This post first appeared on my SAP blog on October 26, 2015.
In the past few years, major data breaches, as well as the hacking of personal accounts belonging not only to public figures but also to ordinary people, seem to be on the increase. In June 2014, McAfee published a study indicating that hackers are costing consumers and companies between $375 and $575 billion… annually! Furthermore, losses connected to personal information, such as stolen credit card data, have amounted to over $150 billion. We’ve all had instances of unauthorized charges appearing on our credit card statements. These are usually handled by the credit card companies, with little or no liability for us personally. I am hoping that as contactless payment options and EMV cards become more ubiquitous, we will see these types of fraudulent charges greatly reduced or eliminated.
But EMV cards and contactless payments don’t do a lot to protect our online persona – and think about it… we have many of them, with many passwords. Do you remember them all, or are you using similar or the same passwords for multiple accounts? How many of you have credit cards or even banking information on file with an online retailer? How secure is your access to that account? My guess is that most of you use a user ID and password. Many banking and financial services (including credit card companies) offer two-factor authentication (or 2FA). With a few exceptions, most online retailers don’t offer 2FA as an option for logging in or for other high-value transactions. If they don’t, they should. If you don’t use it, you should. 2FA is one of the simplest, yet most valuable, methods available to help protect your identity.
Many banks have taken the initiative and provide 2FA to their customers when, for example, you log into your online bank account from an IP address you haven’t used before. That’s a huge protection for you. Have you provided your mobile number – i.e. the number where you receive texts? Don’t be afraid to share it. Your mobile device is “something you have” – that is one of the factors in two-factor authentication. Typically the first factor is something you know – e.g. your password. An alternative might be something you are – like a fingerprint. My point is that if you are given the option to set up 2FA, do not hesitate. You will be doing yourself a huge favor. If an online retailer or whoever else does not offer it and instead relies on security challenge questions (which are problematic and not secure, according to Google research) along with a user ID and password, please ask them to consider supporting 2FA.
If you have a public persona – such as Facebook, Twitter, or some other social media account – you should strongly consider using 2FA if it is offered. Codes are sent to your mobile device when a login is attempted from a device or browser that the service does not recognize. Therefore, should your user name and password ever be compromised, you still have some level of security, as you should still be in control of your mobile device.
Two-factor authentication is simple and easy for the consumer. In most cases, it will be a multi-digit code sent to a mobile device – typically through SMS. The website being visited will make it clear that it is sending such a code and provide a place to enter the received code within a short time limit. Too many failed entries will lock out the user. One caveat: SMS is the most common delivery channel, but it is also the weakest, because a code can be redirected by someone who takes over your phone number (SIM swapping); if a site offers an authenticator app or a hardware token instead, choose that. Even so, there’s no really good excuse not to use 2FA when offered. Sites where financial information is kept, and accounts that give users a public persona, should always be protected – not only for the protection of the users, but for the enterprise as well.
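To make the flow described above concrete, here is an added example (not code from the original post or from any particular bank or website) of the server side of an SMS code check: it generates a short numeric code, expires it after a few minutes, compares the submitted code in constant time, locks the account after too many wrong entries, and optionally remembers a device so a trusted browser is not challenged again. The SMS gateway callback, the user names, the phone number and the limits are all assumptions for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6            # assumed code length; most sites use 6 digits
CODE_TTL_SECONDS = 300     # assumed "short time limit" before the code expires
MAX_ATTEMPTS = 5           # assumed number of failed entries before lockout


@dataclass
class PendingChallenge:
    code: str
    expires_at: float
    attempts: int = 0


class SecondFactorVerifier:
    """Issues and checks one-time codes for the second factor of a login."""

    def __init__(self, send_sms, clock=time.time):
        # send_sms(phone_number, message) is assumed to hand off to an SMS gateway;
        # clock is injectable so expiry can be exercised without waiting.
        self._send_sms = send_sms
        self._clock = clock
        self._pending = {}          # user -> PendingChallenge
        self._locked = set()        # users locked out after too many failures
        self._trusted_devices = {}  # user -> set of device identifiers

    def is_trusted(self, user, device_id):
        """True if this device was remembered after an earlier successful 2FA."""
        return device_id in self._trusted_devices.get(user, set())

    def start_challenge(self, user, phone_number):
        """Generate a fresh code and text it to the user. Returns False if locked."""
        if user in self._locked:
            return False
        # secrets, not random: the code must be unpredictable to an attacker
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = PendingChallenge(code, self._clock() + CODE_TTL_SECONDS)
        self._send_sms(phone_number,
                       f"Your verification code is {code}. "
                       f"It expires in {CODE_TTL_SECONDS // 60} minutes.")
        return True

    def verify(self, user, submitted, device_id=None, remember_device=False):
        """Check a submitted code. Returns one of:
        'ok', 'wrong', 'expired', 'locked', 'no_challenge'."""
        if user in self._locked:
            return "locked"
        challenge = self._pending.get(user)
        if challenge is None:
            return "no_challenge"
        if self._clock() > challenge.expires_at:
            del self._pending[user]
            return "expired"
        # constant-time comparison so timing does not leak matching digits
        if hmac.compare_digest(challenge.code, submitted.strip()):
            del self._pending[user]  # a code is single-use
            if remember_device and device_id:
                self._trusted_devices.setdefault(user, set()).add(device_id)
            return "ok"
        challenge.attempts += 1
        if challenge.attempts >= MAX_ATTEMPTS:
            del self._pending[user]
            self._locked.add(user)
            return "locked"
        return "wrong"


if __name__ == "__main__":
    # Constructed demo: capture the "SMS" instead of sending it.
    outbox = []
    v = SecondFactorVerifier(lambda phone, msg: outbox.append((phone, msg)))
    v.start_challenge("alice", "+15555550100")  # hypothetical user and number
    print("sent:", outbox[-1][1])
    print(v.verify("alice", "000000", device_id="browser-1"))  # wrong (almost certainly)
```

In a real deployment the pending challenges, lockouts and trusted devices would live in a database rather than in-process dictionaries, and the lockout would be cleared by a support process or a timed cool-down rather than lasting forever.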
Personally, I am sick and tired of hearing about data breaches and identity theft when there are so many tools available today to prevent them. With so many enterprises being compromised, the breach is often caused simply by lax security measures and a failure to adhere to well-known standards such as 2FA (and of course PCI DSS), and it only takes one employee to enable a hacker to compromise the accounts of millions.
What are your thoughts? Are you using 2FA when offered? If not, why not? If so, is it your choice, or does the organization you are working with (as employee or customer) mandate it?