Be cyber, smart phone savvy with two forms of ID

Published Oct. 10, 2014
By Lt. Col. James Trachier, 60th Communications Squadron commander

TRAVIS AIR FORCE BASE, Calif. -- Almost anyone who follows the headlines will be familiar with Heartbleed and the recently announced Shellshock vulnerabilities. Although U.S. Cyber Command takes precautions to protect Department of Defense networks from such flaws, military members should still take steps to protect their personal online accounts from compromise. This means not only changing passwords frequently, but also using two-factor authentication wherever it is offered.

As the term implies, authentication is the means by which you prove that you are who you claim to be. There are three basic forms of authentication: something you know, such as a password or a personal identification number; something you have, such as a common access card; and something you are, such as a fingerprint or retina pattern. Requiring two or more of these categories is referred to as multi-factor authentication. Note that the factors must come from different categories: a password plus a PIN is still only "something you know" and does not count. Multi-factor authentication offers much stronger assurance that you, as the person requesting access to a computer network, bank account or secure facility, actually meet the requirements for access.

Using a DOD CAC for network access is a form of two-factor authentication familiar to DOD employees. Members must have their CAC and know their PIN to log in; having only one is insufficient.

Multi-factor authentication is becoming increasingly popular in the commercial sector as well, which helps limit at least some of the damage from vulnerabilities such as Heartbleed and Shellshock. For example, a cyber-thief might use an exploit to steal a victim's email account credentials and then comb through the victim's email archives to build a list of their online accounts. The thief, impersonating the victim, could then request that a password reset for the victim's online banking account be sent to the compromised email account.
If the bank uses two-factor authentication, it might send a one-time authentication code by text message to the real account holder's cell phone. The thief cannot complete the reset without that code, and the unexpected text alerts the account holder that someone is tampering with the account. Codes sent by text message can still be captured by an attacker who takes over the victim's phone number, so an authenticator app or hardware token is a stronger second factor where the service offers one.

Text messages are a convenient way to receive authentication codes, but apply the same scrutiny to an unexpected text as you would to an unsolicited email, especially if it contains an unfamiliar link. According to a recent Department of Homeland Security report, attackers also use text messages to spread mobile malware, including so-called "ransomware" that locks the recipient's smart phone until the culprit is paid. The current going rate for the "ransom" is $300. DHS recommends the following practices to prevent, mitigate and recover from a mobile ransomware infection:

· Download applications and updates only from trusted sources
· Ensure antivirus/antimalware software is installed and up to date
· Back up the data on your mobile device regularly
· Recognize that paying a ransom may not unlock the device as promised, or may unlock it only temporarily
· Set mobile device permissions so that applications cannot take control of the device
· Review the US-CERT security tips on safe browsing at https://www.us-cert.gov/ncas/tips

Information technology, especially smart phone technology, makes our lives easier in many ways, but we must remain wary of threats to our online privacy and security. Two-factor authentication and sound mobile device security practices help protect the systems and devices we rely on to manage our busy lives.
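Returning to the bank password-reset scenario above: the following is an added example, not code from this article or from any real bank, showing how a service can gate a password reset on a one-time code sent to the registered phone rather than to the e-mail address the thief controls. The service class, the user name, the phone number and the in-memory SMS gateway are hypothetical. The checks it demonstrates are the ones a practitioner expects of such a flow: the code is never returned to whoever requested the reset, it expires, it is single use, and it is voided after a handful of wrong guesses, so a thief holding only the victim's e-mail can neither read it nor brute-force it.

```python
"""Added example (not from the article): a password-reset flow gated by a
one-time code delivered out of band to the account holder's phone.
All names, the account data and the fake SMS gateway are hypothetical."""
import hashlib
import hmac
import re
import secrets
import time

CODE_TTL_SECONDS = 300   # a code is honoured for five minutes
MAX_ATTEMPTS = 5         # wrong guesses before the pending code is voided
CODE_DIGITS = 6


class ResetService:
    """Hypothetical bank back end: holds phone numbers, passwords and
    pending reset codes, and talks to an SMS gateway through send_sms."""

    def __init__(self, phones, send_sms, clock=time.time):
        self.phones = phones          # user -> registered phone number
        self.send_sms = send_sms      # callable(phone_number, text)
        self.clock = clock            # injectable so expiry can be exercised
        self.passwords = {}
        self.pending = {}             # user -> {"digest", "expires", "attempts"}

    @staticmethod
    def _digest(code):
        # Store only a hash so a leak of the pending table does not leak codes.
        return hashlib.sha256(code.encode()).hexdigest()

    def request_reset(self, user):
        """Anyone who reaches the reset form may call this, including a thief
        who controls only the victim's e-mail. The code goes to the registered
        phone and is never returned to the caller or mailed anywhere."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[user] = {"digest": self._digest(code),
                              "expires": self.clock() + CODE_TTL_SECONDS,
                              "attempts": 0}
        self.send_sms(self.phones[user],
                      f"Your reset code is {code}. Ignore this if you did not request it.")

    def confirm_reset(self, user, code, new_password):
        """True only if a live, unused code matches within the attempt budget."""
        entry = self.pending.get(user)
        if entry is None:
            return False
        if self.clock() > entry["expires"]:
            del self.pending[user]          # stale code: the user must start over
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self.pending[user]          # too many guesses: void the code
            return False
        if not hmac.compare_digest(entry["digest"], self._digest(code)):
            return False
        del self.pending[user]              # single use: a replayed code fails
        self.passwords[user] = new_password
        return True


def simulate():
    """Replays the article's scenario with a fake clock and a fake SMS
    gateway (constructed inputs). Returns the outcomes for checking."""
    clock = {"t": 1_000_000.0}
    phone = []                              # texts received by the real owner
    svc = ResetService({"alice": "+15550100"},
                       lambda number, text: phone.append(text),
                       clock=lambda: clock["t"])
    out = {}

    # 1. The thief, holding only alice's e-mail, triggers a reset. The code
    #    lands on alice's phone, so the best the thief can do is guess.
    svc.request_reset("alice")
    real = re.search(r"\d{6}", phone[-1]).group()
    wrong = "000000" if real != "000000" else "000001"
    guesses = [svc.confirm_reset("alice", wrong, "pwned") for _ in range(MAX_ATTEMPTS)]
    # Even the right code is refused once the attempt budget is spent.
    out["guessing_locked"] = not any(guesses) and not svc.confirm_reset("alice", real, "pwned")

    # 2. Alice, alerted by the unexpected text, requests her own reset and
    #    confirms it with the code from her phone; the code cannot be reused.
    svc.request_reset("alice")
    real = re.search(r"\d{6}", phone[-1]).group()
    out["owner_reset"] = svc.confirm_reset("alice", real, "correct horse")
    out["replay_rejected"] = not svc.confirm_reset("alice", real, "pwned")

    # 3. A code that sat unused longer than CODE_TTL_SECONDS is rejected.
    svc.request_reset("alice")
    real = re.search(r"\d{6}", phone[-1]).group()
    clock["t"] += CODE_TTL_SECONDS + 1
    out["expired_rejected"] = not svc.confirm_reset("alice", real, "pwned")

    out["password"] = svc.passwords.get("alice")
    return out


if __name__ == "__main__":
    print(simulate())
```

The attempt budget and expiry together bound a guessing attacker to a handful of tries per request; with six digits and five guesses that is a one-in-200,000 chance per reset rather than an open-ended search. Hashing the stored code with hashlib.sha256 keeps a database read from revealing live codes, and hmac.compare_digest avoids leaking which digits matched through timing.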