All Your Accounts Are Belong to Us

Last weekend my work phone suddenly stopped working. Not the phone itself, but rather all service stopped. I first noticed (of course) due to an inability to load any web pages. Then I tried calling someone and realized my phone was disconnected. In fact, when someone tried to call me, it said the line was no longer in service. It was Sunday, and my phone is a company device, so I had to wait until Monday to get things sorted.

It turns out someone called in to Verizon claiming to be me. The individual claimed his phone (my phone) had been stolen, and he wanted to transfer service to another device. He had enough information about me to pass whatever verification Verizon required, and if he'd been a little smoother on the phone, he'd have likely gotten my number. It turned out that the Verizon employee felt the call was suspicious and disabled the account instead of transferring service. (I know that only because the employee made a note on the account.) After a stressful day of back and forth, the company I work for was able to get my phone turned back on, and I still have the same phone number I've always had—thank goodness.

Kyle Rankin saw me tweet about my phone issues, and he immediately responded that I should check my online accounts, especially those with two-factor authentication. If other people had been able to get my phone number, they could use that as "proof" of their identity and reset many of my passwords. It hadn't occurred to me just how much we depend on our cell-phone companies for security, even on our personal bank accounts. That doesn't mean two-factor authentication (2FA) isn't important; it just means we need to consider our phones as a viable vector for attack. So in this article, I want to talk about securing your online accounts.

Call Your Mobile Provider

Before I talk about securing online accounts, I urge you to contact your cell-phone company. I use several providers myself, and after my experience with the company phone, I realized just how important it is to contact the provider and set up security. By default, your cell-phone company might have a few security questions for you to answer. It also might just ask for your date of birth in order to access account information. It's important to call and ask what sort of security you can add to the account to make sure a third party can't pretend to be you. What that security looks like will be different for every company, but really, call them. Anyone on Facebook can look up my birthday, and if that's all you need to make changes to an account...well, yikes.

Once you're confident that your phone isn't easily compromised, it's time to start looking at your online accounts. Not all businesses provide two-factor authentication, but more and more are adding the service every day. Even if your banks, email accounts and Spotify stations don't have extra layers of protection, having a good password is crucial.

My Name Is My Passport, Verify Me

I've written in the past about creating "good" passwords. Some of what I recommended is valid, and some was shortsighted. I was in good company with my shortsightedness, because tons of companies still require "complex" passwords. The problem is, password complexity generates passwords that are hard for humans to remember and easy for computers to guess. The famous xkcd comic explains the problem much better than I can (Figure 1).

Figure 1. This comic titled "Password Strength" from xkcd is so true it hurts.

(Note: Randall Munroe from xkcd made it fairly clear that occasionally reprinting his comics is okay as long as he is attributed. I'll go so far as to say not only is his work awesome, but you should go buy things from his store. Seriously, he's awesome.)
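As an added example (not part of the article), here is the entropy arithmetic behind the comic's argument, plus a passphrase picker that draws words with the OS CSPRNG. The demo word list and the per-component bit estimates for a "complex" human-chosen password are assumptions for illustration.

```python
import math
import secrets

# Constructed word list for the demo only; a real generator would load a
# published list such as the EFF large wordlist (7776 entries). Four words
# from this 16-word list give only 16 bits, which is why the comparison
# below uses 7776 as the list size.
DEMO_WORDS = [
    "correct", "horse", "battery", "staple", "river", "candle", "orbit",
    "pepper", "window", "cactus", "velvet", "lantern", "marble", "tunnel",
    "pillow", "falcon",
]

def entropy_bits(choices: int, length: int) -> float:
    """Entropy of `length` independent uniform picks from `choices`
    possibilities: log2(choices ** length)."""
    return length * math.log2(choices)

def pattern_entropy_bits() -> float:
    """Rough entropy of a 'complex' password built the way humans do it:
    an uncommon word, a few leet substitutions, a capital, a digit and a
    symbol. Component estimates are assumptions following the xkcd
    'Password Strength' breakdown, not measured values."""
    base_word = 16        # one uncommon word out of roughly 65,000
    capitalization = 1    # first letter capitalized or not
    substitutions = 3     # predictable 0->o, 4->a style swaps
    punctuation = 4       # one of ~16 common symbols
    numeral = 3           # one digit, biased toward a few favourites
    order = 1             # digit-then-symbol or symbol-then-digit
    return base_word + capitalization + substitutions + punctuation + numeral + order

def years_to_guess(bits: float, guesses_per_second: float) -> float:
    """Time to exhaust every candidate at a given guessing rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

def make_passphrase(words=DEMO_WORDS, count: int = 4) -> str:
    """Pick words with secrets.choice (a CSPRNG), never random.choice."""
    return " ".join(secrets.choice(words) for _ in range(count))

if __name__ == "__main__":
    rate = 1000  # guesses per second against a rate-limited online login
    for label, bits in [
        ("pattern password (Tr0ub4dor&3 style)", pattern_entropy_bits()),
        ("4 words from a 7776-word list", entropy_bits(7776, 4)),
        ("8 random printable ASCII characters", entropy_bits(95, 8)),
    ]:
        print(f"{label}: {bits:.1f} bits, ~{years_to_guess(bits, rate):,.0f} years at {rate}/s")
    print("passphrase from the demo list:", make_passphrase())
```

The point the numbers make is that a four-word passphrase from a real list beats the "complex" pattern by more than 20 bits while staying memorable; the guessing rate against an offline hash dump is many orders of magnitude higher, which is why the list size and word count matter more than symbols.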

______________________

Shawn Powers is a Linux Journal Associate Editor. You might find him on IRC, Twitter, or training IT pros at CBT Nuggets.