I know that as a person, who writes about security I should be aware of the threats that phishing carries and I should protect myself just to set an example. Unfortunately until now, I was “a shoemaker going barefoot” as a Polish saying goes. Although I try to remain open about how I protect myself, I’m aware that there are still areas worth improving. Luckily I’ve just changed this state and bought a Yubikey. As for now it’s enabled on my blog, email, AWS, Facebook, GitHub, GitLab and Twitter.
What is a Yubikey?
A Yubikey is a device used for 2-factor authentication. In this aspect it’s similar as SMS codes, or authenticator apps. But there’s one feature that makes them stand out, which is the protection they give against phishing. It is a small device that communicates with my computer or phone (I have a model with NFC so that I don’t have to plug it into my phone) and sends authentication tokens to a host we want to log into.
OK, but what is phishing and why should I worry?
Let’s tackle the first question first. According to this study:
- Nearly 60% of the data breaches are due mainly to human error. These include trained and untrained insiders who fell prey to phishing attacks. This resulted in $3.5m in losses in 2019 alone.
- Overall phishing is down by 42% compared to 2019, yet the success rate of whaling and spear-phishing is higher than ever before, suggesting that attackers are going for quality over quantity.
- An alarming 40% of employees with little or no phishing awareness training regularly failed during simulated phishing campaign and assessment tests.
- Most (90%) phishing emails were actually caught and verified by email security gateways, yet the 10% that remained accounted for over 170,000 incidents inside organisations’ premises. This caused losses of over $26bn in the period July 2016 to July 2019 in the US alone.
To put it short: phishing is a problem because it’s efficient and its impact can be huge. That’s enough to get worried if you ask me.
A typical phishing attack requires tricking the victim into logging to a website, which looks like a place they normally log into. It can be an email account, accounting application, bank, a place where critical resources are stored, like code repository etc. The victim thinks that they have a legitimate website in front of them, but in fact it’s controlled by the criminals, who log the credentials (login and password) and use them to log into the actual website. This means that even without a data breach you can loose the control over the website. If you have 2FA enabled, you also pass the token, so it also gets stolen. It doesn’t matter whether you use SMS, push notification, or whatever, those methods do not help. Except for one…
Yubikey for help
What makes those hardware devices special is that they are associated with a website. So if you enable one for, say facebook.com, and the attacker sets up a website with an address of, say fakebook.com, and you do not notice the difference and try to send the credentials, the Yubikey won’t detect this as a valid host it’s associated with and it won’t send the credentials. This device isn’t prone to simple typos, and other techniques used to trick users to log into malicious websites.
Of course you should notice from the description above that in this scenario you still loose your password. Yubikey doesn’t help for this. The solution for this problem is resetting the password and storing it in a password manager, so that you can easily have different passwords for different websites. This will stop the attackers from logging to site A with credentials they stole for site B. Maybe I’ll show an example attack in next technical post.
Of course the Yubico’s keys are not the only ones available on the market. Here you’ll find link that will help you find another manufacturers. If you enjoyed this post, consider subscribing to the newsletter, so that you won’t miss next ones.