Users of the GoToMyPC remote desktop software have had their passwords automatically reset ‘at the back end' by Citrix, the firm that owns the brand and the software behind the service. Hackers attacked the service, which has previously been criticised for failing to recommend complex passwords and two-factor authentication, and for failing to advise against password reuse: three of the biggest security failings many users exhibit today. GoToMyPC has subsequently issued an advisory aiming to address some (but not all) of these exact shortcomings.
Admitting to what it labels a ‘very sophisticated password attack', GoToMyPC recommends that users take the following steps to ensure their security:
- Don't use a word from the dictionary.
- Select strong passwords that can't easily be guessed, with eight or more characters.
- Make it complex – randomly add capital letters, punctuation or symbols.
- Substitute numbers for letters that look similar (for example, substitute “0” for “o” or “3” for “E”).
Extra protection, if you look for it
Although GoToMyPC has failed to use this opportunity to also recommend two-factor authentication directly, Citrix online support does explain here that this option is available to users who wish to enable this additional layer of security. To use the two-step verification method, users are prompted to enter a code sent as a text message to their mobile phone or a call made to their mobile phone after they enter their GoToMyPC account password.
Speaking to SCMagazineUK.com in line with this story, Lisa Baergen, director at NuData Security, apologised for sounding like a broken record. It's only been a couple of weeks since TeamViewer user accounts were hijacked, she reminded us. “Although usernames and passwords can be changed, as being asked here by Citrix, victims of a breach need to understand that every bit of information exposed is important and building out solid packages of identity information on the dark web,” she said.
Fraudsters are creating 'identity bundles'
What we need to be aware of (and afraid of) is that fraudsters are creating, selling and buying more comprehensive 'identity bundles', which sell for a higher value to hackers. With more complete information, fraudsters can ultimately do more damage and permeate a lot of these temporary point solutions, advises Baergen.
Ivan Maksic is regional manager for Western Europe at Infobip. Maksic spoke to SCMagazineUK.com to say that although two-factor authentication (2FA) does exist with many online services, including GoToMyPC, the problem goes even further.
Double-edged 2FA sword
“Introducing 2FA across the board can come with its own challenges if it's not rolled out correctly. There's no doubt that 2FA ticks all the right boxes for a consumer-friendly answer to the security challenges faced by today's online players. But offering consumers an overly complicated authentication process will not have the desired effect. The extra layer of security simply won't be used,” said Maksic.
David Gibson, VP of strategy and market development at Varonis, echoes many of these thoughts. Gibson spoke to SCMagazineUK.com to say that the GoToMyPC attack illustrates that data breaches should be considered a real and inevitable possibility.
“Even Mark Zuckerberg had a reminder earlier this month that you shouldn't use the same password on multiple sites. From what we know, hackers worked from a list of cracked accounts that came from a 2012 breach at LinkedIn, and then reportedly got into his Twitter, Instagram and Pinterest account utilising the same password.
People are bad at coming up with their own passwords. We're all guilty! For convenience, we make them obvious or short or both and use them more than once,” he said.
Correct horse battery staple
The ‘correct horse battery staple' method is a memory trick where each letter of the password represents a word in a story. You can read more about that on the Varonis blog here and an automated password generator using this methodology is available here.
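The following Python script is an added illustration of the two pieces of advice above, the GoToMyPC advisory's four password rules and the random-word passphrase approach popularised as ‘correct horse battery staple'; it is not the Varonis generator linked in the article nor any Citrix code. It checks a candidate password against the advisory's rules after undoing the look-alike substitutions the advisory recommends (because a cracker applies the same substitutions to its word list), puts a number on how little those substitutions add, and compares the entropy of an eight-character random password with that of a four-word passphrase. The word lists are constructed stand-ins; the 7776-word figure is the size of a standard Diceware-style list.

```python
import math
import secrets
import string

# Constructed stand-ins: a small "already cracked" dictionary and a small
# passphrase word list. Real deployments use lists of thousands of words.
COMMON_WORDS = {"password", "letmein", "welcome", "monkey", "dragon", "summer"}
WORDLIST = ["correct", "horse", "battery", "staple", "orange", "silver",
            "window", "garden", "planet", "rocket", "copper", "meadow"]

# Letters users commonly swap for look-alike digits or symbols, and the
# reverse mapping used to undo those swaps before a dictionary check.
SUBSTITUTIONS = {"o": "0", "e": "3", "l": "1", "a": "@", "s": "$", "t": "7"}
UNLEET = str.maketrans({digit: letter for letter, digit in SUBSTITUTIONS.items()})


def normalise(password: str) -> str:
    """Undo look-alike substitutions and case, so 'Passw0rd!' becomes 'password!'."""
    return password.translate(UNLEET).lower()


def check_against_advice(password: str, dictionary=COMMON_WORDS) -> dict:
    """Evaluate a password against the four points in the GoToMyPC advisory.

    The dictionary test runs on the normalised form with leading/trailing digits
    and punctuation stripped, which is how a cracking rule set would see it.
    """
    core = normalise(password).strip(string.punctuation + string.digits)
    return {
        "not_dictionary_word": core not in dictionary,
        "min_8_chars": len(password) >= 8,
        "has_upper": any(c.isupper() for c in password),
        "has_symbol_or_digit": any(c.isdigit() or c in string.punctuation for c in password),
    }


def substitution_bits(word: str) -> int:
    """Upper bound on the entropy that look-alike substitutions add to a word:
    each substitutable letter is either swapped or not, so at most 1 bit each."""
    return sum(1 for c in word.lower() if c in SUBSTITUTIONS)


def charset_entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of a password whose every character is drawn uniformly at random."""
    return length * math.log2(charset_size)


def passphrase_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of a passphrase whose words are drawn uniformly from a word list."""
    return word_count * math.log2(wordlist_size)


def generate_passphrase(word_count: int, wordlist=WORDLIST, separator: str = " ") -> str:
    """Draw words with the CSPRNG-backed secrets module (never random.choice)."""
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


if __name__ == "__main__":
    print(check_against_advice("Passw0rd!"))
    print(f"substitutions add at most {substitution_bits('password')} bits to 'password'")
    print(f"8 random printable ASCII chars: {charset_entropy_bits(8, 94):.1f} bits")
    print(f"4 words from a 7776-word list: {passphrase_entropy_bits(4, 7776):.1f} bits")
    print("example passphrase:", generate_passphrase(4))
```

Running it shows why the advisory's "substitute 0 for o" tip is weak on its own: "Passw0rd!" satisfies the length, capital and symbol rules yet fails the dictionary check, and the substitutions add at most four bits to "password". Four words chosen at random from a 7776-word list are worth about 52 bits, roughly the same as eight truly random printable characters, but far easier to remember.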