3 Security Solutions To Prevent Phishing Attacks
It’s well-known that phishing attacks are a huge threat to all online accounts, both business and personal. To review, here are a few disturbing facts:
- 30% of phishing emails get clicked, as reported by Verizon
- 76% of companies have experienced phishing attacks (Wombat, “State of the Phish 2018”)
- Attacks can cost a mid-sized company an average of $1.6 million according to a study by PhishMe
To fix the problem, let's look at the root issue. What is the main goal of a phishing attack? Hackers want to steal your username and password so they can take over your account. This means that at its root, the vulnerability lies in username-and-password authentication. It’s a static system: the credentials never change, so once they are stolen or leaked, they’re in the hacker’s hands to use as they like.
But this doesn't mean you can't take steps to protect yourself. Here are our top three security solutions to keep your information safe, counting down.
#3: SMS One-Time Password (OTP)
If you've ever been asked to enter a series of digits sent to your phone via text message in order to verify a login, you've used SMS OTP. Implementing SMS OTP adds a dynamic element to an otherwise static password. If a phishing attack succeeds, the attacker may capture your password and your SMS OTP, but the OTP is only valid for a time window set by the company, anywhere from 30 seconds to 1 hour. If the hacker tries to use it outside that window, it is rejected, so a code that is captured but not used in time is useless.
While SMS OTP stops several types of attacks, it’s still vulnerable to many others. In a live, real-time attack, the hacker can use the stolen code immediately, inside its validity window, and gain access. SMS messages can also be intercepted and redirected, and malware on your phone can read OTP codes as they arrive. If you receive the code on the same phone you use to access the application, it defeats the purpose of two-factor authentication, because one compromised device yields both factors. Plus, in terms of convenience, messages can be delayed or never delivered in areas with bad service (hello AT&T, no service). As a result, you might get locked out of your account if you often work in remote areas.
The bottom line: SMS OTP is a simple and convenient way to add extra security to accounts that don't hold anything too critical. If you're protecting banking or company information, however, you'll want something more secure.
Security Score: 5 out of 10
Convenience Score: 5 out of 10
#2: Physical One-Time Password Tokens
Physical or hardware OTP tokens are similar to SMS OTPs in that they generate a new code every 30 to 60 seconds. Unlike SMS OTPs, though, they aren't exposed to malware on your phone or to redirected text messages. They also keep the device you're signing in on, whether phone or desktop, completely separate from the device generating the OTP, and they don't depend on cell service, which makes them ideal for anyone who travels a lot or works in remote areas.
While hardware OTP tokens have a leg up on security compared to SMS OTPs, they still have their vulnerabilities. The OTP is valid for 30 to 60 seconds, which gives a hacker who captures it a window to access the account. It can also be a little inconvenient to carry a token everywhere, and each token is tied to a single account, so you may end up carrying more than one. They're a great choice for someone with only one or two accounts to secure, but if you need to cover multiple accounts, you may want a device that can hold more.
Security Score: 7 out of 10
Convenience Score: 6 out of 10
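To make the time-window argument of the SMS OTP and hardware token sections concrete, here is an added example (not code from the original article) of the RFC 6238 TOTP scheme that hardware tokens and authenticator apps implement: a code captured by a phishing page still passes if relayed within the window, and fails once the window has moved on. The seed is the RFC test-vector key and the 30-second step is an assumption taken from the lower end of the range the article quotes.

```python
import hashlib, hmac, struct, time

# Constructed demo seed: the RFC 4226/6238 test-vector key, not a real credential.
SECRET = b"12345678901234567890"
STEP = 30        # validity window in seconds, the lower end of the range the article quotes
DIGITS = 6

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the time step, as a hardware token does."""
    return hotp(secret, at // step)

def verify(secret: bytes, code: str, now: int, step: int = STEP, skew: int = 1) -> bool:
    """Server-side check: accept the current step plus `skew` neighbours for clock drift.
    Anything outside that window is rejected, which is why a stale phished code is useless."""
    current = now // step
    return any(hmac.compare_digest(hotp(secret, current + d), code)
               for d in range(-skew, skew + 1))

def phished_code_works(captured_at: int, submitted_at: int) -> bool:
    """Model a code captured by a phishing page at `captured_at` and submitted at `submitted_at`."""
    return verify(SECRET, totp(SECRET, captured_at), submitted_at)

if __name__ == "__main__":
    now = int(time.time())
    print("code now:", totp(SECRET, now), "valid:", verify(SECRET, totp(SECRET, now), now))
    print("relayed within window:", phished_code_works(now, now + 10))   # real-time attack succeeds
    print("used an hour later:", phished_code_works(now, now + 3600))    # stale code rejected
```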
#1: FIDO U2F Security Keys
FIDO U2F Security Keys marry the convenience of SMS OTPs with the high security of physical OTP tokens. In fact, they're more secure than a physical OTP token, because there is no passcode to steal. Instead, they use an open protocol designed by the FIDO Alliance called U2F. To use one, you sign in with your username and password, then press a button on the key to prove that you are (a) physically present and (b) in possession of the right key. So even if a hacker gets your credentials, they can't do anything with them unless they also physically obtain your security key, which makes U2F a strong defence against real-time attacks.
Google has published internal studies on the effectiveness of switching to FIDO U2F Security Keys, and the results are impressive. According to the report, Google has "had no reported or confirmed account takeovers since implementing security keys at Google."
Services like Gmail also let you mark a computer as a trusted device, so you only need the key to sign in once every 30 days. Since one key can be registered with multiple accounts, you won't have to juggle several different ones. And because of the extra security it provides, you won't have to rely on long, complicated passwords. FIDO U2F seems poised to reduce the concerns and frustrations that come with relying on complex static passwords for security.
Best of all, your applications may already be supported. The ever-growing list includes popular services such as Salesforce, Google, Microsoft, Dropbox, GitHub, Duo, Dashlane, Facebook, RSA, Twitter, IBM and many more.
Security Score: 9 out of 10
Convenience Score: 9 out of 10
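As an added example (not code from the article or from the FIDO Alliance), here is a simplified model of the U2F challenge-response that shows why a key defeats the real-time attack discussed above: the browser signs the origin it is really on, and the site verifies against its own origin, so a response obtained through a look-alike page does not verify, and a recorded response cannot be replayed because the challenge and counter move on. The origins, the 32-byte device secret and the use of HMAC in place of the key's ECDSA signature are assumptions made so the example runs with the standard library; the message layout (appId hash, user-presence byte, counter, clientData hash) follows U2F.

```python
import hashlib, hmac, json, os, struct

REAL_ORIGIN = "https://bank.example"          # constructed relying-party origin
PHISH_ORIGIN = "https://bank-login.example"   # constructed look-alike site

def signed_bytes(app_id: str, counter: int, client_data: bytes) -> bytes:
    """U2F authentication message: appId hash || user-presence byte || counter || clientData hash."""
    return (hashlib.sha256(app_id.encode()).digest() + b"\x01"
            + struct.pack(">I", counter) + hashlib.sha256(client_data).digest())

class SecurityKey:
    """Stand-in for a hardware key: HMAC with a device secret replaces the key's ECDSA signature."""
    def __init__(self):
        self.secret, self.counter = os.urandom(32), 0   # secret never leaves the key

    def press(self, app_id: str, client_data: bytes) -> dict:
        self.counter += 1   # button press: proves presence, bumps the counter
        sig = hmac.new(self.secret, signed_bytes(app_id, self.counter, client_data), hashlib.sha256)
        return {"counter": self.counter, "client_data": client_data, "sig": sig.digest()}

def browser_sign(key: SecurityKey, origin: str, challenge: str) -> dict:
    """The browser records the origin it is actually on; a look-alike site cannot ask
    the key to sign for the real site's origin."""
    client_data = json.dumps({"challenge": challenge, "origin": origin}).encode()
    return key.press(origin, client_data)

class RelyingParty:
    def __init__(self, origin: str, key_secret: bytes):
        self.origin, self.key_secret, self.last_counter = origin, key_secret, 0

    def verify(self, challenge: str, resp: dict) -> bool:
        cd = json.loads(resp["client_data"])
        msg = signed_bytes(self.origin, resp["counter"], resp["client_data"])  # RP hashes ITS origin
        expected = hmac.new(self.key_secret, msg, hashlib.sha256).digest()
        ok = (cd.get("challenge") == challenge and cd.get("origin") == self.origin
              and hmac.compare_digest(expected, resp["sig"]) and resp["counter"] > self.last_counter)
        if ok:
            self.last_counter = resp["counter"]   # a recorded response can never be reused
        return ok

def scenarios() -> dict:
    key = SecurityKey()
    rp = RelyingParty(REAL_ORIGIN, key.secret)   # verifier material exchanged at registration
    c1 = os.urandom(16).hex()                    # one fresh challenge per login attempt
    legit = rp.verify(c1, browser_sign(key, REAL_ORIGIN, c1))
    # Real-time phishing: the bank's fresh challenge is relayed to the victim on the look-alike
    # site; the response names, and is signed over, the wrong origin, so the bank rejects it.
    c2 = os.urandom(16).hex()
    relayed = rp.verify(c2, browser_sign(key, PHISH_ORIGIN, c2))
    return {"legit": legit, "relayed": relayed}
```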