Tuesday, August 9, 2016

News you Need Now (NNN)

    I recently received a letter from the SSA (Social Security Administration).  It provided instructions for me to finish setting up my online account.  As I've written in the past, you can, and need to, create personal accounts on the SSA and IRS websites.  The key issue is that you need to reserve and establish your identity on these critical government websites before someone else does it for you!  ID fraud is still a big issue.

   These accounts are straightforward to set up.  One thing you will need to do is go through an Identity Proofing process.  That process asks you for some personal information that, in theory, only you should know.  I list info about the irs.gov account creation process in this post.

   Here is some info from the ssa.gov website:
You can create a my Social Security account if you’re age 18 or older, have a Social Security number, a valid email, a U.S. mailing address, and a cell phone that can receive text messages. You’ll need to provide some personal information to confirm your identity; you’ll be asked to choose a username and password; and then provide your cell phone number. You’ll then receive a security code via text that you will be required to enter when you first create an account. We’ll send your cell phone a new security code each time you log in with your username and password. The security code is part of our enhanced security feature to protect your personal information. Keep in mind that your cell phone provider's text message and data rates may apply.
   Now SSA has increased their security by offering two-factor authentication (2FA) on their site.  We've written about 2FA a number of times in the past.  SSA had said this was coming and now it's available.

   I highly recommend that you create accounts on these sites and use 2FA where available.  Here are the instructions for SSA.  Here for the IRS.  You can enable 2-factor authentication on the SSA site when you create your account.  Here's a link to a previous post looking at other sites where 2FA is available.  Double up wherever you can!

And speaking of 2FA, NIST just came out with new advice on the delivery of 2FA PINs.  In particular, they are recommending the use of soft tokens (via a smartphone app or other programs) or hard tokens.  They are recommending against the use of SMS/text message delivery of PINs.  The primary reason for this is the potential for interception or man-in-the-middle (MITM) attacks against the SMS system.  We talked about this a few months ago.

   Now, these SMS attacks are not trivial.  So the risk isn't huge now.  However, attacks on any system typically only get easier over time.  So at some point in the future this may become a bigger problem.

   The action plan for everyone is to look at the sites and applications for which you use 2FA.  If you have the option to use a soft fob app like Google Authenticator or Microsoft Authenticator, then those are good options.  If you are currently using SMS/text message delivery of the PIN, see if you can switch.

   If you work in Security or IT and are implementing 2FA, then be sure you consider the available options.

   Finally, I've covered password vaults many times in the past.  In particular, I've mentioned that my favorite password vault for personal use is LastPass.  A year or two ago, LastPass had a security breach through which customer information was disclosed.  However, no individual password vaults were taken.  I wrote about that here.

   LastPass was back in the news last week.  There were two issues identified.  Both were connected to the use of LastPass in browsers.  The first was fixed a while ago, but the second, specific to Firefox, is just being corrected now.  I won't go into all the details, but you can read about them here and here.

   The key point here is that these issues were quickly identified and fixed.  Password vaults are still the right way to go for all your personal password storage needs.
