Many media outlets covered the plight of Stefan Thomas, the man who, as of January 2021, had $250 million worth of bitcoin trapped in his Bitcoin wallet. He secured the keys to the wallet on an IronKey flash drive. I recall in one 60 tips presentation years ago noting the Mission Impossible feature of the IronKey that provides extra security by terminally encrypting the contents of the drive after 10 incorrect password entry attempts. Yes, the data does self-destruct. Mr. Thomas lost the paper with his password written on it and, after a few wrong guesses, now has two password attempts left. In his defense, when he received the 7,002 Bitcoin in 2011 as payment for making an animated video, the value of bitcoin was much less.

His IronKey now is in a secure location, and Mr. Thomas hopes some future cryptographers will one day crack it. I’m not sure you could outline a more severe case of pain resulting from forgetting a password.

There are ways to better secure your accounts without running the risk of locking them up “forever.”

As I’ve noted previously, I believe lawyers should be using a password manager to organize and use appropriate, complex and unique passwords for every login. I still believe that, but now there is more to consider.

PASSWORDS ALONE DO NOT PROVIDE ADEQUATE SECURITY

You read that correctly. Passwords alone are no longer sufficient protection for the most important accounts you log in to.

Originally, it was believed that it sufficed for a user to memorize two different items, the username and password, and log in using those. But now, most websites (and people) use their email addresses for their username. This has the advantage of being something the user won’t forget and the disadvantage of being easily discoverable in most situations.

So, the password is the only remaining “secure” information in the login process.

According to some online security services, 90% of passwords can be cracked in less than six hours. That number sounds high to me, but I have little doubt about the significant risk. Today, there are powerful hacker tools that can test millions of passwords every second. Longer passwords containing characters and numbers are more time consuming to crack. And those who do not use a password manager tend to use the same password for many sites, which means when one account is cracked, the criminals may have the password for many.

So, you need another secure bit of data, another factor.

THE NEED FOR TWO-FACTOR AUTHENTICATION

Most readers are familiar with two-factor authentication (2FA). Hopefully, you are already using this with your bank account and other financial accounts. The more accurate term is multifactor authentication, but I am going to use 2FA in this article just because it is more readable than MFA.

A common shorthand way to describe the additional factor used for 2FA is something you know, something you have or something you are (biometrics). Something we have with us almost all the time is our mobile phone. The most common method of 2FA is by SMS text messaging. When you enter your username and password into a site, the site responds by sending you a code via text message that must be entered to complete the login process. Sometimes this can be done by email, which is also not secure.

This basic form of 2FA means that even if a hacker got into the online service and pilfered all the usernames and passwords, they would still not be able to access your account because they wouldn’t have your mobile phone to receive the required code via text message.

You should already use 2FA for any financial accounts, any online shopping service you have allowed to remember your credit card number, medical portals and confidential client information. If you have social media accounts, using this method will likely mean you will never have to post, “Please do not accept any invitations from me. I’ve been hacked.”

A critical account to secure with 2FA is your Microsoft 365 account. If a hacker steals your password, it grants them the ability to send out emails pretending to be you, view and change your calendar and access all documents you have stored in OneDrive. In many ways, this is the “keys to the kingdom” hack.

But sadly, using SMS text messaging for 2FA, the simplest and most common method, is no longer the best practice.

I cannot stress strongly enough, though, how much more secure SMS text messaging is than not using any form of 2FA at all.

SMS TEXT MESSAGE AUTHENTICATION IS MUCH MORE SECURE THAN SKIPPING 2FA ENTIRELY, BUT SMS TEXTS ARE NO LONGER THE BEST 2FA METHOD

Unlike end-to-end encrypted messaging, such as WhatsApp or Signal, SMS is built on an infrastructure with known security weaknesses. Apple’s iMessage is encrypted, but that only applies when transmissions are iMessage to iMessage. So, normally the code is sent via SMS and therefore not encrypted.

The risks of using SMS text messages for authentication are somewhat technical. One risk is that your cell phone carrier can be scammed into giving someone else access to your codes. It is easier than one would hope to “steal” a cell phone number by having the account transferred to a new device, especially if the bad actors have the number and other personally identifiable information, such as the last four digits of your Social Security number. A data breach at any employer could easily provide that information. Malware can be unknowingly installed on users’ phones that scans for these SMS passcodes and sends them to a wrongdoer. Interception of SMS messages in transit is another weakness, even if it is uncommon.

Phishing exploits can also trick people into handing over their SMS codes. Forbes contributor Zak Doffman profiled an Iranian SMS 2FA attack named Rampant Kitten.

Check Point warned of an SMS 2FA attack just last month, “an Android backdoor that extracts two-factor authentication codes from SMS messages, records the phone’s voice surroundings and more.” The “Rampant Kitten” operation, attributed to Iranian hackers, intercepted 2FA codes for otherwise secure Google and Telegram accounts. The attack was brutally simple, Check Point told me, an app pushed out to users via social engineering that asked for permission to read SMS messages.

For more in-depth technical information, refer to National Institute of Standards and Technology Special Publication 800-63B, Digital Identity Guidelines, Authentication and Lifecycle Management. Section 5.1.3.3, Authentication using the Public Switched Telephone Network, provides, “Verifiers SHOULD consider risk indicators such as device swap, SIM change, number porting, or other abnormal behavior before using the PSTN to deliver an out-of-band authentication secret.”

PSTN is essentially the telephone network, wired and wireless.

One should secure all financial accounts properly not only to avoid today’s risks but to prepare for tomorrow’s increased risks.

EXECUTIVE SUMMARY

Using 2FA is very important. The SMS texting method is simple, even if not totally secure, although compromises of SMS seem relatively rare right now. If you have a bank or retirement account you access online, that is a vulnerability. A single compromise could cause some life-altering pain. A 2FA system that doesn’t use SMS is superior, but it is far better to use SMS 2FA than none at all.

WHAT ARE MORE SECURE AUTHENTICATION METHODS?

Some well-known services provide their own 2FA method. Some already provide a method that does not involve SMS text messaging.

If you have a Facebook account, that is a good opportunity to work through setting up 2FA. Facebook has made it very simple. See the Facebook page “Login Alerts and Two-Factor Authentication.” Facebook also provides a code generator that can avoid SMS entirely. See Facebook’s “What is Code Generator and how does it work?” Facebook will only require the code when you log in from a new, different device, so it won’t impact your use in most cases.

Two methods that provide a high level of security with 2FA are authenticator apps and physical tokens.

AUTHENTICATORS

Authenticators generate codes on your phone or mobile device.

Even if an attacker tricked your cell phone company into moving your phone number to their phone, they would not be able to get your security codes. The data needed to generate those codes remains securely on your phone. It never travels through the SMS text messaging system.

The first thing to know about authenticators is that many password managers also include an authenticator service as part of the subscription. LastPass, in particular, gets good reviews for its application.

Google Authenticator is a popular, free and well-regarded authenticator. It is available for both Android and iPhone. It can be used with a broad range of services, including those provided by Microsoft.

Most reviewers recommend Authy. But I appreciate that most Android users will likely use Google Authenticator. Similarly, firms committed to Microsoft 365 might decide to use Microsoft Authenticator.

There are certainly many options. See Gizmodo’s “The Best Authenticator Apps for Protecting Your Accounts” and Android Authority’s “10 best two-factor authenticator apps for Android”.

PHYSICAL SECURITY KEYS

I have not used physical security keys for authentication. These are currently used mainly by larger corporations. I do know you are never supposed to store the physical security key in your computer bag, and for most of us, the best option is to store it on our keyring. I also know there will be minor annoyances and major annoyances (“I left all my keys at the garage because my car is getting repaired”) when these security tools are implemented. It’s not a key you want to misplace.

You can find lots of online articles about the various physical keys and key “families.” ZDNet’s “Best Security Key in 2021” is a good starting point. Your attention is also directed to “YubiKey, Google Titan, RSA SecurID, and More: Seven Authentication Token Families Compared” from the Plurilock Blog.

At this point, I predict we will mainly see physical security keys implemented by large law firms with IT departments to support them, and by tech-savvy solo practitioners or small firm lawyers without an IT department who find managing this type of device to be the simplest solution.

ONE SMS WORKAROUND

Some services may require SMS text messaging for 2FA. One way to bypass this insecurity would be to set up a Google Voice phone number and use that for your 2FA because you can secure your Google accounts with 2FA. Then you log in to Google Voice to see the code. That method is probably too inconvenient for many frequently accessed accounts but is certainly an option for financial accounts that are not frequently accessed, like retirement accounts.

CONCLUSION

It’s time for two-factor authentication. In fact, it is past time. But 2FA will involve a few delays every day. It adds a bit more friction to your life – at least your online life. If all you want to do now is to implement SMS text messaging for your financial accounts, Microsoft 365 account and other accounts containing confidential client information, you will have made a significant improvement with your digital security.

Many will decide it is time to set up a more secure authenticator service or purchase physical security keys. The fact that many have implemented authenticators at this point should reassure you that implementation will not be overly challenging. Hopefully, this article and the sources cited in it will allow you to confidently move forward with your options for implementing 2FA more securely.

(Originally published in March 2021 Oklahoma Bar Journal https://www.okbar.org/lpt_articles/the-rise-of-two-factor-authentication-and-the-authenticators/)

Attorney@Work posted Takeaways and Tips From ABA TECHSHOW 2021 today.

I was happy to contribute, along with several legal technologists and practice management advisors. If you know me, you know I love ABA TECHSHOW. The takeaways in this feature are wide-ranging and cover a diverse set of issues. I hope it will inspire you to attend the next ABA TECHSHOW, which will be held March 2-5, 2022.

Most who take the time to read this post will find something they can put to use right now and also some items for future planning.

Lawyers are trained to consider the negative implications of anything new. When the idea of chatbots on law firm websites first surfaced, many were concerned about the potential for malpractice liability based on poor advice from a chatbot. But giving legal advice is not something your law firm would ever want a chatbot to do.

Where a chatbot can excel is assisting visitors with quickly navigating your website, routine questions or directions on how to schedule an appointment, e.g. “You mentioned bankruptcy. Our law firm’s bankruptcy resource page is xyzxyz.com. Would you like to schedule an in-office or virtual appointment to meet with one of our bankruptcy lawyers? I can do that for you.” Hopefully that example shows how a bot can be valuable for the firm. Another response might be “You mentioned criminal law. Our firm does not do criminal defense. The Oklahoma Bar Association hosts a site called OklahomaFindALawyer which lets you search for lawyers doing that type of practice.”

Several lawyers in private practice who spoke at ABA TECHSHOW recently mentioned that they believed their law firms’ chatbots assisted them with getting website visitors to schedule an appointment to discuss a new matter, often using no staff time. Some law firms allow potential clients to schedule appointments right on their websites.

If your firm doesn’t offer that feature yet, the chatbot can say “Let me put you in touch with someone to schedule your appointment.” But that person will need to communicate by text. If the potential new client wanted to talk to someone on the phone, they would have placed a phone call. I also note that one of the three winners of the ABA TECHSHOW Start Up Alley Competition in 2020 was a law firm intake qualification system featuring an AI-powered chatbot.

How to create a chatbot that works for you and your customers is an interesting read about one company’s development, initial failures and fine-tuning of their now-successful chatbot.

As most of you know, beginning with the March lockdown I started posting daily tips and did that for all of 2020.

The most popular tip of the year was a fairly basic tip about reformatting Word documents and it pointed out how many Word users don’t know what all of those choices and buttons they see every day actually do.

So I am sharing this one once again. Feel free to share the link below with someone you know who might need to know this.

Removing Formatting from Word Documents (April 17, 2020)

Most lawyers now appreciate that an online presence and online marketing efforts are important for client development for most law practices. Your marketing efforts typically cost both time and money. Our latest Digital Edge podcast is How to Win Clients Online for Free! Our guest is Gyi Tsakalakis, a former lawyer and the founder of AttorneySync, an online legal marketing agency that helps lawyers be where their clients are looking.


Gyi stresses that some of the best ways to gain clients won’t cost you anything but time.

Personally, I am always surprised at how many small law firms have not claimed their Google My Business page. But Gyi has many other budget-friendly tips.

Today you need a consistent and persistent marketing effort. These tips should help.


ABA TECHSHOW 2021 will be held March 8-12, 2021, and will be virtual. But a virtual venue means it is much more affordable, with lowered registration fees and no need for travel and lodging expense.

As you know, ABA TECHSHOW 2021 brings together attorneys, legal technologists, thought leaders, law professors and many legal tech vendors. The educational sessions are top-notch, whether you want to learn more about Microsoft 365, cybersecurity or artificial intelligence in legal work. Registration is $295 for ABA members (and Oklahoma Bar Association members too). The non-member registration fee is $350. That is much less than previous TECHSHOWs, but of course there are no luncheon or drink tickets.

Every year ABA TECHSHOW has so many topics that are of interest to a broad legal audience, but particularly those in medium-sized or small firms. Some of those interesting topics include Cloud Based E-Discovery for Small Firms; Automation Tools for Transactional Attorneys; Proofreading and Writing Automation: Brief Catch, Microsoft Suite, and G Suite; and Creating Client-Centered Marketing. I’d encourage you to review the online schedule of programming. The online brochure of the program schedule is very well done.

You can also listen to our new Digital Edge podcast, ABA TECHSHOW 2021 Goes Virtual! featuring ABA TECHSHOW 2021 co-chairs Allan Mackenzie and Roberta Tepper.

A virtual ABA TECHSHOW 2021 also solves that frequent TECHSHOW challenge of two programs happening simultaneously you want to attend. I am told that videos will be recorded and available later. I’m uncertain if MCLE credit is available for the replay as it is for the live sessions. I can’t claim to be completely unbiased about ABA TECHSHOW 2021. I served on the TECHSHOW planning board for several years and was honored to serve as ABA TECHSHOW planning board chair years ago. But I can confidently say you will find a great group of smart and dedicated faculty and an amazingly diverse lineup of legal tech educational programs when you register for ABA TECHSHOW 2021.

Oklahoma Bar Association members, using OBA discount code EP2109 when you register reduces your registration fee to $295 as noted above. If you have never attended before and have an interest, this should be your year.

That helpful person calling from Microsoft Tech Support is most likely a scammer. The odds go up to 100% if they tell you they noticed a problem with your computer and are calling to help you fix it. You can easily test that premise by telling them they have just reached an FBI agent and asking for their real name.

Such surprise phone calls from Microsoft tech support are always scams. A legitimate call could result if a user initiated something with Microsoft in the preceding hours and is expecting a return call. The legitimate tech support phone call will be following up on the specific issue that was raised. The scam callers will try to learn a victim’s password or credit card information or to trick them into surrendering access to their computer.

Real tech support: “OK, please reboot your computer and see if that helped.”

Fake tech support: “OK, I’m going to send you something that will solve the problem, just log into it with your username and password.”

For more information see Avoid tech support scams from Microsoft. Share this information with your relatives and clients. It is good content for a law firm newsletter.

Let me stress this is “ten top” tools, not a ranked Top Ten list. But these ten types of tools should be on the agenda for implementation in most solo and small firm practices.

Here’s the quote I’d emphasize from the column.

The most significant observation I have distilled from the past year is the practice of law has bifurcated into two “branches,” if you will: people law and business/corporate law. With each passing year, each branch looks a bit less like the other in terms of the operations and business processes. We will be exploring those distinctions more throughout 2021. This month’s article focuses on tools for those in smaller firms primarily doing people law.

Most smaller law firms should now be using most, if not all, of these tools. I hope you enjoy (and share) 10 Top Technology Tools for the Small Firm Lawyer.

Lawyers deal with confidential client information and we have a duty to secure that information. No matter who you are, you wouldn’t want to donate, give away or even discard a computer or phone with information still on the device. No one would want to transfer a computer or phone without making certain the personal information on it is wiped.

In the old days, I could confidently send lawyers off to Darik’s Boot and Nuke at https://dban.org/ after warning them to be cautious with whatever media they installed the tool on, lest they accidentally nuke something they did not intend to destroy. DBAN doesn’t work on SSD drives, so the company now sells a commercial product to wipe those drives.

The respected tech website Wirecutter published an excellent guide How to Securely Wipe Your Computer, Phone, or Tablet. You may want to bookmark this guide so you will have it handy when you need it.

So, what about a dead computer? If a computer is operational, you can reformat the hard drive. But if not, a simple solution is to do an internet search to find instructions on how to remove the hard drive from your model of computer, and remove it before recycling or discarding the computer. Then you can physically destroy the hard drive. My son and I used to have some fun figuring out creative ways to physically destroy retired hard drives.

The “On Tech” newsletter from The New York Times typically has great content. I encourage people to subscribe to it. The current edition is Why Your TV Spies on You, which is a fact of life for most smart TVs and streaming services. But while some lawyers may find that discussion interesting, I want everyone to scroll down to the next feature, “Three must-have apps for every smartphone” by Brian X. Chen, the personal technology columnist for The New York Times. I would guess few lawyers have all three of these apps and many do not have any of them.

Brian’s three must-have apps are 1. A password manager, 2. An ad blocker and 3. An encrypted messaging app, like Signal.

I’ve written several times about how a password manager is an important security tool because it allows one to use long and complex passwords without having to remember them. But there are many other benefits. See my video and post on selecting a password manager with legal tech expert Tom Mighell.

According to Brian X. Chen, “Many online ads are loaded with scripts that collect your personal information and suck up your phone battery; some even contain links to malware. Until the ad industry comes up with a better way, our best bet is using an ad blocking app like 1Blocker to prevent ads from loading in the web browser.” He also notes that the Google Play store does not allow ad blockers to be downloaded. Google loves online ads. Android users who wish to install the apps need to use a method known as sideloading. Chen directs us to 5 best ad blocker apps for Android!

Encrypted messaging using tools like Signal or Telegram is very secure. But these tools only function if both parties download and use the app. At ABA TECHSHOW 2016 I attended a panel that included the lead attorney for NSA leaker Edward Snowden. The panelists recommended Signal. Afterwards I wrote You Are Not Paranoid If They Really Are Watching You: Attorney-Client Privilege, Confidentiality and Cybersecurity in the 21st Century for the Oklahoma Bar Journal.

If you visit The New York Times website frequently and are not a subscriber, you may find this content blocked by a paywall. Just save the link for later.