Money transfers, online shopping, booking a doctor's appointment online: these activities are part of everyday life. We do them mechanically, and they take only a moment, although not long ago the same procedures were far more complicated and time-consuming. We are used to the idea that performing such an operation only requires confirming our identity and providing some data. But at a time when we hear about so many data leaks, is that a safe enough way to verify a user? According to the CERT Orange Polska cybersecurity report, phishing deserves special attention: it accounts for a significant share of observed threats, and the trend is upward.

What is phishing?

Phishing is a form of fraud in which a user is tricked into handing over confidential information, typically through fake websites. Attackers impersonate a person or an institution in order to obtain valuable data or to persuade the victim to perform some action. To capture data they rely on the weakest link in any defence, the human being, and on the power of habit.
A common phishing strategy is to send links to fake websites. The fake can be nearly indistinguishable from the original and differ only in small details. Sometimes the difference is a single character in the domain name, such as a letter with a diacritic in place of a plain one; combined with a layout and colours copied from the original, that is enough for the user to type their login credentials into the fake site.

These attacks also arrive by email and even by voice call. How does it end? With an account takeover, often of many accounts at once, because users unaware of the danger reuse the same password across many applications. Sensitive data, private messages and bank accounts become easy targets. Such incidents happen to individuals and to large organisations alike.


Business implications of attacks

We live in the age of big data, and data is often worth more than money. Identity theft and the loss of important data are a problem for any user, but businesses in particular should take the threat seriously. A cyber-attack means more than temporary downtime, production delays and the cost of cleaning up the damage. Reputational damage is as severe and as long-lasting as the financial loss. A company that falls victim to attackers loses credibility and customer trust: if it cannot protect its own data, what guarantee of security can it give its customers? An image crisis following a data leak can do lasting harm, so it is better to prevent it with dedicated preventive measures.

Authentication methods – pros and cons of popular solutions

Preventing data theft is a recurring topic in the security community, and industry experts point to two-step verification as an effective measure. It protects users from losing access to what their accounts guard, whether money in a bank or an email account full of important information. Instead of just a username and password, the login process demands an additional element: a code, a confirmation from a mobile app or a hardware security key. Let us look at the most commonly used 2FA (two-factor authentication) methods and trace their advantages and disadvantages.

SMS codes

SMS codes are the simplest and most familiar two-step authentication method. After entering your login and password you are asked for a one-time code sent to your phone number by SMS. The main advantage of this popular solution is accessibility: almost everyone has a mobile phone, and typing in a received code is not a demanding activity, which matters for applications aimed at users who are not fluent in new technology. In addition, the server-side code that generates and sends SMS codes is not complicated to write, so speed and ease of implementation are further advantages.

Despite its universality, verification based on SMS codes is not the most effective way to protect data. Experts point to a number of weaknesses, from the phone being lost or stolen to problems that neither the application's users nor its developers can influence. Here it is worth mentioning the weak security of GSM networks and the possibility of an attack with a duplicate SIM card: attackers who have obtained the phone owner's personal data from a leak can order a duplicate SIM from the mobile operator and then receive the codes themselves. That is a clear gap that makes data theft possible. And even when every code reaches the right phone, it can still be phished: a fake site that asks for the SMS code and forwards it to the real one within the code's lifetime defeats this method.
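As an added example (not code from the original article), here is the server side of such an SMS scheme in Go, with the checks a practitioner would want around a code that is easy to generate: a cryptographically random code, a short lifetime, a capped number of guesses, single use, and storage of an HMAC rather than the code itself. The SMS gateway call, the server secret and the user identifiers are assumptions for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Added example (not from the original article): the server side of an SMS
// one-time code. Delivery through an SMS gateway is out of scope.

const (
	codeDigits  = 6
	codeTTL     = 5 * time.Minute // a code that lives for hours gives an attacker time
	maxAttempts = 5               // 10^6 codes are trivial to brute-force online without a cap
)

var (
	ErrNoCode       = errors.New("no active code for user")
	ErrExpired      = errors.New("code expired")
	ErrTooManyTries = errors.New("too many attempts; code invalidated")
	ErrMismatch     = errors.New("code does not match")
)

// pendingCode is what the server keeps: an HMAC of the code, never the code itself.
type pendingCode struct {
	mac      []byte
	expires  time.Time
	attempts int
}

type OTPStore struct {
	serverKey []byte                  // assumption: a secret known only to the server
	now       func() time.Time        // injectable clock so expiry can be tested
	pending   map[string]*pendingCode // keyed by user id
}

func NewOTPStore(serverKey []byte, now func() time.Time) *OTPStore {
	return &OTPStore{serverKey: serverKey, now: now, pending: map[string]*pendingCode{}}
}

// randomCode draws uniformly from crypto/rand; math/rand would make codes predictable.
func randomCode() (string, error) {
	limit := new(big.Int).Exp(big.NewInt(10), big.NewInt(codeDigits), nil)
	n, err := rand.Int(rand.Reader, limit)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%0*d", codeDigits, n.Int64()), nil
}

func (s *OTPStore) tag(user, code string) []byte {
	m := hmac.New(sha256.New, s.serverKey)
	m.Write([]byte(user + "\x00" + code))
	return m.Sum(nil)
}

// Issue creates a fresh code for the user and returns it for SMS delivery.
// Any earlier code for that user is replaced, so only one is ever live.
func (s *OTPStore) Issue(user string) (string, error) {
	code, err := randomCode()
	if err != nil {
		return "", err
	}
	s.pending[user] = &pendingCode{mac: s.tag(user, code), expires: s.now().Add(codeTTL)}
	return code, nil
}

// Verify checks a submitted code: it must exist, be unexpired, be within the attempt
// budget and match in constant time. A used or exhausted code is deleted (single use).
func (s *OTPStore) Verify(user, submitted string) error {
	p, ok := s.pending[user]
	if !ok {
		return ErrNoCode
	}
	if s.now().After(p.expires) {
		delete(s.pending, user)
		return ErrExpired
	}
	if p.attempts++; p.attempts > maxAttempts {
		delete(s.pending, user)
		return ErrTooManyTries
	}
	if subtle.ConstantTimeCompare(p.mac, s.tag(user, submitted)) != 1 {
		return ErrMismatch
	}
	delete(s.pending, user)
	return nil
}

func main() {
	store := NewOTPStore([]byte("constructed server secret"), time.Now)
	code, _ := store.Issue("alice")
	fmt.Println("send by SMS:", code)
	fmt.Println("wrong code: ", store.Verify("alice", "000000"))
	fmt.Println("right code: ", store.Verify("alice", code))
	fmt.Println("replay:     ", store.Verify("alice", code))
}
```

Nothing here stops a phishing page from asking for the code and forwarding it to the real site within the five-minute window, nor does it stop a SIM swap from delivering the code to the attacker; those weaknesses are in the channel, not in the code handling. Rate-limiting Issue per user is also needed, otherwise an attacker can reset the attempt budget by requesting fresh codes.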


Multi-digit codes

The need to improve on SMS codes led to one-time codes generated on the device itself. This popular 2FA method relies on an app on your phone, such as Google Authenticator, that generates one-time passcodes. How does it work? When the server enrols a user it generates a random secret key (the original Google Authenticator tooling used 80-bit secrets; RFC 4226 requires at least 128 bits and recommends 160). The secret is handed to the app as a QR code to scan or a base32 string to type in. From then on the app computes an HMAC-SHA1 over a counter derived from the current time (by default the number of 30-second intervals since the Unix epoch), and a 31-bit slice of that hash, reduced modulo one million, is displayed as the 6-digit code. These are the HOTP and TOTP algorithms of RFC 4226 and RFC 6238.

This removes the GSM network from the picture: the app generates one-time codes locally, with no network involved. Another convenience is that the server and the code generator never communicate after the initial setup; both simply compute the same function of the shared secret and the time. Availability is again an advantage, since the smartphone is an everyday object for most people. On the other hand, the smartphone is also the biggest weakness of this method: the secret sits in the phone's storage, where malware or a leaked backup can expose it, and a copied secret generates exactly the same codes. Note too that one-time codes do not protect against data theft by classic phishing: a fake website simply asks for the current code and relays it to the real site within the 30-second window.
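The algorithm the app runs, written out as an added example in Go (it is not the article's code or Google Authenticator's source): HOTP from RFC 4226, TOTP from RFC 6238 on top of it, base32 decoding of the enrolment secret, and a server-side verifier with a one-step tolerance window. The secret used at the end is the RFC 6238 test-vector key, not a real one.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// Added example, neither the article's code nor Google Authenticator's source:
// HOTP (RFC 4226) and TOTP (RFC 6238), the algorithm behind authenticator apps.

// HOTP computes HMAC-SHA1(secret, counter) and applies dynamic truncation: the low
// four bits of the last byte choose an offset, 31 bits are read there as a big-endian
// integer, and the result is reduced modulo 10^digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP is HOTP with the counter taken from the clock: floor(unixTime / step).
func TOTP(secret []byte, at time.Time, step time.Duration, digits int) string {
	return HOTP(secret, uint64(at.Unix())/uint64(step/time.Second), digits)
}

// DecodeSecret parses the base32 secret carried by the enrolment QR code or typed in by hand.
func DecodeSecret(b32 string) ([]byte, error) {
	s := strings.ToUpper(strings.ReplaceAll(b32, " ", ""))
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

// VerifyTOTP accepts the current step and one step either side to absorb clock drift
// (a wider window weakens the scheme). Note what is not checked: where the code was
// typed. A code entered on a phishing page verifies exactly like one entered on the real site.
func VerifyTOTP(secret []byte, submitted string, at time.Time, step time.Duration, digits int) bool {
	for _, delta := range []time.Duration{-step, 0, step} {
		if hmac.Equal([]byte(TOTP(secret, at.Add(delta), step, digits)), []byte(submitted)) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed input: the RFC 6238 test-vector key, ASCII "12345678901234567890".
	secret, _ := DecodeSecret("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
	at := time.Unix(1111111109, 0).UTC()
	fmt.Println("code at", at, "=", TOTP(secret, at, 30*time.Second, 6))
	fmt.Println("verifies:", VerifyTOTP(secret, TOTP(secret, at, 30*time.Second, 6), at, 30*time.Second, 6))
}
```

Two things follow from the code. First, anything that can read the secret (malware on the phone, a cloud backup of the app, a screenshot of the QR code) can produce the same codes indefinitely. Second, VerifyTOTP has no way of knowing where the code was typed; a phishing page that relays the code within the window passes this check exactly as the user would.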

FIDO U2F

In the hierarchy of effectiveness, the U2F security key ranks highest, because it eliminates the drawbacks of the previous proposals. A FIDO U2F key is a physical device that plugs into a computer over USB; it can also talk to a phone over NFC or Bluetooth. During registration on a website the key generates a fresh key pair for that site. The private key is derived on the device from a random nonce, the identity of the site (its origin) and a secret that is stored permanently on the device and never leaves it; the nonce and a check value are returned to the server as an opaque key handle.

The private key stays on the device, and the public key is sent to the server together with the key handle.
Logging in with the dongle starts with the site sending a challenge, which the browser passes to the key together with the origin of the page that asked for it. The key first checks that the key handle belongs to that origin, i.e. to the page registered in the previous step. Only if they match does it sign the challenge and the origin with the private key, and the signature goes back to the server, which verifies it with the stored public key. This process is both faster for the user and more secure, and it eliminates the disadvantages of the previous solutions.
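The registration and sign-in flow just described, modelled as an added example in Go (not the article's code or any vendor's firmware). The per-site key derivation from a device master secret is a simplified version of the key-wrapping scheme hardware keys use, the client data is a plain string instead of the real JSON document, and the attestation certificate and the server's signature-counter check are omitted; the origins and the device secret are illustrative. What it shows is the origin binding: the same key handle, presented by a page at a lookalike domain, is refused by the device before anything is signed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
)

// Added example, not the article's code or any vendor's firmware. Per-site keys are
// re-derived from a device master secret (a simplified form of the key wrapping
// hardware keys use); attestation and the server-side counter check are omitted.

var curve = elliptic.P256()
var ErrWrongOrigin = errors.New("key handle was not registered for this app ID")
type Authenticator struct {
	master  []byte // never leaves the device; 32 bytes from crypto/rand on real hardware
	counter uint32 // signature counter, included in every assertion
}

// prf derives per-site material from the master secret, bound to appID.
func (a *Authenticator) prf(label, appID string, nonce []byte) []byte {
	h := hmac.New(sha256.New, a.master)
	h.Write([]byte(label + "\x00" + appID + "\x00"))
	h.Write(nonce)
	return h.Sum(nil)
}

// privateKeyFor re-derives the site key; the device stores nothing per site.
func (a *Authenticator) privateKeyFor(appID string, nonce []byte) *ecdsa.PrivateKey {
	d := new(big.Int).SetBytes(a.prf("key", appID, nonce))
	d.Mod(d, curve.Params().N)
	x, y := curve.ScalarBaseMult(d.FillBytes(make([]byte, 32)))
	return &ecdsa.PrivateKey{PublicKey: ecdsa.PublicKey{Curve: curve, X: x, Y: y}, D: d}
}

// Register returns a fresh public key and an opaque key handle (nonce || MAC over appID).
func (a *Authenticator) Register(appID string) (*ecdsa.PublicKey, []byte) {
	nonce := make([]byte, 16)
	rand.Read(nonce)
	pub := a.privateKeyFor(appID, nonce).PublicKey
	return &pub, append(nonce, a.prf("mac", appID, nonce)...)
}

// makeClientData stands in for the JSON client data: the browser, not the page, writes the origin.
func makeClientData(challenge, browserOrigin string) []byte {
	return []byte(browserOrigin + "\n" + challenge)
}

// assertionBytes is the U2F signed message: SHA256(appID) || presence || counter || SHA256(clientData).
func assertionBytes(appID string, counter uint32, clientData []byte) []byte {
	appParam, chalParam := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	b := append(appParam[:], 0x01) // 0x01: user presence (the touch) confirmed
	b = binary.BigEndian.AppendUint32(b, counter)
	return append(b, chalParam[:]...)
}

// Authenticate signs only if the key handle was registered for this appID.
func (a *Authenticator) Authenticate(appID string, keyHandle, clientData []byte) (uint32, []byte, error) {
	if len(keyHandle) != 48 || !hmac.Equal(keyHandle[16:], a.prf("mac", appID, keyHandle[:16])) {
		return 0, nil, ErrWrongOrigin
	}
	a.counter++
	digest := sha256.Sum256(assertionBytes(appID, a.counter, clientData))
	sig, err := ecdsa.SignASN1(rand.Reader, a.privateKeyFor(appID, keyHandle[:16]), digest[:])
	return a.counter, sig, err
}

// VerifyAssertion is the relying party's check: its own origin and challenge must be
// in the signed client data, and the signature must verify under the stored key.
func VerifyAssertion(pub *ecdsa.PublicKey, appID, challenge string, clientData []byte, counter uint32, sig []byte) error {
	if string(clientData) != appID+"\n"+challenge {
		return errors.New("client data does not carry the expected origin and challenge")
	}
	digest := sha256.Sum256(assertionBytes(appID, counter, clientData))
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("bad signature")
	}
	return nil
}

// login models one sign-in: a page at browserOrigin relays the server's challenge to the key.
func login(dev *Authenticator, pub *ecdsa.PublicKey, keyHandle []byte, appID, browserOrigin, challenge string) error {
	cd := makeClientData(challenge, browserOrigin)
	counter, sig, err := dev.Authenticate(browserOrigin, keyHandle, cd)
	if err != nil {
		return err
	}
	return VerifyAssertion(pub, appID, challenge, cd, counter, sig)
}
func main() {
	dev := &Authenticator{master: []byte("constructed device secret, not random")}
	pub, kh := dev.Register("https://bank.example") // illustrative origin
	fmt.Println("genuine site:  ", login(dev, pub, kh, "https://bank.example", "https://bank.example", "c1"))
	fmt.Println("phishing relay:", login(dev, pub, kh, "https://bank.example", "https://bank-example.com", "c2"))
}
```

The genuine origin succeeds and the lookalike fails with ErrWrongOrigin. Even if a device were somehow tricked into signing, the browser writes the real origin into the client data, so the relying party's comparison in VerifyAssertion would reject the assertion anyway. No secret leaves the key and there is nothing for the user to type into the wrong page.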

Advantages of the FIDO U2F security key

The undoubted advantage of this method is that the key is an accessible and easy-to-configure device. It communicates over USB, NFC or Bluetooth, it is small, and it fits on a key ring, so you can always have it with you. More important in the context of our starting problem, the device is phishing-resistant: the key and the browser together check the origin of the website on which it is being used, so a lookalike site under a different domain gets no usable signature. What is more, signing happens only inside the key. A malicious application cannot extract the private key, which guarantees the integrity of operations performed with it.

Disadvantages of the FIDO U2F

Like all the previously mentioned methods, FIDO U2F is not without disadvantages. Users point to the tiresome need to carry the device and to build the habit of moving around not only with a phone but also with a security key. Like any object, it can be damaged or lost. For complete security it is recommended to register two such devices, so that you can still access your account if one of them is lost or broken. There is also the question of cost: the cheapest FIDO U2F keys can be bought for about 40€, which is relatively small in the face of the advantages of this solution.


Summary

Although the ingenuity of data thieves can surprise, they use standard attack methods that you can learn to recognise. It is worth building a few good habits into your daily Internet activities; they reduce the risk of opening a fake message or using a phishing website. You will not end up in a phisher's net if you limit your trust: do not trust suspicious links, messages with attachments from an unknown source, or sites that press you to enter data. It is also good practice to use a password manager, which generates complex, unique passwords while relieving you of the need to remember them, and which will not offer a saved password on a lookalike domain.

For users who care about security, we recommend technical protection against phishing. At the moment the only one of the methods discussed here that effectively protects against real-time phishing is FIDO U2F. The cost of such a device is a small price to pay for the security of your confidential data, your social media accounts, and your bank accounts and the funds in them.

Why us?

Thank you for reading our article. If you care about data security and do not want to expose your company to financial and reputational losses, consider working with specialists. We believe in Digital Orchestration, so we care not only about providing cutting-edge technology but also about the comprehensiveness and security of the solution. We work on the security and quality of the code and we also handle software testing, which reduces the risk of malfunction. As a Global System Integrator we provide technology implementation and business consulting services. Please contact us: contact@ttpsc.com.
