Why Humans Continue to be the Weakest Link in Online Security
Since you’re a very diligent computer services user (right? right?), you have without doubt followed your service providers’ recommendations and enabled a thing called “2-Factor Authentication” (“2FA”) wherever it is possible. Typically, this means using a password plus an app or messaging service that sends an authentication request or code to your mobile phone whenever you try to log in.
That’s what the typical implementation of “Multi-Factor Authentication” looks like. In broader terms, this type of authentication tries to establish your identity by asking you for at least two of the following: something only you know (e.g. a password), something only you have (e.g. your mobile phone, although that is quite a shaky assumption), and something that you are (e.g. an iris or fingerprint scan).
These authentication techniques are quite sophisticated, but they can of course be defeated if the attacker goes after the weakest link in that chain: your brain.
This article reminds me of a story I was once told: a company introduced 2FA to protect against cyber attacks and held multiple working sessions with C-level managers to explain how the system works, namely that they now have to enter their password to log in and also hit a confirmation button in the newly installed app on their phones whenever they are asked to do so.
If you read that last paragraph carefully, you might have noticed the problem. The message was not: “After you try to log in, you will get a message on your phone that you need to confirm. If you get such a message without having tried to log in, notify IT.”
The message was (I’m paraphrasing here): “Whenever that thing pops up, just tap ‘ok’ to make it go away.”
And that’s just what they did: they authorised logins caused by hacking attempts, because the app asked them to confirm a login and they just tapped “ok”.
The Infrastructure of the Internet Remains Brittle
Do you remember six years ago, when a humble package called “left-pad” was pulled from the npm registry, rendering millions of software products unusable? (Well, technically, their builds broke.)
While this was an accident, many people worried that software projects could be hit by deliberate supply-chain attacks. Now, in the context of Russia’s invasion of Ukraine, exactly that has happened: an unidentified attacker changed the code of a software library used by thousands of products so that it damages computers located in Russia or Belarus.
This incident shows a real danger in the open source and free software movement: the dependency lock file of one of my projects is over 17,000 lines long, yet I installed only 39 packages myself. Is one of those many thousand other packages targeting me? Maybe there is no reasonable way for me to find out.
Want to use Your Phone Less Often? Try This!
Michelle Drouin reminds us that although many technologies are designed in a way to make them maximally addictive, we still have the choice if we want to engage with them, or not. She calls for more deliberate decisions about the trade-offs we accept when we’re spending our time in front of our screens and taking action if we realise we’re not happy with them.
WTF Visualizations
In a thrilling miss of a plot-twist, this website is about visualizations that will make you go “WTF?”. (Thanks to Dani for the hat-tip)
Thanks for reading this edition of Let’s be Fwends - as always, if you found something interesting, please share it with someone who might find something interesting as well. ♻️