The reason for that is four recent high-profile phishing attacks, three of which succeeded.
Network equipment vendor Cisco had some staffers successfully phished, ditto communications provider Twilio. In both cases, the phishing techniques used were really advanced, cleverly designed to appear as legitimate messages, with infrastructure like websites set up last minute before the attacks, to avoid detection.
Security journalist Dan Goodin of Conde Nast-owned Ars Technica was also hit recently.
Goodin's very experienced and knowledgeable about "business email compromise" or BEC, and other phishing techniques. Even so, he fell for a phish.
Whereas in the past phishing and social engineering attempts have been quite crude and relied on volume rather than sophistication, they're now really good. They have every chance to succeed.
What are the phishers after then? In the case of Twilio, the follow-up attack on a small number of users of the open source, encrypted messaging app Signal seems to have been one motive.
Signal is very security oriented and hard to break into, which is why it's popular with users in exposed positions. That includes politicians, activists, journalists, hell, even the occasional opinion columnist uses Signal.
In other cases, it could be someone either wanting to empty your online-accessible bank account or laundering money through it, after phishing your login credentials. Either scenario would cause you a world of pain.
Other phishing phun includes getting access to social media accounts to dent someone's reputation, spying in general, or working out someone's whereabouts for a beating or worse. You can do lots with information gleaned from phishing, and what attackers are after on any given occasion is anyone's guess.
Where the phishers' attack failed was against another company whose network you most probably have connected to without realising, one which is very security oriented too, namely content delivery network and reverse proxy provider Cloudflare.
Cloudflare was also hit by the Twilio hackers who had got hold of employees' phone numbers and sent them text messages to check new schedules on what appeared to be a legitimate site.
"This was a sophisticated attack targeting employees and systems in such a way that we believe most organisations would be likely to be breached," Cloudflare wrote in its post-mortem of the attack.
Some employees were fooled and provided their credentials to the phishing site, which was also able to capture short-lived two-factor authentication codes generated by special apps and relay them to attackers, who could then try to log in to Cloudflare staff accounts.
Despite that well-thought-out attack, they couldn't get past Cloudflare staff using hardware keys.
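To make the difference concrete, here is an added example (not from Cloudflare's post-mortem or any vendor's code) contrasting what a login server can check for an app-generated code with what it can check for a hardware-key (WebAuthn) response. The domains, challenge and helper names are constructed for illustration, and the check of the key's signature over these fields, which a real server must also perform, is left out because Python's standard library has no ECDSA.

```python
import base64, hashlib, hmac, json, struct

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code (HMAC-SHA1): depends only on the shared secret and the clock."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, unix_time: int) -> bool:
    # Nothing in the code records which site the user typed it into,
    # so a code forwarded from a look-alike page verifies like any other.
    return hmac.compare_digest(totp(secret, unix_time), code)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def binding_failures(client_data_json, authenticator_data, challenge, origin, rp_id):
    """Site-binding checks a WebAuthn relying party runs on a login response.
    Returns the names of the failed checks; an empty list means all passed.
    Assumption: the signature over these fields is verified separately."""
    cd = json.loads(client_data_json)
    failures = []
    if cd.get("type") != "webauthn.get":
        failures.append("type")
    if cd.get("challenge") != b64url(challenge):
        failures.append("challenge")
    if cd.get("origin") != origin:  # the browser writes this, not the user
        failures.append("origin")
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        failures.append("rpIdHash")  # the key is scoped to the real site's ID
    return failures

# Constructed sample values, not taken from any real incident.
SECRET = b"12345678901234567890"  # test secret from RFC 6238
NOW = 59
CHALLENGE = b"constructed-challenge-0001"

def sample_response(origin_in_browser: str, rp_id_used: str):
    """Build the two fields a browser and key would return on a given site."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(CHALLENGE),
                              "origin": origin_in_browser}).encode()
    auth_data = hashlib.sha256(rp_id_used.encode()).digest() + b"\x01" + struct.pack(">I", 1)
    return client_data, auth_data

if __name__ == "__main__":
    print(verify_totp(SECRET, totp(SECRET, NOW), NOW))
    print(binding_failures(*sample_response("https://login.example.com", "login.example.com"),
                           CHALLENGE, "https://login.example.com", "login.example.com"))
```
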
I wouldn't go as far as Goodin and say hardware keys are unphishable. However, as Google, which also provides them to employees and which uses the security devices for its Advanced Protection Programme for journalists, politicians and other exposed people says, no staffer who uses hardware keys has been phished yet.
Sensibly enough, Cloudflare did not penalise the staff who fell for the phish. Doing so is counterproductive as it can not only get in the way of legitimate communications, but can also deter people from reporting phishing.
So yes, while we still email and message each other links and attachments, adding that hardware multi-factor authentication protection is totally worth the additional hassle.
The threat landscape has shifted, and you need to move along with it.