USB keys are the next step in the back-and-forth between cybercriminals and those who try to foil them. Ken Colburn, of the Data Doctors, explains what it entails.
Q: How do USB security keys work, and should I get one?
A: Your online assets have long been one of the major targets of hackers, and, generally speaking, the only thing keeping them out of your accounts is your passwords.
Weak passwords are no match for today’s hacking technology: High-speed cracking systems can crack any 8-character password in just over a minute.
Even if you create a long, complex password, it can be compromised through data breaches at any of the companies you do business with online.
The black market for known passwords is thriving, because hackers know that people tend to use the same passwords across so many of their online accounts.
2-factor authentication, and ways to beat it
Since a password alone provides very little security these days, the addition of a second form of authentication became popular years ago as smartphones became ubiquitous. It’s akin to the two factors necessary when using your debit card at an ATM: You need both the physical card and the associated PIN.
Activating 2-factor authentication on all your online accounts means that whenever an online service detects that your username and password are used from a location or device that’s never been seen before, a special code is sent to the registered phone number that is required to access the account (the second form of authentication).
This means that a cyberthief needs to steal both your password and your smartphone in order to gain access.
The popularity of 2-factor authentication with smartphones has led to various exploits to usurp this extra layer of protection, including SIM swapping or SIM hijacking.
By taking over control of your phone number, hackers can have the special code sent to a phone that they have in their possession.
They’ve also become very good at fooling victims by calling them posing as an organization that claims to have detected a break in that wants to verify that the victim is the actual owner of the account.
They’ll tell the victim that they will be getting a special code on their smartphone that they need them to read back to ‘verify’ that they are the authentic owner. Of course, reading back the code allows the remote hacker into the account because they are at the screen that is asking for the code on their computer.
USB security keys
Since the bad guys have found easy ways to sidestep the security of 2-factor authentication, the USB key has surfaced to providence another form of higher security.
Instead of using a smartphone as the second form of authentication, you would use a special USB key on your computer, smartphone or tablet that costs $20 to $50.
Once you set them up, a USB security key connected to your device is required in order to gain access to the protected accounts. There are backup methods to allow you in should you lose your USB key, so be sure to set one up if you plan on using them.
To get more of an understanding of your options, checkout the various models from YubiKey, or Google’s offering, called Titan.