Blog Feed

How to Transfer Google Authenticator to New iPhone

Posted by on 18:59 in R&D, Setup Guides | 9 comments


If you’re reading this, you have probably bought a new iPhone. Congratulations! Now, the question is how to transfer Google Authenticator to a new iPhone so as not to lose access to all the accounts you protect with multi-factor authentication. We’ll talk about Google Authenticator for iOS here, but the same works for Android smartphones. Though, if you need to move Google Authenticator from one Android smartphone to another, it is better to use its built-in Transfer Accounts function. It lets you switch Google Authenticator to a new phone in a few clicks, moving all the tokens you use at once. Unfortunately, this function is available only on Android so far. While we wait for the same update in the iOS version of Google Authenticator, let’s figure out what methods of transferring Google Authenticator to a new iPhone are available to us now.

The first thought of an average GA user is to simply delete the application from the old iPhone and set up Google Authenticator on the new iPhone. However, it’s critical not to do this. Ensure you’ve moved all the OTP tokens to your new smartphone first. If you just delete the Google Authenticator app from the old iPhone and reinstall the application on the new one, your 2FA tokens will be deleted without the possibility of restoring them, and you’ll have to face the complicated process of account recovery. The procedure differs from website to website, but don’t doubt that it is always long and painful. Most likely, you’ll have to apply to the support center of every website and prove your identity.

There is a simple way to transfer Google Authenticator to a new iPhone, which is described below, but it works only for the 2FA token you use to access your Google Account. If you use iOS Google Authenticator to authenticate on other websites, you’ll have to switch off two-factor authentication and then turn it on from scratch on these services, enrolling new tokens in the new authenticator app manually. Of course, your old iPhone with Google Authenticator is required to log in to all these accounts. Furthermore, sometimes you’ll be asked to enter the current OTP to deactivate MFA. So don’t delete the app from the old phone until you have transferred all the tokens from Google Authenticator to the new iPhone.

How does Google Authenticator work

First, let’s understand the modus operandi of Google Authenticator for iPhone. This will help us explain what to do to make the process of transferring Google Authenticator to a new iPhone smooth and easy. And even more, knowing how the iPhone authenticator app works, you’ll understand how to back up the Google Authenticator you use on iPhone. Google Authenticator generates time-based one-time passwords using the Time-based One-time Password Algorithm (TOTP). It means that two parameters are used to generate the OTP code: a unique code, usually called a secret key or a seed, which is shared between the token and the authentication server, and the current time interval. Time intervals are counted from UNIX time, which started at 00:00 on January 1, 1970. Thus, every 30 seconds the Google Authenticator application divides the number of seconds since January 1, 1970, by 30, takes the resulting number, combines it with the seed,...


Remote Work: How to Transition Team to Working From Home During the COVID-19 Pandemic

Posted by on 19:01 in Industry News, Protectimus Products, R&D, Setup Guides | 7 comments


In this article, we’ve gathered everything you need to know about remote work. We share our own experiences and talk about how to organize remote access to company resources, how to protect the accounts of users who are working from home, what remote team working tools you can use for communicating and managing tasks, and how to keep in touch with your remote teams.

Working remotely during the pandemic is not a mere trend. Today, with the number of people infected by the coronavirus that causes COVID-19 rising exponentially, and given that a cure or vaccine for the virus has yet to be discovered, the only means of fighting the epidemic is social distancing and learning how to work from home. Many countries have already implemented a quarantine. Airports, train stations, schools, restaurants, gyms, malls, beauty salons, and (in some cases) even parks and playgrounds have been closed. Concerts, lectures, and conferences have been postponed. In this situation, a majority of private and public entities have been forced to transition to having their employees work from home whenever feasible.

We suggest that business owners view this transition to remote work as an opportunity to learn about new remote workplace software and optimize their resources. Facing an imminent economic crisis, we have to use all the means at our disposal to adapt to difficult market conditions and press onward. In this context, particular attention must be given to the topic of cyber security and risk management. Remote network connections are an additional avenue of attack for would-be intruders. We’ll tell you what you should be afraid of, what basic cybersecurity tips and rules you should implement for remote workers, and how to secure remote desktop connections to workplace computers.

Table of contents:
Where do I start?
Setting up remote access
Connecting to a remote desktop over RDP
Setting up two-factor authentication for VPN
Setting up two-factor authentication for RDP
Essential tools for remote work
Cloud services for collaboration
Messaging apps
Task managers and CRM
Video calling, presentation, and conferencing tools
IT security threats when working remotely
Confidential information can be leaked
Malware can compromise corporate networks
Unauthorized users can gain access to company networks
Cybersecurity when working from home
Protecting remote connection
Two-factor authentication
Choosing OTP tokens
Security policies

Where do I start?

1. Think about the technology employees will use to work remotely. If people use company laptops, they can take these home with them during the quarantine. If employees use desktop computers, you’ll need to set up remote access to these computers.
2. Take care to protect remote connections and user accounts on company computers. Be sure that employees set secure passwords and activate two-factor authentication for all the services they use to do their work. Enable two-factor authentication for Windows and Microsoft RDP.
3. Prepare a remote working software package for communicating, working with documents, tracking tasks, and holding presentations online. Most likely, you’re already using tools in most of these categories. If something is missing, you’ll need to choose team software and install it on all your employees’ computers.
4. Maintain security policies for working from a computer at home. Hold mandatory training on the basics of IT security and come up with a remote work policy. Some of your employees may not know what phishing, malvertising, and social engineering are, why they shouldn’t connect to an unknown Wi-Fi network, and why they shouldn’t save...


HOTP Algorithm Explained

Posted by on 18:13 in Engineering, R&D | 0 comments


The HOTP algorithm, or HMAC-based one-time password algorithm, was first published by OATH as RFC 4226 back in 2005. What is OATH? OATH, or the Initiative for Open AuTHentication, is an organization which specified, put together and published the OATH OTP algorithms that lie at the heart of MFA (multi-factor authentication). It is time we looked closely at these algorithms, specifically OATH-HOTP. The HOTP algorithm is what allows creating one-time passwords by utilizing a secret key and a counter. Today we will look at how OTP works, what role the HMAC algorithm plays in it, and at what both HOTP and TOTP are.

A table of contents for your convenience:
What does OTP mean
What is HMAC
What is hash
What is MAC
So what is HMAC
What is HOTP
HOTP synchronization problem
HOTP security problem
HOTP vs TOTP
Protectimus tokens with HOTP algorithm

What does OTP mean

First, let’s discuss the OTP meaning. A one-time password is usually a string of randomly generated digits that works for one login or transaction only. These dynamic passwords, unlike static ones, are hard to bypass or hack, since the hacker will need access to both something you have (an OTP generating device, like a cellphone or hardware token) and something you know (like a PIN code). OTPs are the best protection against such common hacks as phishing, brute force, keyboard logging, and man-in-the-middle attacks. Here’s an OTP password example:

What is HMAC

What is hash

A hash is the mathematical algorithm used by HMAC-based one-time passwords. Simply put, it is a math function that turns one value into another, or condenses data to a specific size. Here’s an example. If this passage was run through a hashing algorithm, the result, known as a hash value (SHA-1, hex), would be this: 2faff97be86cbbf921b8e5b9e1c74b82af080016 At the same time, if we change the slightest detail in the source text, for example, remove the quotation marks, the hash value will be completely different: D0f8e2703fb647ce0504f6222c04f473f9f88a94

No matter what the volume of the source information is, be it Moby-Dick or just a phone number, its hash value is always a string of symbols of a predetermined size. Comparing hash values is far easier for a computer than comparing the original files. So the hash value from the example would be a convenient tool for a computer to compare, identify or run calculations against data and files. Hashing is used for a variety of purposes, among them compression, cryptography, data indexing, and checksum generation. Also, it’s impossible to recover the source information from the hash, which is what distinguishes hashing from encryption. Thus, it is an especially good fit for cybersecurity purposes.

Read also: Identification, authentication, and authorization – what’s the difference

What is MAC

Message Authentication Code, or MAC, is a cryptographic checksum for data transferred through insecure channels. With a MAC applied, the receiving party can verify the authenticity of the message simply by establishing that the sender has the secret key. In case the sender does not have the correct seed, the MAC value would be wrong and the recipient would know the message was not sent by the legitimate sender. First of all, the sender and the recipient share a secret key (also called a seed) and agree to use the same MAC generation algorithm. Before sending the message,...


Twitter Two-Factor Authentication in Details

Posted by on 16:07 in Protectimus Products, R&D, Setup Guides | 18 comments


With over 145 million active users, Twitter is widely used not only for personal entertainment but for business and political agendas too. Yet, surprisingly (or not, considering that they did admit to using phone numbers for targeting ads), Twitter has been reluctant to forgo SMS for delivering one-time passwords for its 2-step verification for a very, very long time. Until finally, in November last year, they gave in and allowed Twitter two-factor authentication without requiring a phone number. In this post we will look into all the 2FA methods Twitter supports, show you how to activate each of them, and how to make sure you are able to log in even if you lose your Twitter 2FA token.

How to enable Twitter 2FA via SMS and whether it’s worth it

As we’ve already mentioned above, we are decidedly against SMS-based Twitter 2FA. As a matter of fact, we vehemently insist that using SMS to deliver verification codes for MFA anywhere, not only in Twitter 2FA, is not safe and should be avoided if at all possible. Why are we so against SMS? While it is convenient and cheap to use, it is also astonishingly easy to hack. The ways to break into an account that’s protected only this way are numerous, starting with a simple SIM swap and ending with more complex things like intercepting the passwords by exploiting the numerous vulnerabilities of the telecom infrastructure. We’ve talked about these and other SMS 2FA vulnerabilities, like fake cell towers, extensively before; you can read it here.

Yet, while Twitter 2FA without SMS is the way to go, we do understand that circumstances might demand otherwise, and one might want to know how to receive the Twitter two-factor authentication code via SMS. So here’s a simple guide:

1. Go to your account settings (“More” → “Settings and privacy”) and find “Security” → “Two-factor Authentication”.
2. Check the “Text message” box and press “Get Started”.
3. Enter your password, then press “Verify”.
4. If there’s no telephone number associated with the account, you will need to provide one now.
5. Type in the Twitter confirmation code that was messaged to the provided number.
6. Next you’ll get a Twitter backup code on the screen; make sure to save it, or take a screenshot and save that in a secure place. We’ll expand on why later in this article.
7. Click “Got it” to finish.

From now on, to get into your Twitter account on any device, be it Twitter mobile or desktop, an authentication code will be required, and that code will be messaged to your phone.

Read also: 2FA Chatbots vs. SMS Authentication

Twitter two-factor authentication with a code generator app

So we’ve established that Twitter two-factor authentication without a phone number is much preferable. But what are the alternatives? A 2FA code generator app for Twitter is a nice Twitter phone number bypass that provides more security than SMS ever could. A one-time Twitter code is generated directly on the smartphone, which eliminates a good portion of the vulnerabilities that can be exploited to gain unauthorized access to your Twitter account. A Twitter verification code hack is way harder to do if the password is not transmitted via GSM, or even the Internet....


TOTP Tokens Protectimus Slim NFC: FAQ

Posted by on 17:44 in Protectimus Products | 0 comments


The first programmable TOTP tokens, Protectimus Slim NFC, were released just a couple of years ago. Since then, we’ve received hundreds of orders, as well as hundreds of questions about how it works, how a programmable security key differs from a classic one, how to program tokens, and whether or not using this kind of OTP token is secure. In this article, I’ll explain how classic TOTP hardware tokens and programmable TOTP tokens work, show you how to program the Protectimus Slim NFC OTP token, and answer all the other common questions we get.

A table of contents for your convenience:
How do TOTP tokens work?
How does the authentication server verify one-time passwords?
How are classic TOTP tokens different from programmable ones?
Why are reprogrammable TOTP tokens better than the rest?
How can I tell whether the Protectimus Slim NFC token is compatible with a service?
How do I program the Protectimus Slim NFC token?
Frequently asked questions

How do TOTP tokens work?

TOTP means time-based one-time password. Correspondingly, there are two parameters used to generate one-time passwords using the TOTP algorithm:
1. The shared secret. A unique code, generally 16-32 Base32 characters long.
2. The current time interval (usually 30 or 60 seconds). Time intervals are counted from the beginning of UNIX time (which starts at the midnight between December 31, 1969 and January 1, 1970, UTC time). That means that for a TOTP device supporting 30-second intervals, the number of seconds that have passed since midnight on January 1, 1970 is divided by 30. The resulting number is used for generating a one-time password.

The OTP device processes these two values according to the TOTP algorithm (RFC 6238). The result is hashed, and the hash is truncated, leaving only the last 6 (sometimes 8) digits. The result is shown on the token’s display. In this way, we receive a time-based one-time password.

How does the authentication server verify one-time passwords?

For the two-factor authentication server to be able to verify one-time passwords and allow or deny access to accounts, it needs the same information: the same time interval and shared secret.

Time interval. Every server has a clock, which means it also has the ability to calculate the current time interval.

Shared secret. There are two options here:
1. The administrator can upload a CSV file to the server containing predetermined shared secrets (this is how classic tokens with hard-coded secrets are connected), or
2. The shared secrets can be generated by the server (this is how one-time password generator apps, like Protectimus Smart and Google Authenticator, are connected, as well as programmable hardware TOTP tokens).

This brings us to an explanation of the differences between classic and programmable hardware tokens.

Classic TOTP tokens: classic hardware 2FA tokens come from the factory with a hard-coded secret key that can’t be changed.
Programmable TOTP tokens: programmable OTP hardware tokens don’t come with a secret key. The user can add one to the token after obtaining it from an authentication server, as when using a smartphone app for authentication.

How are classic TOTP tokens different from programmable ones?

Classic TOTP tokens

Classic TOTP hardware tokens (Protectimus Two) are OTP tokens with predefined secret keys. To use classic OATH TOTP tokens, customers need the ability to upload the shared secrets...


Best Protectimus MFA Features for Financial Services Cybersecurity

Posted by on 15:25 in Protectimus Products, R&D | 1 comment


The financial services industry is inherently more at risk of cyberattacks than any other industry. The financial sector includes everything from investment consultants and stocks to insurance and banking; naturally, the money that flows within the financial industry is very tempting to hackers. In fact, according to Verizon’s 2019 Data Breach Investigations Report, 71% of recent cyber attacks were motivated by money itself, nothing else. Besides, as with every other aspect of modern-day life, more and more financial services are moving online. It is inevitable that cyber attacks on financial institutions become more frequent and more vicious. In response to this trend, financial data security standards have no choice but to evolve as well. This is why secure authentication has become one of the cybersecurity standards in recent years. 2FA service providers now cater to banking cyber security standards specifically. Protectimus is one such 2-factor authentication provider; our financial security solutions are fine-tuned, affordable and easily applied. Today we will look closely into what financial cyber attacks Protectimus MFA can protect from and how exactly we achieve the best results in this endeavour.

From what dangers does 2-factor authentication protect financial organizations

The vast majority of financial services cyber attacks start with compromised (stolen) login credentials. The bad news is that there are numerous ways to steal credentials:
phishing, vishing, smishing, pharming
brute force attacks
keyloggers
social engineering
man in the middle attacks
and many more.
The good news is that if you add two-factor authentication to the website login, you eliminate these threats.

Read also: The Most Common Ways of Credit Card Fraud

Why one password isn’t enough

We now know that the famous Yahoo hack back in 2013 affected an astonishing 3 billion accounts. The more recent Marriott data breach is estimated to have jeopardized about 500 million accounts. These numbers look terrifying, but they are a fact of the times. So much so that an FBI agent who investigates cyber attacks told the Wall Street Journal that every US citizen can expect that their personally identifiable data (all of it) has already been stolen and sold on the dark web. Yet “12345”, “test1” and “password” are still the most used passwords; one password is reused on average 13 times by employees; and stolen and reused credentials produced 80% of data breaches in 2019. Terrifying, isn’t it?

These are the reasons why information security in the banking and financial industry has to be taken more seriously. A simple and easily stolen user password is by far not enough to create any semblance of financial cyber security. That’s why we must insist: 2FA adds the much needed second layer to financial data security and has to be implemented by every financial service.

Read also: How to Choose and Use Strong Passwords

Why Financial Services Choose Protectimus’s 2FA Solution

There are quite a number of financial institutions among Protectimus clients, so we have had an opportunity to deeply understand the industry’s needs and fine-tune our solutions to cyber security in banking as well as to other types of financial cryptography and data security. The Protectimus MFA solution will protect both end-user accounts and the corporate infrastructure. We believe finance and cyber security have to go hand in hand, so we developed a feature for protecting transactions specifically (CWYS or Confirm What You...


Sophos 2FA with Hardware OTP Tokens

Posted by on 14:14 in R&D, Setup Guides | 0 comments


Sophos solutions allow for reinforcing Sophos 2FA (two-factor authentication) with Protectimus OTP hardware tokens by one of these two methods:
1. Enabling the ‘Auto-create OTP tokens for users’ feature. This automatic method allows for using our programmable Slim NFC token instead of the standard application for multi-factor authentication.
2. Disabling the ‘Auto-create OTP tokens for users’ feature. This manual method allows for adding the classic TOTP tokens Protectimus Two or Protectimus Crystal to generate the Sophos one-time password.
Both methods have their advantages, but the second one is a bit more advantageous. Today we will provide you with a guide on how to implement each of the two methods for your Sophos 2-factor authentication and answer the most common questions on Protectimus OTP tokens for Sophos client authentication.

Definitions

Let’s give a couple of definitions for a better understanding of what comes next, so you won’t have to google “What is OTP?” or “What is a token?” First things first: OTP stands for One Time Password. Once generated, one OTP is valid only for one single transaction. Now let’s move to the more complicated matters.
OTP secret — a completely unique 128-bit encryption key, used for password creation. Each user has his or her own secret.
OTP code — a time-limited one-time code, usually consisting of 6 digits, attached to the user password to allow authentication.
OTP token — an object that assembles each of the necessary authentication elements (User, OTP secret, OTP pass).

Read also: How does 2-factor authentication work?

How to Enable Automatic Creation of OTP tokens in Sophos

Note: To configure the programmable hardware token Protectimus Slim NFC you’ll need an Android smartphone with NFC support.

Virtually every Sophos product comes with this option (Sophos UTM, Sophos Central, Sophos XG Firewall and others). For example, Sophos Central 2FA can be done via SMS or a 2FA application, which allows for switching to our Slim NFC hardware token, and thus raising the Sophos 2FA security level to the highest. Let’s see the steps to enable this option.

1. Go to the One-Time Password tab. To do this, go to the Settings section at Configure > Authentication > One-Time Password.
2. Enable the Auto-create OTP tokens feature. To permit the OTP and Auto-create tokens features, simply switch both buttons to ‘on’; don’t forget the ‘Apply’ button at the bottom.
3. Get the QR code with the secret key. Go to the user login page at Sophos. Since we’ve turned the auto-create option on, the login page now offers a QR code.
4. Configure Slim NFC for Sophos multi-factor authentication.
4.1. Download and launch the Protectimus TOTP Burner application (available for Android only).
4.2. Turn on NFC.
4.3. Open the Protectimus TOTP Burner app and click on ‘Burn the seed’.
4.4. Scan the QR code with the secret key using your Burner app.
4.5. As soon as the QR code has been scanned, turn on your Slim NFC token. Hold the hardware device within the range of your phone’s NFC antenna, click “Continue” and wait for the confirmation message. Now your 2FA hardware token is ready to become your Sophos 2FA authenticator.
5. Log in by combining your user password with the OTP. Return to the User Portal and log in by combining your user password with your Sophos OTP generated using the Protectimus Slim NFC token. The...


2FA Chatbots vs. SMS Authentication

Posted by on 19:01 in Protectimus Products, R&D | 0 comments


In this article, we’ll explain what a bot for two-factor authentication is and how 2FA chatbots (two-factor authentication with messaging service chatbots) work. We’ll look at the pros and cons of this one-time password delivery method and figure out which is best: 2FA bots or SMS authentication.

Table of contents:
How did the Protectimus Bot token come to be?
How does two-factor authentication with chatbots work?
2FA Chatbots: the pros and cons
SMS authentication: pros and cons
In summary: 3 reasons to stop using SMS authentication and start using 2FA chatbots

How did the Protectimus Bot token come to be?

One of our clients (a payment system with 2,000,000 active users) was spending about $30,000 per month on SMS delivery. They were using SMS to send out one-time passwords and system notifications (withdrawal and deposit notifications, informational messages, etc.). This client gave us the task of developing a one-time password delivery method that would be just as convenient for end-users as SMS authentication, but more secure and less expensive. The solution we came up with while looking for SMS two-factor authentication alternatives is using 2FA chatbots on messaging services. Additionally, the Protectimus 2FA chatbots can be used to deliver both one-time passwords and notifications of any kind. Now, our client is saving about $20,000 per month that they used to spend on SMS messages. 2FA chatbots in instant messaging apps solve the majority of problems associated with SMS authentication: first, it’s more secure; second, it’s FREE! What’s more, chatbots are virtually just as easy to use as SMS.

How does two-factor authentication with chatbots work?

Currently, the ProtectimusBot chatbot is available on three messaging services:
Facebook Messenger
Telegram
Viber
Practically every smartphone user already has at least one of these free messaging apps installed. When a user enables two-factor authentication via Messenger, Telegram or Viber they:
1. Choose one of the messaging services listed and find the ProtectimusBot on it.
2. Request their unique ID using the /getid command.
3. Input the ID they receive into the system they wish to protect.
Then, the Protectimus two-factor authentication service will create a token and send it to the user via the 2FA chatbot. The user confirms that they received the one-time password by inputting it into the appropriate field. This also completes the token issuing process. After that, all one-time passwords and messages from the service will be sent through the 2FA chatbot. Two-factor authentication using chatbots in messaging apps for Android and iOS is free for both our clients and their end-users. You’ll find an example of how the Protectimus Bot token is issued in the video below.

https://youtu.be/gvFl2AQqz94

Let’s look into the technical side. The chatbot-based software OTP token supports all two-factor authentication algorithms: HOTP, TOTP, and OCRA. Because of this, the ProtectimusBot 2FA chatbots also support CWYS (Confirm What You See) data signing functionality. Data signing involves generating a one-time password based on data from the operation the user is performing; for example, transaction data can be used: the amount, currency, recipient, time, etc. This feature is indispensable for payment systems and banks. It’s impossible to use a one-time password generated on the basis of such unique data to sign an illicit transaction, even if an attacker intercepts the OTP. Currently, only four Protectimus tokens...


2FA Security Flaws You Should Know About

Posted by on 14:07 in R&D | 0 comments


Hackers are not lazy; they evolve fast, so relying on old security measures is a terrible idea. Today we will look into how secure two-factor authentication is in general, what methods are used to hack 2FA, and up-to-date ways to protect yourself against those account hacks. Finally, you will get answers to the most recurrent questions on 2FA security.

How secure is two-factor authentication? Is two-factor authentication safe?

All accounts (emails, apps, online stores, etc.) are protected with a user password; it’s been done that way for ages. Unfortunately, passwords like “123456”, “qwerty” and “password” have been the most used ones for ages too. They still are, however mind-boggling that is. 2FA authentication adds a second layer to the common user password protection. The second security factor can be either something you have (your cellphone or hardware OTP token) or something you are (your fingerprint). In addition to something you know (the password), it creates another way for the server to confirm you are who you say you are. So an account protected with dual authentication is much harder to hack into, even if the user password is easy to compromise. The strengths of one factor surpass the vulnerability of the other. But is two-factor authentication hackable? It is if you let it. Let’s take a look at how.

How would hackers bypass a two-factor authentication system?

1. Real-time phishing

2FA was created to fight against phishing as a login weakness. Lo and behold, the hackers came up with a new two-factor authentication hack: real-time phishing. A fake website that looks exactly like its legitimate counterpart is set up. Then the hacker sends the target an email prompting them to log in for whatever reason (account expiration, some action needing to be taken, etc.). The user goes to the login page, which looks and works exactly like the one the user expects to see, and logs in using their user password. Then the fake website asks for the second factor, just like the legitimate one would; the user complies and enters the OTP (one-time password), and the phishing website captures both passwords. In the background, the hacker has a few seconds to use the combination to get into the real account.

2. Social Engineering

This is a popular social engineering scheme: a criminal impersonates the target’s bank or a service provider (there have been cases when a crook impersonated even a law enforcement agent) and tricks the user into disclosing the OTP. However many warnings are issued, and however often account providers tell their customers never to trust such calls, social engineering attacks are still very successful.

3. Man in the middle and man in the browser attacks

A man in the middle attack implies that the hacker inserts himself in the middle of the two systems’ communication. This can be done either with a fraudulent cryptographic certificate, by inserting fake root certificates in the target’s browser database of trusted certificates, or by compromising a root certificate authority listed in the database. As a result, two connections are created, client-attacker and attacker-server, instead of a single client-server one. Once the connection is intercepted the hacker can read and modify the transactions done via the connection. Man in the browser uses a Trojan horse to intercept and manipulate the transactions...


How to Protect Yourself From Email Hacking

Posted by on 19:57 in R&D | 3 comments


We have almost stopped writing paper letters, those on crisp brand-new sheets. The lion’s share of correspondence is now sent via email. And often it is not even personal correspondence. For personal purposes, we have different messengers and can have an interactive dialogue. Usually, emails are used for sending business letters, which contain sensitive information. Thus, email data protection is extremely important, and you should know how to protect yourself from email hacking.

Forewarned Is Forearmed: How Email Hacking Is Usually Performed

By the phone number. If your phone number is connected to your email account, and a hacker knows it, the following scheme can be used. The hacker contacts the mail service to reset the password and specifies the real user’s phone. The mail service sends a code to this phone number to confirm the password change. The hacker, in turn, sends an SMS as if on behalf of the mail service, asking the user to report this code. If the account owner does not notice the difference in the addresses of the two SMS senders, the hacker will get the one-time password and use it for their own purposes.

Using a Trojan virus. One of the most convenient ways of email hacking is to install a Trojan virus on a victim’s computer. The malware is usually sent in the form of a link in the email. The only difficulty is to convince a user to follow this link. Since only the most naive people now fall for the freebies, which were so popular previously, the cyber hackers had to change their attack style. Now, the virus-infected email may look like a letter from the bank or internet provider: with seals, logos, and an offer to download a file with new rules or to install a client-bank software system. Trojans are constantly being improved. Unfortunately, antivirus software cannot detect all of them.

By getting physical access to the victim’s computer. Having an opportunity to be alone with the victim’s computer at least for a short time, the hacker can install a key logger or a password recovery program. In the first case, special key logger hardware or software will record everything the user is typing (including passwords), and then the logs are emailed to the hacker’s address. With the help of password recovery tools (which generally are not detected by antiviruses), the ready-made data can be received immediately. There is a simpler version of email hacking, even without special programs. Just copy the Cookies catalog and analyze it with a password search tool. However, this can only work if passwords are stored in the browser. And this is exactly what the vast majority of users do.

Using social engineering. The hacking of CIA director Brennan’s email account has become one of the most notorious recent scandals. It is surprising that the email of the Head of the Intelligence Agency was hacked by a teenager who had no deep technical knowledge. The young hacker contacted the mobile operator, introduced himself as a technical support employee and found out all of Brennan’s personal information he needed. Then he called his email service customer support on behalf of the account owner and asked for password recovery. Since the necessary information (account number, phone number, PIN code, etc.) had already been received...
