A Quick Talk About 2FA, and How a Company Lost $95,000 on a Phishing Scam

The conversation below was transcribed from a talk between Tom Andrulis, the owner of ITS, and Jesse, a business owner who wanted to ask some questions about IT security, IT services and IT support, and what they practically mean to a business owner who wants to work on his business and not run an IT company.

Key Takeaways:

  • Use 2FA - Two-Factor Authentication
  • Check ports or have your team check ports
  • Be careful when bank accounts of vendors "change."
  • Make sure you have solid backups
  • Security is trickier with people working from home.

Tom:

The big, hot topic stuff is ransomware, which is still rampant. Phishing campaigns are also still rampant. People need to have, like, 2FA to protect themselves. So, or do you want me to tell you a story of some stuff that we've seen?

Jesse:

Yeah, I think like, for me, let’s make it practical…

Okay, I own a business. And I'm like, you know, maybe I, you know, Geraldine's on the team or whatever. And, she's not paying attention because she's on Facebook all day, you know, it doesn't do anything, you know who knows what she's doing.

And so then you say "Hey, let's make sure that everybody's following my protocols," but then she doesn't really pay attention.

What are the consequences? Why do I even care? Why do I want to make it such a priority, I just wrapped everything else I'm doing? Because I'm already busy, of course.

Tom:

It's probably like talking about the ransomware stuff is the big one.

So ransomware… that's huge. I can tell you a company was ransomwared. We know of a business that got ransomwared recently, and they're a small business. They were paying for backups only and no management at all of their other infrastructure.

It turns out that they had a port open on their firewall to allow them to remote into their office so they could work from home.

Well, attackers are constantly scanning for those open ports all the time, and they got their system infected.

The attacker captured the administrator username and password, ended up kind of sitting on their network and then looking around, found the backup device, cracked the password to the backup device, encrypted all the backups, stopped the offsite backup jobs from happening on the software, and then encrypted all of their files and then left them a note.

This is over the 4th of July weekend, when everybody was out, just having a good time, enjoying themselves, enjoying their family and all that. Left a note - come Sunday or Monday, like "Hey, you owe us $6,500 in Bitcoin if you want your data back." We went and looked into it and it's like, yeah, they encrypted your backups. They turned off the offsite backups. It's pretty dire, you know.

And a little side story, we had a copy of their data.

We had a seed copy that we had from I think it was a couple of months ago. We just had it. I don't even know where it was, but someone was able to dig it up. And we were able to get some of the information back they needed immediately, but they ended up having to spend $6,500 to decrypt all their data.

Plus the time and effort it took to just work on the whole thing. Just to get their data back, mainly because they had a port open on their firewall to allow them to remote in because everybody's working at home.

Jesse:

Yeah. And then I guess on that, like what I guess, you know, because you can always come up with the craziest story, like the 20 year old who got COVID and died.

So therefore, everybody needs to socially distance, wash their hands and do whatever, but you still get all the 20 year olds who are like "Yeah, but does it really happen? Like for real, you know, like, is that a thing that I should be worried about? Because like, because one person..."

Tom:

Yeah, they typically don't worry about it until it hits.

But the one thing that, you know, for us, because we're managing so many clients, we're managing over 500 clients, we see the patterns when we take over a client base from somebody, or we have a partnership with an organization in another town we take on. We onboard all their clients, and the ones that have open ports on their firewalls to allow people to remote in, those are the ones that are getting ransomwared.

And when we do all the backtracking on it, 95% of the time it's coming from an open port. The reason why it happens is because there's no alerting mechanism and there's no process to automatically block people from just trying passwords all day long.

Tom:

So attackers will use automated software to sit there and it's like "Oh, I found a port. It's remote desktop. Okay. That's going to allow somebody to remote in here. Perfect. I'm just going to keep trying over and over and over."

And they use the brute force dictionary attack, and just hit every single password they can possibly come up with. And they're not doing it live, right. It's all automated. Yeah, of course.

And as soon as they get the password, then the attacker's like "Okay, now let me log in. Now, let me see where I'm at. Let me see what I have control over. Let me push down a few more applications that can stop processes, stop antivirus, stop backups, you know, capture passwords and do all kinds of really bad stuff in order to, you know, literally hold them hostage."

You know, if you don't have your data nowadays, your business pretty much doesn't function for most of the clients (for our clients at least).

Jesse:

Yeah. So that, okay, so let's say you have the 500 clients and people, and nobody listens to what you're saying. How many of them would you expect to actually kind of get hit by this, assuming like nobody's paying any attention?

Tom:

That's the thing. Right.

So we've had to design our own tools in order to think, like, you know, kind of ahead of these attackers, and then scan for ports that our clients have opened or might be open for whatever reason, and then alert ourselves to go shut it down.

You know, otherwise it's hard to say how many people would get infected. I mean, at some point, if you have a door that's just sitting out there and it's just inviting people to come try different keys on it all day long without anybody questioning it.

You know, if I just had a house in the middle of nowhere and, you know, a million people around it with, you know, 10 million keys and no one ever said "Hey, stop checking keys on my door." Like, "Hey, no, get away from my house." And they don't have a perimeter.

Eventually someone's going to get the right key. The key is going to work and they're going to get in your house and they're going to steal your stuff or take it over. It's just a matter of when, I guess.

Jesse:

Yeah. Cause obviously I've done a lot of the reading too, but you see stuff and it's like, "How realistic is this?" And I think that's a valid question. It can seem like… "Hey, you need to spend all this money."

Tom:

Yeah. And the thing is, you don't need to spend money. That's the thing. And I kind of differ from a lot of companies out there because a lot of them will say "Hey, you need to buy this software and that software and this and that."

And yeah, like having a layer of security is good, but there's a certain series of best practices. And this is sort of what I'm referring to: the best practices of, you know, closing ports that are open on the internet, the best practices of keeping things up to date, you know, the best practices of having a complicated password.

And then also having a second factor, a device that can be like a secondary check for someone that's logging in using your account. Those are all free.

Tom:

Those things are free or almost zero cost. It's just a matter of following the best practice. It's like we could all drive on the left side of the road if we want in the U.S., right. We can physically drive on the left side, but we're probably gonna run into something.

So probably better to drive on the right side of the road where it's a little safer. You can still get in an accident. Stuff can still happen, but it's less likely, right. Best practice is to be on the right side of the road where everybody's on the right side of the road.

Jesse:

Right. And then, like, what's your opinion on, like, you know, you have like 500 people. How hard is it to get people to comply?

Tom:

It can be a challenge.

It's like one of those things like eating healthy. Everybody knows that eating healthy is the proper thing to do. If you want to live a long life, you know, eat healthy, don't smoke, don't drink as much, limit all these things, everything in moderation. Right.

And Geraldine's like "What, don't drink?" So she's like "I just had a fast. I'll take that risk on, even to me." Yeah. So, you know, there's some recommendations out there that if you limit smoking and drinking and you eat healthy foods and you exercise on a regular basis, these are very standard things, then you're going to live longer than if you don't, but why don't people do that?

You know? Because it's like "I don't have heart disease. I don't have lung cancer. I don't have diabetes… yet." Right. So it's like, yeah. Like, well, at some point you will, if you don't follow the protocols that doctors are recommending, because they're recommending it not because they just want to control your life.

They're recommended based on all the other experience they have dealing with all these other people and all these other illnesses and all of the tragic outcomes of those.

So they're saying "Hey, if you don't want to go down that road and have all these negative consequences, at least follow these kinds of like standard tenets, you'll be better off."

I don't know. Cause it hasn't happened to them. That's like the standard thing. Right?

Jesse:

Yeah. It's kind of funny. Cause it's almost like you could make that same argument with "Why are the parents feeding their kids crappy food?" And they're probably going to say "I'm busy. I don't have time to make the sort of healthy food," and they're going to have their reasons. They're going to have things that in their mind make sense.

Tom:

It's easier not to put your seatbelt on, and it's more fun. It's easy, but every time we drive without a seatbelt, we're assuming a level of risk, you know. I'm no actuary.

So I don't know the exact percentage of risk that we're assuming, somebody out there does, but we're assuming a level of risk when we don't put a seatbelt on, just like we're assuming a level of risk when we use insecure passwords and we have open ports on our firewall and we don't patch or monitor any of it.

Jesse:

Okay. So that's a good plan. Like you say, like that, but that all sounds like a lot of work.

Let's say you know and believe all this you're saying. How much work is it actually for the owner? For the guy who thinks he's too busy, like how much work, how much actual time or energy does he or she really need to put into it?

Tom:

Yeah. It's pretty low, you know? I mean, somebody is going to take care of the technology at these businesses. So it's just a matter of having them check on a semi-regular basis just to make sure that these things aren't open, you know.

Jesse:

Does it equate more or less to, like, wearing a seatbelt? Do you think, like, yeah, you put it on real quick. It's something you do, but it doesn't take up a lot of your time when you're driving. Like once it's on, when you're driving, you're kind of like whatever.

Tom:

Yeah, exactly. Like two factor authentication is kind of like a seat belt on your password, you know. You're driving down the road. Okay. We got a password, you know, we've got a car around us. The car is going to add some protection, but there's a chance that we're driving too fast or you get, you know, hit from the side or whatever.

If we don't have a seatbelt on and some big problem comes along, you're in big trouble, or if we don't have airbags in our car, something like that. Right. So same kind of thing.

If we have a username and password, even if it's complicated, someone could steal that somehow. There's a lot of different ways to do it. So we have this two factor authentication method set up so then, you know, our phone, when we go to log in, sends us a little notification that asks "Hey, is this you?"

"Yep. That's me. Okay. Thanks. Let me in." That's really easy. That's as easy as, like, "Oh (click), I'm buckled in and now I can drive down the road." "I'm going to log in (click)."

I'm going to 2FA, you know, just accept my 2FA request. Boop. Okay. I authorize myself to log into whatever system I'm in. Great. Now I can just do whatever I want, because I'm already authenticated.

It's that simple. From a recurring standpoint of like "Okay, this is going to happen over and over and over," 2FA is very similar to the seatbelt.

Other things, it could be like, the analogy would be "Hey, have a lock on your door or put your garage door down." I mean, we could open up our garage and just lock our interior garage door. Sure. But someone's going to come by at some point and be like "Oh look, this garage door is kind of open. Let me go see what kind of stuff they have in their garage."

And then they'll possibly try to break into the garage door, the interior door, and then get into your house.

Jesse:

Yeah. Maybe they plan to put a key in the garage for the house.

Tom:

Yeah, exactly. Right. Cause they're already kind of halfway in.

So if you can keep them out, or if you have a gate around your house, you know, maybe that's the other thing. Like you have a gate and a perimeter around your house and that thing's locked up properly. Then someone can't come into that perimeter and then, you know, start picking away at all the other security that you have in place.

So having the gate is helpful. If you have a gate that's unlocked, or the door's open, the gate's always open, then someone just has to drive by and be like "Oh, this gate's open. Let me go check their front door. Let me see, the front door's open. I've got this pile of keys. Let me just try all these keys on their door."

Maybe they wouldn't even do that if the gate was up, cause nothing's a hundred percent secure. If somebody really wants to steal your stuff, they're going to do it. But there's a lot of ways to thwart that for a long time.

Jesse:

So when you talk to the business owners, you're talking to, do they care about this?

Tom:

They don't care until they hear a story they can relate to. Then they go "Whoa, okay. What do I need to do to not do that? What do I need to do to not lose a hundred thousand dollars?"

I had somebody call me up and they're like "Yeah, I need you to help me out." I'm like, "What's up?" And they go "Well, my controller, my bookkeeper, you know, just wired $95,000 to somebody inadvertently two months ago. And it was all through a phishing attack through email. And I can give you all the details of that," and I said "Okay."

I started looking into it and we had the FBI involved in that one, and that money's gone. It's two months later, they're finally reconciling their books. They're trying. Then they realize like "Hey wait, there's $95,000 missing, but we still have our vendor telling us that we still owe that to them. What happened?"

I can dig into the details on this call or next call or something. But when I tell that story to another business owner, they go "Okay, tell me what I got to do to not do that," because they can't guarantee all of their people are going to follow all the procedures.

Jesse:

So how would that happen?

Tom:

Here's what happens. Again, it's the lack of two factor authentication. It's the lack of the seatbelt, right? They were driving around the internet on their email without a seatbelt on.

And so what happens is people are now putting their email in the cloud. They got Gmail, they got Office 365 and other media. And that allows people from anywhere in the world, because the world is connected via the internet, to then try to log in to different accounts.

So they sit there and they try to log in and they try to log in. They might send you an email. They might just blast out email to everybody on a huge email list they can buy on the dark web. They just start spewing out emails to people like, "Hey Jesse, your password is incorrect. Click here to log into your OneDrive account." You go "What? My password is incorrect?" or "I need to log in," and you log in to verify your account.

So you click the login and it looks like Microsoft Office 365. It looks like OneDrive. You click the login. It redirects you to some other site that the attacker has put up and you go and put in your credentials, your username and password for Office 365. They've now captured that. Sometimes it's so slick that they'll actually redirect you to Office 365, and it looks like you logged in and you're like "Oh, okay, I'm good now."

But what's happened is now they have your credentials. Now they can log into your account remotely. And once they're in your account remotely, they can log into your portal.

Tom:

And in this case, what they did was they started looking at this person's email, this bookkeeper's email. They just started watching their email. So then they see vendors that are sending her emails saying "Hey, here's your invoice for $95,000 for a part," or, you know, in their case, an AC unit that they're buying. So here's the invoice for $95,000. And then they say "Okay, well, I see this mail from this vendor. I'm going to now set up another server and I'm going to impersonate this vendor."

This is getting complicated, but they create a rule on 365 that says "If I get an email from this vendor, redirect it to this outside server" that the attacker controls, so that they can get the email. Then they look at that email. Then they send an email from their server back into the bookkeeper, who's expecting to get the invoice. She's expecting to know what the exact price is.

They send an email back and they say "Hey, here's your invoice. Just to let you know, we've updated our banks. We've switched our banks recently. We're no longer with Wells Fargo. We're now with Chase" or whatever they say, right? "Here's our new banking information. So when you go to send us the payment, be sure to use this new, this new bank, because we don't have access to our old bank anymore."

So then the bookkeeper goes "Oh, this looks like it's coming from my vendor. I'm already expecting this $95,000 invoice. It looks like they've just updated their banking information." They don't even think "Hey, let me reach out to the vendor and verbally check." Cause that's one thing you should do. Definitely, when people start changing their bank accounts, pick up the phone and just ask them.

So she just wires off the money and goes about her business, like we're good to go. Then 30 days roll by and the vendor says "You haven't paid us." 60 days go by and the vendor says "Hey, you really haven't paid us. What's going on?" And they're like "No, we paid you."

You check your records, and they go and check their records. Everybody's checking their records. And they realize "Oh, the bookkeeper sent $95,000 out to a different bank account that wasn't owned by the vendor. It was the attacker's account."

How do you stop that? Right? So what can somebody do to prevent that from happening to them? Because we're all getting inundated every single day with phishing attempts. Everybody's getting an email today that says "Hey, click on this link. Hey, check out this video. Hey, your password is wrong. Hey, verify your account. Hey, this. Hey, that," right. People are constantly trying to just hook us into giving them our username and password.

Well, let's say we fall for that, because eventually we will. Cause it's just getting better and better and better. If we had two factor authentication set up, when that attacker tried to log into our account remotely, we would get prompted on our phone or our device, like our watch or phone or whatever we're using for the second factor of authentication.

And we get that prompt and we'd want to say "Hey, hold on. I'm not trying to log into my account right now. Why am I getting this prompt? I should not be getting a prompt for somebody logging into my account." It should set off alarms and red flags left and right. Absolutely reject that login, obviously, and then immediately go change all your passwords.

So if she would've had that two factor authentication, she could have still been fooled into giving the attacker the username and password. But when they logged in, hopefully she would have realized "I'm not logging into my account. I shouldn't be getting this prompt right now." She should deny it and then go immediately change her username and password. And then probably alert her tech support company, or whoever's doing the tech support for their company, to say "Hey, this really weird scenario happened. Let's make sure my account isn't compromised."

Jesse:

Hmm. Yeah. And it's not really a matter of like people being smart or stupid. It's just a matter of them kind of being susceptible at a particular moment.

Tom:

It goes back to putting the seatbelt on. If she had a two factor seatbelt that she was putting on every day, then she could have had a near miss. She could have had it like a minor fender bender, right. Someone would have stolen her password anyways. And she could've just driven her car into and scraped up against somebody.

But it would have been a lot less damage than not having the seatbelt on and wiring $95,000 to somebody.

Jesse:

Is there any kind of shared liability?

Like if you helped these people, these 500, and you try to set up the two-factor and that stuff doesn't work and they fall for it. Do you guys take on any of that responsibility with them?

Tom:

Yeah. Yeah. So we're not an insurance company. So what we recommend is that every business, including our own obviously, is to have cybersecurity insurance.

So having cybersecurity insurance for your business is like one of the five main types of insurance that insurance people recommend. And yeah, they would have been covered in that instance, you know. I mean, obviously it depends on the coverage and all that, but that's what it's there for.

So we can't sit there and talk about all the different aspects of insurance, but there's the different types of insurance. Like there's cyber liability, there's first and third party theft. There's, you know, obviously general liability insurance and, you know, errors and omissions and things like that.

So every kind of insurance plays its part, but it's like when people ask "Why do I have insurance on my car?" Well, because something might happen. Things happen. Insurance isn't there for no reason, you know. We're using it. People use it.

So yeah, it's highly recommended to talk to their insurance broker or insurance person about what kind of insurance they would need to get to protect themselves from these kinds of scenarios.

Jesse:

What do you guys have?

Tom:

So we have all the big five. We have cyber liability insurance for ourselves. We have first party, third party theft insurance. So, you know, if one of our people stole something from a client, then we have insurance to cover that.

Like if somebody else steals something from us, we have insurance to cover that. We have employee liability insurance, which doesn't really tie into this at all, but I'd highly recommend that. And errors and omissions insurance.

So if we make a mistake, it's kind of like a doctor's malpractice insurance. Yeah. So it's not called malpractice on our side. It's called errors and omissions, you know, but we have quite a bit of coverage for that.

Jesse:

If you were doing like a backup on a server and you screwed it up and wiped out the server on accident, or like, what would that be?

Tom:

Yeah. Just like all those things, like we're doing something and, you know, we make a mistake and then we lose data. Most of the time it's like loss of data. That's really the value. Right?

Jesse:

Yeah. Because like you said, people lose all their data. They're kind of hosed.

Tom:

Yeah. I know our business would not be working very well if we didn't have access to our data.

Jesse:

Well, yeah. We don't even know who to invoice. So it gets kind of ugly. If you lose all your data, you don't really have a business.

Tom:

Yeah. Yup.

Jesse:

I think for a lot of people, even myself, when I hear some of this: you own a business, and every time you turn around, somebody's got their hand in there trying to take all the cash back out.

Are any of these more important, that you're just ultra passionate about, or is it like you just kind of want to build an extra margin to pay for all these things?

Tom:

Yeah. I'm a big proponent of solving actual problems.

So sometimes people come to me and they're like "Hey, we need to buy this tool. We need to buy that tool, or this software, that software." And I'm like "Okay, well, what problem are we trying to solve right now? Like, let's talk about the problem that you're trying to solve."

And sometimes, there's no problem. There's just a lot of fear and they just go "Hey. Yeah, no, I mean, I'm just really worried, you know, if something were to happen, I really want to have this thing."

And it's a little bit of the same kind of thing, like the seatbelt analogy. It's like "Okay, well, how often does something happen? Have you seen something happen before? Like, did it happen to your friend or somebody, you know? Like, how did it happen? What is it all about?" It's so we can make rational decisions.

So I think a lot of the stuff that I'm talking about today is, again, free, like two-factor. It's pretty much free nowadays. Like people give it away on every platform. It's a standard.

I could also talk about the whole SIM swap thing. And why do you want to use a two-factor authentication application instead of your text message as your second authentication method? Because I personally got hacked like that, and another one of our partners got hacked on the same day. That was pretty crazy.

Jesse:

How does that happen?

Tom:

I'll tell you, because there's another story, but so, the thing about what we're talking about is putting the perimeter around your place, right? Closing the ports. Don't allow people to just walk into your property; make them check in at the gate first using VPN connections. That's low cost or no cost.

You know, if you want to have remote access to your network, two factor authentication, it's a low cost, no cost type of thing. And having a password that's pretty lengthy and hard to guess, it's low cost, no cost. So all those things don't cost a lot of money.

Now there are tools that do cost some money and there's management of it. Right. And, you know, part of our value proposition is somebody should be paying somebody to monitor what's out there.

Like, let's say we check the gate, make sure it's not open, but the gate's open. We're going to tell you "Hey, your gate's open. How do we get the gate locked up?"

Like, can we work on getting this thing locked up or what? But if nobody's checking the gate and someone leaves the gate open, this is a potential issue.

So, you know, there might be some time or effort or money spent on having somebody monitor the perimeter, if you will, to make sure everything is operated on best practices as much as possible. So there's that, but there's other tools that sit on the network and they look for infections that are sitting on the network as well.

Tom:

And you know, a lot of what's happening with the ransomware nowadays is that attackers are getting access to the network. They're not immediately encrypting things. They're not immediately deleting files. They're not trying to make themselves known right now.

What they do is they get into a network and then they start doing reconnaissance and they are looking around. They want to know: What do they get access to? What's the opportunity? It's kind of a sales opportunity, right? Like they're in there, they're in an opportunity. How big of an opportunity is it? What's the potential payout? How much time should we spend on this?

And you know, you'll read in the news. You know, I think the city of Atlanta got ransomware last year, a couple of years ago, that was multi millions of dollars that they wanted in that ransom.

Somebody was in that network probably for a long time, if I had to guess. And they were just looking around, looking around, looking around and then creating a plan to stage how they're going to attack this network and encrypt as much data as possible so that they could get the biggest pile possible. That happens all the time.

So there's software out there that literally just looks for hooks or connections into the network. That's saying "Hey, well, I see somebody, I see something that I recognize. Why is this process running? Why is this connection, you know, open? What is it doing here? Let me have somebody look into this a little further."

So it's an automated way of just notifying a real human being to look into it and just investigate it. And sometimes they look into it and it's totally fine. It's just a normal process that's running the script that someone created, you know, whatever routine. Other times it's actually an attacker. It's malware, it's a virus. It's something that's sitting there, lurking, that's just waiting for the opportunity to cause more damage.

Jesse:

Okay. What I think I want to try, and this might be kind of fun, is I'm going to object to some of the stuff you're saying, like maybe some standard objections. Then you tell me why I'm wrong. Does that sound reasonable? Yeah. Okay. So I don't really have a server. All my stuff's in the cloud.

Tom:

Yeah. Do you use usernames and passwords to access it? So then if someone stole that username and password and locked you out of those accounts, would that cost you a lot of money?

Jesse:

Doesn't Microsoft take care of that or, you know, somebody, whoever?

Tom:

So Microsoft, yeah. Microsoft's like, "Hey, I put a seatbelt on your car," but they're not buckling it for you every day.

Jesse:

So what would be, like, let's say email liability, for example. So you just got into my email, you hacked it, you took it over, you changed the password. I don't know if that costs me money or not. I'd just get a hold of Microsoft and then they'd help me change it once I proved who I was.

Tom:

What if they changed all your identity information? Cause that happens all the time.

Jesse:

How would they do that once they're in, you mean?

Tom:

Yep. So they're in there, right? So then, you know, like the SIM swap attack. That's a good example of "Hey, I want to hack into your Gmail. If I could take over your cell phone number and get your text messages, I can go to Gmail. I know your email address. I don't know your password yet."

I say "Hey, forgot password," and Gmail's like "Hey, we can text you a code to verify that we know it's you." Great. Cause I steal Jesse's cell phone SIM card, and I didn't even have to physically steal it. You know, there's a lot of these attacks that are just happening, it's all digital.

So someone copies the SIM card, you know, there's been numerous articles where employees from Verizon and other places like T-Mobile were in on a deal, and they would identify a victim and then they would have the attacker. They'd basically sell the SIM card information to these attackers.

And the attacker goes to, let's just say Gmail for that instance, “Hey, I forgot my password.” They send me a text message. Great. I got Jesse's SIM card. I got a text message. I get the text message. I verify that I'm Jesse, not you anymore. I'm Jesse.

I log in, I change your password and immediately log into the account. And now I say, Oh, you know what? I actually live at this address and I have this phone number now, and this is my backup email address and everything that you have put in there to make it your own to claim that email address I've changed all of that.

And how are you going to call up Google or Microsoft and prove that that is yours?

Jesse:

Okay. Well, if we're, let's take that another step, let's say they're smart. And they decide to do that at 3:00 AM. How would any of this help me?

Tom:

How do I help?

Jesse:

Two-factor, anything. I'm sleeping when the thing comes in and they can read my texts because they stole my SIM.

Tom:

So here's the thing, right? So I would highly recommend it as a best practice to not use text messages as your two factor authentication method. Because of that SIM swap attack that's out there. You know, the cell phone company has never signed up to be an authentication method, but it's just convenient.

Cause everybody has a cell phone. Everybody can get text messages. So developers just default to using text messages as an authentication method because it's available. But cell phone companies never said, “Hey, I'm gonna make sure that that phone is always secure and that can never be taken over and all that.” That wasn't in their design.

So if you're still using text messages as a form of authentication or two factor authentication, there's a risk there, right? I mean, it's better than nothing. It's better than no password. It's better than, you know, a password without two-factor, but it's not as good as an authentication application where the code changes every 60 seconds or 30 seconds or, you know, there's no code at all. It just prompts me when I try to log in or if anybody logs in.

So at three o'clock in the morning, if I did get your password for some reason, you know, and I try to log in your phone is gonna go off. Like your, your authentication app is going to say “Hey, there's a login attempt. Do you want to accept or decline?” You're going to be sleeping, so it's going to time out and it'll automatically decline. And I won't be able to get in when you wake up, you go “Whoa. It looks like somebody tried to log into my account a few different times. That's suspicious. I better change my password immediately while I still have control of my account.”

Jesse:

What kind of software would exist for that?

Tom:

Which part? Authentication methods.

Jesse:

Yeah. Yeah. Yeah. I just heard, like, let's say for me, like I don't have whatever you're talking about.

Tom:

Gmail. Yeah. Yeah. So, Google Authenticator, you know, is the de facto two factor authentication method for Gmail. I think Gmail actually will do the two-factor inside the app now. So if you have the ability to do it, do it.

Jesse:

So now I have like, let's say 15 different cloud things like, you know, personally, I'm just thinking of an example. Cause I mean, I need 15 different apps.

Tom:

No, Google makes a separate app called Google Authenticator where you can add all those different accounts into that app. I personally use another one called Authy that has some additional functionality in iOS; it's a little bit more feature rich, but you can use any authenticator app. Google or any authenticator app will pretty much do it.

So Microsoft makes their own, Google makes their own, Authy makes one, Duo makes one. Salesforce, I even saw their own authenticator app for one of the sites I have to log into. So everybody has an app, and most of the time you can add all these other accounts into that one app.

So you bring the one app up and you see all these rolling passwords, they all, all your passwords are changing every 30 seconds for each individual account that you have.

I personally, I personally like to have separate authentication applications because usually if, if I'm using Google authenticator for my Gmail, it just prompts me and says “Hey, is this you?” And I go “Yup, this is me.” I don't have to type in a code. It's a little more convenient.

But if I use the Google Authenticator with Microsoft, well, now Microsoft doesn't have the prompt method. They'll want me to type in the code. So it's a little less user friendly.

So, just to continue that conversation, like on Office 365, I use the Microsoft Authenticator because it has the push notification. It has the push prompt that it sends out. I don't have to use the code. So I use the Microsoft Authenticator for Microsoft, I use the Google Authenticator for Google, and for everything else that doesn't have a specific authenticator I use Authy.

Jesse:

Okay. And then is this the new generation more or less of LastPass and what was it like? The robot one, I forget what that was called. Yeah. Is it kind of like the new version of that, right?

Tom:

Those are different kinds of things.

You know, I highly recommend we could probably do a whole nother thing on just password management as well. You know, best practice around password management is to create a separate password for every single site that you have.

And the question is, well, how do I keep track of all these passwords? And, you know, people want them to be like 12, 15, 20 characters long and symbols and letters and numbers. And, you know, it becomes almost impossible and there's strategies around, you know, typing in sentences, you know, for certain things or typing in, you know, different words that are easy to remember, but create a long password.

My favorite personally is just to use a password manager like LastPass or, you know, there's other ones like 1Password, RoboForm, passport holder. There's a bunch of different ones out there.

But you know, with LastPass I create a new password for every single site or every application that I have. And it's 20 characters, randomized, you know, separate for everything. And it, and it gives you the ability to like, if someone, if someone breaks into a particular site, let's say let's see, who's been hacked.

Like, you know, you got, I don't know, let's say someone, God forbid hacks into Amazon and they steal my Amazon password. Well now my Amazon password is different from my Microsoft password. It's different from my Gmail password. It's different from all these other passwords. So while they might have my Amazon, they can't take my Amazon and then log into all my other accounts and then take all my stuff.

Jesse:

So in this conversation, LastPass is basically a complicated key, more or less. And an authenticator is more like the Ring doorbell, so you see when there's activity by your door.

Tom:

Well, so the LastPass is just the password organizer. I think of it as like Windows Explorer for passwords, right? You have a set of folders, you put things in and you have, you know, the files, if you will, would be passwords for every different site that you have then.

And then let's say it's like a password cabinet. So you've got this file cabinet. And then you have these files and we're all these different types of passwords. Then you have the individual folder or, you know, piece of paper inside those, those folders for each of the individual sites. Well, that's all well and good. Everything's separated out and all that.

Then the cabinet needs to be locked up too. So LastPass has what they call a master password, and that master password encrypts the entire thing, encrypts all the other passwords. So the most important password that you have to remember is just that one password that gets you into all the other passwords. And LastPass also ties into two factor authentication.

So if you go to log into it, then you get a prompt, they have their own app as well. You get a prompt that says “Hey, is this you trying to log in here?”

Jesse:

Yeah. So I have LastPass. I think, you know, you recommended this years ago. I use that and then they have the generated password, but I haven't thought about this other part of it, you know, which is interesting, as you kind of like are talking about the authenticators and whatnot.

Tom:

Yeah. Someone steals your LastPass password, that would be bad news. Right. And then they have all your passwords. Yeah, of course. How do you protect your LastPass password? You've got to first have a complicated password, then have two-factor authentication set up.

Jesse:

But the problem with that is like every time I try to use the thing, it wants me to re log in and the more complicated you make it, then you're like “Ah, now I gotta type in all these letters” is kind of usually the, you know, on the back end, what are you thinking?

Tom:

Yeah. For better or worse, I have my master password saved, especially on my phone, cause my phone is encrypted already. And if you have a password on your phone and your phone is encrypted, then I use Face ID to unlock my phone.

So when I bring up LastPass, it actually uses Face ID and the KB rather than the password, because I put the password in first and I said “Hey, from now on use Face ID.” So when Face ID checks out, it says “Yep, you're good.” And it basically automatically puts in the password associated with my account, if you will.

Jesse:

So like, let's say now I'm the same business owner in Las Vegas. And I don't want to think about all this stuff. This is basically what you help us with is like trying to get all this stuff, working for like the whole staff or is it still...

Tom:

Our mission in life is to manage technology. To help businesses thrive on managing technology is literally what the mission statement is, right? Yes. So, you know, we want to be the team that is protecting people from all this stuff, monitoring it, managing it, you know, alerting you, creating those conversations when the landscape changes, which is constantly changing.

And we say “Hey, whoa, you know what we need to, we need to implement two factor authentication.” That wasn't a thing years ago, nobody had these little devices running around and, with two factor, we had like these little tokens, like way back when, as a physical token, that would have like a little LCD screen on it. And the number would change every 60 seconds, you know?

And before that, it wasn't even a thing. So, as technology changes and people invent new ways to protect ourselves, you know, our job is to bring that information to our clients and, and convey that to them. So they don't have to sit around worrying about what level of protection they have for their business. And, you know, are they gonna wake up Monday morning and have all their data encrypted?

Jesse:

So your big takeaway would be to work with a company like yours. It would be kind of a big thing. And then as far as like the one action item, would that be two-factor?

Tom:

I think the big takeaways get two-factor installed on as many accounts as you possibly can. That takes some effort, right?

The stuff I was talking about earlier with closing down ports, that doesn't take as much effort, you know, identify the things that are open, you know, come up with a different way to give remote access to your network, like a VPN tunnel, you know, whether it's like a firewall VPN, a software VPN, an SSL VPN. There's a lot of different ways to do it, but certainly setting that up and closing the ports just basically, you know, fortifies the gate, fortifies the perimeter of somebody's business.

So again, there's nothing that's a hundred percent perfect. But if our stuff is fortified, there's a lot less chance that we're going to have a breach.

Jesse:

Yeah. Cause sometimes it's not even about whether it can be breached because it certainly could be; it's how hard is it relative to everybody else?

Tom:

How much effort is it? Right.

So these people that are out there deploying ransomware and, and, and, you know, extorting businesses, they're lazy. They're lazy. So they have software that they probably haven't even written. They just had some dark web, you know, software that they downloaded and then it's just automated.

So it goes out there and just starts looking around, looking around, looking around, looking around, and then as soon as they get a hit, now it's like “Okay, well, what can I do here? How much money can I make?”

But they're not actively trying to get past your gate. It's an automated thing. It's like having the Google Maps car with the big camera on it. And it drives all around the towns, right? All the streets. And it takes pictures of everything.

Just imagine if an attacker had control of that car and that car would just drive around and it was constantly taking pictures of people's fences and gates. Then, it just compiled a list of all of the gates and fences that were open. And then it sent it back to the hacker and maybe it could go to the gate and you could try a bunch of keys automatically.

Maybe there's a little drone that flies in and tries a bunch of keys. And then one of those keys works and then it creates that smaller list. It sends out that smaller list summary to the attacker that says “Hey, I can get into this house here, the gate’s open, I got the key.” Now it's up to you just walk in the house and see what's what's in there. If that was the case, right?

Like, there'd be a lot of, there'd be a lot of damage out in the world, you know, physical damage. But that's essentially what happens in the digital world. Someone is trolling the digital streets, if you will, looking for gates that are open, trying keys that they know until they find one that works. And then they tell their master, whoever that is to go investigate further and try to try to extort some money out of people.

Jesse:

Yeah. And obviously like somebody could hear all this and then they could think, well, if it's this complicated, it's just basically hopeless. What would you say to that? I would say no matter what you do, you're still screwed.

Tom:

Yeah. I would say it's not that complicated. You know, just some simple things, like just making sure, just have someone check your firewall and shut down the ports that are open, if there are any, and switch to a more secure method, number one. And number two, you know, have two factor authentication set up on, especially the accounts that are in the cloud.

That's the big stuff, because that stuff can be accessed from anywhere in the world. So any website, any cloud service should have two factor authentication on it.

Jesse:

Is that available if the site doesn't offer it?

Tom:

It's. I mean, the site needs to offer it, you know, it's so prevalent nowadays that most places like any kind of major site that you might visit are going to support it, for sure.

You know, all your big ones like Google, Microsoft, Salesforce, you know, your banks, they all support two factor authentication at some level. Some are better than others. Right? Some might have an app like Office 365 that has the Microsoft authenticator app works really well. Same with Gmail. Gmail has their Google authenticator app. It works great.

Other sites, maybe they only support text messaging as the two factor authentication method. And I told you a little story about someone stealing the SIM cards. So while that's very susceptible to that attack, it's better than nothing. You know, I would do that rather than nothing. Yeah.

Jesse:

So you are there to help companies make sure they are protected with the IT Services and Security?

Tom:

Yeah, exactly. Yeah. I mean, we're in business to help people, right. So we definitely want to get our services out there and help as many people as we possibly can. Absolutely. You know, what's the best way to do that?

Well, we've got to provide some value for, to build that trust up. And if we can, if we can do a free network assessment and show people “Hey, you know what, there's some gaps in their technology management that can be improved upon,” you know. They could take those, but not everybody buys from us.

So, you know, people take those reports all the time and they give them to their current guy or they fix the stuff themselves. And that's okay too, because it's one less ransomware attack that's for sure. Yeah.

Jesse:

Well, and if you get an assessment back with a bunch of things that are broken, who's to say that, whoever that is managing, I won't have another series of 20 things that they missed because they're not paying attention. Yeah. Yeah. Kind of the next year...

Tom:

Things change constantly. That's why companies like ours exist. Because if we could just fix it once and then call it a day, we wouldn't even be here.

But the reality is that, you know, we're all human beings, we're all using the data, manipulating the data, things are changing, the tech landscape's changing. All these things are changing constantly. And we have to keep checking up on it and monitoring and maintaining it for sure.

If you would like to have a conversation about security, 2FA, and how to save your company from a $95,000 mistake, give ITS a call!
