If getting your online accounts hacked (email, social media, financial accounts, etc.) keeps you up at night, or at least worries you a bit, there’s some good news for users and businesses alike!
The war against cybercriminals may never be won, but the results of a year-long study conducted by Google with New York University and the University of California, San Diego show some promising results on the effectiveness of two-step and two-factor authentication to prevent online account hijacking.
The Bottom Line: Simple Two-Factor Authentication Goes a Long Way
Google’s research shows that having a text message sent to your phone with a one-time-use code to verify your identity can prevent up to 100% of automated bot attacks and 96% of bulk phishing attacks (more about what these attacks are below).
The news is even better for authenticator apps (applications installed on your smartphone that prompt you for authorization when there’s an attempt to access your account): they prevent 100% of automated bot attacks and 99% of bulk phishing attacks.
Security keys (physical USB devices you must plug into your computer to gain access to an account) are currently the most secure way of preventing account hijacking.
Keep in mind that while two-factor authentication is an effective method against hacking, it must be used in conjunction with other protections like strong, unique passwords, a password manager, and awareness of what phishing emails look like.
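To make the authenticator-app numbers above concrete, here is an added example (not code from Google’s study or from this article) of how the six-digit one-time codes an authenticator app displays are generated, and how a service checks them, following the HOTP and TOTP standards (RFC 4226 and RFC 6238). The secret is the published RFC reference seed, used here purely for illustration; the verifier class, its names, and the ±1-step clock tolerance are this example’s own assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo secret: the RFC 4226/6238 reference seed "12345678901234567890",
# base32-encoded the way authenticator apps expect it. It is public, so never reuse it.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode("ascii")


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte picks a 4-byte window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the current 30-second time step.
    This is what the app on the phone computes and shows the user."""
    if at is None:
        at = int(time.time())
    return hotp(secret_b32, at // step, digits)


class TotpVerifier:
    """Server side of the check (example design, not from any particular product).
    Tolerates +/- `skew` time steps of clock drift and enforces the one-time property:
    a time step that has already been accepted is never accepted again (no replay)."""

    def __init__(self, secret_b32: str, step: int = 30, digits: int = 6, skew: int = 1):
        self.secret_b32 = secret_b32
        self.step = step
        self.digits = digits
        self.skew = skew
        self._last_counter = -1   # highest time-step counter already spent by a successful login

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        if at is None:
            at = int(time.time())
        now_counter = at // self.step
        for counter in range(now_counter - self.skew, now_counter + self.skew + 1):
            # Skips spent counters (replayed codes) and, because _last_counter starts at -1,
            # also any negative counter near the epoch that struct.pack could not encode.
            if counter <= self._last_counter:
                continue
            expected = hotp(self.secret_b32, counter, self.digits)
            if hmac.compare_digest(expected.encode(), code.encode()):   # constant-time compare
                self._last_counter = counter
                return True
        return False


if __name__ == "__main__":
    verifier = TotpVerifier(DEMO_SECRET_B32)
    now = int(time.time())
    code = totp(DEMO_SECRET_B32, at=now)
    print("code:", code, "| first use accepted:", verifier.verify(code, at=now))
    print("same code again accepted:", verifier.verify(code, at=now))   # False: one-time use
```

The replay check is what makes the code genuinely one-time: once a login succeeds, the same code is refused even though it is still inside the time window. It also shows why the study reports 99% rather than 100% against phishing for app-based codes: the code proves possession of the secret but says nothing about which website it is being typed into, so a fake site that relays it within the 30-second window can still use it. Security keys close that gap by tying their response to the real site’s origin, which is why the article ranks them highest.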
What is account hijacking?
Simply put, account hijacking (or account takeover) happens when a cybercriminal gains unauthorized access to your accounts and uses it to “retrieve the person’s personal information, perform financial transactions, create new accounts, and ask the account owner’s contacts for money or help with an illegitimate activity” (Techopedia).
Can you explain automated bot and phishing attacks?
Billions of user names and passwords are sold cheaply on the black market every day. Since hackers can’t try passwords one by one, they use automated tools (called bots) that allow them to cast a wide net and attempt to access millions of accounts simultaneously.
Phishing attacks are those fake emails we receive on a daily basis that appear to come from legitimate and trustworthy sources (a bank, Facebook, Office 365, etc.) and that trick us into taking a specific action, like clicking on a link, downloading an attachment, or entering user names and passwords on a website. Once a user falls for the trick, scammers usually gain access to the account and are able to take it over.
What does this mean for the average user? No Excuses
- Turn on two-factor authentication (2FA) on all accounts that support it, especially sensitive ones like financial institutions, email, social media and data storage
- While text message-based 2FA provides decent basic protection, consider using an authenticator app wherever possible
- 2FA is a must for business-related accounts, including (and especially) email
- If you need help setting up 2FA on your accounts go to TwoFactor.Org for step-by-step instructions
- Unique and complex passwords are still a much-needed layer of basic protection against hackers. To make life easier, sign up for a password manager service like LastPass or Dashlane (both have a free option) to securely store and generate passwords