Your trusted device

18. June 2013 Security 1

With two-factor authentication now offered pretty much everywhere, you’d be wise to use it. After all, if someone offers you added security at no cost, why wouldn’t you use it? Usually this means adding a trusted device to your account that can be used as an extra piece of the puzzle to unlock your account. So someone who has your name and password should not be able to log in to your account because they do not have your trusted device, your cell phone. While this is a good way to add another layer of security to your services, it won’t do much for you if you let your trusted device broadcast the authentication code to everyone around it.
Names and passwords are not as secure as they once were; this is part of the reason two-factor authentication was introduced. With most people still using the same name/password combo almost everywhere, these are fairly easy for a skilled cracker to obtain. Let’s say I have your Twitter name and password. I obtained them from the published lists of names and passwords the last time they were hacked, I cracked the password hashes and am looking for one target specifically: you. There is a chance you have changed your password since then, and you may have enabled two-factor authentication too, so if I attempt to log in with your name and password you may get notified. This may cause you to freak out and change your password again, etc. I can’t have that. So… I steal your phone, run home, log in with your credentials and find out that while you didn’t change your password, you did enable two-factor authentication.

*ping* *ping*… I look at your phone and there it is…

[Image: IMG_0889]
Thank you!

While that is just one of many possible scenarios, you get the idea. Having text messages previewed on your display can be a risk. By looking at someone’s display over the course of a day, you can find out all kinds of things without having to unlock the phone. Emails, messages and notifications contain a lot of to-the-point and important info: “Your porn.com subscription is about to expire”, “message from hubby: i left the spare key under the mat”, “message from abby: we still on for 5PM?”, “279999 is your Twitter login code”, “brian sent you a photo (oh look it’s a sext!)”. You can think of a million other things.
Having all this info on your display without having to unlock it is very convenient, of course, but it can be used against you.

Keep your trusted device safe. Don’t leave it lying around and assume it’s safe because no one has the passcode. Better yet, turn off this feature or reduce the amount of information it shows. On an iPhone go to Settings > Notifications > Messages (and e-mail etc.) and turn off “Show Preview”. You’ll still get a notification but it will look like this:
[Image: IMG_0890]
You can still see who it’s from but the contents are hidden. Based on who it’s from, you can decide if you want to unlock your phone now or look later; it’s not as inconvenient as it sounds. More and more, we are asked (without realizing it) to trade off security for convenience. Some day it may come at a price.

