Latest news with #2FA


Forbes
20 hours ago
- Forbes
Google Password Warning—50% Of Smartphone Users Now At Risk
Are you now at risk? Google is on a mission to push users to upgrade the security on their accounts. 'We want to move beyond passwords altogether,' it says, as a tidal wave of password attacks continues to make weekly headlines. Google's advice is to move to passkeys, which link your account security to your device security, meaning there are no passwords or even two-factor authentication (2FA) codes to steal. But the company's update includes a much more serious warning for most users.

At a headline level, Google's new 'Scams and Protections' report, pulled together with Morning Consult, found that 'when it comes to online protection, U.S. consumers turn to traditional security practices such as unique passwords and 2FA.' But it's much worse than it sounds. When asked about 'security practices used for personal online protection,' it turns out that while 60% of U.S. consumers 'use strong, unique passwords,' less than 50% — across all age groups — 'enable 2FA.' In fact, while the use of passkeys varies materially across groups (40% of Gen-Z and only 26% of Baby Boomers), the adoption rate for 2FA is between 46% and 48% across all generations. That's remarkably consistent and remarkably worrying. All of those users not enabling 2FA should consider themselves at risk.

Scams and Protections (June 2025)

There are now very few online accounts that don't offer 2FA, albeit with some notable exceptions, such as Netflix. SMS codes are still the most popular and most persistent form of 2FA, but also the most dangerous: they are open to on-device interception or to more sophisticated SIM jacking or network attacks. There are better options — but even using SMS is better than not using anything at all. The stats suggest more than half of U.S. consumers do not enable any form of 2FA and rely on just User IDs and passwords. That's the equivalent of leaving your front door unlocked, with a sign saying 'please don't come in.'

Relying on passwords alone — given the scale of password breaches and attacks — is almost akin to no security at all. Yes, those passwords are strong and unique and maybe even updated on a regular basis, but once there's a breach, there's a breach. And if an attacker has your combination of User ID and password, then they can hammer other logins with the same credentials. The 2FA adoption rate has stalled. It increased from 33% to 45% between 2017 and 2023, but now remains stuck below 50% even as it's made mandatory on many accounts. Even at an enterprise level, where Microsoft has consistently said 2FA blocks more than 99% of attacks, 'only 57% of global organizations have fully implemented 2FA.' As for what you should use — passkeys are best, given the ease of use and linkage to your device. An authenticator app is next best, again linking to a device but with some risk of interception or socially engineered trickery to get users to share codes. Use whatever form of 2FA is easiest — even SMS if you must, but use something.


West Australian
02-06-2025
- Business
- West Australian
'Days are limited': Macquarie Bank makes huge call on two-factor authentication, warns system is not secure
The fifth largest lender in Australia has highlighted the security risk of two-factor authentication models that rely on text messages, calling the technology outdated. According to Macquarie, traditional SMS two-factor authentication (2FA) – which is widely used in Australian banking – relies on insecure technology and often provides limited information. Macquarie Bank head of deposits Olivia McArdle said the lack of detail in these messages means recipients may not know what they are approving and can't distinguish whether the action was initiated by the customer or by a scammer. 'We think the days of Australian banks relying solely on SMS to verify customer account activity are numbered,' she said.

The warning comes a month after the major super funds announced cyber breaches, yet they have still not made models such as 2FA standard. In March, hackers were able to gain access to five of the largest super funds in Australia through 'credential stuffing' – which uses stolen usernames and passwords sold on the dark web. The attackers exploit the fact that people often reuse the same passwords for different accounts; security measures such as multi-factor authentication (MFA) help to slow down these types of cyber attacks. Super Consumer Australia chief executive Xavier O'Halloran said the breach follows consistent warnings from regulators and consumer advocates that superannuation funds are lagging behind on cyber-resilience and fraud protection. 'Australians are legally required to put their money into super. Today's news is chilling when we know super funds aren't doing enough to protect Australians' retirement savings,' Mr O'Halloran said. 'When something goes wrong, too many people are being left without support, answers, or access to their own money.'

Macquarie Bank said Australians are demanding more security than 2FA via a text message. 'The vulnerabilities are clear and customers, who are seeing the risks themselves, are voting with their feet,' Ms McArdle said.

Five tips to watch when using SMS for 2FA

Macquarie says that while more needs to be done, there are a few things Australians can watch out for to stay safe.

1. Check the detail: Due to the limitations of SMS 2FA, Aussies might not know exactly what they are approving and should not take action unless they have full confidence the
2. Impersonation scams: Scammers may impersonate your bank, urgently requesting authorisation codes via SMS to 'stop a scam', but will actually use these codes to compromise a device.
3. Spoofing: Scammers may trick you into sharing personal or financial details via SMS. These fraudulent messages typically contain links to fake websites that prompt victims to share their sensitive banking data, so Australians are urged not to click on links in a text.
4. Pop-up SMS: Scammers can deliver a pop-up or flash SMS to your phone. These appear directly on your lock screen and are not saved to your inbox, which prevents them from being reported or traced.
5. Phone porting: Although this scam has reduced in prevalence, scammers can in some instances illegally transfer your phone number to another telecommunications provider without your consent. This enables them to receive all your messages and use this access to compromise your account.
Yahoo
29-05-2025
- Business
- Yahoo
The simple security setting everyone should switch on to avoid being hacked
Online hacking, cyberattacks and fraud are booming, with research from Britain's National Cyber Security Centre (NCSC) suggesting that 80% of fraud is now 'cyber-enabled'. But what can you do yourself to protect your devices and accounts from attacks? The protections on online accounts such as email and social media are often the only thing standing between people and a dangerous cyber attack – and these are often too weak to be effective.

Analysis by the NCSC of passwords leaked in previous data breaches (when criminals leak data online) found that 232 million accounts had used the password '123456', while the password 'Chelsea' was used 216,677 times and 'Liverpool' 280,723 times. The National Fraud Intelligence Bureau (NFIB) said that there was a 46% increase in offences referred by Action Fraud for the year ending 2024, due to rises in social media and email hacking offences and virus and hacking offences.

So how can you stay safe from hackers? Setting up two-factor authentication, or 2FA – also known as multi-factor authentication, or MFA – on your accounts is an important first step, explains Darren Guccione, CEO and co-founder at Keeper Security. The UK's NCSC advises all individuals to use 2FA, particularly on important accounts such as banking and email. Indeed, research by Microsoft suggests that using 2FA can block 99.9% of 'account compromise' attacks where criminals steal passwords. Two-factor authentication is where you secure your account with another layer, such as having to receive a code via text message. This is significantly more secure than relying on a password alone, as it means that (for example) if your password is leaked, or someone guesses it, they still can't access your account.

"2FA works by providing a critical second layer of security before someone can access an account," says Guccione. "This can be done through an authenticator app, SMS message, hardware security key or biometric verification (using facial scans, eye scans or fingerprints). These factors are often time-sensitive, losing validity after a set amount of time to ensure that they cannot be reused. By reducing reliance on passwords alone, 2FA helps protect against phishing and other common cyber threats, making it a simple yet powerful tool for enhancing online security."

Platforms such as email and social media will always offer an option to set up 2FA on accounts – look for it under Settings, Security or Privacy, says Guccione. It can work via either email, SMS or a dedicated app, so pick an option that will be easily accessible when you need to log in. "Users may register their phone number or email address, which will receive a 2FA code when login is attempted, or link their account to an authenticator app to generate a code," he says. This means that users will receive a text or email to check who they are, or alternatively an alert where they may have to enter a code. This locks out attackers who may have access to someone's email, and thus deters many automated or mass attacks.

It is much harder for cybercriminals to get into accounts protected with 2FA, Guccione explains, but not all 2FA methods are 100% secure. Text message codes are weaker than other protection methods, as criminals can sometimes intercept codes or create a SIM card with the same number by fooling phone network employees. "While 2FA offers an important layer of protection against credential theft and breaches, not all 2FA methods are equally secure – SMS-based codes can be intercepted by bad actors, so authentication apps offer stronger protection," says Guccione.

It's still worth ensuring that all passwords are strong, secure and unique – particularly for your email account, as criminals can use this to reset other passwords. Guccione advises using a password manager app to store passwords, which makes it easier to use unique passwords for each account. And even if you use 2FA, stay alert, Guccione advises. "2FA alerts on a smartphone can serve as a critical warning sign that your account's credentials have been compromised, providing an opportunity to update your password before the account is breached." While some organisations like Google are moving to make 2FA mandatory across all accounts for services such as Gmail, many lag behind. Just 40% of British businesses had applied mandatory two-factor authentication, according to the latest NCSC Cyber Breaches Survey, published April 2025.

Engadget
22-05-2025
- Engadget
A huge unsecured credential database discovery is a great reminder to change your passwords
Today's report by security expert Jeremiah Fowler of a massive unsecured database full of usernames and passwords shouldn't necessarily frighten you, but it should spur you to action. If you have any weak passwords protecting accounts with sensitive information, or if you've reused the same password — however strong — on multiple accounts, now would be an excellent time to change them and set up two-factor authentication.

Fowler reported on Website Planet that the database, which he found unlocked and without any encryption on an anonymously registered server, contained a little over 184 million records. These included usernames, emails, passwords, and direct links to the URLs for logging into the relevant accounts. While Fowler was able to get the hosting provider to lock the server, he couldn't find any hard evidence about who compiled the database, nor whether they had used or shared the information.

There are a couple of reasons not to panic here. 184 million records exposed doesn't mean 184 million people exposed — it's just the number of rows in the database. If the info was gathered through malware, as Fowler believes, it's likely to have gathered multiple records from every infected device. That's obviously still bad, but fewer people have been affected than it may seem from the number alone. The database also contained no information that could be used for two-factor authentication, so anyone with a second factor set up has much less reason to worry. Don't forget, though, that one weakly secured account is a liability to the others. For example, a hacker could gain access to your email, then use that access to break through 2FA on your bank account. The potential consequences of having your password stolen are severe enough that it's worth taking common-sense steps. Since the database wasn't leaked on any of the usual dark web sources, its data likely won't show up on breach checkers like HaveIBeenPwned.

However, Fowler did share with Wired reporters that he tested a sample of 10,000 fields in the database, and found passwords to the following platforms:

- Facebook
- Google
- Instagram
- Roblox
- Discord
- Microsoft
- Netflix
- PayPal
- Amazon
- Apple
- Nintendo
- Snapchat
- Spotify
- Twitter
- WordPress
- Yahoo
- Online banks
- Online wallets
- Healthcare web apps
- Government employee accounts

If you have an account on any of those platforms without two-factor authentication, we recommend changing your password and setting up 2FA as soon as possible. Pay special attention to platforms like Roblox and Nintendo where your kids might have set up their own accounts and not bothered with 2FA. As Fowler points out in his blog post, even seemingly innocuous accounts might have personal information lying around.


Indian Express
15-05-2025
- Indian Express
89 million Steam accounts not hacked, confirms Valve
Valve, the company that owns Steam, the world's largest digital distribution platform for PC games, has confirmed that its systems weren't breached. The statement comes after a dark web monitoring group posted on LinkedIn that a threat actor going by the name Machine1337 was offering to sell user records of more than 89 million Steam users for just $5,000. The threat actor added that they had some 'sample data' as proof and shared a Telegram number to see if anyone was interested in purchasing them. Unsurprisingly, this caused a lot of panic amongst Steam users, following which numerous communities and publications advised Steam users to change their passwords and enable two-factor authentication for security purposes.

In a blog post, Valve has now issued a statement and clarified that the 'leak consisted of older text messages that included one-time codes that were only valid for 15-minute time frames and the phone numbers they were sent to. The leaked data did not associate the phone numbers with any Steam account nor did it contain any passwords, payment information or any other personally identifiable data.' Valve also said that these old messages cannot be used to hack any Steam accounts and that users will receive a code whenever they try to change their email or password using SMS. In a recent report, Bleeping Computer claims that when it examined some of the leaked files, which contained around 3,000 records, it found that some of the records are relatively new, with some messages dating to March.

Valve also said that Steam users have no need to panic and that they do not need to change their passwords or phone numbers. The company also recommended that users set up the Steam Mobile Authenticator app, as it enhances account safety. For those wondering where the leak originated, Valve says that it wasn't a Steam leak. However, there are claims that the leaked data came from the cloud communications company Twilio, which may be handling the 2FA codes for Steam.