DAVEY WINDER
Davey has a stark warning for gamers who don’t take security seriously, before providing his own game theory for two-factor authentication
The problem with two-factor authentication (2FA) isn’t that it’s fundamentally flawed, because it isn’t. The problem is that it’s not yet the de facto login security baseline for every site, service and application. Some of the biggest firms, such as Activision in the gaming sphere, are also the biggest offenders.
When talk about a possible data breach involving hundreds of thousands of Call of Duty accounts surfaced a couple of months back, Activision was quick to pour cold water on the reports. In the official statement provided to me, Activision said that it recommended “players take precautions to protect their accounts at all times”. The “Keeping your Activision account secure” page the statement pointed to offered some excellent advice to gamers: use a strong password; don’t use passwords that are used elsewhere; don’t share account credentials. What was missing? Yep, that’s right: there was no mention of activating 2FA on accounts, because Activision doesn’t offer that option. I’ve chosen a gaming company to illustrate my point on this occasion for a good reason: gamers are prime cyberattack targets.
According to research conducted by Akamai for its late 2020 Gaming: You Can’t Solo Security report (pcpro.link/315aka), gamers have never been so popular amongst the cybercriminal classes. Partly this has come about courtesy of Covid-19, with accompanying levels of lockdown around the globe. More time indoors means more time to play games. I’ve even got a PlayStation 5 and Xbox Series digital console on preorder to cover all my boredom bases.
Yet the trend of a steady barrage of criminal activity in the general direction of gamers started before the world changed. The Akamai analysis covered a period between 2018 and 2020, during which time there were a staggering ten billion credential-stuffing attacks detected against gamers. To put that in perspective, that’s a full 10% of the total credential-stuffing attack volume seen by Akamai during that time. There were some 152 million web application attacks against gamers picked up by Akamai as well.
In all, the researchers found that more than half of frequent gamers admit to having an account compromised at some point. That’s bad enough, but it gets worse: only 20% were very worried, or even just plain worried for that matter, about this stark security reality. Of course, they should be pulling their hair out (assuming they’re not old fart gamers like myself without the luxury of such plumage), considering that in-game assets have a resale value that will surprise many.
During the summer, I looked into the Epic Games big-hitter Fortnite. Not for the same reason as most reporters, the legal fight against Apple and Google, but from an account-hacking perspective. At the top end of the cybercrime game, some criminals are making almost £20,000 per week trading in stolen Fortnite accounts.
The research by Night Lion Security (pcpro.link/315viper) revealed that criminals can make that magic million in a year by charging silly money for account access that comes complete with skins, especially the rarest of character skins. Someone sold a “Recon Expert Skin” for £7,500, for example, and the most profitable stolen account went for an astonishing £28,000 in a private Telegram channel auction. Yes, these are extremes, but the point is that gaming accounts have a value – even if that value is more often in the £20 range for a “linked” one with average skins. An account not already linked to a PlayStation Network account will double in value. Throw in the associated hacked email account and it trebles.
Where the gamers in that Akamai research got it right is in thinking that account security should be a joint venture, a shared responsibility between the player and the game developers. Which brings me nicely back to 2FA: if the developer or platform upon which a game is being played doesn’t offer a 2FA option, the security onus shifts entirely to the player. That simply isn’t on – and it isn’t on in any industry sector, not just the gaming one. Gamers are usually very engaged in social communities, tend to have a disposable income and are likely to spend it on their gaming experiences by way of loot boxes, character skins and weaponry. Throw in the latest McAfee research (pcpro.link/315mca), which concluded that 60% of 16 to 24-year-olds have been scammed online, and you can see why the typical gaming demographic is targeted so much.
The problem with 2FA
Regular PC Pro reader Luke emailed me to ask if there was a solution to the big problem he had with 2FA. Such a big deal, indeed, that he told me he had given up using 2FA until such time as it was rectified. Here’s what he had to say: “I followed the advice from security experts, including yourself, to activate 2FA on every account, using Google Authenticator, that I could. Which turned out to be a big mistake as the result of doing so was as problematic as getting hacked would have been in my opinion.
“It worked okay until I upgraded to a new phone and then discovered that I was locked out of all my accounts, including Google. I made the mistake of not keeping my old number and I traded in the old phone when I got the new one. I had to jump through hoops to regain access to my Google account, and even if I’d known this in advance I would have had to disable and then re-enable 2FA for every service I used. You always say that security has to be easy to use in order to get people using it. 2FA doesn’t meet your own criteria.”
There’s a lot to take in there, so I’m going to start with the fact that being locked out of your own accounts by a security measure is most certainly not as bad as that account being compromised. Your data, and the other accounts and data it could lead to, remains safe if inaccessible while you restore access. If the account were to be compromised, you’d find yourself locked out and, while you’re trying to restore access, the attacker will be exfiltrating data and likely using what’s found to compromise other accounts and services.
Security cannot come at the cost of usability, I agree, but without wanting to come across as condescending, the user has a part to play in this. By which I mean that the problems Luke relates could have been mitigated had he followed the recommendations when first setting up his authenticator app and, indeed, 2FA on the various accounts he sought to protect.
As we’re talking about Google Authenticator here, let’s start with getting back into the Google account under such circumstances. The most obvious route to recovery would be to use one of the backup codes that Google prompts the user to generate when setting up 2FA. These can be printed out and then kept somewhere safe or, better still, kept in an encrypted file – and, for the sake of banging on about another of my security essentials, a password manager is ideal for this. Anyway, with a backup code Luke could have just hit the “More options” link when asked for his verification code and entered one of them. That would have been the easiest way, but there are other options as well, including having a secondary phone number in the 2FA settings or signing in from another trusted device that doesn’t require verification because you’ve ticked the “Don’t ask again on this computer” option.
Luke does, however, make a point that’s very valid indeed and is deserving of more attention: the portability of 2FA authentication apps. I’ve written about this before, and Luke tells me it’s been more than a year since he gave up on 2FA. The thing is that a year is a long time in authentication technology. Indeed, in May 2020, Google announced it was introducing portability to Google Authenticator codes for Android users. Aptly, it chose to make the announcement on World Password Day (the first Thursday in May).
The portability in question is the transfer of the “secrets” that are used to generate the 2FA codes. When you add an account to an authenticator app, you most often need to scan a QR code, which carries a secret key that is then stored locally on the authenticating device. The mistake most people make is to think that you can just install the authenticator app on a new phone and carry on. However, once the app has been set up on a new device, a new secret key is required for each registered service: you can switch the app but not the keys. That all changed when Google introduced a dedicated key-transfer feature, which is only for Android users currently.
This wouldn’t have helped Luke because he’d already lost access to the original phone, and you need both phones to use this functionality. If he had still had the old phone, it would have been a simple matter of exporting accounts from the app’s “transfer accounts” menu on the old phone, then choosing “import accounts” on the new one. A QR code is generated on the old phone and is then scanned in on the new – it’s as simple as that.
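To show why the secret is the only thing that needs to travel between phones, here is an added example (not code from the column, Google or Authy) that implements RFC 4226 HOTP and RFC 6238 TOTP in Go, plus the check a service performs on the code it receives. The secret is the RFC 6238 reference key, base32-encoded the way it would sit in a provisioning QR code; any device holding that same string produces the same codes, and a device holding a freshly generated secret never will.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
)

// Constructed sample: the RFC 6238 reference key, base32-encoded as an
// authenticator app receives it in the "secret" field of a provisioning QR code.
var sampleSecret = base32.StdEncoding.EncodeToString([]byte("12345678901234567890"))

// hotp is RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation,
// six digits. The only inputs the code depends on are the secret and the counter.
func hotp(secretB32 string, counter uint64) (string, error) {
	key, err := base32.StdEncoding.DecodeString(secretB32)
	if err != nil {
		return "", err
	}
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, key)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000), nil
}

// totp is RFC 6238: the counter is the number of 30-second steps since the Unix epoch.
func totp(secretB32 string, unixTime int64) (string, error) {
	return hotp(secretB32, uint64(unixTime/30))
}

// verify is what the service does: it holds its own copy of the same secret and
// accepts the code for the current step or one step either side, to tolerate
// clock skew. A phone holding a different secret can never pass this check.
func verify(secretB32, code string, unixTime int64) bool {
	for _, t := range []int64{unixTime - 30, unixTime, unixTime + 30} {
		c, err := totp(secretB32, t)
		if err == nil && subtle.ConstantTimeCompare([]byte(c), []byte(code)) == 1 {
			return true
		}
	}
	return false
}
```

Transferring accounts between phones, whether by Google's QR export or Authy's encrypted backup, is simply moving `sampleSecret` and its siblings; nothing else about the app matters to the service.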
So is Luke still right about 2FA failing the real-world usability test? After all, changing phone handsets is hardly an uncommon thing, and nor is trading in the old one, or even losing a phone. The changes to Google Authenticator are a step in the right direction, but I’d argue others have already cleared the usability hurdle by some margin. And by “others”, I mean Authy. If you want to wave goodbye to the time-consuming process of disabling and enabling 2FA across multiple services whenever you change device, it’s probably the app for you.
Authy (authy.com) is 100% compatible with any sites and services that say they can use Google Authenticator for 2FA. Better still, it comes in Android, iOS, Chrome, macOS, Windows 32-bit and 64-bit flavours. You have all device bases well and truly covered. Authy enables the user to back up and restore encrypted 2FA account tokens to another device, while ensuring that decryption only takes place on the local device itself with passwords not being stored in the cloud.
There’s an argument – and it’s a good one – that having your chosen authenticator app installed on multiple devices dilutes your security posture with every installation. But this sits right at the heart of what Luke was talking about: the balance between the additional risk of having authentication codes available on more than one device and the usability factor when you switch devices.
The Authy backup is an optional feature, so it can be kept disabled if you prefer. I’d use it to add a secondary device such as your laptop: install Authy there and it will synchronise with your phone app. Here’s the important bit, though: to ensure your best security position, you should prevent any further devices from being added. This means disabling the Multi-Device option from both phone and laptop. As Authy itself says: “The rule of thumb: install Authy on at least two devices and then disable Allow Multi-Device.” This is vital as otherwise an attacker with your username and password, or a SIM-swapped device, would be able to add a device and sync your 2FA data.
The usual rule of thumb about passwords applies to the Authy backup password, of course, so keep it long and random. Have I mentioned password managers already? Your Authy password will then be hashed (1,000 rounds) and salted. Your authenticator key is encrypted with AES-256 in cipher block chaining mode, with a different initialisation vector for every account.
As it’s only the encrypted result, salt and initialisation vector that Authy gets to “see”, with the actual key never transmitted, any breach at the Authy side won’t impact you. In the new phone scenario, you just need to install Authy on it and provide verification from your backup device. Authy will then sync your accounts in a matter of minutes.
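To make concrete what “only the encrypted result, salt and initialisation vector” means for the service, here is an added example (not Authy's code, and the record layout is this example's own) in Go: the backup password is run through a 1,000-round salted hash on the device, the resulting key encrypts the account secret with AES-256-CBC under a per-account IV, and the service only ever holds the ciphertext, salt and IV. The column does not name the hash, so iterated SHA-256 is an assumption; a production design would also add a MAC over the record.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// BackupRecord is all the service stores per account; the TOTP secret and the
// backup password stay on the device. (Layout is this example's, not Authy's.)
type BackupRecord struct{ Salt, IV, Ciphertext []byte }
// deriveKey stands in for "hashed (1,000 rounds) and salted": the column names no
// hash, so iterated SHA-256 is an assumption. Its output is the 256-bit AES key.
func deriveKey(password string, salt []byte) []byte {
	h := sha256.Sum256(append([]byte(password), salt...))
	for i := 1; i < 1000; i++ {
		h = sha256.Sum256(append(h[:], salt...))
	}
	return h[:]
}
// encryptSecret: AES-256-CBC under the derived key; salt and IV are drawn fresh per account.
func encryptSecret(password string, secret []byte) (BackupRecord, error) {
	pad := aes.BlockSize - len(secret)%aes.BlockSize // PKCS#7 padding
	padded := append(append([]byte{}, secret...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	rnd := make([]byte, 16+aes.BlockSize)
	if _, err := rand.Read(rnd); err != nil {
		return BackupRecord{}, err
	}
	rec := BackupRecord{Salt: rnd[:16], IV: rnd[16:], Ciphertext: make([]byte, len(padded))}
	block, _ := aes.NewCipher(deriveKey(password, rec.Salt)) // 32-byte key: cannot fail
	cipher.NewCBCEncrypter(block, rec.IV).CryptBlocks(rec.Ciphertext, padded)
	return rec, nil
}
// decryptSecret is the new-phone side: stored record plus locally typed password; a wrong password fails the padding check.
func decryptSecret(password string, rec BackupRecord) ([]byte, error) {
	if len(rec.Ciphertext) == 0 || len(rec.Ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("malformed record")
	}
	block, _ := aes.NewCipher(deriveKey(password, rec.Salt))
	plain := make([]byte, len(rec.Ciphertext))
	cipher.NewCBCDecrypter(block, rec.IV).CryptBlocks(plain, rec.Ciphertext)
	pad := int(plain[len(plain)-1])
	if pad < 1 || pad > aes.BlockSize || !bytes.Equal(plain[len(plain)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("wrong password or corrupted record")
	}
	return plain[:len(plain)-pad], nil
}
```

A breach of the stored records hands an attacker only ciphertext, salt and IV; recovering a secret from them means guessing the backup password, which is why the column's advice to keep it long and random matters.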
Of course, there’s an even simpler way to deal with the problems of 2FA codes when switching phones: don’t use an authenticator app, use a hardware key instead. These have come down in price over the years, as well as becoming much easier to configure and use. I’m a hardware key kind of guy myself, but do make sure you have a spare to cover a lost key nightmare situation.