Last week, we talked about access management and its role in securing businesses from cyber threats as part of our National Cybersecurity Awareness Month (NCSAM) campaign. Today, we will take you through what’s putting your personal accounts at risk, and share tips from our partners on how to stay better protected.
So let’s start by identifying some of the biggest threats to personal accounts — phishing, SIM swapping, and database leaks.
By using fake websites and emails that look genuine, attackers lure you into providing your login credentials, personally identifiable information (PII), and other private data, such as banking and credit card numbers. This is called phishing. These stolen credentials are used to take over your account. From there, an attacker can lock you out and even compromise your other accounts through password reset flows.
Last year, 51% of respondents in our 2019 State of Password and Authentication Security Behaviors Report said they have experienced a phishing attack on their personal accounts, while 44% experienced one at work.
SIM swap attacks are becoming increasingly more common, particularly for individuals with a lot to lose financially. In these scenarios, the attacker poses as the account holder (usually through various pieces of PII they’ve gathered elsewhere) and convinces your mobile service provider that you are switching from your current phone to another phone. Once complete, the attacker can intercept one-time passcodes (OTP) sent to your mobile phone number now associated with the phone in their possession.
Once this is achieved, the attacker can essentially perform password resets on any of your accounts that leverage text-based (SMS) 2FA. In most cases, if you’re using the same email address for all your accounts, then the attacker really only needs access to your email account after the SIM swap. Here’s a real-life example that cost one individual $100,000.
A database leak occurs when a service provider is breached and the attacker accesses the database of stored user credentials. The information from those databases often end up on the black market for other attackers to use. There are countless examples of database leaks we could reference (hackers stole one billion Yahoo! login credentials in 2016, the Equifax breach affecting 143 million American consumers in 2017). There’s really nothing you can do as the account holder to ensure the service provider is properly storing your password.
You’ve probably been told that the longer and more complex you make your password, the stronger it will be. Sure, long passwords with numbers and symbols are hard to guess, but even the most complex and unique passwords won’t stop attackers when they’ve stolen the account password itself from a poorly protected database. That’s why it’s a good idea to use a different password for each and every account you have. Doing so can limit your risk and exposure in the event a password database of a service you use is breached.
You don’t have to feel defeated or helpless against these attacks, and you can still protect your accounts by simply enabling strong two-factor authentication (2FA) or multi-factor authentication (MFA) across the services you use. There are multiple types of 2FA and MFA — avoid SMS (we explain why here). We believe hardware is not only easy to use, but also stronger given that these attacks are all remote-based. Using hardware security keys, like YubiKeys, require physical possession. Since you’re here reading our blog, we recommend you check out the YubiKey and explore all the services that work with YubiKeys.
Most of us have friends or family members in need of basic account security advice. The trick is figuring out how to help without losing them in the details as you watch their eyes glaze over with boredom or confusion. Below, you’ll find 10 steps that any person can take to protect their personal accounts from the attacks we talked about today. If you feel your personal threat model isn’t addressed by this blog, hang tight! More tips are coming!
10 Steps from Yubico to Protect Your Personal Accounts
1. Get a YubiKey (Hot Tip: We recommend a 2-pack so you have a backup!)
2. Register your YubiKeys with your personal email account(s) (e.g. gmail, Fastmail, Outlook.com or other supported email services)
3. Remove SMS 2FA from your email account(s)
4. Call your mobile service provider, and request a security PIN
5. Get a Password manager (Hot Tip: You can use your new password manager to store your security PIN from your mobile service provider!)
6. Register your YubiKeys as a second factor for your password manager
7. Store all of your account passwords in your password manager
8. Make sure you reset each account’s password to be unique (Hot Tip: Most password managers have a password generator feature!)
9. Download Yubico Authenticator to all of your devices to use with accounts that support authenticator apps (Hot Tip: Find registration instructions for your favorite services in our Works with YubiKey Catalog!)
10. Enable 2FA/MFA and enroll your YubiKeys on all of your accounts
Through the years, we’ve developed software and hardware 2FA solutions to better protect users online. We’ve been fortunate enough to forge partnerships with global leaders in password management, browsers and platforms, cloud services, and many more, as part of our Works with YubiKey Program. Check out some awesome tips from our partners below.
“2FA, plus a password manager, is the best way to protect your data. If someone were to learn your password for an account, they’d need that second factor to access it, making account takeover much less likely.” – Jeff Shiner, CEO, 1Password
“Sensitive accounts like banking, email, and social media warrant an additional layer of protection. Having strong, unique passwords for every account is a necessary first step in securing our digital lives.” – Emmanuel Schalit, Co-Founder & CEO, Dashlane
“Cryptocurrency is built on the fundamental promises of security and freedom. To deliver on these promises, people need to be in control of their security, and have the opportunity to choose the measures that suit their needs.” – Mike Rymanov, CEO, DSX
“Don’t give attackers a single target. Use a different password everywhere, a different email address or alias with subscriptions, and protect your accounts with a hardware authenticator. Your other accounts won’t be at risk in the event one account is compromised.” – Ricardo Signes, CTO, Fastmail
“It’s a great time to get cyber-checked. With data breaches becoming more frequent, one of the most basic precautions is to use strong, unique passwords for every account along with 2FA. That is the first step towards protecting yourself against account takeover.” – Craig Lurey, CTO, Keeper
If you don’t see the service you use on our catalog, ask them to implement strong authentication with the YubiKey by tweeting at them to add support.