Wednesday, June 22, 2016
Taking a break
I am taking a bit of family time before starting a new job in mid-July. Barring any major security events, I will not be publishing any posts for the next few weeks. See you in late summer!
Wednesday, June 8, 2016
IRS level-ups consumer security: the good, the bad, and the ugly
On June 7, the IRS launched an improved online authentication process, adding a degree of two-factor authentication. The IRS disabled online tax transcripts last spring after a rash of fraud - criminals obtained taxpayer information from external sources and used it to access a tax transcript; the transcript had ample information to completely impersonate the person and file fraudulent tax returns claiming huge refunds.
The new system requires two-factor authentication: in addition to your password you receive a code via text message; if an attacker doesn't have access to the device on which you receive that code, they cannot log in.
But here's the rub: in order to set up two-factor authentication, you still must have access to your account. Since the IRS disabled the tax transcript service last year, it requires you to prove your identity again. and guess what information is required to prove your identity? The same information that may have already been stolen in the past.
The result is what is known in the security world as a "race condition:" access is granted to whomever can "prove" your identity first.
The new system requires two-factor authentication: in addition to your password you receive a code via text message; if an attacker doesn't have access to the device on which you receive that code, they cannot log in.
But here's the rub: in order to set up two-factor authentication, you still must have access to your account. Since the IRS disabled the tax transcript service last year, it requires you to prove your identity again. and guess what information is required to prove your identity? The same information that may have already been stolen in the past.
The result is what is known in the security world as a "race condition:" access is granted to whomever can "prove" your identity first.
Thursday, June 2, 2016
TeamViewer Hacked? Maybe, maybe not - but take precautions
TeamViewer is a handy way to log into and control multiple computers from one location. I personally have used it and services like it to provide technical support for distant family from the comfort of my living room. Any computer that can be controlled over the Internet by me though, could potentially also be controlled over the Internet by a malicious hacker that knew the right access information.
It is not clear whether the TeamViewer service itself has been compromised, or if the crooks are simply taking passwords from the many recently-discovered breaches (LinkedIn, Tumblr, MySpace, etc.) and finding that the same password works for a person's TeamViewer account.
The latter is entirely plausible: over the past few weeks, somewhere close to a half BILLION email and password combinations have turned up for sale on underground markets. Many of these passwords are years old, from incidents long ago discovered and reported on - but password reuse remains common. If My LinkedIn password were stolen in 2012, and I changed it, but I used the same password for TeamViewer and never changed it, it is entirely possible a crook could discover my old LinkedIn password and use it to break into my TeamViewer account.
Regardless, a few precautions can limit the potential for harm.