If you use your mobile phone or tablet for any kind of Internet application that requires authentication — Facebook, Twitter or online banking, for example — you’re setting yourself up to get hacked.
The unending march of the mobile device toward ubiquity is a rather astounding technological leap. Having the Internet in your pocket seems such a great idea on the surface, until you start to think about the design corners that have to be cut in order to make the interface simple enough to use.
Anyone who’s ever tried to code on a touch-based keyboard knows what a pain it is: almost every line of code requires a symbol like a dollar or semicolon or a square bracket, which are all on the second or third ‘pages’ on the virtual keyboard. This same design limitation may well undermine your choice of password.
Let’s say you use Facebook a lot on your mobile. You could employ a brilliant password and get the device to store it for you. But if something happens to your phone (e.g. it’s stolen, or you need to factory reset it, or a browser upgrade / crash destroys the file in which the password is stored) then you probably won’t be able to remember it.
If, on the other hand, you don’t get the device to store it on your behalf, then you need to type it every time, and the virtual keyboard makes it very awkward to do so.
When faced with this choice, one way out is to stick with a fully alphabetic password (or at least a mostly alphabetic one, with any symbols chosen from the primary page of the keyboard) because it’s quicker to enter on the mobile’s sucky keyboard. Such a password is drawn from a much smaller alphabet and is therefore, by construction, easier to crack unless you choose a long one of 25 characters or more. Incidentally, users of services such as Hotmail / Live / Outlook / Whatever-it’s-called-now can’t employ long passwords because Microsoft stupidly enforce an upper length limit. *slow hand clap*
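To put numbers on the trade-off above, here is a small added example (not code from the original post) that estimates the brute-force search space of a password from the character classes it uses, and works out how long a letters-only password has to be to match a shorter one that draws on the symbol pages of the keyboard. Which characters sit on the "primary page" of a phone keyboard is an assumption made for the example; the entropy figures assume characters chosen uniformly at random, which is the best case for the user.

```python
import math
import string

# Assumption for this example: on a typical phone keyboard the primary page
# carries letters, digits and a few common punctuation marks; every other
# symbol lives on the secondary/symbol pages and costs extra taps.
PRIMARY_PAGE = set(string.ascii_letters + string.digits + ".,?!'")
SECONDARY_PAGE = (set(string.punctuation) | {" "}) - PRIMARY_PAGE

# Sizes of the conventional character classes (33 = 32 punctuation marks + space).
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33


def charset_size(password: str) -> int:
    """Size of the smallest conventional alphabet covering every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(c in string.punctuation or c == " " for c in password):
        size += SYMBOLS
    return size


def entropy_bits(password: str) -> float:
    """Brute-force search space in bits, assuming uniformly random characters."""
    return len(password) * math.log2(charset_size(password))


def length_to_match(target_bits: float, alphabet_size: int) -> int:
    """Shortest random password over an alphabet of that size reaching target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def secondary_page_taps(password: str) -> int:
    """How many characters force a switch to the symbol pages while typing."""
    return sum(1 for c in password if c in SECONDARY_PAGE)


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for pw in ("correcthorsebatterystaple", "Tr0ub4dor&3!"):
        print(f"{pw!r}: {entropy_bits(pw):.1f} bits, "
              f"{secondary_page_taps(pw)} symbol-page characters")
    for bits in (80, 128):
        print(f"{bits} bits needs {length_to_match(bits, LOWER)} lowercase letters "
              f"or {length_to_match(bits, LOWER + UPPER + DIGITS + SYMBOLS)} "
              f"full-ASCII characters")
```

The point the numbers make: a 25-letter lowercase passphrase (about 117 bits) comfortably beats a 12-character mixed password (about 79 bits) while never leaving the primary keyboard page, but a lowercase password of only 8 or 10 characters is far weaker than either, which is why the length matters so much once you give up the symbol pages.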
Worse than using a short password, you might be tempted to reuse the password in more than one place. If you used the same password for your email system as for your Kickstarter account, for example, then your email is now likely being read by someone else thanks to the bungling exposure of sensitive data during Kickstarter’s recent hack. Same goes for Adobe, btw, who were hacked in late 2013, resulting in an alarming number of passwords being leaked; nearly two million of them were 123456. Yes, two million people really are that stupid.
2FA? More like sweet-FA
The second – and more worrying – problem with mobiles is the growing number of companies offering two-factor authentication as a means of securing your account. Hardly a week goes by without one of my email providers or banks “reminding me” at login that I must divulge my mobile phone number to them in the interest of security. I have several problems with that.
Firstly, it’s somewhere else my number is stored. I like to minimise my attack surface by never giving the number out to any companies unless I have a dire, overarching need for them to know it.
Secondly, the very idea that two-factor authentication (2FA) is more secure than single-factor authentication is flawed in today’s world. 2FA is the process of you supplying two methods of communication to a company; usually an email address and a mobile number. The idea is that you register with Facebook, for example; they send a challenge / code to your email address, which you click to verify you own the account. It then asks for your mobile number and sends you a text message with a code in it, which you supply when you first log in to Facebook to prove you also own the mobile. Thus, according to Facebook, you are who you say you are, and if you ever lose your account password they have two channels of communication that they can use to authenticate you and aid the recovery of your precious WhineLine of posts.
Except they don’t have two channels, because you use the same damn device to read your emails as you do to retrieve your text messages and phone calls. So you register using your mobile, click the link on your mobile, give your mobile number, receive the message and browse to the login page all from the same piece of hardware.
So, I ask you, how is this any more secure than single-factor authentication? If your phone is stolen, once the attacker bypasses the laughably limited ‘phone lock’ code or pattern, they have access to your email and text messages and can log in to your account using the code sent out by Facebook to the mobile during the password reset procedure.
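The argument in the last three paragraphs is really about whether the recovery channels are independent. The following added example (not code from the original post) models an account’s recovery configuration as a set of “paths”, each a set of channels that together allow a password reset, and maps each channel to the device it is read on; it then reports how many separate devices would have to be lost for a reset to go through, and which single device, if any, is enough on its own. The path definitions and device names are constructed for the example.

```python
# Constructed model: each recovery path is a set of channels that, proven
# together, let someone reset the account password. Assumed for the example,
# not taken from any provider's documentation.
STANDARD_RESET = [
    {"email_link", "sms_code"},      # must prove both channels
]
WEAKER_RESET = [
    {"email_link", "sms_code"},
    {"sms_code"},                    # provider also allows SMS-only recovery
]

# Where each channel is actually read. Constructed configurations.
ALL_ON_PHONE = {"email_link": "phone", "sms_code": "phone"}
SPLIT_DEVICES = {"email_link": "laptop", "sms_code": "phone"}


def devices_for_path(path, delivery):
    """Distinct devices an attacker must hold to complete one recovery path."""
    return {delivery[channel] for channel in path}


def min_devices_to_reset(paths, delivery):
    """Fewest devices whose loss completes some recovery path.

    A result of 1 means the scheme is effectively single-factor: one stolen
    (or hijacked) device is enough, however many 'factors' are advertised.
    """
    return min(len(devices_for_path(p, delivery)) for p in paths)


def single_points_of_failure(paths, delivery):
    """Devices that, on their own, satisfy a complete recovery path."""
    weak = set()
    for path in paths:
        held = devices_for_path(path, delivery)
        if len(held) == 1:
            weak |= held
    return weak


def report(label, paths, delivery):
    n = min_devices_to_reset(paths, delivery)
    spof = single_points_of_failure(paths, delivery)
    return (f"{label}: reset needs {n} device(s); "
            f"single point of failure: {sorted(spof) or 'none'}")


if __name__ == "__main__":
    print(report("everything on the phone", STANDARD_RESET, ALL_ON_PHONE))
    print(report("email on laptop, SMS on phone", STANDARD_RESET, SPLIT_DEVICES))
    print(report("split devices but SMS-only reset allowed", WEAKER_RESET, SPLIT_DEVICES))
```

Two things fall out of the model. Reading email and SMS on the same phone collapses the “two channels” to one device, exactly as the post argues. Less obviously, the weakest recovery path governs: splitting email and SMS across two devices helps only if the provider does not also offer an SMS-only reset, because then the phone alone is still a single point of failure.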
Remember those huge nuclear launch consoles where two people need to turn their keys at either end of the console at the same time to activate the strike? Imagine the keys are stolen by Mr. Tickle. That’s how good 2FA is under this circumstance. And that’s before we even consider the leaky sieve of sending data over GSM where information can be snatched from the airwaves in transit with comparative ease. Or that you can set up a forwarder on a mobile phone account by calling up customer services and impersonating the real owner using data readily available from social media. Then put the phone down and request a password reset so your forwarding number receives the one-time code.
So before you use your mobile to access your favourite must-have app, think long and hard about the method(s) of security you are asked to supply and at what level you choose to secure the information. And don’t trust any company that claims your details are safe or are stored in line with “industry best practices”. They’re either outright lying or don’t understand the risks.