In Second Factor We Trust

You hear of so many security compromises and hacks these days. There are major security breaches happening, with millions of passwords being stolen and used to steal or damage your stuff. So what can you do about it?

With so much of our lives now being lived in online spaces, losing a password, losing an account, having someone get into your stuff online,  would be a nightmare. What would happen if someone got into your Google account? Your Facebook? Your bank account?

I lost my original Twitter account (betchaboy) last year after a password breach and have never been able to get it back. These security breaches DO happen.

The best thing you can do to protect yourself is to turn on Two Factor authentication. Sounds complicated? Its not. It basically means that there are two passwords required to get into your account instead of the usual one… there is the normal password that you usually use, plus a second one that changes every 30 seconds or so. Even if the bad guys were to get your password, without the second factor – which only you know because it’s generated on your phone, in your presence, on demand – the first password is useless.

It’s a bit like having a door with two locks on it. You’d need both keys to open the door, not just one. Either key on its own won’t open it.

But wait, what? A second password that changes every 30 seconds? That sounds like a lot of messing around! I know it sounds like a hassle, but it’s actually not. Most Two Factor systems form a trust relationship with the devices and computers you use often so most of the time you don’t need the second factor for the computers you use regularly. It’s just needed when you log into a different computer or phone that you don’t normally use. Just like the one that a hacker might be trying to use to log in as you. Even if they discover your password, unless they have YOUR device they only have half the password.

I’ve been using Two Factor authentication on my main Google account for a while now. I resisted turning it on for ages because it all sounded too hard. I eventually relented and decided to give it a go. It’s something I should have done a long time ago. And it’s something that you, if you haven’t already, should do too. Right now.

I spent some time tonight setting up Two Factor authentication on all my Google accounts (about 5 of them), plus my Facebook, Evernote, WordPress, PayPal, Dropbox, Lastpass and Apple ID.  Here’s a good article on how to do it.

For most of these, the second factor can be generated by an app on your phone called Google Authenticator, available for Android, iPhone, Blackberry and Windows Phone. It uses Google’s open source token generation algorithm, and it spits out a new code every 30 seconds, specific to each account. Just log in to these sites as usual, but have your phone handy to generate the second password. It’s very straightforward and easy to use, and well worth whatever minor inconvenience it might cause (which honestly isn’t much)

If you haven’t set up Two Factor yet, can I strongly encourage you to at least give it a try. You can always turn it off if you hate it, but really, you should be using this! There was a report of a password breach for Dropbox users yesterday and it was such a relief to think that it didn’t really bother me as even if they got my password it didn’t matter. It was useless to them anyway.

Do it. Do it now. Seriously.

In None We Trust

I wonder how many teachers would be prepared to gather all their students together at a school assembly sometime and say the following to them …

“Look, we just need you all to know that we do NOT trust you. We’ve talked about it, and we think that given the opportunity, you will all get up to no good and make poor decisions. Because of this, we plan to closely monitor your every move and to make sure that you don’t get away with anything, ever. We plan to prevent you from doing common tasks that are probably perfectly fine and safe. However, since we are, after all, assuming that you won’t be able to make your own good decisions about those things, we have taken the liberty of making those decisions for you.

Essentially, we think you are all a bunch of thieves, cheats and liars with no sense of morals or ethics, and you probably spend all your time looking at pornography anyway. We have no intentions of assuming anything other than the worst… as I said, we really just don’t trust you.

Thank you, that is all. You may now go to class.”

Nah, we’d never do that to our kids, would we?

Now, here’s your locked-down school-supplied laptop. Have a nice day.

Dirty Rotten Scoundrels

If there’s one thing I hate it’s when people assume I’m an idiot and try to rip me off.

So when I got home today I opened the mailbox (yes, the real one!) to find this letter from a company called the Domain Renewal Group.  Their letter – which looked very much like an invoice –  was addressed to me as the owner of the domain betchablog.com and kindly informed me that this domain was due for renewal soon and that I should pay this as soon as possible.  The wording on the letter said that “the domain name registration is due to expire in the next few months“… and that… “Failure to renew your domain name by the expiration date may result in a loss of your online identity.”

All of that is true.  Betchablog.com IS coming up for renewal, and I DO need to renew it. The problem is that Domain Renewal Group are NOT my domain registrar, and they never have been.  I happen to have all of my various domains registered with GoDaddy, and I’ve never even heard of this other mob.

A closer reading of the letter reveals that all of the statements in their letter are technically correct, but written in such as way as to be misleading and underhanded in their deceptiveness.  The letter reads just like a regular renewal notice, but is in fact a transfer and renewal notice.  By signing it and sending it back with payment it would authorise them not just to renew the domain, but to take the domain away from the current registrar and move it their overpriced services.  How overpriced?  Well, I just took a look at GoDaddy’s site and it seems the going rate for a new .com domain is USD$10.69.  Their price for a domain transfer with 12 months renewal is only USD$6.99.  For the same thing, the Domain Renewal Group were about to charge unsuspecting or careless domain owners AUD$45 (about USD$41.50).

The thing is, there are many organisations where the bills are often paid by a different department to the ones that register the domains, that wouldn’t even question such an invoice when it arrived. The wording is sneaky enough, and the format looks enough like an invoice, that many people would just pay it without even questioning it.  I find this notion of trying to trick people into doing things they don’t mean to do is an appalling business practice.

There happened to be a Toronto-based phone number on the form so I rang it using Skype. The guy who answered asked what he could help me with, so I told him that I was very unimpressed with this deceptive and misleading way of doing business.   He sounded both surprised that someone would bother to call just to complain, but judging from his tone this was not the first time he’d had a complaint about it.  His response was a careless, “Like, whatever”, but he incorrectly assumed that there is nothing I can do about it other than complain.

He forgets that we live in an age where everyone is a publisher. He stupidly neglects to consider that the very customer base they are trying to mislead – those domain owners who own blogs and websites – are the exact same people who own their very own “personal printing presses” in the forms of blogs.  If you’re going to pull this scam-like crap on people, how stupid do you have to be to do it to people who can publicly tell the world about it?

My advice?  NEVER do business with the Domain Renewal Group.  Tell your friends never to do business with the Domain Renewal Group. And if I did have any domains registered with them I would be immediately transferring them elsewhere.