
Welcome! Criminals bypassing Multi-Factor Authentication plus more on Tech Talk with Craig Peterson on WGAN

Craig Peterson - Secure Your Business, Your Privacy, and Save Your Sanity

Release Date: 08/22/2020



Craig discusses how cybercriminals are now bypassing multi-factor authentication and what you can do to protect yourself. 

For more tech tips, news, and updates visit - CraigPeterson.com


Read More:

Huawei's expired US license is bad news for phone owners

Security Jobs With a Future -- And Ones on the Way Out

NSA & FBI Disclose New Russian Cyberespionage Malware

FCC beats cities in court, helping carriers avoid $2 billion in local 5G fees

Business Email Compromise Attacks Involving MFA Bypass Increase

NSA and FBI warn that new Linux malware threatens national security

How Fast Is SpaceX's Satellite Internet? Beta Tests Show it Hitting Up to 60Mbps

ISIS Allegedly Ran a Covid-19 PPE Scam Site


Automated Machine-Generated Transcript:

Craig Peterson: [00:00:00] I've been harping on multifactor authentication, and now I'm a little bit concerned because, based on what kind you're using, the bad guys are getting around some of it.

Hey, Craig Peterson here. Thanks for joining me online and here on WGAN. Make sure you tune in every Wednesday morning when I'm on with Matt Gagnon for the early morning shift, as he goes through the latest in tech news with me. It's really fun. I like having a host to talk to who really understands things, he's on the ball, and Matt is certainly one of those, no question about it.

Businesses are faced with a real problem, as are consumers, and that is how do you keep the bad guys out of your systems? One of the things that we've been using for the last few years is called MFA, multifactor authentication. As I have said for decades, the best security combines something you know along with something you have.

So for instance, in the computer world, something you know might be the email address to sign in with and of course the password that you sign in with. So there you go, something you know, something you have. In many cases, it's turned out to be your smartphone, and people are using the smartphone to do authentication.

So you try and log in. It'll send you a text message, then with that text message, you can now say, yeah, that's me, and you type in the code, right? A four-digit, six-digit code, and you are let in. I've explained before why that is a bad idea, using texts, or SMS as it's called, and it's a very bad idea.

If you have anything at risk, something to lose, there have been many cases now, well documented, of people that are big business people all the way on through people who own Bitcoin, where what will happen is the bad guy will transfer your phone number to a phone, not yours, but one the bad guy has control over.

So now he tries to log in because he got your username and your password from the dark web. If you haven't checked it out yet, make sure you go to haveibeenpwned.com and check out your email address, and you're almost certain to find your email has been compromised and your password was stolen along with your email address and maybe even more things like your Social Security number, your home address, et cetera.

So what the bad guys will do is say, okay, so I'm going after company X and I am going to now find out what the guy's phone number is. They use a little social engineering, find out the phone number, and then once they have the phone number, they can go to the next step, which is let's transfer that phone number to my phone.

Then they log in as you. Let's say even your Yahoo mail account or whatever your mail account is, and then they look around and, yeah, okay, great, he has an account at Bank of America. So they go to the Bank of America site, 'cause they just found Bank of America account emails in your email box, and they use your username and the password they got for your username.

You're smart, and Bank of America and your Yahoo email account use different passwords. Goody for you, because now all they have to do is say, I forgot my password. Where is Bank of America going to send the password reset? It's going to send it to your email box. So now your email box has a password reset.

They reset it to whatever they want to. And then Bank of America says, yes, but wait, we need multifactor authentication. So we're going to send a text to your phone to make sure it's you. And remember, the bad guy, they just went ahead and transferred your phone number to their phone. So where does that text from Bank of America go? Right into their hands.

So now they've got your Bank of America account and they are in, and they transfer the money out, and according to the United States Secret Service, 90 seconds later, it is likely out of reach and out of the country. That's how bad it is right now. It's really bad.

So that's why I warned you guys forever. Don't use SMS as a way to authenticate yourself as part of multifactor authentication. There are a number of apps out there that will work quite well for you. You might remember 10, 20 years ago, probably 20-plus years ago now. Actually, people had these little key fobs.

I think it was Bank One that had the first one that I ever used. And you put it on your key chain and it had a little six-digit number that changed every 30 seconds.

So when you went to log in, you knew your username, you knew your password, and you looked at the key fob to see what the code was for this 30-second period and it would let you in. That's actually a great way to do it, but if you use 1Password or Google Authenticator or LastPass, there are a number of ways you can do it.

I recommend a few. If you just don't have the money, if you're not a business, just use Google Authenticator. Most websites will work with Google Authenticator.

So what will happen is the website will pop up a QR code on the screen and you then take a picture of that QR code with Google Authenticator, which will say, oh, okay, great, I got it. And then it'll start giving you codes. New codes, every 30 seconds, that you can use. So all you have to do is have your smartphone.

Now make sure your smartphone is locked down, but it's a little harder for them. If they're in Belarus or somewhere else, a little harder for them to get a hold of that phone so that they can then hack you by looking at your phone in order to get that code.

Now 1Password does the same thing, and then we combine 1Password with Duo and little key fobs and everything else. So depending on how secure it has to be, there may be multiple levels, but that's the basics.

Dark Reading has an article out this week talking about this: legacy email clients and what they're doing. So I explained to you the right way to do multi-factor authentication right now, and it's really, it's considered to be a very strong measure to protect you against an account takeover attack.

But the bad guys have a way around it, and here's what they're doing. Abnormal Security this week is reporting that they've seen an increase in attacks where the bad guys are using legacy apps with old email protocols. So nowadays, for instance, you might be using something called OAuth 2 behind the scenes, which you as a user probably wouldn't know, but that is used to authenticate you.

We have it set up for ourselves and our clients that you have to completely re-authenticate every week, which gets to be a bit of a pain, but it's actually a very good thing. In fact, I should probably have it set up to do it every day, but every week is pretty reasonable. And it uses more advanced protocols to authenticate me.

But if you've been around for a while, you're familiar with a protocol called POP, which was the Post Office Protocol. I used that for many years, and that allowed me to connect to the mail server, download all of them. My email would be deleted off the server. I'd have it on my laptop, and hopefully I had my laptop backed up so that I wouldn't get totally messed up if everything went wrong.

But there's an old protocol that really shouldn't be used anymore, in most cases. Another one is called IMAP, and it's a more modern protocol, but it doesn't have all these security checks supported. SMTP is another one that we've been trying to beef up somewhat. And they've done that by putting some encryption, TLS, on top of this simple mail transport protocol.

So what the bad guys are doing is they're connecting to your business email server, or a third-party email server. They're collecting all of the data, all of the information that they can about you.

Then they're signing in using a protocol that does not support and therefore it's not required to have multi-factor authentication. Very interesting. And they'll look at the email account information. They'll find it on paste sites. They'll find it out on the dark web. But one example is an old email client like Mailbird, which allows Gmail to be set up via IMAP, and then once they're using IMAP, they've gotten around the multifactor authentication.

So consider all of that stuff. If you're using Microsoft Office 365, there are multiple versions of it. Microsoft has well over 12,000 SKUs, in other words, individual products that you can buy. Most of the time we find businesses are buying the wrong Microsoft Office 365 products. They have whole groupings of them, but here's what I want you to pay attention to. If you are using Microsoft Office 365, most of their licenses give your organization the ability to turn on access policies to restrict these older protocols. Legacy access using all of these protocols we were just talking about is enabled by default on Microsoft Office 365.

So if you're a security guy or gal, you've got to go in. You have to disable legacy access on a per-person basis across the whole organization. How's that for fun? Now, there are some ways to do this using some CRM, why tools looking through, but you've got to do it one per one. But even so, the best protection an organization can implement is multifactor authentication and conditional access, best policies for all of these legacy apps, just like I constantly advise. You have to have restrictions, access policies by the group for different people and different groups within your organization. That goes down to the control, which in many cases is using a Microsoft tool in order to allow logins and other things. So keep an eye out for all of that.

By the way, the FBI estimated US businesses lost almost $2 billion to this type of fraud last year.

Stick around. We'll be right back.

You're listening to Craig Peterson.

We're going to talk about the FCC and what they're doing to help you.

Stick around. We'll be right back here on WGAN and online.

