In this digital age, it is more important than ever to protect your accounts. The issue is that users are limited to the security options that each site offers. The key security configurations are strong passwords, MFA and session expiry. MFA refers to the use of two or more methods of authenticating yourself to a website.
Session expiry refers to the amount of time that a logged-in user’s session remains active before they are forcibly signed out. In this article we will look at why both of these are so crucial for security, and we’ve put together a short ‘naughty’ list of large-brand websites that don’t offer MFA or have overly long session expiry periods.
Phishing and weak passwords are among the most common methods and vulnerabilities exploited by hackers. MFA makes it significantly harder for someone to hack into an account, as the attacker would need to obtain both the user’s password and the MFA token. Overly long session timeouts are also a problem: an attacker who steals a session token can act as the victim user for as long as the session remains active. So, starting with MFA, while any method is better than none, which is best?
The three most common methods of MFA are SMS, authenticator apps (such as Google’s and Microsoft’s), and hardware-based tokens (such as YubiKey). We have seen attackers circumvent SMS MFA by calling telecoms and using social engineering to get the victim’s text messages and phone calls forwarded to the attacker. The main problem with authenticator apps is that tokens can be phished from the user just as passwords can. To visualise how this could play out, imagine a phishing website that first requests the victim’s username and password, then displays a prompt asking them to enter the MFA token shown in the app. By far the strongest method is hardware-based MFA. A unique key is generated for each registered URL, so even if the victim is tricked into plugging their MFA dongle in and activating it on a phishing website, the URL will be different from the real website’s, and the correct token will not be sent across the network.
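To show what that origin binding looks like in code, here is an added toy model of the WebAuthn/FIDO2 sign-in check (example code, not from the original article or from any library). It assumes a constructed relying party at `bank.example` and a look-alike phishing domain `bank-example.com`; an HMAC over a per-credential secret stands in for the real per-credential private-key signature so it runs on the standard library alone.

```python
import hashlib, hmac, json, secrets

# Constructed toy model of WebAuthn/FIDO2 origin binding, not real library code.
# A real key signs with a per-credential private key; an HMAC over a per-credential
# secret stands in here so the block runs on the standard library alone.

def register(credentials, rp_id):
    """Authenticator creates one credential scoped to this rpId (like a YubiKey)."""
    credentials[rp_id] = (secrets.token_hex(8), secrets.token_bytes(32))
    return credentials[rp_id]  # the secret is shared with the RP only in this model

def get_assertion(credentials, rp_id, client_data):
    # Authenticator signs rpIdHash || SHA-256(clientDataJSON) with the rpId's key
    cred_id, secret = credentials[rp_id]  # KeyError if nothing registered for rpId
    auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    return cred_id, auth_data, hmac.new(secret, to_sign, "sha256").digest()

def browser_sign_in(credentials, origin, rp_id, challenge):
    """The browser, not the page, writes the origin into clientDataJSON and refuses
    an rpId that is not the origin's host or a registrable suffix of it."""
    host = origin.split("://", 1)[1]
    if host != rp_id and not host.endswith("." + rp_id):
        raise ValueError("rpId does not match origin")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}).encode()
    cred_id, auth_data, sig = get_assertion(credentials, rp_id, client_data)
    return {"id": cred_id, "clientDataJSON": client_data,
            "authenticatorData": auth_data, "signature": sig}

def rp_verify(assertion, expected_origin, rp_id, challenge, secret):
    """Relying party checks type, challenge, origin, rpIdHash, then the signature."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != expected_origin:  # a phishing origin fails here
        return False
    if assertion["authenticatorData"][:32] != hashlib.sha256(rp_id.encode()).digest():
        return False
    to_sign = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(secret, to_sign, "sha256").digest()
    return hmac.compare_digest(expected, assertion["signature"])

def demo():
    # Genuine login verifies; a look-alike domain cannot even obtain an assertion
    creds, rp_id, origin = {}, "bank.example", "https://bank.example"
    _, secret = register(creds, rp_id)
    challenge = secrets.token_hex(16)
    genuine_ok = rp_verify(browser_sign_in(creds, origin, rp_id, challenge),
                           origin, rp_id, challenge, secret)
    try:  # phishing page at another origin asks the browser for the bank's rpId
        browser_sign_in(creds, "https://bank-example.com", rp_id, challenge)
        phish_ok = True
    except ValueError:
        phish_ok = False
    return genuine_ok, phish_ok
```

Contrast this with a TOTP code, which carries no origin at all and therefore verifies just as well when relayed from a phishing page.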
As for session expiry, it really depends on each individual application. Take banking, for example, where session expiry is usually around 15 minutes. This makes perfect sense, whereas you’d get pretty annoyed if a site like Facebook destroyed your session every 15 minutes and forced you to log back in. As a general rule for non-critical applications, we are flagging anything above 1 month as too long for session expiry.
Seeing as hardware-based MFA is the most secure, and overly long session times are a security issue, you’d expect all the large websites to have these covered, though surprisingly this isn’t the case. We’ve put together a naughty list of companies which don’t do either of these things. Remember that this is just a quick assessment of these three aspects of cyber security, and not a full security audit or anything of the like.
Vertex Cyber Security Naughty List 2022

| Company | Finding |
| --- | --- |
| | No FIDO2 MFA |
| | No FIDO2 MFA |
| | No FIDO2 MFA |
| Mailgun | No FIDO2 MFA |
| Dropbox | No FIDO2 MFA |
| Mailchimp | No FIDO2 MFA |
| | Overly long session expiry |
| ANZ | No FIDO2 MFA |
| Ebay | No FIDO2 MFA |
| Commonwealth Bank | No FIDO2 MFA |
| | Overly long session expiry |
| Westpac | No FIDO2 MFA |
| NAB | No FIDO2 MFA |
| Airbnb | Overly long session expiry |
| Ebay | No FIDO2 MFA |
We will come back and update this list as we identify more sites, and hopefully be able to remove some of these. Vertex Cyber Security would like to wish everyone a very safe and Merry Christmas. We will have team members available over the holiday period, so don’t hesitate to contact us if you’d like help or to talk to one of our cyber security experts.