We have mentioned the human firewall on this blog before. This week an NSA report on Russian efforts to hack the computers of U.S. election officials before the 2016 presidential election was leaked to the media. The findings in the report testify to the fact that users are still the weakest link in a company’s security plan. A security threat is real and should be taken seriously.
Even 2-factor authentication is no match for user errors. According to the report, even users that had 2-factor authentication implemented were hacked. Attackers realized that all they really need to do to get past 2-factor authentication was to ask the users for the code.
It’s actually incredibly easy for the hackers to obtain this secondary information. Say you receive a phishing email that looks incredibly convincing. You click on the link and are brought to a website that looks like Google but is definitely not Google. You proceed to enter your password into the fake site, which now gives that password to the attacker. But wait, there’s more. Once they try to use your password, which happens instantaneously, you are sent a code to your phone via a text message. The attacker, at this point, simply needs to ask for the code you were just sent to verify your account. After you enter the code, the attacker then uses the code to gain entry into your account, again instantaneously.
Trusting your instincts is key in these situations. When you feel like something is “off” with an email, and you are being asked for credentials always go directly to the source. For example, if you are trying to access a Google Doc, go to drive.google.com and access it from there. Don’t click a link within an email that feels suspicious, and definitely check the URL in your browser’s address bar. If it is not the right URL, run away fast, and definitely don’t give them your passwords.