As I’ve been traveling, I’ve been looking around for public hotspots to use for Internet access. There are a few very important security considerations to keep in mind when using public hotspots, though.
First, public hotspots generally don’t encrypt the wireless link. That means that anyone else on the hotspot (not just the operator) can see everything you send in the clear. I’ve demonstrated this before to people, and it always gets a raised eyebrow. In particular, usernames and passwords sent in the clear are visible to anyone who cares to look.
Worse, most computers have a number of programs on them that automatically try to log into various servers whenever an Internet connection shows up—things like the GMail Notifier, your e-mail client, Skype, instant messenger, Windows drive shares, or even your VPN client.
Under normal conditions, programs don’t immediately transmit auth credentials, but it’s trivial for an attacker to coax your computer into giving them out, and these attacks are in the wild and well documented.
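As an added illustration (not part of the original post), here is a small audit script a defender could run over a capture of their *own* laptop’s traffic on a test hotspot, to inventory which applications still send credentials in the clear. The sample lines, usernames and secrets are constructed; only usernames are reported, secrets are never stored or printed.

```python
import base64
import re

# Constructed sample of application-layer lines, as seen when auditing your
# OWN laptop's traffic on a test hotspot. None of these credentials are real.
SAMPLE_LINES = [
    "GET /inbox HTTP/1.1",
    "Host: mail.example.invalid",
    "Authorization: Basic YWxpY2U6aHVudGVyMg==",  # HTTP Basic: alice:hunter2
    "USER bob",                                    # POP3 / FTP login
    "PASS s3cret",
    "a001 LOGIN carol pa55word",                   # IMAP login
    "AUTH PLAIN AGRhdmUAcXdlcnR5",                 # SMTP: \0dave\0qwerty
    "GET /style.css HTTP/1.1",
]

BASIC_RE = re.compile(r"^Authorization:\s*Basic\s+(\S+)", re.I)
USER_RE = re.compile(r"^USER\s+(\S+)", re.I)
IMAP_LOGIN_RE = re.compile(r"^\S+\s+LOGIN\s+(\S+)\s+\S+", re.I)
SMTP_PLAIN_RE = re.compile(r"^AUTH\s+PLAIN\s+(\S+)", re.I)

def _b64(s):
    """Decode base64 or return None if the token is not valid base64."""
    try:
        return base64.b64decode(s, validate=True).decode("utf-8", "replace")
    except Exception:
        return None

def find_cleartext_logins(lines):
    """Return one finding per credential sent without transport encryption.
    Only the protocol and username are reported; the secret is dropped,
    because the goal is to inventory leaky applications, not to harvest."""
    findings = []
    for line in lines:
        line = line.strip()
        m = BASIC_RE.match(line)
        if m:
            decoded = _b64(m.group(1))
            user = decoded.split(":", 1)[0] if decoded else "<undecodable>"
            findings.append({"protocol": "HTTP Basic", "user": user})
            continue
        m = USER_RE.match(line)
        if m:
            findings.append({"protocol": "POP3/FTP USER+PASS", "user": m.group(1)})
            continue
        m = IMAP_LOGIN_RE.match(line)
        if m:
            findings.append({"protocol": "IMAP LOGIN", "user": m.group(1).strip('"')})
            continue
        m = SMTP_PLAIN_RE.match(line)
        if m:
            decoded = _b64(m.group(1))
            parts = decoded.split("\0") if decoded else []
            user = parts[1] if len(parts) >= 3 else "<undecodable>"
            findings.append({"protocol": "SMTP AUTH PLAIN", "user": user})
    return findings

if __name__ == "__main__":
    for f in find_cleartext_logins(SAMPLE_LINES):
        print(f"{f['protocol']:20} user={f['user']}")
```

Every application that shows up in the output is one that a hotspot eavesdropper could learn a password from; switching those to TLS, or protecting the account with a second factor, are the mitigations.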
There are two solutions to this problem. The first is to be extremely careful, and to learn about and understand the inner workings of every program on your computer that has authentication credentials. This is, to say the least, generally impractical.
My favorite solution (not that I’m biased) is to use PhoneFactor! That way, even a captured password is useless without also capturing the user’s phone, and that’s an entirely different problem for an attacker.
This goes double for IT departments, by the way. You not only have to worry about the software on your personal computers, but also whatever might be out there on corporate laptops. Adding two-factor authentication such as PhoneFactor is the only way to really be sure your users aren’t unwittingly mass-compromising your systems.
-Steve
I think another issue here is that an attacker could just use the stolen credentials for something else that isn’t PhoneFactored. Many users these days use the same password for multiple web services (I wonder when it will become standard practice to use an online password storage), so even though you are greatly reducing the risk that an attacker impersonates you for some services, your credentials have *still* been stolen and can be used in a great many other places.
Here’s an interesting thought: say all the applications you mentioned in your previous post (e.g. IM, Skype, e-mail) were using PhoneFactor. When the user logs on to his computer, his phone would ring like 20 times, and some of the applications would probably fail to authenticate since they are trying to call your phone at the same time.