Google has had none of its 85,000+ employees successfully phished since early 2017, when it reportedly dropped the use of its own Authenticator app and switched to a U2F model.
[Note: This is a guest article submitted by Marco Paez]
All Top Crypto Exchanges Currently Use Google Authenticator
The move was necessary, as recent data released by the APWG reported that phishing attacks have tripled since 2013, with over 246 million user attempts made to access over 1.2 million phishing sites in 2017 alone. All of the top 25 cryptocurrency exchanges currently use Authenticator for 2FA.
Google Authenticator was widely viewed as an improvement on the SMS-based 2FA model after the US National Institute of Standards and Technology (NIST) released guidelines stating that SMS-based two-factor authentication should be banned due to serious security concerns. Authenticator and industry competitor Authy became the second-generation 2FA models, built to address the vulnerability of mobile text codes being intercepted by hackers.
Both of these technologies require users to enter one-time, app-generated codes onto websites, which avoids the vulnerable mobile network. However, this still leaves both employees and consumers just as open to phishing attacks via email links and spoofed sites. An unsuspecting user enters the security code from the app onto a linked spoof site, and the hacker immediately takes that code and enters it into the real site, gaining access to the user’s account.
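To make the difference concrete, here is an added example (not code from the article or from any of the vendors it names) that implements RFC 6238 TOTP as Authenticator and Authy use it, beside a simplified U2F-style response in which the browser signs over the origin it is really on. The site names, device key and challenge are constructed, and an HMAC stands in for the security key's per-site ECDSA signature.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1 over the time counter, dynamically truncated)."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def verify_totp(secret: bytes, code: str, t: int) -> bool:
    # The server checks only the digits; nothing in them records where they were typed.
    return hmac.compare_digest(totp(secret, t), code)


def sign_origin_bound(device_key: bytes, origin: str, challenge: bytes) -> str:
    # U2F-style: the browser, not the user, supplies the origin it is actually on,
    # and the device's answer covers both that origin and the server's challenge.
    # (HMAC stands in for the per-site ECDSA key to keep the example short.)
    return hmac.new(device_key, origin.encode() + b"\x00" + challenge, hashlib.sha256).hexdigest()


def verify_origin_bound(device_key: bytes, expected_origin: str, challenge: bytes, response: str) -> bool:
    # The real site verifies against its own origin, never the one the user saw.
    return hmac.compare_digest(sign_origin_bound(device_key, expected_origin, challenge), response)


REAL_ORIGIN = "https://exchange.example"        # constructed
SPOOF_ORIGIN = "https://exchange-1ogin.example"  # constructed look-alike domain


def relay_outcome(now: int) -> dict:
    """Which second factor survives a spoof site that forwards the victim's input in real time?"""
    seed = b"12345678901234567890"    # RFC 6238 test secret, used as a constructed user seed
    device_key = b"constructed-device-key"
    challenge = b"nonce-from-real-site"  # forwarded from the real site unchanged

    # TOTP: the code typed on the spoof site is just as valid on the real one (same time step).
    totp_accepted = verify_totp(seed, totp(seed, now), now)

    # U2F: the victim's browser signs over SPOOF_ORIGIN, so the real site's check fails.
    forwarded = sign_origin_bound(device_key, SPOOF_ORIGIN, challenge)
    u2f_accepted = verify_origin_bound(device_key, REAL_ORIGIN, challenge, forwarded)
    return {"totp_relay_accepted": totp_accepted, "u2f_relay_accepted": u2f_accepted}
```

Run `relay_outcome(59)` to see the TOTP code accepted and the origin-bound response rejected; the same check with `REAL_ORIGIN` on both sides succeeds, which is the legitimate login.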
Phishing Attacks a Growing Concern
These sophisticated phishing schemes have become increasingly difficult to discern over the past few years. According to a recent Verizon Data Breach Investigations Report, 30 percent of phishing messages get opened by targeted users and 12 percent of those users click on the malicious attachment or link.
It was noted in PhishMe’s Enterprise Phishing Resiliency and Defense Report that phishing attempts have grown 65 percent in the past year. And with 1.5 million new phishing sites being created each month according to the latest Webroot Threat report, this leaves many users more vulnerable than ever.
Intel Security published a consumer knowledge study of over 19,000 people from 144 countries about their ability to detect phishing emails and found that an astonishing 80 percent of respondents got at least one answer wrong, which puts the odds handily in favor of the hackers.
These issues seem to be most dire in the cryptocurrency sphere. It’s estimated that $1.1 billion worth of cryptocurrency was stolen in the first half of 2018 alone, and, according to Carbon Black, an award-winning cybersecurity firm in the field, it was relatively easy to do.
An online search for any major cryptocurrency exchange and “hacking” comes back with results on Reddit and Twitter littered with complaints of accounts being completely drained — even with Google Authenticator 2FA enabled.
Besides email scams, many cryptocurrency users are stumbling onto these spoof sites via Google searches for their exchange (such as searching for “binance.com”), which led industry leader Binance to issue a public statement warning users to keep the site bookmarked at all times and not to reach it through Google search. Binance states that its engineers are looking at new ways to boost security measures.
This past month a new third-generation 2FA technology, the Hydro mobile app, was released to the market, incorporating anti-phishing measures that the current second-generation authenticator apps in the field do not provide.
The crypto-based Hydro app was designed so that one-time codes are generated first by the confirmed real website and only then entered into the blockchain-secured app on the user’s phone to authenticate.
This protects the user from entering any security credentials on a spoofed site linked from a convincing-looking official email. The firm behind this technology, Hydrogen, winner of “Fintech Start-Up of The Year” for 2018, has recently signed a long-term partnership deal with TD Bank, a top-15 world bank.
This third-generation 2FA model and the physical security-key U2F model are now the most secure ways of protecting sensitive information and consumer financial accounts. As 2FA technology evolves, more financial institutions and crypto exchanges will be taking a look at these third-generation models, which are more secure both in-house and for the billions of financial customers around the globe.
What do you think about cryptocurrency exchanges using Google Authenticator 2FA? Let us know in the comments below!
Images courtesy of Shutterstock.