A solution is the two-factor authentication to keep hackers out of your personal accounts.

 

BY: Leona Lo

 

Have you ever received an e-mail from your friends and relatives asking for money because they are stranded abroad and their cash has been stolen? Such “lost in Algeria/Spain/any foreign country” e-mails have become so common today that everyone knows someone who has either received the e-mails or whose private e-mail account has been hacked.

The common solution is to disable the e-mail account and set up a new one, hoping the same thing would not happen again. But this is not the best solution. Setting up a new account with a new username and password is simply not enough to prevent hackers from accessing your account. The best way to prevent hackers from accessing your social networking and private e-mail accounts is to activate two-factor authentication.

 

Two-factor authentication

There are three methods of authenticating an individual’s identity, namely, “What we know”, such as a password or other common information like our mother’s maiden name; “What we have”, such as a security token or mobile phone; and “What we are”, such as a biometric like a fingerprint. Two-factor authentication or 2FA is a combination of two of the above methods. Today, all banks and, progressively, securities trading firms require 2FA over and above the basic username and password, also known as first-factor authentication, to verify their users’ identity. In a typical scenario, after you have cleared the first level of authentication, a One-Time Password (OTP) will be sent to your mobile phone or you could self-generate the OTP on a security token issued by the bank or securities trading firm. The same applies to your social networking accounts (such as Facebook) and private e-mail accounts (such as Gmail) should you decide to activate 2FA.   

Chai Chin Loon, chief operating officer of Assurity Trusted Solutions (Assurity), a wholly-owned subsidiary of IDA, said: “Preliminary results from a recent survey we conducted among executives at Raffles Place show that 2FA awareness is still relatively low among users of social networking and private e-mail services. Not many people know that they can activate 2FA for their e-mail and social networking accounts.” 

To activate 2FA for these accounts, you just need to click on your privacy settings and follow the instructions, which usually entail linking your mobile phone to the account. This would take no more than five minutes. Each time you access your account after having logged-on, an OTP will be sent to your mobile phone. You will have to key in the OTP in order to access your account again. This helps to reduce the risk of unauthorised access to your account.

 

Man-in-the-middle attacks

While activating 2FA with OTP may be sufficient to prevent hackers from accessing your private e-mail accounts, the same is not true of online banking transactions. Despite the widespread use of OTP in online banking, there are more sophisticated attacks that can bypass the OTP to conduct unauthorised financial transactions. Such attacks have already taken place.

For example, an individual logs into his bank’s online portal to effect a S$500 funds transfer. He keys in his username and password, followed by the OTP generated on his security token. At the end of the month, when he receives his statement of account from the bank, he is horrified to discover that S$10,000 has been transferred from his account to an unknown account holder. What he has experienced is known as a man-in-the-middle attack. 

Chai said, “Man-in-the-middle-attacks occur when a hacker intercepts the communication between you and your bank. This includes stealing your OTP from under your nose and changing the nature of the transaction.” To counter such attacks, banks are now deploying an additional layer of security known as transaction signing. 

He said, “Transaction signing is like signing an online cheque. The end user will be prompted to key in details such as his account number and transaction amount – details that only he will know, into his token.  This will help prevent man-in-the-middle attacks. As hackers become more sophisticated, the challenge is to build in additional levels of security. This often comes at the cost of reduced convenience for the end user, but when you consider the risk of losing your hard-earned money to cyber criminals, then the benefits far outweigh the costs.”

 

Leona Lo is the PR manager for Assurity Trusted Solutions.

 

** A series of 2FA awareness interactive exhibitions will be held at various libraries across Singapore in 2012. Surf onto http://golibrary.nlb.gov.sg/ or pick up the free monthly issue of “Go Library” at all 24 public libraries for regular updates. 

 

---