Maria Lima

Manager of Special Projects

Phishing: How They Almost Got Me This Time

Cybercriminals are getting better…and a lot more sneaky.

Face it, I’m totally paranoid. I keep all my logins in a password manager. I use two-factor authentication wherever it’s available. And yet…

I totally almost fell for a phishing attempt a few days ago. At first, second and third views of this email, it seemed totally legit that it came from Apple support.

[Screenshot of the phishing email]

My first reaction was wracking my brain to remember when the last time I did any telephone support at Apple. The fact that I could not remember anything more recent than a year or so ago raised red flags.

So instead of taking the “survey,” I Googled and discovered that this was probably phishing. I forwarded the email to Apple’s reportphishing account.

Why this was such a good attempt:

  • Apple branding was on point
  • All the links at the bottom of the email seemed to be right

The sneaky thing that I should’ve checked right away: hovering over the survey link showed that the URL went to c.apple.com. When I checked that domain name against WHOIS I found that it’s registered to a company called capple.com. So, yeah, not Apple.

Moral of the story: It might actually look real – no misspellings, no weird graphics. Be aware and be careful!
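The hover check above comes down to one question: is the link’s host the brand’s domain, or a subdomain of it, on a DNS label boundary? The following is an added example (not code from the post or from Apple) that answers that question; the sample links are constructed for illustration and are not the actual URLs from the email.

```python
from urllib.parse import urlsplit

# Constructed sample links (not from the phishing email). The value is the
# verdict we expect for the brand domain apple.com.
SAMPLE_LINKS = {
    "https://capple.com/survey": False,             # lookalike: no dot before "apple.com"
    "https://apple.com.capple.com/survey": False,   # brand name used as a subdomain elsewhere
    "https://apple.com@capple.com/survey": False,   # userinfo before "@": real host is capple.com
    "https://c.apple.com/survey": True,             # a genuine subdomain of apple.com
    "https://www.apple.com/support": True,
}


def link_host(url: str) -> str:
    """Return the host a link really points at, ignoring userinfo, port and path."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def belongs_to(url: str, expected_domain: str) -> bool:
    """True only if the link's host is expected_domain or one of its subdomains.

    Plain substring matching is not enough: "capple.com" contains "apple.com",
    so the comparison is anchored on a label boundary (a leading dot).
    """
    host = link_host(url)
    expected = expected_domain.lower().strip(".")
    return host == expected or host.endswith("." + expected)


def check_links(links, expected_domain: str) -> dict:
    """Verdict per link, for a quick pass over every URL in a message."""
    return {url: belongs_to(url, expected_domain) for url in links}
```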

Maria Lima

Manager of Special Projects

Doing the Two-Step…Verification, that is

Have you seen those commercials about identity theft – you know, the ones where a petite woman is shopping, but in reality, it’s some bruiser of a guy who’s stolen her identity. Funny, right? Only, not really.

In today’s online world, keeping yourself safe isn’t as easy as having passwords to your accounts. Sure, you can use password management software (LastPass, 1Password, etc.) and have a unique, complicated password for each website, but is that enough?

Not anymore.

Passwords are only the first step in keeping that gate closed. They are a single point of failure. If someone can guess (or get access to) your password, then Burly Guy is now pretending to be you and going on a shopping spree at Best Buy.

What do you do?

[Image: hand holding a smartphone]

As with guarding your car against thieves, you want to have double protection. You lock your car and have an anti-theft system, right? To achieve this online, you should adopt two-step verification (sometimes called two-factor authentication or 2FA). It’s a much more secure solution than just passwords.

A good example of this is your ATM card – you have the card (1 step) and you have a PIN (2nd step). If you lose your card, unless you wrote the PIN on the card itself, it’s highly unlikely that someone can use the card to withdraw cash.

That’s the point of 2FA – make it harder for potential online thieves to access your accounts.

Using Two-Step Verification

Setting up 2FA is done individually for each account and many online services offer it as a matter of course. Google, Twitter, Facebook and more are prime examples. These are all high-level targets of cyber thieves.

To set up the two-step verification, simply follow the directions provided by your online service. Usually, it’s as simple as providing a mobile phone number. The service then uses your phone to text you when you log in. They’ll send a text message with a unique code (usually a string of numbers), which you then enter after log in. Simple, right?

So, what are you waiting for? Go on, log in to your accounts and set it up. It’s an easy way to throw up another barrier to cyber criminals.

For more information:

Two-factor authentication: What you need to know (FAQ)
Here’s Everywhere You Should Enable Two-Factor Authentication Right Now

Rich Frangiamore

Systems Admin

Pro Tip: Security is great, but make sure you’re not locked out

Recently, I changed my mobile number to try and alleviate phone spam. Luckily, since I use Google Voice, I have the freedom to do this. Unfortunately, I completely forgot about one thing… my Twitter “Login Verification” was set to text to the old number. (This was the case because they have trouble sending SMS to GV numbers.)

D’oh.

So, once my number changed, I came to the sick realization that I’d lost the ability to log in to my Twitter account. It took 3+ weeks to get @support to reply to my ticket. For a while, I thought my account was lost forever. Luckily, I still had a couple of clients which were pre-authorized (Plume on my Nexus 4 and MetroTwit on my W8 desktop). This was enough to verify the ownership of my account, and I’m almost back in business.

Lesson here:
Always, always, keep a key under the rock. The key in this case is what they call “backup codes”. I *thought* I saved this in LastPass, but could not find it when I needed it.

Google 2-factor authentication will generate a set of backup codes, numbered 1 to 10. If you lose access to your Google Authenticator, when prompted, you are required to type in the correct code. Other services like Facebook have a similar method which requires the mobile app.

The secret? Store your emergency backup codes in an account that does NOT depend on any other services to get in. Get an Outlook.com or other account which has a simple login, and use it for nothing but storing your rock-keys. You’ll thank yourself when you need it.
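To show what those numbered backup codes are on the service’s side, here is an added example (not Google’s, Twitter’s or Facebook’s implementation): the service shows the user ten random codes once, keeps only salted slow hashes of them, and burns each code the first time it is redeemed. The code count, digit length and iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 10      # assumption: matches the "numbered 1 to 10" list in the post
CODE_DIGITS = 8      # assumption: length of each code
PBKDF2_ROUNDS = 100_000


def generate_backup_codes(count: int = CODE_COUNT) -> list:
    """Create the one-time codes. These are shown to the user exactly once."""
    return [f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}" for _ in range(count)]


def hash_code(code: str, salt: bytes) -> bytes:
    # Slow hash so a stolen database does not hand an attacker usable codes.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)


def store_codes(codes: list) -> dict:
    """What the service keeps: one salt plus one hash per code, never the codes."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hashes": [hash_code(c, salt) for c in codes]}


def redeem_code(store: dict, attempt: str) -> bool:
    """Accept a valid, unused code exactly once; a burned code never works again."""
    digest = hash_code(attempt.strip().replace(" ", ""), store["salt"])
    for i, stored in enumerate(store["hashes"]):
        if stored is not None and hmac.compare_digest(stored, digest):
            store["hashes"][i] = None   # single use: mark it burned
            return True
    return False


def remaining(store: dict) -> int:
    """How many unused codes are left, so the user can be warned to regenerate."""
    return sum(h is not None for h in store["hashes"])
```

The printed list the user saves (in a plain, independent account as the post suggests) is the only copy that exists; once it is gone the service can only issue a fresh set.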

What are your favorite tricks for keeping track of backup codes and other important login info?

Sarah Jedrey

Marketing Coordinator / Video Editor

Prove you’re a human! With games!

One of my jobs is to track down interesting, pertinent articles and reduce them – and their URLs – to Twitter-friendly lengths. To get those links short, I use Ow.ly.

Full disclosure: I chose it because it was easy to remember and, at the time, had the fewest number of steps and sign-ins to go through. Lazy? Yes. I’m human.

[Screenshot of the test]

But I recently went through my URL-shortening routine and discovered that the normal CAPTCHA – those little boxes of text that look like someone scanned a photocopy of a water-damaged book printed in the 1630s – wasn’t there! Instead, you just have to click “Shrink it!”

What pops up then is an interesting intersection of gamification, tech security, and a possible accessibility nightmare. A randomized, simple game shows up in which you drag the appropriate animated image to a predetermined spot. “Make lemonade”, the game requests, and if you drag the lemon and the ice – but not the basketball – to the pitcher, you have proven you’re a human. Your reward is the shortened URL.

Now, I’m not a big CAPTCHA hater. I’m quite good at deciphering the blurry letters and the s that looks like an f – again, text from the 1600s – and it never is unduly time-consuming for me to use the traditional CAPTCHA. However, if I remember correctly, computers are getting better at making the same distinctions I find so simple, and security folks have been scrambling for a good way for humans to prove their humanity without enraging every one of them. So I see why they upgraded their methods and made sure those upgrades were in a game form.

Matrix staffers tried it out, and most were conservatively positive about it. Oh, one person didn’t mind, and another loathed it, but most saw that this new method could be effective with a few tweaks. I’m mainly concerned about accessibility; there is an accessibility icon a user may click to get a different task, but since I’m able-bodied, I don’t think I’m in a position to judge.

You should go try it out.

Tell us what you think about Ow.ly’s replacing CAPTCHA with its new game.

Jason Stevens

Director of Software Engineering

Too Many Passwords to Remember? Use a Password Manager.

Markus Jakobsson wrote an interesting article for Wired recently debunking some common myths about password security. He argues that longer passwords that are easy to remember are actually more secure than the shorter, more complex passwords that many systems enforce. It’s worth a read:

Fighting Hackers: Everything You’ve Been Told About Passwords Is Wrong

I think Jakobsson’s argument misses one point: even if passwords are memorable, most people have far too many to actually remember them.

Password managers are the answer to this situation. These are programs on your phone, desktop or web that remember usernames and passwords for you. You only need to remember one password, the one for your password manager.

Let me describe how this works. When I come to a login form on the web, I press a key combination to bring up my password manager. If I haven’t already unlocked my password manager it will ask for the master password. Afterwards it looks up the credentials for the site I’m on, fills in the username and password fields and logs me into the site. Once the password manager is unlocked then I can log into any site with a single key combination. (Don’t worry, it’s much faster than it sounds!)

Some password managers are applications that run on desktops, tablets or phones. These usually store usernames and passwords in encrypted files on disk so that the information is secure in case the device is stolen. Other password managers are web based, storing that same encrypted information out in the cloud. Either way these products offer a great combination of security and ease of use.

I’ve been using a password manager called 1Password for several years on my Macs, iPhones and iPads (it’s also available for Windows and Android). The Mac version is fantastic and logging into websites really is as simple as pressing a key combination. On iOS the experience isn’t quite as smooth and requires a copy and paste of the password. 1Password also isn’t cheap; desktop licenses start around $50.

Another very popular password manager around the Matrix office is LastPass. LastPass is web based and should work on any device with internet access. There is no cost to use LastPass, though a $1 per month subscription to the Premium service enables some additional features.

So take a look at the password managers that are out there, pick one and start using it. Not only will it make your online experience easier but more secure as well.

Have you used a password manager you love? Tell us about it.