Monthly Archives: December 2018

How to secure your Instagram account using 2FA

With our archives full to bursting with stories of hijacked social media accounts, it’s a very good idea to set up two-factor authentication (2FA) on all the platforms you use. 2FA combines your password with something else – a text message to your phone, a code generated by an authenticator app, or a physical key.

Although Instagram is part of Facebook, and Facebook supports several 2FA methods, the 2FA setup process isn’t exactly the same as it is for Facebook, so if you need a bit of help on how to get two-factor authentication on your Instagram account, we’ve outlined the steps in detail below.

While you can browse Instagram and use some Instagram features from a web browser, it’s really meant to be accessed within the Instagram app. To follow the steps below, you’ll need to be logged into the Instagram app on your smartphone or tablet.

    • Go to your Profile by tapping the person icon in the bottom right of the app.
    • Open the “hamburger” menu in the top right of the screen. Tap Settings at the very bottom of that menu.
    • Scroll down to the Privacy and security section and open it up.
    • Under the Security section you’ll find the Two-factor authentication option.
    • Instagram will now show you a screen with a basic introduction to 2FA and the methods it supports: text message-based 2FA and authenticator app-based 2FA. Since Instagram is primarily app-based, it supports the authentication methods that play nicely with smartphones. (USB key-based 2FA devices like a YubiKey wouldn’t work in a mobile context.)
    • On the next screen, you can choose the method(s) you’d like to use for two-factor authentication. While you can choose to enable both Text message and Authentication app-based 2FA, it may make things needlessly complicated for you – unless you’re confident you need both options at once, it’s best to stick with just one of these methods.
    • The more secure of the 2FA options is to use an Authentication app. You’ll need to install a free app like the Google Authenticator or Duo Mobile app to complete the initial 2FA setup on Instagram, and you’ll also need to keep it installed to log in to Instagram afterward. So if you don’t have an authenticator app installed, go ahead and install one right now.
    • Back on the Instagram 2FA setup screen, select the Authentication app option and tap Next, and you’ll be prompted to have Instagram work with your authentication app automatically – which takes care of some of the annoying setup legwork for you, so hit yes. You can use whatever trustworthy authenticator you prefer.
    • Your phone will then switch you over to your authenticator app, and you’ll be asked if you want to add the token attached to your Instagram user name. Hit yes, and you’ll see your Instagram account name within the authenticator app, and a 6-digit numerical code underneath it. That code is your authentication token, and it will change at very frequent intervals. So you’ll next want to copy that numerical code and quickly go back to Instagram, where it is waiting for you to input your confirmation code (the numerical code you just copied).
    • Paste the code in and you should get a confirmation from Instagram that app-based 2FA is now set up.
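The 6-digit code the authenticator app shows is a time-based one-time password (TOTP, RFC 6238), which is why it changes every few seconds and why Instagram and the app can agree on it without talking to each other: both hold the same secret and derive the code from the current 30-second time step. The following Python is an added example, not Instagram’s or Sophos’s code; it assumes the standard authenticator parameters (HMAC-SHA1, 30-second steps, 6 digits) and uses the RFC’s published test secret as a constructed stand-in for the one Instagram would issue.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo secret: the RFC 6238 reference-vector key "12345678901234567890"
# in base32. A real secret is generated by the service and handed to the
# authenticator app during the setup step described above; it is never shown again.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, then reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: Optional[float] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time step.
    This is what the authenticator app computes to display the 6-digit code."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    secret = base64.b32decode(padded)
    now = time.time() if at_time is None else at_time
    return hotp(secret, int(now // step), digits)


def verify_totp(secret_b32: str, candidate: str, at_time: Optional[float] = None,
                step: int = 30, digits: int = 6, drift_steps: int = 1) -> bool:
    """Server-side check: accept the code for the current step and one step either
    side (clock drift, user typing delay), compared in constant time."""
    now = time.time() if at_time is None else at_time
    for k in range(-drift_steps, drift_steps + 1):
        expected = totp(secret_b32, now + k * step, step, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    code = totp(DEMO_SECRET_B32)
    print("current code:", code, "valid:", verify_totp(DEMO_SECRET_B32, code))
```

The one-step drift window is why a code typed a few seconds after it rolls over is still accepted, and it also shows that the shared secret, not any individual code, is what needs protecting.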

You’re not 100% done just yet. The next screen will show you your Recovery codes, which are sort of like an emergency escape hatch if you can’t get 2FA to work – say if you lose your phone and can’t use the authentication app, but need to log in to your account.

In the wrong hands, these codes would also let someone bypass your 2FA protections, so you want to keep them confidential and in a safe place. Some people take a screenshot of the codes and email the screenshot image to themselves, save it in their cloud photo storage, or they even print them out and put them in a locked safe — whatever works for you, as long as the chances of it falling into the wrong hands are minimal.

Once 2FA is set up on your account, Instagram will also send you an email confirming that this new security measure is in place, or if 2FA is ever disabled on your account.

from Naked Security – Sophos

Happy 9th Birthday, KrebsOnSecurity!

Hard to believe we’ve gone another revolution around the Sun: Today marks the 9th anniversary of KrebsOnSecurity!

This past year featured some 150 blog posts, but as usual the biggest contribution to this site came from the amazing community of readers here who have generously contributed their knowledge, wit and wisdom in more than 10,000 comments.

Speaking of generous contributions, more than 100 readers have expressed their support in 2018 via PayPal donations to this site. The majority of those funds go toward paying for subscription-based services that KrebsOnSecurity relies upon for routine data gathering and analysis. Thank you.

Your correspondence and tips have been invaluable, so by all means keep them coming. For the record, I’m reachable via a variety of means, including email, the contact form on this site, and of course Facebook, LinkedIn, and Twitter (direct messages are open to all). For more secure and discreet communications, please consider reaching out via Keybase, Wickr (krebswickr), or Signal (by request).

Many of you have requested a redesign to make this site more mobile-friendly. We’d targeted for that to happen in 2018, but multiple unforeseen circumstances conspired to delay that project this year. Rest assured, that long-overdue change will be coming soon in 2019. Thanks for your patience.

Below are some of the most-read and commented-on enterprise stories throughout 2018, a year marked by a relentless onslaught of data breaches, data leaks and increasingly sneaky scams. It seems unlikely that 2019 will be any different, and while I will endeavor to keep readers abreast of the latest threats and trends, I’m also interested to hear what you would like to see more of in the coming year. So please sound off in the comments below or drop me a note.

By the way, if you’d prefer to keep up with KrebsOnSecurity posts via email, please consider signing up for the newsletter (expect ~3-4 emails per week).

Thanks again for your readership, encouragement and support. Happy New Year!

A Chief Security Concern for Executive Teams

What the Marriott Breach Says About Security

Half of All Phishing Sites Now Have the Padlock

Voice Phishing Scams Are Getting More Clever

Hanging Up on Mobile in the Name of Security

Google: Security Keys Neutralized Employee Phishing

Plant Your Flag, Mark Your Territory Leaks Millions of Customer Records

Tracking Firm LocationSmart Leaked Location Data for Customers of All Major U.S. Mobile Carriers

Don’t Give Away Historical Details About Yourself

This entry was posted on Saturday, December 29th, 2018 at 10:51 am and is filed under Other.

from Krebs on Security

How to secure your Twitter account

Intrusions into your Twitter account might range from mild annoyance, to a serious PR fail, to an international political gaffe.

Regardless of how you use it, there’s no need to make it easier for someone who wants to hijack your Twitter account. It’s quite easy to improve the security of your Twitter account and it only takes a few minutes.

Enable two-factor authentication (2FA)

Having a strong, unique password is an important first step to securing your account, but passwords can be easily guessed or generated by an attacker, so by themselves they’re not enough to stop someone in their tracks.

Your best bet to keep someone out of your account is to also enable two-factor authentication, which means you’ll need a second factor – like a numerical code or physical key – to prove it’s you when you log in to your account. It’s extremely unlikely that someone trying to break into your account has both your password AND access to your unlocked phone, so enabling two-factor authentication significantly reduces the chance of an account break-in.

How to do it: To enable 2FA on your Twitter account, log in and click your profile icon, then go to Settings and privacy. Scroll down to Login verification, which is what Twitter calls two-factor authentication.

Twitter begins the setup with a text message (SMS) code, but once you have 2FA set up you have the option to stick with an SMS code, use a physical security key, or use a mobile authenticator app. Many people prefer to use SMS as it’s easiest, but this method has its own security flaws, so we recommend using an authenticator app on your phone.

For good measure, you may also wish to enable password reset verification, which will require you to confirm your email or phone number if someone (hopefully you) asks to reset your password.

Screen who can contact you

Twitter is great as a big, open platform where anyone can join in the conversation. But that openness can also be a bit of a pain, as harassers and crooks love the platform’s openness too. There’s a very simple way to make sure you aren’t bothered by lazy spammers who are just out to blast Twitter accounts with links to malware as quickly as possible: Screen who can contact you via direct message or by public reply.

You can opt to only allow people you have opted in to follow to send you a direct message (a private message that does not have a character limit, unlike standard tweets), and you can also opt to enable quality filters on regular tweets that you receive, so tweets by profiles of “low quality” will never reach you. This means that if someone with a phony account tries to send you a potentially phishy link – which can and does happen on Twitter, so always click with caution! – they’ll have to do a lot more work just to set up their account and get past basic quality filters, and most spammers won’t bother.

How to do it: To only allow people you follow to send you a direct message, go to Settings and select Privacy and safety from the left-hand menu, and then deselect Receive direct messages from anyone.

To enable the Twitter quality filters, go to your Settings and select Notifications from the left-hand menu. Under Advanced, select Quality filter.

On this page you can also opt to Mute notifications from people who have a default profile photo and haven’t confirmed their email address, which will filter Twitter accounts that haven’t finished their basic profile setup.

Check your connected apps

Do you remember which apps you’ve authorized to have full access to your Twitter account? It’s painlessly easy to sign up to a service using Twitter, but how long do you want that service to have that kind of access? It’s worth reviewing your connected apps to see what’s still lingering in there, and if you see something you don’t remember authorizing or haven’t used in a while, it’s time to revoke its permission to your account.

How to do it: In your Settings, select Apps and devices from the menu and take a look at the apps that are listed as connected to your account. Revoke access for any app that you no longer need or want.

The nuclear option: protect your tweets

While the idea behind Twitter is that the conversation is public and open to everyone, you can opt to protect your account, which makes your tweets visible only to people that you’ve opted to follow.

Twitter itself notes that if you have tweeted publicly and then later change your account to “protected,” it’s very possible those initially-public tweets will continue to live on publicly in perpetuity – so protecting your account is not an “oops” button for erasing tweets you’ve regretted sending, but it is a good way to make sure you know exactly who’s reading your words. It’s the nuclear option for sure, but if you want control over who’s reading you, it’s the right option for you.

How to do it: In Settings, select Privacy and safety. Under Tweet privacy check Protect your Tweets. (You can always un-protect your tweets and make your tweets public if you ever change your mind!)

from Naked Security – Sophos

How to protect your Facebook account: a walkthrough

Those of you who have joined team #DeleteFacebook may avert your eyes. There are some of us – okay, many of us – who remain on the ubiquitous social media platform, and if you’re one of them, there are some things you can do to make your account more secure from prying eyes.

Here we walk you through the important settings you can change and behaviors you can implement to lock down your privacy on the social network.

Note: To change many of the settings below, Facebook will ask you to input your password. It’s a good reminder that if your password isn’t strong or unique to the site, now is the perfect time to change it!

Enable 2FA

If you only do one thing on the list in this article, do this: enable two-factor authentication (2FA). This means someone trying to break into your Facebook account needs more than just your password, they also need a second token that you own, be it a code or a physical key. The chances of someone having this in their possession are pretty small, so this step will stop most intruders in their tracks.

Facebook will walk you through the steps to enable 2FA on your account to help you get set up. You have a few options available to you for how you want to authenticate: you can choose to use a code sent to you by text message, which is easiest but not completely secure, or to use a code generated by an authenticator app on your phone, which takes a little more setup work.

If you’re really savvy and browsing using the website on a computer, Facebook also supports U2F keys like YubiKey, which is a physical key you plug into your computer’s USB port as your authentication token.

How to do it on your desktop: Go to your Facebook Settings and select Security and Login from the menu on the left. Next to Two-Factor Authentication click Edit and then Get Started.

How to do it in the app: Open Privacy shortcuts from the hamburger menu in the bottom left. Scroll down to the Account Security section and tap Use two-factor authentication. Choose whether you want to set up SMS 2FA or use an authenticator app.

You can turn on 2FA for your account from either the website or the app, you don’t have to do it in both places.

Get login alerts

If someone does manage to get into your Facebook account, you’ll want to know about it as soon as possible. If requested, Facebook can alert you to any strange-seeming logins to your account. You can be alerted via email, text message, Facebook message or even a Facebook in-app notification. It’s a little peace of mind and a very simple measure to set up.

How to do it on your desktop: In your Facebook settings, select Security and Login and scroll down to Setting up Extra Security. Hit the Edit button on Get alerts about unrecognized logins and customize how you’d like to be notified.

How to do it in the app: Open Privacy Shortcuts from the hamburger menu in the bottom left. Scroll down to the Account Security section and tap Receive alerts about unrecognised logins.

Check your connected apps

That quiz you took years ago about your star sign that you promptly posted and forgot about? All these years it’s had permission to see your profile, posts, and friends’ posts into perpetuity, so why does it still have this access?

You could have any number of apps like this quietly sniffing your information in the background. There’s an easy way to check what apps you might still have enabled, and disable them if you like. It’s best to have as few apps enabled as possible – and definitely remove permissions for any apps that you don’t recognize or remember using.

How to do it on your desktop: In your settings, go to Apps and Websites. Check the apps in your Active and Expired categories and remove any or all of them.

How to do it in the app: Open Settings from the hamburger menu in the bottom left. Scroll down to the Security section and tap Apps and Websites. Open Logged in using Facebook and check the apps in your “Active” and “Expired” categories and remove any or all of them.

Note, there is also a Business Integrations section, separate to Apps and Websites, that you might want to check for connected services too.

Be discriminating in how people find and contact you

The whole idea of Facebook is to reach out to friends and family and grow your network, but spammers and fake profiles seem to be some of the most enthusiastic users of the platform lately.

If you’re tired of getting suspicious Facebook friend invitations, or would rather not invite the risk of getting a phishy or malicious link on your Facebook wall, be discriminating in who you befriend. We suggest limiting who can contact and find you on the platform to “Friends of friends,” and to limit email and phone lookups to “Friends of friends” as well.

How to do it on your desktop: In settings, select Privacy. Modify your preferences for how you can be found on Facebook under the How people can find and contact you section.

How to do it in the app: Open Settings from the hamburger menu in the bottom left. Scroll down to the Privacy section and hit Privacy settings. Scroll down to How people can find and contact you.

Call for backup: Choose friends to help if you’re locked out

If you’ve had issues in the past with your account being compromised – say if you’re a public figure or just very unlucky – Facebook has an option to let you select three to five people in your friends list who you can call on to help you regain control over your account if you’re ever unable to log in (say, because someone else has locked you out).

This is not a feature that everyone will need, so if you don’t think it’s going to be that big a deal if you’re locked out of your account, feel free to skip this one. But if Facebook is your primary means for earning a living, or communicating with customers or your fanbase, this setting is worth your consideration.

The people you choose to be your backup – which Facebook calls your “trusted contacts” – should be people you know will be tech-savvy enough to know how to help you quickly (so, ideally someone who knows how to use a smartphone), and they should also know ahead of time that you’re choosing them to be a trusted contact, as Facebook will notify them that you’ve tapped them for this ‘honor’.

At no point will any of your trusted contacts have access to your Facebook account personally, nor will they be able to commandeer it at any time – they will be able to send you a code and a URL to help you log back into your account in case of an emergency.

How to do it on your desktop: In Settings, go to Security and Login and scroll down to Setting up extra security. Hit Edit on Choose 3 to 5 friends to contact if you get locked out and follow the instructions.

How to do it in the app: Open Settings from the hamburger menu in the bottom left. Under Security, tap Security and login and scroll down to Setting up Extra Security. Hit Choose 3 to 5 friends to contact if you are locked out.

Face recognition and tag privacy

Facebook maintains that it has face recognition capabilities for our own benefit – so we can know if we’re in a photo but haven’t been tagged, and someone can’t impersonate us by using our profile photo (we’re wise to your tricks, spambots!). But many of us also find this kind of tech creepy and intrusive. If you don’t want Facebook to proactively find you and identify you in photos, you can disable face recognition.

How to do it on your desktop: In Settings, select Face Recognition and then choose No.

How to do it in the app: Open Settings from the hamburger menu in the bottom left. Scroll down to Privacy and open Face recognition. Select No.

Note that face recognition isn’t the same as when people you know tag you in photos. If you don’t want people to tag you in photos or posts without your approval first, there’s another setting you’ll want to enable.

How to do it on your desktop: In Settings, go to Timeline and tagging and then choose On for both options in the Review section.

How to do it in the app: Open Settings from the hamburger menu in the bottom left. Scroll down to Privacy and open Timeline and tagging. Scroll down to Review and ensure both are set to On.

Keep your posts friends-only

You wouldn’t leave your front door open all the time. Why make the details of your personal life open and public for all the cybercriminals in the world to mine? Leaving your posts all public-facing is a gold-mine for criminals looking for details to try and guess security questions, or impersonate you to scam friends or family.

There’s a really easy solution here: Keep your Facebook posts out of the public eye and make the default privacy level friends-only. That way only the people you have approved and friended can see what you’re up to.

How to do it on your desktop: In settings, select Privacy. Under Your Activity set Who can see your future activity? to Friends, and click Limit past posts to retroactively make all your previous posts Friends-only as well.

How to do it in the app: Open Settings from the hamburger menu in the bottom left. Scroll down to Privacy and open Privacy settings. Under Your Activity set Who can see your future activity? to Friends, and also go back a step and turn on Limit who can see past posts too.

Be discriminating in what you do

Unfortunately, the risks to Facebook users are no longer just from external forces trying to break their way into your account. We’ve learned in the last year or so that there have been a few Facebook-approved data miners, like Cambridge Analytica, that were given unfettered access to what Facebook users were up to behind the garden walls.

So the steadfast internet advice applies here as anywhere: Mind what you post, and remember that the internet is forever. Even content you post behind the friends-only filter on Facebook is not an ironclad guarantee of privacy, so use discretion and if your gut is telling you to not hit that “post” button, it’s best to listen.

from Naked Security – Sophos