SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 160: What If You Lose One Factor?

Posted on October 24, 2019

On this week’s Checklist, we’ll look at how to prevent an authentication apocalypse. We’ll talk about a government proposal to curb drunk driving that may have digital privacy ramifications. And we’ll tell you why you might not want to search for scandalous snaps of your favorite celebrities.

Here’s this week’s Checklist:

  • Seriously man — What happens if I lose it?
  • Security and privacy behind the wheel
  • People who watch people are the riskiest people in the world

A 2FA FAQ

We’ve talked quite a lot about two-factor authentication, or 2FA, on the Checklist. And by now you know that we recommend it as one of the best security and privacy measures you can take—especially in a world of data breaches and website hacks. But many people still have questions about two-factor authentication.

One of the most common ownership factors used in 2FA is, of course, something we have on us at all times: a cell phone. But this raises a very basic question for many people: What happens if I lose my cell phone?

The prospect of being locked out of your account forever due to a lost phone is pretty scary. But as we’ll show you, there are a number of ways that you can prevent an unfortunate event from becoming a major headache.

First of all, let’s talk about the one case when you don’t have to worry. If you’re just switching phones, and you’ve been using SMS for two-factor authentication, there’s no problem: Your text notifications will just come to your new device. 

However, SMS notification is less secure than other methods, so you may not want to set 2FA up this way. A good alternative is to use an authentication app. Google Authenticator and Authy are two popular apps that work with most major services. You can turn on 2FA with these apps in the settings areas of your various services. You can also designate multiple devices as 2FA authentication factors—so if you lose one, you can still access your accounts with the other. If you know you’re going to be changing phones, you can change the designated two-factor authentication device in Authenticator or Authy before you switch so that you’ll have uninterrupted access. Again, note that you should do this before you get rid of your old device.

Many of the major services also allow you to create a number of single-use backup codes in case you get shut out of your account. You can generate these codes ahead of time and print them out or write them down. When we say “print them out or write them down”, that’s exactly what we mean: a hard copy. Storing them in a text file on your laptop or device is not only insecure, it’s also not going to help you if your computer or mobile is lost or stolen! 

Of course, you should keep these hard copies somewhere extremely secure (we’re not talking about the classic “password on the Post-it note” here). While it’s generally not advisable to write down sensitive data, there is a time and a place for it in digital security—for example, in digital estate planning or in the case of these single-use backup codes. These sorts of things can be kept in a bank safety deposit box or in a home safe.
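To make concrete what “single-use” means on the service side, here is an added example (not SecureMac’s code, and not any particular service’s implementation) of how a site can issue backup codes, store only their hashes, and invalidate each one the first time it is redeemed. The `BackupCodeStore` class and the alphabet are assumptions for illustration:

```python
import hashlib
import hmac
import secrets

# Constructed example: alphabet omits look-alike characters (0/O, 1/l)
# so codes copied from a printout are not misread.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"

def generate_backup_codes(count=10, length=10):
    """Return `count` random codes for the user to print; the service keeps only hashes."""
    return ["".join(secrets.choice(CODE_ALPHABET) for _ in range(length))
            for _ in range(count)]

def hash_code(code):
    # Codes are high-entropy random strings, so a plain SHA-256 is adequate;
    # a slow password hash is only needed for low-entropy, user-chosen secrets.
    return hashlib.sha256(code.encode()).hexdigest()

class BackupCodeStore:
    """Server side: holds hashes of unused codes and removes each on first use."""
    def __init__(self, codes):
        self._unused = {hash_code(c) for c in codes}

    def remaining(self):
        return len(self._unused)

    def redeem(self, candidate):
        h = hash_code(candidate.strip().lower())
        # Check every stored hash with a constant-time compare so response
        # timing does not reveal whether a guessed code is close to a real one.
        match = None
        for stored in self._unused:
            if hmac.compare_digest(stored, h):
                match = stored
        if match is None:
            return False
        self._unused.remove(match)  # single use: the same code never works twice
        return True

if __name__ == "__main__":
    codes = generate_backup_codes()
    store = BackupCodeStore(codes)
    print("Print these and keep the hard copy somewhere safe:", codes)
    print(store.redeem(codes[0]), store.redeem(codes[0]))  # True False
```

Because only hashes are kept, a breach of the service’s database does not hand an attacker usable codes, which is the same reason you should keep your own copy on paper rather than in a file.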

Of course, if you haven’t prepared backup devices or printed out one-time codes, then you may be in a bit of a pickle if you lose your phone. The major services offer recovery options, but these can be difficult and time-consuming to use—not exactly ideal if you need to get into your password manager or email account in a hurry. 

All of this might be enough to put some people off two-factor authentication, but it’s essential to remember that cybersecurity is largely a matter of risk assessment…along with a bit of preparation. 

If you’ve set up 2FA using an authenticator app, designated backup authentication devices, and printed out your one-time codes, then you’ve made yourself extremely difficult to hack—and there is very little chance of losing access to an important service. 

On the other hand, if you decide to roll the dice and forgo two-factor authentication altogether, you may not have to worry about a lost phone locking you out of an account, but you’re almost certainly increasing your overall security risk. 

In the end, like so many things, it comes down to a personal choice. But 2FA, used with authenticators and proper backup precautions, is still hands down one of the best things you can do to keep yourself safe online.

Preventing DUIs: a privacy risk?

Last week, CNET reported that US lawmakers were calling for mandatory anti-DUI technology to be installed in all new cars.

Such technology could take the form of embedded devices that would measure a driver’s blood alcohol content before they were able to start their car. Proposed implementations include infrared sensors capable of measuring BAC through a driver’s fingertips, as well as eye-movement scanners and breathalyzer-type devices.

While we applaud efforts to reduce drunk driving, we also feel compelled to point out the potential privacy implications of this proposal.

Onboard sensor devices would generate data about when drivers tried to start their cars…and when they failed due to intoxication. What would happen to this data? Would it be stored? Transmitted to law enforcement authorities or insurance companies? Could there be penalties for attempting to drive drunk? Fines? Increased insurance premiums? Facebook ads for Uber and Lyft?

No one knows. 

But these are the possible ramifications of a system which gathers personal data about people’s drinking habits.

From a legal point of view, there may be some reason to hope that privacy-protecting precedents are already being set. A recent ruling by the Georgia Supreme Court found that personal vehicle data was protected under the Fourth Amendment, and thus could not be seized by law enforcement without a proper warrant. This lines up with legal precedent around digital data generally, as personal data on computers and mobile devices is already protected from warrantless search and seizure.

However, while personal data collected by our cars may be safe from police overreach, that’s not the only consideration. Vehicle data may one day be subject to the same sort of sharing with advertising and marketing companies that we already see from our apps and web browsers. With driverless cars on the horizon, this is definitely something to keep an eye on.

Nothing new under the sun

So often when talking about cybersecurity, we focus on the new: the latest jailbreak, the zero-day vulnerability, the never-before-seen malware.

But a recent story reminds us just how many threats are simply the same old thing all over again.

McAfee researchers have put out their 13th annual list of celebrities who generate the most dangerous search results (top of the list this year is TV star Alexis Bledel).

Turns out that certain celebrities are favored by hackers looking to set up malicious downloads and links, presumably because they’re extremely common search subjects. So if you perform a search for Ms Bledel, you may find her IMDB page—but you may well stumble across a fraudulent website infested with malware.

So why is this news…old news?

Because malicious actors have been doing this since the early days of the Internet. Way back in 2000, a 20-year-old Dutch student wrote a computer worm called “OnTheFly”, which was also known as the “Anna Kournikova virus”.

The attack was relatively simple: Send someone an email with an attached file. The file purportedly contained a JPG image of the famously photogenic Russian tennis star Anna Kournikova. The “JPG”, however, was really the file “AnnaKournikova.jpg.vbs”. The “.vbs” extension is a dead giveaway that the file in question wasn’t a JPG at all, but something else: a Visual Basic script. When clicked, the script would access the target’s contacts and send all of them a copy of the original email.

In this sense, the virus wasn’t really all that malicious: It wasn’t meant to erase files or steal personal information. But because it infected millions of computers around the world, all of them sending out multiple emails, it ate up system resources and caused serious problems with a number of email servers. The young hacker behind the worm eventually turned himself in to the police and apologized for the damage he’d caused (he was sentenced to some community service and offered a job by the mayor of his town).

So what can we take away from this?

Well, other than being a little dispirited that people have been falling for the same online scams for decades, this story is an excellent reminder that our search results aren’t always safe. However, there are a few simple things we can do to protect ourselves online (even when searching for juicy gossip on our favorite stars).

First of all, don’t click on suspicious links or download anything that isn’t from a trusted source. Secondly, be on your guard whenever a site asks for personal information. If you have any doubts at all about a site’s trustworthiness, don’t give them your information! Third, use a reliable, regularly updated scanning app (like our very own MacScan 3). And finally, remember that a lot of malware is built to take advantage of known vulnerabilities in OSes—vulnerabilities which Microsoft and Apple try to patch as quickly as possible. For that reason, it’s essential to make sure your OS is kept up-to-date.

Do you have questions about digital security and privacy? We have answers! Write to us at checklist@SecureMac.com and we’ll do our best to answer your question in an email or on a future edition of the podcast.
