If we find online safety measures like multi-factor authentication (MFA) irritating, we probably need to adjust our levels of expectation and trust for the internet of today. The longer we put off proper level-setting, the more likely we will fall for the scams and frauds that are rampant on today’s internet.
That’s one of the messages Roger Grimes shared on The Cyber Crime Lab Podcast recently. In this article, we’ll go deeper into his reasoning and share some of the best practices he advocates.
Roger has been in computer security for over three decades. He started in the virus space, fighting Apple and DOS viruses, before spending the 1980s as a network technician, rising through the ranks.
Roger has written 1,200+ articles and 13 books, and has been interviewed on shows like “All Tech Considered” by NPR.
He now consults with hundreds of companies on security reviews, attack responses, and advanced persistent threats.
One of the things Roger is known for advocating is MFA. When he gets push back on it, it is usually in terms of “it’s too much trouble.” This indicates that some people are still thinking about the internet in the same way as real-life scenarios.
Roger gives the example of ordering a pizza; We call a number and have no idea who is answering. We may even give them a credit card number. Then some stranger comes to our residence and hands us food that we haven’t inspected and we give them money. When it’s framed like this, it sounds like a lot of trust is involved, and it is! But that’s because there are safeguards in real life, not least of which include the police who can help you in case of a potential attack.
Now consider that same scenario on the internet: You want to purchase a pizza. Is it strange that your bank or credit card company or even the pizza place want to double check that it’s a real person ordering and not just a bot?
So once we understand that it’s unreasonable to apply our default real-world levels of trust and expectation to the internet, we’re approaching the right mindset for keeping safe online.
Four Signs You’re Being Hacked
But you can’t question every experience, right? So once a reasonable level of security expectation is established, what are some warning signs to put you on high alert for fraud? Roger lists four:
An unexpected communication — this could come from a person or organization that you know or would be reasonable for you to know.
Being asked to do something for the first time — this could mean filling out a form or sending an email or providing particular details.
A stressor event — this is a demand that the thing you are being expected to do needs to be done in a short time window.
Could be malicious — this is recognizing that whatever you do might expose you. This might include sharing your bank details or home address, or part of an identifying document, such as a partial social security number.
Red lights would definitely be going off in your head if all four of these signs happened at once. But Roger stresses that if any one of these occurs, you’re at risk. If all four do, you’re almost definitely being scammed.
Roger shares an example where a candidate was applying for a posted job offer whilst working at his current role (he was a chief marketing officer). He was asked to fill out an application in Microsoft Word format that had active fields in it. These active fields served as vectors for malware to capture his passwords and gain access. The scam cost his firm quite a bit of money, to say nothing of his embarrassment that the compromise happened because he was looking for new employment. Even worse, this person regularly read Roger’s columns and still fell victim to a scam.
This doesn’t mean that you can never trust a situation where there is a stressor event. It just means that you need to be vigilant, even in a scenario that you think you’ve initiated.
Roger believes that sharing stories is a big preventative measure. But sometimes people disregard the evidence that they are being scammed.
Roger says this is most prevalent in romance/dating scams. Even when someone has been shown they are being scammed out of money, they still want to pursue a “relationship” with the scammer. “The heart has a mind that the mind knows nothing of,” Roger says.
It’s Not About Intelligence
It’s not “stupid” people who get caught up in these scams. One of Roger’s clients has a Nobel Prize in quantum physics — not someone you would classify as “stupid.” Yet he still got scammed out of two million dollars.
It’s not about intelligence, it’s about awareness. Keep up with the scams that are out there, be aware of the four warning signs in your personal interactions, and advocate for proper security measures to be taken in your professional environment.
Passwords and MFA
The average person logs into about 170 websites a year, but only tends to use three to seven passwords across those 170 sites, often without the help of a password manager. This goes back to the mentality shift Roger advocates.
We aren’t asked to remember dozens of passwords in everyday life. But instead of realizing that online there are methods in place to keep us safe, we rely on our memory and gut and then act surprised when we get hacked.
That doesn’t mean MFA is a cure-all. One of the last things Roger mentioned to us on the episode is about the class of MFA you are using. He advocates for phishing-resistant MFA. Just like viruses adapt to overcome treatments, criminals don’t just give up when confronted with MFA. They try to find a way in, starting with getting your password.
If they can find a way to hack your password, they can find a way to intercept your text messages, a one-time password, or answers to your security questions.
Roger refers to phishing-resistant technologies outlined in a White House document: FIDO2 WebAuthn and PIV smart cards, which use a third piece of technology to verify that the person requesting access is actually the right person.
Remember that if your reaction to this is that it’s overkill, it’s because you haven’t sufficiently shifted your mindset to what is normal on the internet. Until you do, you’ll be susceptible to attack.
If the worst happens, you’re going to want the best financial, legal, and technical support to get you back up and running again. With cyber insurance from DataStream, we find the most comprehensive insurance coverage on the market alongside critical post-incident customer support.
Click here to learn more about how we can help secure your business data!