Imagine waking up one morning to discover your email address and current password have been plastered onto a billboard on the side of a major highway. It’s a bit improbable, I know, but play along.
For some of you, that would be the end. Anyone could paw through your email history, steal personal identifying information, run password resets for other sites, and generally wreak untold havoc.
But, for others of you, the billboard would be a mere annoyance. You’d pick a new password and go on with your day. Nobody would have gotten into your account, your identity information would be safe, and havoc would remain unwreaked.
What is the difference between these two scenarios? Why would some people with exposed email addresses and passwords be hacked, attacked, smacked, and wracked — and why would others merely be annoyed?
Multi-factor. It’s not just a compound word. It’s a defense strategy. The idea is this: In addition to something you know (your email ID and password), logging in requires something you have, or something you are. Usually, that’s something like an authentication key generated by your phone, or a fingerprint.
When you use multi-factor authentication, you’re requiring an additional factor beyond user name and password.
With that, I’m going to tell you about a new way some bad guys are phishing for authentication information. These nasty folks are trying to trick users out of their user IDs and passwords. And, in a lot of cases, they’re succeeding. The trick is relatively subtle, so even the most aware users might fall for the ruse.