The New Zealand Herald

Time to shut down logins amid breaches

Leaking of credentials on the internet means modern security is needed

- Juha Saarinen comment

If you have an account with a popular web service provider you should change your password now. Actually, it doesn’t matter who the provider is, just change your password. There are data breaches almost daily, and chances are your login details are in the wrong hands.

If you can remember which provider. Oh, and if you can keep up with the frequent data leaks. Last week 711 million-plus login credentials leaked on the internet. Facebook-owned Instagram made a coding error, which meant leaked emails and phone numbers for up to six million accounts, but not the account passwords apparently.

A determined hacker who knows the email address and phone number associated with users will try to get account passwords reset through them, especially if they belong to celebrities.

How do you keep track of all your accounts then? Even with a credentials manager, it’s quite a chore to remember where on the web you have accounts. Almost every single site you visit will ask you to create a login, for shopping, to receive newsletters, for whatever reason. People start to use credentials managers once they have so many accounts they can’t remember them all — by then it’s too late.

Even if you don’t re-use passwords, most people do not use different email addresses for the account usernames. It’s just too difficult when you have myriad accounts.

The whole system with logins using passwords and email addresses broke down some years ago as the internet grew massive. We still persist with it, and the problem’s growing. Changing passwords won’t fix it.

Now there are efforts to plaster over the cracks, such as authentication methods that don’t pass through user credentials, but they are hard to get right and have their own horrendous security bugs.

Then there’s two-factor and two-step authentication where you enter username and password, then through a side channel you’re asked to permit the login attempt, or you enter a code to authorise it.

It means jumping through more hoops for logging in and some people don’t enable 2FA/2SA for that reason. You should, because it’s literally a last line of defence since the chances are your username is out in the wild, and your password could be, too.

Not that 2FA/2SA is 100 per cent secure either, as Apple customers have found. For the past month or so, Apple users have reported their devices mysteriously becoming locked. People are asked to send an email to an address on the iDevice lock screen, and in some cases money is demanded — a ransom.

The reason for the lock-outs seems to be attackers working out how to abuse the Find my iPhone feature. They obtain usernames and passwords, the latter sometimes through brute-force guessing, and log in to victims’ iCloud accounts. If 2SA is enabled, attackers will be prompted for a code that they can’t enter and get in but . . . they can still use Find my iPhone and, through that, lock people’s devices.

I was able to confirm you can access Find my iPhone and through that lock iDevices and Macs tied to your account, without entering the 2SA code. This is apparently how it should work, so you can lock (and erase) lost devices when you have only your username and password available.
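The gap described in the two paragraphs above is an authorisation question rather than a login question: once the password step has passed, which actions may a session perform before the second step is done? The following is an added illustration, not code from the column or from Apple, modelling a second-step login in Python. The user store, the `482913` verification code, the device names and the two `lock_device_*` functions are all constructed for the example; the "hardened" variant simply shows one design in which a high-impact action such as a remote lock requires the completed second step, rather than any claim about how Find my iPhone is implemented.

```python
"""
Added example (not from the original column): a minimal model of
two-step authentication. A session that has only passed the password
check must not be allowed to perform high-impact actions such as a
remote device lock. All users, codes and devices are constructed.
"""
from dataclasses import dataclass
import hashlib
import hmac


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow salted hash so that a leaked store is expensive to brute-force.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample user store: in a real system the second-step
# code would be generated per login and sent over a side channel.
_SALT = b"constructed-salt"
USERS = {
    "alice": {
        "salt": _SALT,
        "pw_hash": _hash_password("correct horse", _SALT),
        "code": "482913",  # constructed one-time code for the example
    },
}


class AuthError(Exception):
    pass


@dataclass
class Session:
    user: str
    second_step_done: bool = False  # only the password has been checked so far


def login(user: str, password: str) -> Session:
    """Step one: username and password. Returns a session that has NOT
    yet completed the second step."""
    rec = USERS.get(user)
    if rec is None:
        raise AuthError("bad credentials")
    candidate = _hash_password(password, rec["salt"])
    if not hmac.compare_digest(rec["pw_hash"], candidate):
        raise AuthError("bad credentials")
    return Session(user=user)


def verify_code(session: Session, code: str) -> Session:
    """Step two: the side-channel code. Marks the session as fully
    authenticated only when the code matches."""
    expected = USERS[session.user]["code"]
    if hmac.compare_digest(expected, code):
        session.second_step_done = True
    return session


def lock_device_weak(session: Session, device: str) -> str:
    """Failure mode from the column: any session that passed the password
    check can lock a device, whether or not the second step was completed."""
    return f"{device} locked by {session.user}"


def lock_device_hardened(session: Session, device: str) -> str:
    """Design alternative (an assumption for this example, not Apple's
    behaviour): a remote lock is a high-impact action and is gated on the
    completed second step."""
    if not session.second_step_done:
        raise AuthError("second step required for device lock")
    return f"{device} locked by {session.user}"


if __name__ == "__main__":
    s = login("alice", "correct horse")
    print(lock_device_weak(s, "alice-iphone"))        # succeeds with password only
    try:
        lock_device_hardened(s, "alice-iphone")
    except AuthError as e:
        print("hardened:", e)                          # refused until step two
    verify_code(s, "482913")
    print(lock_device_hardened(s, "alice-iphone"))    # succeeds after step two
```

The point of the two variants is the trade-off the column names: the weak form is what lets a lost device be locked with only a username and password, and the hardened form removes that convenience along with the abuse. Whichever a service chooses, the decision should be made per action, not assumed to follow from "2SA is enabled".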

Apple did not respond when I asked them but it’s a case of damned if they do, damned if they don’t for them.

Either way, if your device is locked, don’t pay a ransom: try unlocking from another device, or go to an Apple service centre with proof of purchase for help.

All this shows why we need to move away from old-fashioned logins, to make all that leaked data that’s probably linked to each of us useless for hackers. Kill logins sooner rather than later, please.
