deliver a PIN code via SMS is quite common, with many smartphones autofilling the delivered code into the website, it is actually not very safe in practice. Unfortunately, it is possible for criminals to port your mobile phone number to a device they control. If they obtain control of your phone number, they acquire both factors needed to log into your account(s). Read about journalist Matthew Miller's harrowing experience, in which a hacker convinced his mobile phone provider to hand over his phone number, unbelievably, twice in one week.

While two-factor authentication via SMS is simple and convenient, it is no longer considered a secure method in the world of online security.

Instead, go for an offline authenticator, such as Authy. The authorization code is not delivered to your phone over the network; instead, it is generated on the device and appears in your Authy app. This means that the code is stored on and tied to your physical phone; the only way for someone to obtain your second layer of security is to physically steal your mobile phone AND retrieve its contents. In this case, your third factor of security is keeping your physical phone safe and locked with a password.

How human error can thwart two-factor authentication

No security system is ever 100% secure. Here are some ways that human error can cause two-factor authentication to fail:

Phishing scams or technical support scams: In these scams, bad actors pose as technical support employees and use social engineering techniques to convince the target either to provide login details or to grant remote access to their device. An example is a perpetrator calling a target under the pretense of calling from their bank. When you receive such a call, the easiest way to vet the caller is to state that, for your own security, you will call the bank back yourself.

Man-in-the-middle attacks: In this type of attack, malicious browser extensions containing spyware collect the two-factor authentication information directly from within your browser, along with any other sensitive data of interest to the bad actor behind the scheme. A browser extension generally receives full access to the browser session and to everything displayed on the screen. That is why it is important to be wary of browser extensions, and of allowing your employees to install them.

Fraudulent two-factor authentication pages or pop-ups: Just as a physical scam sees a perpetrator placing skimming hardware on top of a card reader at an ATM, a bad actor online can simply fabricate a fake pop-up to capture your two-factor authentication information. While you cannot really verify the authenticity of the pop-up itself, it is easy to protect yourself by ensuring you are visiting the correct website (many fraudsters create mirror websites with almost identical names; think Goolge.com instead of Google.com). Also vet the websites you visit by checking the SSL certificate: click on it to confirm that it is issued to the correct website. Remember, just because there is a lock symbol does not mean it is the legitimate website.

Fake security alerts: These fraudulent alerts urge victims to reset their passwords because of a supposed security breach. Bad actors capture login credentials and two-factor authentication information using this method. Always remain vigilant when receiving such alerts: check the sender's email address to ensure it is legitimate.

The potential aftermath of a compromised account linked to your eCommerce business

It might not be catastrophic if a bad actor were to locate an API key for a mailing system like Mailchimp in leftover developer code. Even so, leaking personal data is a major issue from a personal data protection perspective. Debugging and leftover code in general are often dismissed as non-critical; however, they may contain sensitive data, and a regular security audit is highly recommended to ensure no sensitive data is left lying around. If you reuse that key in other places, however, the ramifications of an online criminal accessing several accounts linked to your online business far outweigh the convenience of easy login details.

Another scenario: an employee uses a simple password locally on their personal computer to access their employer's systems, which contain company secrets. If anyone gets hold of this one simple password, the company could suffer massive financial loss from a data breach, depending on the size of the company and the severity of the breach. If the employee had been required to use a password manager, the situation could have been avoided altogether.

Security is an inconvenience, but it is proactive protection

Security is an inconvenience, but it is supposed to be complex. Even if it sometimes seems as if security is a hindrance to efficiency, it is actually the other way around. Security is akin to the brakes in your car: they are what allow you to go faster, take fast turns, and stop when needed.

Taking precautions means adding an extra step here or there, but it’s absolutely necessary to protect yourself, your customers, and your business. It would be very easy and comfortable to not have to install locks on the front door of your house, or security cameras, or a doorbell camera; but they proactively protect us, and give us peace of mind. And in the case of an attack, they are well worth the effort.

Be sure to check Lokte’s security services offering to determine whether your eCommerce solution is due for expert assessment.
