In a cloak-and-dagger caper reaching from Eastern Europe to the Virginia suburbs of Washington, DC, the nation and the world witnessed the most highly publicized case of phishing ever to come to light. It was during last year’s presidential campaign when 10 years of emails from Hillary Clinton’s campaign chairman, John Podesta, became public. The emails proved politically embarrassing, but there was also a lesson about internet security for us regular schlubs, too.
Thanks to the far-reaching implications of the case, a detailed account of the phishing and hacking of Podesta’s emails was put together by various US spy agencies. Here is the quick and dirty:
- Podesta had been using the same personal Gmail account for over a decade when he received a notice, supposedly from Gmail, informing him that his account had been compromised and requiring him to reset his password.
- A help desk employee confirmed to Podesta’s team via email that the note from Gmail was “legitimate”—I use quotes because this individual later claimed he meant to type “illegitimate.”
- Podesta reset the password.
- All of Podesta’s emails were then released to the public, and the government got involved because of espionage concerns.
- In a post-mortem of the event, intelligence agencies surmised that the password reset notice sent to Podesta was sent from agents of a foreign government. Because Podesta had not enabled two-step verification, the hackers were able to gain access to his account with just the password.
What is Two-Step Verification?
Two-step verification is a system in which there are two tests to pass before getting into the account. The methods of two-step verification vary:
- Some sites ask you a security question.
- Other sites text a code to your phone to enter.
- Some smartphone apps can have you provide your fingerprint as the second step.
- Highly secure sites, like the business bank accounts I service, send a code that expires every few minutes.
How Do I Get Two-Step Verification?
The odds are that most of the services you use offer two-step verification, but it has to be enabled. In this excellent article from Gizmodo, you can find out how to turn it on for Google, Apple, Twitter, Dropbox, and a host of other popular websites and services.
In the end, our approach to safeguarding our accounts is subject to the classic rivalry between freedom and security: We all love easy access to our accounts while we are on the go—but is it worth the risk?