Where are your weak links? Photo: Karl Hilzinger
The term “two-factor authentication” might draw a blank for many people, but nearly everyone has used it at an ATM. To gain access to an account, a person must have something, like a card, and know another thing, like a passcode.
They’re standard hoops to access financial information but activating a “second factor” on a web-based email account is often considered too troublesome, especially for personal email accounts.
Google has made it easier to do by offering Gmail users an option to receive a one-time password on their mobile phone by SMS. The password is then used to log in to their account. Another option is to install its application Authenticator, which generates a unique password on the smartphone rather than relying on a mobile network.
The problem is that many people won’t tolerate this additional step, Paul Ducklin, head of technology at security vendor Sophos, told ITPro.
“People are happy to have a token for their banking, because it’s their money. They’re tolerant of a token for work, because they don’t have much choice in the matter. After that, why bother?”
However, two recent hacking cases highlight how personal email security can affect overall business security through tiny weaknesses that people unwittingly build into their accounts.
Earlier this year hackers used Google’s Gmail account recovery features to take control of the corporate email of Matthew Prince, the CEO and founder of US website accelerator service, CloudFlare.
The company runs its email accounts on Google Apps, and the hackers used Prince’s account to alter the website settings of a customer so that visitors to that customer’s website were redirected to a site of the hackers’ choosing.
The damage was limited, but it caused concern amongst customers that financial details had also been compromised in the breach. What Prince did not consider when setting up his corporate Google Apps email account was that his personal Gmail account was a weak point in his company’s security.
“Before this incident, I hadn’t thought clearly about how the various accounts in my life were linked together,” Prince told ITPro. “People underestimate the importance of their email accounts, yet email is the skeleton key to much of the rest of your life.”
The weakness stemmed from Prince choosing his personal Gmail address as the account recovery option for his corporate address.
“I didn’t think much of it because there wasn’t anything particularly interesting that I received in it. However, because that account was linked with a number of other more important accounts in my life, once hackers were able to access it they were able to use that access to gain access to other services.”
The hackers knocked over the first barrier by adding a fraudulent recovery address to that personal Gmail account. With control of it, they could begin the process of breaking into his corporate account.
Had Prince activated two-factor authentication for his personal Gmail account, it is less likely they could have begun to attack his corporate account.
Prince had enabled the additional security measure for his corporate account; however, there was a weakness in his set-up. Because he elected to have the one-time password sent to his phone via a voice service, it was exposed to security weaknesses in his mobile provider: his voicemail was breached, and the hacker was able to listen to the passwords sent to his phone.
That’s one reason why companies that use Google Apps should install its Authenticator app and not rely on SMS two-factor authentication, said Prince, who has required all his staff to install the application.
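The chain the article describes (personal recovery address, then corporate account, then customer settings) can be reasoned about as a small graph. The following is an added example, not code from the article, CloudFlare or Google; it assumes, based on the two cases above, that a reset through a recovery link succeeds when the target’s second factor is absent or delivered over SMS or voice, and that an authenticator app stops the chain. Account names and factors are constructed sample data.

```python
from dataclasses import dataclass, field, replace

# Factors the article shows being bypassed (none, SMS via operator redirect,
# voice via voicemail). Treating an authenticator app as blocking is an assumption.
WEAK_FACTORS = {"none", "sms", "voice"}

@dataclass
class Account:
    name: str
    second_factor: str = "none"
    # Accounts whose holder can reset or control this one (recovery address, admin).
    resettable_from: list = field(default_factory=list)

def reset_graph(accounts):
    """Map each account to the accounts it can reset (edges in the attacker's direction)."""
    graph = {a.name: [] for a in accounts}
    for a in accounts:
        for src in a.resettable_from:
            graph.setdefault(src, []).append(a.name)
    return graph

def blast_radius(accounts, start):
    """Accounts an attacker holding `start` can take over by chaining resets."""
    by_name = {a.name: a for a in accounts}
    graph = reset_graph(accounts)
    taken, stack = set(), [start]
    while stack:
        for nxt in graph.get(stack.pop(), []):
            # A strong second factor on the target blocks this hop.
            if nxt not in taken and by_name[nxt].second_factor in WEAK_FACTORS:
                taken.add(nxt)
                stack.append(nxt)
    return taken

def weak_links(accounts):
    """Weakly protected accounts whose compromise cascades to at least one other."""
    return sorted(a.name for a in accounts
                  if a.second_factor in WEAK_FACTORS and blast_radius(accounts, a.name))

def with_factor(accounts, name, factor):
    """Copy of `accounts` with one account's second factor changed (for what-if checks)."""
    return [replace(a, second_factor=factor) if a.name == name else a for a in accounts]

# Constructed sample mirroring the CloudFlare case: the personal Gmail address is the
# recovery option for the corporate account, which in turn controls customer settings.
ACCOUNTS = [
    Account("personal-gmail", "none"),
    Account("corporate-google-apps", "voice", ["personal-gmail"]),
    Account("customer-site-settings", "none", ["corporate-google-apps"]),
]
```

Running `weak_links(ACCOUNTS)` flags both the personal and corporate accounts; switching the corporate account to an authenticator with `with_factor` empties the blast radius from the personal address.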
“An operator could, potentially, be tricked into redirecting all traffic — including text messages — to another number as well,” said Prince.
Last week, Wired journalist Mat Honan reflected on a strikingly similar hack that led to the destruction of over a year’s worth of records on his iPhone, iPad and MacBook. His attackers were able to do this after gaining access to his Google Gmail account and Apple .Me mailbox, which were gateways to his devices and, in the case of Gmail, to his Twitter accounts.
The hackers did not guess, steal or spy on his passwords but, like Prince’s hackers, broke into both accounts by gaming the password reset processes normally available to users to reclaim a hijacked account.
Honan could not have prevented the hackers from tricking Apple staff into giving them the power to reset his .Me password, but had he activated Google’s Gmail two-factor authentication, the hackers would likely not have been able to go on to hijack his Twitter account and the account of his former employer, the tech title Gizmodo.
“The cascade of compromise led to a business problem from what started as a personal problem,” said Sophos’ Ducklin.