Following a security breach in which passwords were stolen, Dropbox now sends a six-digit code via text message to a mobile phone
More websites should ask customers to confirm their identification by using one-off security codes sent by text messages, rather than by only entering a username and password.
Andy Kemshall of security firm Securenvoy warned that a study of security professionals found 42 per cent believe "the average kid could crack most end user's passwords."
He said the second-factor authentication process of confirming a transaction or a person's identity using a code sent via text message is a simpler version of the card-reader system many online banks have tried.
"Even if a hacker has found out your password, they won't have your phone. If your phone is stolen, the criminal is unlikely to know your password."
Cloud storage service Dropbox recently introduced a two-stage sign-in process.
Following a security breach in which passwords were stolen, Dropbox now sends a six-digit code via text message to a mobile phone, which is entered after the username and password.
The system will also work through apps for iPad and iPhone, Blackberry, Windows Phone 7 and Android devices.
However, Oren Kedem, at security firm Trusteer, disagrees that two-factor authentication using SMS is inherently safe.
"SMS authentication is insecure as there are multiple ways it could be compromised. Some malicious software can hide, read and generate texts on mobile devices," he warned.
Rik Ferguson of Trend Micro also argued against two-factor authentication sent by text being used for online banking.
"The question is not only about verifying the person initially making the transaction but is the transaction itself valid?
"For example, you could be sending £50 to your son's bank account online using the code, but if you had malware that allowed a man-in-the-middle attack, the hacker could change that from £50 to £500 and direct the money to a different account. It's OK for sites such as Dropbox but it's not fail-safe.
"It should certainly never be used for online banking because we have seen so much mobile malware used to bypass this form of security," he said.
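The two points above, a one-off six-digit code that proves who is signing in, and Ferguson's objection that such a code says nothing about whether the transaction itself is valid, can be made concrete in code. The following is an added example, not code from the article, Dropbox, Trusteer or Trend Micro. It issues and verifies a login-style code with expiry, single use and a constant-time comparison, then contrasts it with a hypothetical transaction-bound code derived from the amount and destination account, so that a tampered transaction no longer verifies. The key, the £50/£500 amounts, the account numbers and the five-minute lifetime are all constructed values.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300  # constructed policy value: a login code lives five minutes


def issue_login_code(now: float) -> dict:
    """Issue a one-off six-digit login code like the one the article describes.

    Returns the server-side record; only record["code"] would be sent by SMS.
    """
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    return {"code": code, "expires_at": now + CODE_TTL_SECONDS, "used": False}


def verify_login_code(record: dict, submitted: str, now: float) -> bool:
    """Accept the code once, before expiry, comparing in constant time."""
    if record["used"] or now > record["expires_at"]:
        return False
    if not hmac.compare_digest(record["code"], submitted):
        return False
    record["used"] = True  # single use: a replayed code is rejected
    return True


def execute_with_login_code(record: dict, submitted: str, now: float, transaction: tuple):
    """A bank that only checks the login code executes whatever transaction it received.

    The code proves the person, not the payment, so a transaction altered in
    transit (the man-in-the-middle case in the article) goes through unchanged.
    """
    if not verify_login_code(record, submitted, now):
        return None
    return transaction


def _transaction_message(amount_pence: int, dest_account: str, nonce: str) -> bytes:
    return f"{amount_pence}|{dest_account}|{nonce}".encode()


def _code_from_mac(mac: bytes) -> str:
    return f"{int.from_bytes(mac[:4], 'big') % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


def issue_transaction_code(key: bytes, amount_pence: int, dest_account: str) -> tuple:
    """Hypothetical transaction-bound code: HMAC over the details being approved.

    The SMS would show the amount and account beside the code, so the user sees
    what they are approving. Returns (code, nonce); the nonce prevents reuse.
    """
    nonce = secrets.token_hex(8)
    mac = hmac.new(key, _transaction_message(amount_pence, dest_account, nonce), hashlib.sha256).digest()
    return _code_from_mac(mac), nonce


def verify_transaction(key: bytes, amount_pence: int, dest_account: str, nonce: str, submitted: str) -> bool:
    """Recompute the code over the details the server is actually about to execute."""
    mac = hmac.new(key, _transaction_message(amount_pence, dest_account, nonce), hashlib.sha256).digest()
    return hmac.compare_digest(_code_from_mac(mac), submitted)


def demo() -> dict:
    """Replay the article's scenario: £50 intended, malware changes it to £500 elsewhere."""
    now = time.time()
    key = secrets.token_bytes(32)  # constructed server-side key
    intended = (5000, "12345678")   # £50.00 to the son's account (constructed)
    tampered = (50000, "87654321")  # £500.00 to a different account (constructed)

    # Login-style code: the server cannot tell the tampered transaction apart.
    record = issue_login_code(now)
    executed = execute_with_login_code(record, record["code"], now, tampered)

    # Transaction-bound code: computed over the intended details, fails on the tampered ones.
    code, nonce = issue_transaction_code(key, *intended)
    return {
        "login_code_executed_tampered": executed == tampered,
        "bound_accepts_intended": verify_transaction(key, *intended, nonce, code),
        "bound_accepts_tampered": verify_transaction(key, *tampered, nonce, code),
    }


if __name__ == "__main__":
    print(demo())
```

The login-code path is the Dropbox-style second factor and is sound for what it does; the point the example makes is that verifying the person is a different check from verifying the payment, which is why a code bound to the transaction details is the usual answer for banking.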
Not everybody has mobile phones....
The problem is not everybody has mobile phones, so people without mobile phones will be locked out of using Dropbox etc.
Posted by Josh, 07 Sep 2012
Answer for Josh
Hi Josh, I can put your mind at rest somewhat, as you are not forced to use a mobile phone to access Dropbox; the new two-step sign-in process is not enabled by default, you have to turn it on. Speaking personally for a moment, you can pick up a pay-as-you-go mobile for around £10 from Tesco. I'd consider that a reasonable cost for the increased security. Of course, that doesn't help if you're in an area with no mobile signal. The Dropbox website offers some mobile apps that don't require a signal to work (https://www.dropbox.com/help/363/en#2fa-apps), although you will need a smartphone or tablet with a camera. I hope that's helpful. Kind regards, Tim
Posted by Tim Smith, 07 Sep 2012