Happy anniversary of getting the bejeezus hacked out of you, LinkedIn!
Maybe the timing is just a coincidence, but the career-toned social networking site got savagely hacked on 5 June 2012.
Cybercrooks stole about 6.5 million passwords, over 60% of which were cracked within the span of one measly day.
The attack resulted in a variety of nastiness, including a pump-and-dump stock scam and a $5 million class action lawsuit (dismissed in March).
On Friday, very close to one year later, LinkedIn announced that it’s now offering two-factor authentication (2FA).
Following in the footsteps of Twitter, which turned on 2FA in May, LinkedIn is now giving users the option of using something stronger than a password and user name to protect their accounts.
2FA, aka two-factor verification, requires users to type a numeric code when logging into their accounts from a new or unknown computer or device for the first time. LinkedIn sends the code to users’ phones via SMS.
LinkedIn points out that when 2FA is enabled, it’s more difficult for attackers to breach your account, given that they need both your password and access to your mobile phone to do it – i.e., two factors.
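To make the mechanism described in the previous two paragraphs concrete, here is an added example (written for this page, not LinkedIn's own code, and not a description of how LinkedIn's servers actually work) of the server side of an SMS-code check in Python. It assumes a five-minute code lifetime, a cap of five wrong guesses per code, a device identifier that the site remembers once a code has been accepted, and an injected send_sms callable standing in for a real SMS gateway; all of those are assumptions, not details taken from the article.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

CODE_TTL_SECONDS = 300   # assumed policy: a code is only good for five minutes
MAX_ATTEMPTS = 5         # assumed policy: discard the code after five wrong guesses


@dataclass
class Challenge:
    """One outstanding SMS code, tied to the device whose login triggered it."""
    code: str
    device_id: str
    issued_at: float
    attempts: int = 0


@dataclass
class Account:
    username: str
    phone: str
    trusted_devices: set = field(default_factory=set)   # devices that have passed 2FA before
    pending: Optional[Challenge] = None


class SecondFactor:
    """Issues and checks SMS codes for logins from devices the account has not seen before.

    send_sms is injected (a callable taking phone and text) so the example runs offline;
    now is injected so tests can move the clock.
    """

    def __init__(self, send_sms: Callable[[str, str], None], now: Callable[[], float] = time.time):
        self.send_sms = send_sms
        self.now = now

    def after_password_ok(self, account: Account, device_id: str) -> bool:
        """Call only once the password has been verified.

        Returns True if the device is already trusted (login complete) or
        False if a code was sent and must be verified first.
        """
        if device_id in account.trusted_devices:
            return True
        # Six digits from the CSPRNG; the format keeps leading zeros.
        code = f"{secrets.randbelow(10**6):06d}"
        account.pending = Challenge(code=code, device_id=device_id, issued_at=self.now())
        self.send_sms(account.phone, f"Your verification code is {code}")
        return False

    def verify(self, account: Account, device_id: str, submitted: str) -> bool:
        """Check a submitted code; on success the device becomes trusted."""
        ch = account.pending
        if ch is None or ch.device_id != device_id:
            return False                 # no code outstanding for this device
        if self.now() - ch.issued_at > CODE_TTL_SECONDS:
            account.pending = None       # expired: the user must request a fresh code
            return False
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS:
            account.pending = None       # too many guesses: a fresh code is required
            return False
        if not hmac.compare_digest(ch.code, submitted):
            return False                 # wrong code; the attempt has been counted
        account.pending = None           # a code is accepted at most once
        account.trusted_devices.add(device_id)
        return True
```

The points worth noticing are the ones the article's one-sentence description leaves implicit: the code comes from a cryptographic random source, it is bound to the device that triggered it, it expires, it is single-use, wrong guesses are counted so a six-digit code cannot simply be brute-forced, and the comparison is constant-time. In a real deployment the device identifier would be a long random cookie set on the browser rather than a name. None of these checks help against the case the article goes on to describe, where a phishing site relays the genuine code to the genuine site in real time.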
Not that 2FA is a surefire way to keep your LinkedIn account from getting hacked, mind you. Securing your account depends, as well, on how vulnerable you are to phishing attempts, which can result in man-in-the-middle attacks.
As Graham Cluley noted when Twitter turned on 2FA, the extra security won’t help in the event of a man-in-the-middle attack, which could intercept the six-digit passcode, along with your account password and user name, be it Twitter or LinkedIn or fill-in-the-blank online service.
That means we should all be double-checking that when we enter all those login crown jewels, we’re really on the genuine, secure https LinkedIn site.
LinkedIn offers the option of browsing over a secure (https) connection alongside the toggle that turns on 2FA; both are found under your account’s security settings.
When you turn on 2FA in LinkedIn, just make sure that the secure browsing box above it is checked as well.
This is a good move on LinkedIn’s part.
Lord knows that users need something stronger than passwords to protect them.
As Sophos’ Chester Wisniewski noted the day after the LinkedIn hack last June, SophosLabs determined that all but two of the passwords used by the Conficker worm to spread through Windows networks were used by someone in the 6.5 million user password dump.
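The Conficker finding above is the usual argument for screening new passwords against a list of ones already known to be abused, rather than trusting length rules alone. Here is an added example of such a check in Python, written for this page and not taken from Sophos or LinkedIn. The blocklist in it is a small constructed sample in the style of the passwords Conficker tried, not the worm's actual list, and the twelve-character minimum is an assumed local policy.

```python
import re
from typing import Optional

# Constructed sample of widely abused passwords, of the sort worms like Conficker
# try against Windows shares. This is NOT the actual Conficker list; it is a
# stand-in so the example runs offline. A real deployment would load a large
# breach-derived list instead.
ABUSED_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein", "admin",
    "welcome", "login", "test", "secret", "abc123", "iloveyou",
}

# A trailing run of digits and punctuation, e.g. the "123!" in "Password123!".
_TRAILING_NOISE = re.compile(r"[\d!@#$%^&*._-]+$")


def _stem(candidate: str) -> str:
    """Lower-case the candidate and strip trailing digits/punctuation,
    so that 'Password1!' is checked as 'password'."""
    return _TRAILING_NOISE.sub("", candidate.lower())


def reject_reason(candidate: str, username: str = "") -> Optional[str]:
    """Return why a candidate password should be refused, or None if it passes.

    The list checks run before the length check so that a well-known password
    is reported as such rather than merely as too short.
    """
    lowered = candidate.lower()
    if lowered in ABUSED_PASSWORDS:
        return "on the abused-password list"
    if _stem(candidate) in ABUSED_PASSWORDS:
        return "a trivial variant of an abused password"
    if username and username.lower() in lowered:
        return "contains the user name"
    if len(candidate) < 12:   # assumed minimum-length policy
        return "too short"
    return None
```

The variant check matters more than the exact-match check: people who are told "password" is banned tend to submit "Password1!" next, which the stem comparison catches. Returning a reason rather than a bare boolean lets the sign-up form tell the user what to change without revealing the list itself.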
Will those who used already-abused passwords be savvy enough to turn on 2FA?
Let us pray.
And, perhaps, nag, wherever nagging may pay off.
If you want to learn more about two-factor authentication, listen to the great TechKnow podcast that Paul Ducklin and Chet Wisniewski recorded on the subject earlier this year:
(15 April 2013, duration 16’25”, size 9.9MBytes)
For those not using SMS on their phone, you can use Google Voice as your 2FA phone number with Linkedin. The SMS will go to your GV account (and/or GMail). Just remember to secure your Google account at all times, such as your laptop (as shown in 'Gone in 2 seconds' video).
I still can't enable 2FA on Twitter because Twitter doesn't support my carrier yet…
I had no issues with LinkedIn though – it was very easy to set up.
Just a couple of days ago, I clicked on Linked In and "invited" a couple of friends to Link Up, mainly because I know they are computer savvy enough to NOT use FB. I then received A LOT of emails from Linked In saying so-and-so said yes. About 10% of the names I sort of recognized, but did not invite. Friends of friends of friends, maybe. Did the phishing flaw do this? What do I do now? Thank you. Identity theft is really getting me down.
It's about time. Finally people are starting to understand that username & password just are not good enough anymore. Also the idea of using your e-mail as a user name is pure idiocy. My question is when will the banks figure it out?