This past week a client had the email account he has used for more than 20 years hijacked on the service provider's mail system, not on his local computer. How the attacker obtained his complex password is unknown. A systems breach at Comcast is one possibility; a phishing message, or a password reused on another site that was breached, are the more common routes.
Within a short period, all of his email from over the years was deleted, his contacts were copied, and bogus emails were sent to everyone in his address book asking for help and directing replies to a look-alike address the scammer had set up.
It took over an hour on the phone with Comcast security to get the password changed, two-factor authentication (2FA) turned on and a passkey set up.
Comcast security was able to recover the majority of his email within a few more hours.
The client then had to send an email to his entire contact list warning them that the earlier message was fraudulent.
Why tell this story? As a word of caution: what was once enough isn't anymore.
Passwords have been around since 1961, when they were added to the first time-sharing computer. As computers got faster, longer and more complex passwords became necessary to keep them from being guessed or cracked.
Now that hackers, crime syndicates and nation-states have the same computing power, complex passwords by themselves are no longer enough.
Password Limitations.
Passwords can be:
- Shared
- Guessed, or
- Stolen, by phishing or in a data breach
Anything that can be copied from you, or from the server that stores it, does not stay secret for long.
Password resets account for up to 40% of helpdesk calls in some industries.
The average cost of a password reset to a business is $70, according to Forrester.
Users juggling many accounts (often 100 or more passwords) create extra risk by reusing passwords, or only slightly varying them, so that one leaked password unlocks several accounts.
2FA is what came next. 2FA stands for two-factor authentication. It is often called two-step verification or multi-factor authentication (MFA); strictly speaking, 2FA is MFA with exactly two factors.
Factors come in three categories, and 2FA combines two of them:
- Something you know: passwords, PINs, answers to security questions, etc.
- Something you have: smartphone, USB drive, smart card, etc.
- Something you are: fingerprint, facial recognition, retina scan, etc.
2FA Limitations:
- user inconvenience
- device dependency (lose the phone and you lose access), and
- vulnerability to phishing: a code from a text message or an authenticator app is just a number, and a fake login page can collect it and pass it to the real site before it expires
It stops a lot of attacks, but not all of them.
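To show concretely why a one-time code can be phished, here is an added example, not from the original newsletter: a working RFC 6238 time-based one-time code in Go, the server-side check with the usual one-step clock-drift window, and a simulated real-time phishing relay. The secret is the published RFC test-vector seed, not a real key, and the timings are constructed for the demonstration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// Step is the TOTP time step in seconds (the RFC 6238 default).
const Step = 30

// HOTP computes an RFC 4226 one-time code: HMAC-SHA1 over the 8-byte big-endian
// counter, dynamically truncated to the requested number of decimal digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	msg := make([]byte, 8)
	binary.BigEndian.PutUint64(msg, counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg)
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP is HOTP with the counter derived from Unix time, as the app on the phone does it.
func TOTP(secret []byte, unix int64) string {
	return HOTP(secret, uint64(unix)/Step, 6)
}

// VerifyTOTP is the server side: it accepts the code for the current step or one step
// either side to tolerate clock drift. Note what it does NOT check: who is submitting
// the code, or which web page the user typed it into. The code is just a number.
func VerifyTOTP(secret []byte, code string, unix int64) bool {
	step := int64(uint64(unix) / Step)
	for d := int64(-1); d <= 1; d++ {
		if step+d < 0 {
			continue
		}
		if hmac.Equal([]byte(HOTP(secret, uint64(step+d), 6)), []byte(code)) {
			return true
		}
	}
	return false
}

// PhishRelay models an adversary-in-the-middle phishing page: the victim types the
// current code into the fake page, and the attacker submits it to the real service
// ten seconds later, still inside the validity window. Returns true if accepted.
func PhishRelay(secret []byte, victimTypesAt int64) bool {
	stolenCode := TOTP(secret, victimTypesAt)              // what the victim's app showed
	return VerifyTOTP(secret, stolenCode, victimTypesAt+10) // replayed by the attacker
}

func main() {
	// Constructed demo secret: the RFC 4226/6238 test-vector seed, not a real key.
	secret := []byte("12345678901234567890")
	fmt.Println("code at t=59:", TOTP(secret, 59))
	fmt.Println("relayed code accepted by the real site:", PhishRelay(secret, 59))
}
```

The relay succeeds because nothing in the code ties it to the site the user meant to log in to; the server can only check that the number matches the shared secret and the clock. Passkeys close exactly this gap, as the next section explains.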
Passkey, what is it?
Unlike passwords (which have to be remembered and typed), passkeys are cryptographic key pairs: the private key stays securely stored on the user's device, and only the public key is stored on the service's server. To log in, the server sends a fresh random challenge; the device signs it with the private key, and the server checks the signature with the stored public key. Nothing that could be replayed or cracked ever crosses the wire, and a breach of the server's database yields only public keys. The signature also covers the website's address, so a look-alike site cannot obtain a signature that the real site will accept.
For example, your hospital's or medical provider's patient portal may tell you that you can log in with either your username/password or a passkey. When you choose the passkey, your device will usually ask for a fingerprint, a face scan or a short PIN (commonly 4-6 digits). That PIN is not a short form of the key and is never sent to the website; it only unlocks the device so it can sign the challenge with the private key. You use the passkey instead of the username/password combination to log in to your account. It is both more convenient and safer.
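The challenge/response just described, as an added example that is not part of the original newsletter: a miniature WebAuthn-style exchange in Go, with the device side (key generation, signing) and the server side (challenge, verification). It simplifies the real protocol in two places: the authenticator data is reduced to the hash of the relying-party ID, and the browser's rule for which credential a page may use is reduced to "the rpID is the page's host name". The names portal.example, portal-login.example and alice are made up for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
)

// clientData mirrors WebAuthn's clientDataJSON: the browser fills in the origin and the
// authenticator signs over it, which binds every assertion to the site it was made for.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator is the user's device: one private key per relying-party ID (rpID),
// generated here and never exported.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

// Register creates a P-256 key pair for rpID and returns only the public half.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// assertionDigest is what gets signed: SHA-256(SHA-256(rpID) || SHA-256(clientDataJSON)),
// i.e. WebAuthn's authenticatorData||clientDataHash with authenticatorData reduced to rpIdHash.
func assertionDigest(rpID string, cdJSON []byte) []byte {
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	return d[:]
}

// GetAssertion models navigator.credentials.get() from a page at origin. The browser derives
// the rpID from the page's own host (simplified from WebAuthn's registrable-suffix rule), so a
// look-alike site can only ask for a credential registered to its own name, which does not exist.
func (a *Authenticator) GetAssertion(origin string, challenge []byte) (cdJSON, sig []byte, err error) {
	u, err := url.Parse(origin)
	if err != nil {
		return nil, nil, err
	}
	rpID := u.Hostname()
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, nil, fmt.Errorf("no passkey registered for %q", rpID)
	}
	cdJSON, err = json.Marshal(clientData{Type: "webauthn.get", Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: origin})
	if err != nil {
		return nil, nil, err
	}
	sig, err = ecdsa.SignASN1(rand.Reader, priv, assertionDigest(rpID, cdJSON))
	return cdJSON, sig, err
}

// RelyingParty is the service. It holds public keys only, so a breach of this table
// gives an attacker nothing to log in with.
type RelyingParty struct {
	Origin, RPID string
	pubs         map[string]*ecdsa.PublicKey // keyed by username
}

func NewRelyingParty(origin, rpID string) *RelyingParty {
	return &RelyingParty{Origin: origin, RPID: rpID, pubs: map[string]*ecdsa.PublicKey{}}
}

func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey) { rp.pubs[user] = pub }

// Verify rejects an assertion whose origin, challenge or signature does not match.
func (rp *RelyingParty) Verify(user string, challenge, cdJSON, sig []byte) bool {
	pub, ok := rp.pubs[user]
	var cd clientData
	if !ok || json.Unmarshal(cdJSON, &cd) != nil {
		return false
	}
	if cd.Type != "webauthn.get" || cd.Origin != rp.Origin || cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) {
		return false
	}
	return ecdsa.VerifyASN1(pub, assertionDigest(rp.RPID, cdJSON), sig)
}

// Login runs one challenge/response from a page at origin. The challenge is fresh random
// bytes that the server must remember and accept only once, which also defeats replay.
func Login(rp *RelyingParty, auth *Authenticator, user, origin string) (bool, error) {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false, err
	}
	cdJSON, sig, err := auth.GetAssertion(origin, challenge)
	if err != nil {
		return false, err
	}
	return rp.Verify(user, challenge, cdJSON, sig), nil
}
```

Enrol a user with `auth.Register(rp.RPID)` followed by `rp.Enroll("alice", pub)`, then call `Login(rp, auth, "alice", "https://portal.example")`: it returns true. Calling `Login` with the origin `https://portal-login.example`, a phishing page relaying the real site's challenge, fails before any signature is produced, because the browser looks up the credential by the page's own host; and even a signed assertion whose origin field is altered afterwards is refused by `Verify`, which compares the origin inside the signed clientData with its own.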
Passkey Limitations:
- Device dependency: the private key lives on the device, so a lost or broken device means lost access unless the passkey is backed up or a second passkey was registered.
- User education and adoption.
- Cross-platform and cross-device issues: a passkey synced through one vendor's password manager may not be available on another vendor's device.
- Recovery and backup.
- Initial setup and management.
- Security concerns: a synced passkey is only as safe as the cloud account it syncs through, and an unlocked stolen device can use it.
- User experience.
Passwords, 2FA and passkeys each lower your chances of being hacked, but there are no guarantees. The cautionary tale at the beginning of this email shows that, and, as you can see above, none of them is foolproof. But they are the best security we have at this time to keep intruders out of our accounts and computer systems.
If you are interested in learning more about securing your computer systems send an email to jnay@jimnay.com. You can also call or text us at 615-443-4842.
All the best,
Jim Nay