
If you want to get your fellow employees to take the threat of phishing scams seriously, remind them that even the nation's top law enforcement officials can almost be tricked by clever phishing scams. Several accounts exist online of an incident in which the former Director of the FBI, Robert Mueller, almost fell for an online banking phishing attempt, which prompted his wife to ban him from doing their banking online. See this post on Cnet.



Mobile phone two-factor authentication (2FA), where a mobile phone takes the place of a token and becomes the first factor, something a user has (the second factor being something a user memorizes, a PIN or password), has serious drawbacks. Often a passcode of 4-6 digits is sent to a smartphone via an SMS text message. Nearly everyone has likely had at least a few experiences with such authentication. While codes sent via SMS expire after a short fixed time period, SMS messages can also be intercepted. The National Institute of Standards and Technology (NIST) Special Publication 800-63B, Digital Identity Guidelines, highlights one potential vulnerability of sending passcodes via text messages:

"If a secret is sent by the verifier to the out-of-band device, the device SHOULD NOT display the authentication secret while it is locked by the owner (i.e., requires an entry of a PIN, passcode, or biometric to view). However, authenticators SHOULD indicate the receipt of an authentication secret on a locked device."

The NIST guide further recommends that SMS messages be sent only to pre-registered telephone numbers associated with a specific device, and notes that porting a number from one mobile carrier to another poses a potential security threat.

Smartphones also usually provide access to email accounts that remain logged in. If 2FA protects those accounts, SMS verification lets a phone thief bypass the authentication process, since the stolen phone is the device that receives the passcode. The SIM cards in phones can also be cloned.



American government agencies are currently rushing to meet the January 15, 2018 deadline for implementing the DMARC protocol. DMARC stands for Domain-based Message Authentication, Reporting and Conformance. It is a security protocol that allows reporting between email receivers and senders in order to discourage spoofing, the sending of fraudulent emails that appear to come from a legitimate domain as a means of facilitating spam and phishing.

DMARC was developed in the private sector and came into widespread use in 2012. The authentication process allows a receiver to check whether a message comports with what it knows about the sender. The owner of a domain uses either a DomainKeys Identified Mail (DKIM) or Sender Policy Framework (SPF) mechanism. The receiver must confirm that the domain in the message's From header aligns with the domain authenticated by DKIM or SPF.

You can check whether a domain is using DMARC on this site. It will determine whether the domain has a DMARC policy in place, and also provide an overall DMARC score.
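The alignment check described above, as an added worked example that is not from the original post: it parses a DMARC TXT record and decides whether a message passes and what disposition the policy requests. The record, domains and function names are constructed for illustration; the organizational-domain rule is simplified (real DMARC consults the Public Suffix List) and the pct and sp tags are ignored.

```python
# Constructed sample DMARC record for a hypothetical domain; not a real DNS lookup.
SAMPLE_DMARC_TXT = "v=DMARC1; p=reject; adkim=r; aspf=s; rua=mailto:dmarc-reports@example.com"


def parse_dmarc(txt):
    """Split a DMARC TXT record into tag=value pairs, applying the RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "p": "none"}  # relaxed alignment, monitor-only policy
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain):
    """Simplified organizational domain: the last two labels (example: mail.example.com -> example.com)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same organizational domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record_txt, from_domain, spf_domain=None, spf_pass=False, dkim_domain=None, dkim_pass=False):
    """Return (dmarc_pass, disposition) for a message.

    from_domain: domain in the RFC5322.From header that the recipient sees.
    spf_domain:  MAIL FROM domain that SPF evaluated; spf_pass: whether SPF passed.
    dkim_domain: the d= tag of a verified DKIM signature; dkim_pass: whether it verified.
    DMARC passes when either authenticated identifier is aligned with the From domain;
    otherwise the domain owner's requested policy (p=) is the disposition.
    """
    tags = parse_dmarc(record_txt)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags["adkim"])
    passed = spf_ok or dkim_ok
    return passed, "none" if passed else tags["p"]
```

With aspf=s in the sample record, an SPF pass for mail.example.com does not align with a From header of example.com, while a relaxed DKIM signature for the same subdomain does.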



Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco. He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.



© 2015 by Sean O'Shea . Proudly created with Wix.com
