Impossible travel, MFA and making passwords easier

Small business cyber security risks, part 3:

In my last blog we discussed passwords, including their major shortcomings. In this next blog we'll dive a little further into passwords, particularly in a work environment, but firstly we'll discuss one of the most common mitigating controls for many of the shortcomings of passwords: multi factor authentication (MFA).

You'll almost certainly have used a form of multi factor authentication before, most likely your financial institution will send you a prompt on your phone or perhaps an SMS when transferring funds. The usual form of MFA is the concept that you’re using something you know (your password) and something you have (which is the SMS, or the mobile phone prompt), although there’s a little more to it which we’ll discuss later in this blog. It’s far more difficult for the attacker to get hold of both of those things at once to impersonate you and carry out financial transactions on your behalf. Not impossible, but very unlikely.

There’s less chance you have some form of multi factor authentication protecting other online systems unless you’ve specifically set it up that way. Financial institutions mandated those sorts of controls long ago, and stepped up their own fraud detection systems, because the risk of monetary loss at the time was mostly on their heads. This isn’t so much the case now, with many financial institutions taking the stance that by now, we shouldn’t be falling for scams. Regulatory action around the world will hopefully improve the odds of our banks refunding us if money was lost through no fault of our own. Victim blaming is not helpful to anyone.

What about your social media accounts, your accounting system, office software, eBay, PayPal and other online systems you use almost daily? Many of these systems feature multi factor authentication, but often leave it up to the individual to activate this function. Here’s a simple exercise you can do right now – make a list of the online systems you use in your daily life, including in your workplace. Now put a mark next to any of them that could be used by an attacker to cause you harm if the attacker could log in to that system as if they were you. For example, if an attacker logged in to your PayPal account and it’s linked to your savings account, they might be able to steal your funds. If the attacker logged in to your social media account, they could post defamatory comments on your behalf. I’m sure you get the idea!

You’ve probably put a mark next to most of the online systems you use, so for this next step you might want to prioritise your list according to “which ones could an attacker cause me the most harm, if they could log in and impersonate me”. You’re now going to visit the “account settings” or similar area in each of those online systems, to see if multi factor authentication is available and enabled. It might be called something else, such as “two factor authentication”, “2FA”, “two step verification”, or “security key”. It’s often quicker to Google this part, rather than poking around in the settings of your online systems – for example, a Google search for “how to enable multi factor authentication in Facebook” brings up “How two-factor authentication works on Facebook” for the very first hit. Also, the Australian Government’s information page on MFA has links to instructions for enabling MFA in common online systems.

This is a good segue into password management. Perhaps you’ve already written that list of “online systems you care about” after reading the last blog in this series, in which I suggested you implement a password manager. If you haven’t yet, jump back to the previous blog for more information. This is particularly important if you’re a small business owner, because now it’s time to level-up your password management and encourage your team to do the same. Why not talk about this in your next team meeting?

Most password managers allow you to set up a group of people, such as your team at work, to help them record and safely keep their passwords. In some cases, password managers are useful for sharing relevant passwords with your colleagues, noting of course that not all passwords should be shared.

In our hair salon example, perhaps you have an alarm code for the door. There’s only one code, and all members of your team require it, so you could create an entry for it in your password manager and share it with all of them. You probably also use social media to advertise the salon, and perhaps your most senior hairdresser also helps you with that, so you could create a shared password for Facebook in your password manager with just that team member and yourself.

When you’re deciding which passwords to share with your team, and which ones to keep individually, remember to consider the risk involved. If you share one password with all your team members for a particular online system, the system can’t tell who logged in and carried out actions! This could lead to fraud, for example if multiple team members use the same password for the point-of-sale terminal.

I mentioned earlier that there’s more to MFA than knowledge (something you know, like your password) and possession (something you have, like your phone with a text message or notification). In the “possession” category there are also physical security passkeys which you insert into your laptop, key ring tokens with a tiny screen that displays special codes, and other physical items.

Then there’s inherence which is something you are, such as biometrics (think fingerprints and face scans). Lastly, there’s location which is where you are. If you normally log in to a system from Dalby in central Queensland, and today you’re logging on to that system from Vegas in the USA, it could be suspicious – perhaps an attacker has your password, and they’ve logged in from Vegas. If you apparently logged in from Dalby at 10am and then again one hour later from Vegas, you obviously didn’t travel from Queensland to the West coast of the USA in one hour, so the system should raise an eyebrow, possibly even block the attempt to log in from Vegas. This is often called “impossible travel”, and some online systems use location in this way to prevent fraud. Many systems can email you if there’s been a login from an unusual location, like our Vegas example. When you’re looking in the “account settings” area of each of your online systems to check if multi factor authentication is enabled, it’s also a clever idea to see if any other options, like location alerts, can be enabled too.
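The “impossible travel” check described above can be expressed as a small piece of detection logic: compare each login with the user’s previous login, work out the speed the user would have needed to cover the distance in the time between them, and raise an alert when that speed is not plausible. This is an added example written for this blog, not code from any real product; the coordinates, the 1000 km/h threshold and the 50 km geolocation allowance are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumed threshold: a little above airliner cruising speed
GEO_SLACK_KM = 50.0         # assumed allowance for IP geolocation being a bit off

@dataclass(frozen=True)
class Login:
    user: str
    when: datetime  # timezone-aware timestamp of the login
    lat: float
    lon: float

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def is_impossible_travel(prev, cur, max_kmh=MAX_PLAUSIBLE_KMH):
    """True if getting from prev to cur would have needed an implausible speed."""
    distance = max(0.0, haversine_km(prev.lat, prev.lon, cur.lat, cur.lon) - GEO_SLACK_KM)
    hours = (cur.when - prev.when).total_seconds() / 3600
    if hours <= 0:            # same instant or clock skew: only flag if clearly far apart
        return distance > 0
    return distance / hours > max_kmh

def flag_logins(logins):
    """Walk logins in time order, per user, and return those that look like impossible travel."""
    flagged, last_seen = [], {}
    for login in sorted(logins, key=lambda l: l.when):
        prev = last_seen.get(login.user)
        if prev is not None and is_impossible_travel(prev, login):
            flagged.append(login)
        last_seen[login.user] = login
    return flagged

# Constructed sample: Dalby at 10am, Brisbane an hour later (plausible), Las Vegas an hour after that.
AEST = timezone(timedelta(hours=10))
SAMPLE = [
    Login("sam", datetime(2024, 3, 4, 10, 0, tzinfo=AEST), -27.18, 151.26),  # Dalby (approx.)
    Login("sam", datetime(2024, 3, 4, 11, 0, tzinfo=AEST), -27.47, 153.03),  # Brisbane (approx.)
    Login("sam", datetime(2024, 3, 4, 12, 0, tzinfo=AEST), 36.17, -115.14),  # Las Vegas (approx.)
]

if __name__ == "__main__":
    for login in flag_logins(SAMPLE):
        print(f"ALERT {login.user}: impossible travel to ({login.lat}, {login.lon}) at {login.when}")
```

A real system would feed this from its authentication log and would typically respond by emailing the user or stepping up to an MFA prompt rather than blocking outright, since IP geolocation is not exact.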

By the way, a set of questions and answers is NOT a type of multi factor authentication! Many online systems use “secret questions and answers” to verify your identity, particularly if you’ve forgotten your password; however, this is still just something you know, which is the same category as your password. An attacker could still gain access to the system if they managed to steal that information. True multi factor authentication combines something you know with another form, usually something you have.

That’s all for now, hopefully by the time I write the next blog in this series you’ll have all your passwords stored in a password manager and championed its use in your workplace, along with MFA for the icing on the cyber security defence-in-depth cake!
