Attackers use domino effect to compromise your accounts

The two-factor authentication used to "protect" your accounts is often insecure and poses a weak link that can be exploited by attackers.

Data breach after data breach has illustrated just how weak and ineffective passwords can be for protecting accounts and sensitive information. Many sites and services have implemented secondary security protocols and two-factor authentication, but users frequently rely on information and email accounts that can be easily compromised, giving attackers a simple way to access your information.

One common secondary protocol is to have users supply an alternate email address. Sites and services will use the primary email address 99 percent of the time, but if something happens with that email account, or additional verification is necessary to prove you are really you, a message will be sent to the alternate email address. That alternate email address is often a weak link attackers can exploit.

People frequently use a "throw-away" email account created specifically for verification to unlock an account. Securing that account is generally not a high priority, though, because it's not being actively used for email. An attacker may be able to reset the password on that secondary email account, which will enable them to unlock access to your other accounts, and the dominoes will start to fall.

The problem with many of the attempts at two-factor authentication or secondary security questions is they amount to little more than a digital equivalent of "hiding" the key to your front door under the doormat. The additional protection is trivial at best, and the false security fosters unwarranted confidence that personal accounts and data are secure.

"Using 'throw-away' accounts as a second form of authentication is about as effective in protecting your information as putting your password directly into the hands of a hacker," says Jason Hart, CEO of Identiv. "I would never recommend using one of those so-called 'anonymous' accounts and assuming your identity is safe."

TK Keanini, CTO of Lancope, has two pieces of advice for users. First, he suggests using a password management utility to help store and maintain all of those complex passwords that are too challenging for you to remember off the top of your head. Second, Keanini recommends using false information to answer the secondary security questions. "If the question is 'What is the street you grew up on?', make the answer something of nonsense like 'paparazzi strangers.'"

That is excellent advice. Many times the secondary security questions ask for information that you openly share on social networks. Things like your high school mascot or what city you grew up in are not exactly top secret. Using intentionally silly misinformation is a great way to use the secondary security questions to your advantage without making it easier for attackers to gain access to your accounts.

The important thing to remember is that it only takes one weak point to compromise your security. Make sure you give the same consideration to securing your backup email address and the answers to your secondary security questions as you do to protecting the accounts you're using those things to defend.
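The domino effect described above is a transitive trust chain: whoever controls an account's recovery address can reset it, and whatever that account can reset falls next. The following added example (not from the article or the vendors quoted in it) models a constructed, hypothetical set of accounts as a recovery graph and ranks the weakly secured ones by how many other accounts an attacker would unlock by taking them over, which is the check a defender can run over their own account inventory.

```python
from collections import defaultdict

# Constructed sample inventory (hypothetical, not from the article). For each
# account: which account receives its password-reset messages ("recovery"),
# and whether the owner actively secures it (strong password, real 2FA).
ACCOUNTS = {
    "bank":           {"recovery": "primary-mail",   "secured": True},
    "shop":           {"recovery": "primary-mail",   "secured": True},
    "primary-mail":   {"recovery": "throwaway-mail", "secured": True},
    "social":         {"recovery": "throwaway-mail", "secured": False},
    "throwaway-mail": {"recovery": None,             "secured": False},
}


def reset_graph(accounts):
    """Build edges recovery-account -> [accounts it can reset]."""
    graph = defaultdict(list)
    for name, info in accounts.items():
        if info["recovery"]:
            graph[info["recovery"]].append(name)
    return graph


def blast_radius(accounts, start):
    """Every account an attacker reaches by chaining resets from `start`.

    The visited set makes this safe for cycles (two accounts that list each
    other as recovery address would otherwise loop forever).
    """
    graph = reset_graph(accounts)
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(graph[node])
    seen.discard(start)  # report only the accounts that fall *because of* start
    return seen


def weakest_links(accounts):
    """Rank unsecured accounts by how many others fall if they are taken over."""
    ranked = [(name, len(blast_radius(accounts, name)))
              for name, info in accounts.items() if not info["secured"]]
    return sorted(ranked, key=lambda pair: -pair[1])


if __name__ == "__main__":
    for name, count in weakest_links(ACCOUNTS):
        print(f"{name}: compromising it unlocks {count} other account(s)")
```

In the sample inventory the neglected throw-away mailbox, which nobody logs in to, is the single point whose takeover unlocks the bank and shop accounts through the primary mailbox, exactly the chain the article warns about.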


Stories by Tony Bradley