Google’s Rapid 2 Step Authentication Option

Google Prompt is a fast second step authentication option on iOS and Android.  Whenever a login attempt is made on your Google account Google Prompt sends a login confirmation to the Google app on your phone.  You open the app (via push notification) and tap “Yes” to confirm a login attempt is valid (or “No” to deny a login attempt).
This login method is quite a bit faster than using an authenticator app.  I use Authy which even with its widget in the notification centre takes some time to copy the number into the field.  I like Google Prompt for its speed and simplicity.  The slight downside is that it requires your phone to have a live internet connection to use.  This is only a slight downside because if you are signing into a Google service somewhere chances are that you have an internet connection available, with some exceptions.  But Google Prompt works in parallel with the other second step options available, including an authenticator app, so in the absence of an internet connection on your phone you still have offline options to fall back on.  Head into your Google 2 step verification settings to set it up.
Google 2 Step Verification Options


From a security perspective it is hard for me to say whether this is a better or worse method than an authenticator app.  I understand the methodology behind authenticator apps, but not this one.  That said, I trust Google with my information and I trust them to have built a reliable and safe second step with Google Prompt.  Furthermore I trust that they will be on the ball enough to keep it safe.  I say this because of the numerous articles and security updates that are the result of contributions that Google has made to tech security worldwide.
In summary Google Prompt is a system I am prepared to trust and it makes my login process a great deal more streamlined whilst maintaining its integrity.  I recommend this for anyone wanting the benefits of 2 step authentication with a bit of a faster workflow.

Upgrade your password security for Amazon now

Earlier this week my wife had the unfortunate experience of having her Amazon account totally hijacked.  The hijacker was able to take complete control of her account and lock her out. They then had the ability to place orders on her credit card but they did not have the ability to glean the details of the credit card itself.

This proved to be a serious wake up call to her about the need for excellent password security (especially where credit cards are involved) because until this incident she had been content with an easy-to-guess password.  All the hijacker needed was her email address, which is not hard to come by, and then to try several obvious password iterations.

Thankfully not long after the hijacker had gained control we realised what was happening and were able to take some action by cancelling our credit cards.  That was necessary because an Amazon representative made it clear that if they were going to do anything it would be within 48 hours, which was too long to sit around whilst someone spent money we wouldn’t get back!

After taking over the account by changing the registered email address, and then changing the email address again to a second email address they owned, the hijacker then changed the password.  Lastly, and very cleverly, they created a new account using my wife’s email address and original password.

The point of doing it in that order seems to be that my wife received only an email to notify her that the email address had been changed, to a “burner” email address, but she didn’t know that her password had been changed*.  Amazon sends emails to confirm changes to account details, in this case to the old email address and the new one.  She also wouldn’t receive an email from Amazon containing the actual email address that the hijacker was going to use with the account, just the “burner” address that would quickly be removed from the account.

*Doing it that way probably didn’t gain the hijacker much in real terms, but maybe email address changes appear less threatening to account owners so they are less likely to act immediately?

Once we realised what was happening I started trying to get into the account in browsers that were already logged into the account.  It wasn’t possible to change anything without the new password but I did find out the actual email address the hijacker was using when I was taken to the login page.  So when my wife was through to a representative from Amazon we could let them know the account was hijacked and the email address being used on the account.

I said above that creating the new account with my wife’s email address was a clever step.  That’s because once we were in contact with Amazon they sent her a link to reset her password, but the reset was being performed on the newly created account not the original!  Eventually the Amazon representative told us that Amazon would look into the issue but it would take up to 48 hours.  That’s a long time especially given that the representative said they could tell something was wrong from a cursory look (the missing orders going back a few years associated with my wife’s email address).  But at least we had found the email address that was associated with the account so Amazon could investigate.

This experience has led me to these conclusions:

1. Strong passwords are essential for Amazon.  They are important anyway, but in Amazon a hijacker can completely shut you out of your account with just your password.  I have recently become very impressed with 1Password as a solution for generating and storing strong passwords.  Their methodology is secure and their apps and browser extensions are excellent.

2. Amazon, and other companies with similar protocols for handling changes of account information, should update those protocols by sending a link within their courtesy email to override the change if it was not initiated by the account owner.  That function is already being used by Evernote (for example).  So below is an example of best practice from Evernote!

3. Although I have been a fan of two step authentication for a few years now, this further highlighted the security benefits of using two step.  With this set up even if the hijacker knew my wife’s email address and password they would not have been able to break in.  Google Authenticator is an excellent app for generating new “random” codes (offline) every thirty seconds.

So please stay safe online – get your passwords strong now and enable the two step where you can!