Security Breaches and Two-Factor Authentication

It seems the news has been rife with stories of security breaches lately.  As a past and present federal contractor, the OPM breach impacted me directly.  That and one other breach impacted my current client.  The lessons I took from these and earlier breaches were:

  1. Use a password manager
  2. Enable 2-factor authentication wherever it’s offered

To implement lesson 1, I use 1Password.  It runs on every platform I use (Mac OS X, iOS and Windows), and has browser plug-ins for the browsers I use most (Chrome, Safari, IE).  Using the passwords 1Password generates means I no longer commit the cardinal security sin of reusing passwords across multiple sites.  Another nice feature specific to 1Password is Watchtower.  If a site where you have a username and password is compromised, the software will indicate that site is vulnerable so you know to change your password.  1Password even has a feature to flag sites with the Heartbleed vulnerability.

The availability of two-factor authentication has been growing (somewhat unevenly, but any growth is good), but it wasn’t until I responded to a tweet from @felixsalmon asking about two-factor authentication that I discovered how loosely some people define two-factor authentication.  According to this New York Times interactive piece, most U.S. banks offer two-factor authentication.  That statement can only be true if “two-factor” is defined as “any item in addition to a password”.  By that loose standard, most banks do offer two-factor authentication because the majority of them will prompt you for an additional piece of “out of wallet” information if you attempt to log in from a device with an IP address they don’t recognize.  Such out-of-wallet information could be a parent’s middle name, your favorite food, the name of your first pet, or some other piece of information that only you know.  While it’s better than nothing, I don’t consider it true two-factor authentication because:

  1. Out-of-wallet information has to be stored
  2. The out-of-wallet information might be stored in plain-text
  3. Even if out-of-wallet information is stored hashed, hashed & salted, or encrypted with one bank, there’s no guarantee that’s true everywhere the information is stored (credit bureaus, health insurers, other financial institutions you have relationships with, etc)

One of the things that seems clear after the Get Transcript breach at IRS is that the thieves had access to the out-of-wallet information of their victims, either because they purchased the information, stole it, or found it on social media sites they used.

True two-factor authentication requires a time-limited, randomly-generated piece of additional information that must be provided along with a username and password to gain access to a system.  Authentication applications like the ones provided by Google or Authy provide a token (a 6-digit number) that is valid for 30-60 seconds.  Some systems provide this token via SMS so a specific application isn’t required.  By this measure, the number of banks and financial institutions that support it is quite a bit smaller.  One of the other responses to the @felixsalmon tweet was this helpful URL: https://twofactorauth.org/.  The list covers a lot of ground, including domain registrars and cryptocurrencies, but might not cover the specific companies and financial institutions you work with.  In my case, the only financial institution I currently work with that offers true two-factor authentication is my credit union–Tower Federal Credit Union.  Hopefully every financial institution and company that holds our personal information will follow suit soon.

The App Store Economy Ain’t Broken (So Don’t Fix It)

I came across this article via Daring Fireball, and figured I’d post my two cents about it.  I disagree with both the premise of the article and some of the specifics.

To the question of “why are so many of us so surprisingly cheap when browsing the virtual shelves of the App Store?” I’d say because quite a few vendors have conditioned us to expect high-quality apps for a fairly low price. It’s the same reason that the vast majority of people expect news to be free on the Internet.  Those news sources that went online with paywalls at the beginning (The Wall Street Journal and The Economist are two publications I read for example) are still doing just fine financially.  Those that didn’t are struggling financially (or going out of business altogether).

The idea that “we as cheap customers are having a negative impact on a lot of both real and potential businesses” is one I disagree with.  One, because the author doesn’t quantify the negative impact.  Two, because a potential business is a valueless unknown (and as such, can’t have any real weight in a discussion of what to pay for products from real companies).  I’ll certainly buy an app if I use it a lot (and/or get tired of seeing ads in the case of most games).  The benefit of the low pricing both to us as consumers and to app developers is that we can buy multiple apps that do similar things without having to think much about the cost (it’s why I own more than one photography app, for example).

I’m not a big fan of in-app purchases (especially after finding out how much my wife spent on a single game), but I don’t see much of a difference between that model and the licensing/subscription model that more and more software companies (Adobe, Microsoft) and others (Netflix, Hulu, Spotify, Pandora) are moving (or have already moved) to.  The author’s focus on social media apps and games leaves out more serious “service-backed” apps like Evernote, GitHub, Flickr, DropBox, Box, LinkedIn and Google Drive that let you use a limited set of functionality for free and pay more for additional features or storage space.

Companies who sell apps aren’t doing it for charity.  So if they’re any good at business at all, they’ll sell their products at a price that will keep them in business–or they’ll go out of business.  It isn’t our job as consumers to keep poorly run companies in business by buying their software.  And despite the author’s suggestion, paying for great apps now certainly doesn’t mean great apps later.

Recommended Listening: Derivative Dangers

If you want to know how long ago the seeds of the current financial crisis were sown, definitely listen to this episode of Fresh Air.  Terry Gross’ interview of Frank Partnoy reveals not just how derivatives came to be unregulated, but who some of the players were in making it possible.  What may disturb you is how many of the people who made the current situation possible are playing key roles in trying to fix it.  Partnoy also authored F.I.A.S.C.O.: Blood in the Water on Wall Street.  He first wrote this book 12 years ago–before the collapse of the internet and telecom bubbles, before Enron, and the subprime mortgage meltdown that triggered our latest financial calamity.

Mark Cuban, Keeping an Eye on the Bailout

If you’ve been listening to NPR’s Planet Money, you already know about BailoutSleuth.com.  But in case you don’t, it’s a creation of Mark Cuban (owner of the Dallas Mavericks) to report on how the money allocated by the bailout bill is being used.

They’ve already discovered that we taxpayers won’t know how much the companies working on behalf of the Treasury Department are being paid because that information is redacted.

More Financial Crisis Info

I heard about this site on the financial crisis during an episode of the Planet Money Podcast.  They interviewed Simon Johnson (one of the co-founders) during “A Very Scary Cut–In The Interest Rate”.  The Financial Crisis for Beginners may be the best place to start.  Right near the top of that page, you’ll see links to both shows from This American Life I blogged about October 8 and May 28.

Understanding collateralized debt obligations

The best explanation of collateralized debt obligations (CDOs) I’ve heard so far comes from the latest episode of the Planet Money podcast.  I was driving to work at the time, so I don’t have the exact time index of it, but I think it starts at the 16 minute mark.  The whole episode is worth hearing too.

Wikipedia has something to say about CDOs too, but I prefer the Planet Money explanation because it does a great job of showing how just one CDO can connect widely disparate parts of the economy.

Bailout Price Tag Continues Rising

According to this story in the Wall Street Journal (it’s subscriber-only, sorry), AIG just got another $37.8 billion from the Federal Reserve.  That puts the price tag for just bailing them out at $123 billion.  This may be a sign that the $700 billion $850 billion may not be enough.

In other news, the national debt is now so high that the US debt clock has run out of digits.  I don’t know if the figure includes the spending on wars in Iraq and Afghanistan.

More Financial Crisis Education

The reporters who did the Giant Pool of Money story have followed up with Another Frightening Show About the Economy.  Like the first show, this one is well worth setting aside an hour to listen to–much more worthwhile than the same amount of time spent watching network or cable news on the same subject.  The explanations of precisely what frightened the U.S. Treasury and the Federal Reserve into begging for new legislation are especially worthwhile.

Other worthwhile stories on this topic include:

Having listened to a number of episodes of Planet Money, it’s proving to be a good podcast.  Each one is a lot shorter than the stories I mentioned earlier, so they’re especially convenient if you haven’t got a lot of time.