Changing pace from what I posted previously, I hope that, much like the Chinese New Year has an animal, cybersecurity in 2024 finds a mascot in better authentication measures. With all the focus on AI and things that are a more interesting buzz, I am not holding my breath for this. However, the uptick in incidents relating to poor authentication measures and lack of multi-factor authentication (MFA) is not to be scoffed at.
Multi-Factor Authentication (MFA)
The @SECGov has been compromised. An unknown Threat Actor has compromised the account.@GaryGensler has tweeted, confirming the breach, stating the SEC has not approved listing and trading of spot Bitcoin exchange-traded products
— vx-underground (@vxunderground) January 9, 2024
This is yet another high profile Twitter breach pic.twitter.com/p0ynCFc9Dm
What prompted this post was the recent breach of the Securities and Exchange Commission (SEC) X account, which falsely posted that Bitcoin ETFs were approved. This caused a lot of movement in the cryptocurrency market while raising some alarm bells regarding security. How could a government agency’s social media account get popped so easily? If X’s Safety team is anything to go by, a SIM swap or something of the like happened, and to make matters worse, two-factor authentication was not enabled on the account. Regardless of if the attack vector means anything to you, it is still crazy to think this happened in the first place.
We can confirm that the account @SECGov was compromised and we have completed a preliminary investigation. Based on our investigation, the compromise was not due to any breach of X’s systems, but rather due to an unidentified individual obtaining control over a phone number…
— Safety (@Safety) January 10, 2024
While outlets were reporting that X had been hacked (see below, it was not the case as far as I am aware) and other information was stirring around Bitcoin, it raises a point: why wasn’t two-factor authentication enabled? Whether or not this was a legitimate breach or simply an early posting of information followed by a hasty C.Y.A. (Google it if you don’t know) by X and the SEC, if 2FA was truly not enabled, I have concerns.
.@CNBC incorrectly states that X has been compromised. They do not understand (or seem to acknowledge) that it was an individual account, not the entire platform. pic.twitter.com/I9AKKu7PmJ
— vx-underground (@vxunderground) January 10, 2024
Regardless, this incident could have been spun as the reason to have two-factor authentication rather than simply stirring the Bitcoin pot, so I am going to do the former. Before that though, let’s first understand two-factor authentication or 2FA henceforth. 2FA is, per the Cybersecurity and Infrastructure Security Agency (CISA), a “layered approach to securing data and applications where a system requires a user to present a combination of two or more credentials to verify a user’s identity for login.” This means that when you log into a site, you not only have to present a password (something you know), but you also must present either something you have (generated token, phone, USB token, etc.) or something you are (biometrics). With this, if your password is compromised, the attacker still can’t get into the account, as you would need to give up the second authentication factor.
This is what makes SMS 2FA worse than app-based authenticators or other 2FA means, as an attacker could nab a password and then perform a SIM swap. Therefore, the attacker would have access to your text messages, where you might get a 2FA code, which would nullify 2FA for you. Despite this pitfall, there are other options, and barring that, something is better than nothing. Obviously, though, go for the best 2FA solution you are humanly capable of, which should be an app-based authenticator or 2FA Token.
With a rough outline of 2FA established, why is it important? Data breaches are a matter of when, not if, so having an extra layer of protection if your password or other sensitive data is stolen is a big win for your personal security. Further, phishing scams are only getting better, as I alluded to in my post about AI which you should read, so that too is a matter of when, not if. Thus, if you lose or give up your password, that is not necessarily the end of the world with proper 2FA.
Of course, look out for MFA fatigue attacks, where an attacker will spam you with 2FA notifications until you approve a login. If you don’t fall for it, it is a good “red alert” that you should change your password. If you laugh at this, thinking, ‘I am not that silly’, I have done it against folks. It definitely works.
TLDR: Use 2FA that isn’t SMS-based preferably, and read up on MFA while you are at it; it’s worth your while.
Passkeys
I have limited experience or knowledge regarding passkeys, so I will keep this brief. Passkeys are the up-and-coming replacement for passwords based on a private/public key cryptographic system. If that went over your head, think like a lock and key system, where you hold onto and keep your key private while the lock, which can be viewed publicly, only receives your key to open a door. While this isn’t a perfect analogy, it more or less gets the job done.
In any case, passkeys are a means by which you can unlock an account by using a pin, biometric, or other form of authentication to unlock an account using the private key stored on your device. Every site you have an account with will have a separate private key and lock (public key) combination that uses the master access method (biometrics or otherwise). Ultimately, this is sort of like rolling a password manager and 2FA into one secure bundle that is better than simply having a password and ought to be easier than using passwords outright. This also helps to prevent phishing and credential stuffing attacks that would be more viable with username/password combos.
TLDR: Dig into passkeys; most major players, like Google and Apple, are moving toward them. Better than plain ol’ passwords, and easier to boot!
Whether you have a fat crypto wallet and diamond hands but poor security, or juicy personal data ripe for stealing, you should be aware of ways to protect yourself. Good cybersecurity hygiene starts with enabling and using proper multi-factor authentication and/or passkeys, as the latter is the way of the future.
Editor’s Note: If you have a problem with the blog, please reach out at blog@nordsec.dev and we will get it fixed!