Think about all of your email accounts, social media profiles, online banking, payment processing, and accounting systems. If any of those got hacked, it could cost you a lot of time, money, and headache. But there is one simple tactic, two-step verification, that can stop hackers in their tracks.
This past weekend, I took my wife to Denver to celebrate her birthday. We had a fantastic dinner at Mercantile, enjoyed some amazing music at Dazzle Jazz, and had an overall wonderful, relaxing weekend until …
Sunday morning at 3:30 AM
I suddenly woke up panicked about something I had seen on my computer the day before. I had typed facebook.com into my browser, but wound up on faceusersurvey.com, a phishing site trying to get my personal info. I didn’t fall for it and chalked it up as just one of those Internet things.
What woke me up is that I finally realized why my browser was redirected. I use Google Chrome on a Mac. I have several Chrome extensions installed from highly reputable companies like LastPass and Google.
But I had also just installed a new extension called Awesome Screenshot. Dang, I knew nothing about those guys! I quickly discovered that Awesome Screenshot has a reputation as adware and was automatically redirecting my browser to other sites.
OK, lesson #1 … NEVER install a browser extension unless you know the company really well. I went through the process to remove Not-So-Awesome Screenshot from my browser, but then my brain really kicked into overdrive …
What if a hacker, through a malicious browser extension, website, or sheer brute force, could somehow figure out my usernames and passwords? What would happen then?
How to Use Two-Step Verification
Your first line of defense against hackers is to use strong passwords and always use a different password for every site. You MUST do this.
But your second line of defense is to use two-step verification — also known as two-factor authentication — for all of your critical online accounts. Two-step verification requires you to enter an extra piece of information when the site doesn’t recognize the browser or device you are using.
For example, let’s say that I access my Google account using a new device for the first time. I correctly enter my username and password into Google, but then Google sends me a text message to my mobile phone with a code. I must enter that code to access my account. This only happens the first time. From then on Google “trusts” that device and I only have to use my username and password.
So, even if a hacker somehow gets my username and password, they can’t access my account because they can’t see the text sent to my mobile phone.
The first accounts to secure with two-step verification are your email accounts:
- Google – This helps secure not only Gmail, but your entire Google account including Google My Business, Google+, Google Analytics, Google Webmaster Tools, and more.
- Microsoft – This helps secure not only your Outlook.com email account, but your entire Microsoft account including Bing Places, Skype, and more.
- Yahoo -Enabling two-step verification on Yahoo secures not only your Yahoo email, but your entire Yahoo account.
Next, enable two-step verification on your financial applications:
- QuickBooks Online – Uses a confirmation email for their two-step verification. This isn’t quite as secure as using a text message, but it’s still two-step verification.
- PayPal – Calls it a Security Key, but it’s still two-step and uses a text message to your mobile phone
- Square – Currently protects only U.S. customers and access to your online dashboard
- Stripe – Uses two-step verification, but also uses the free Google Authenticator mobile app where you can create emergency backup code in case you need to disable two-step.
- Chase – They don’t really promote two-step, but they do have it. Log in to your account at Chase and add a mobile number to your profile.
- Bank of America – Offers their SafePass system which is their brand name for two-step verification.
- FreshBooks – Does not yet support two-step verification.
- Wells Fargo – Does not yet support two-step verification.
Finally, be sure to secure the social media accounts for your local business:
- Facebook – Calls their system “login approvals” and you can verify via a text message code or through the Facebook app on your phone. You should do this for all of the administrators who have access to your Facebook page.
- Twitter – Has text message verification, but also processes built in to their iOS and Android apps.
- Google+ / YouTube – This is the same system used for Gmail. If you’ve already secured your Google account for Gmail, then you’ve already secured your account for Google+ and YouTube as well.
Not sure if a service you use supports two-step verification? Go to https://twofactorauth.org/ and find out.
Of course there always more security measures you can take. But if you use strong and unique passwords, and enable two-step verification for each online account, you’ll have a relatively strong security net in place and should be able to sleep a lot better than I did!