Google makes it easier for cheap phones and smart devices to encrypt your data

Encryption is an important part of the whole securing-your-data package, but it’s easy to underestimate the amount of complexity it adds to any service or device. One part of that is the amount of processing encryption takes — an amount that could be impractical on small or low-end devices. Google wants to change that with a highly efficient new method called Adiantum.

Encryption is an important part of the whole securing-your-data package, but it’s easy to underestimate the amount of complexity it adds to any service or device. One part of that is the amount of processing encryption takes — an amount that could be impractical on small or low-end devices. Google wants to change that with a highly efficient new method called Adiantum.

Here’s the problem. While encryption is in a way just transforming one block of data reversibly into another, that process is actually pretty complicated. Math needs to be done, data read and written and reread and rewritten and confirmed and hashed.

For a text message that’s not so hard. But if you have to do the same thing as you store or retrieve megabyte after megabyte of data, for instance with images or video, that extra computation adds up quick.

Lots of modern smartphones and other gadgets are equipped with a special chip that performs some of the most common encryption algorithms and processes (namely AES), just like we have GPUs to handle graphics calculations in games and such.

But what about older phones, or cheaper ones, or tiny smart home gadgets that don’t have room for that kind of thing on their boards? Just like they can’t run the latest games, they might not be able to efficiently run the latest cryptographic processes. They can still encrypt things, of course, but it might take too long for certain apps to work, or drain the battery.

Google, clearly interested in keeping cheap phones competitive, is tackling this problem by creating a special encryption method just for low-power phones. They call it Adiantum, and it will be optionally part of Android distributions going forward.

The technical details are all here, but the gist is this. Instead of using AES it relies on a cipher called ChaCha. This cipher method is highly optimized for basic binary operations, which any processor can execute quickly, though of course it will be outstripped by specialized hardware and drivers. It’s well documented and already in use lots of places — this isn’t some no-name bargain bin code. As they show, it performs way better on earlier chipsets like the Cortex A7.

The Adiantum process doesn’t increase or decrease the size of the payload (for instance by padding it or by appending some header or footer data), meaning the same number of bytes come in as go out. That’s nice when you’re a file system and don’t want to have to set aside too many special blocks for encryption metadata and the like.

Naturally new encryption techniques are viewed with some skepticism by security professionals, for whom the greatest pleasure in life is to prove one is compromised or unreliable. Adiantum’s engineers say they have “high confidence in its security,” with the assumption (currently reasonable) that its component “primitives” ChaCha and AES are themselves secure. We’ll soon see!

In the meantime don’t expect any instant gains, but future low-power devices may offer better security without having to use more expensive components — you won’t have to do a thing, either.

Oh, and in case you were wondering:

Adiantum is named after the genus of the maidenhair fern, which in the Victorian language of flowers (floriography) represents sincerity and discretion.

As threats proliferate, so do new tools for protecting medical devices and hospitals

Six months after an episode of “Homeland” showed hackers exploiting security vulnerabilities in the (fictional) Vice President’s pacemaker, Mike Kijewski, the founder of a new startup security company called Medcrypt, was approached by his (then) employers at Varian Medical Systems with a unique problem.  “A hospital came to the company and said we are treating […]

Six months after an episode of “Homeland” showed hackers exploiting security vulnerabilities in the (fictional) Vice President’s pacemaker, Mike Kijewski, the founder of a new startup security company called Medcrypt, was approached by his (then) employers at Varian Medical Systems with a unique problem. 

“A hospital came to the company and said we are treating a patient and a nation-state may attempt to assassinate the patient that we’re treating by using a cybersecurity vulnerability in a medical device to do it,” Kijewski recalled.

At the time, there were no universal solutions to those types of security threats — so companies were left to cobble together one-off solutions for their devices, which is what Kijewski’s former employer likely attempted to do.

Ever since, Kijewski became obsessed with the security holes that exist in the foundation of the healthcare industry’s practice — the devices used to diagnose and treat patients.

“My partner Eric Pancoast and I looked into the problem of medical device cybersecurity and we found two things,” says Kijewski. “Number one there were no regulations forcing medical device companies to use cybersecurity protections at all. Number two, any given company has only one core competency — maybe two. And are medical device vendors going to have cryptography and cybersecurity competencies?”

Medcrypt was launched in 2016 to ensure that medical device manufacturers wouldn’t need to be cryptographic experts. The company is graduating from the latest batch of Y Combinator (after raising a $3 million seed round from Eniac Ventures and other investors) with a pitch to secure medical devices using just a single line of code.

It’s a technological necessity thanks to new guidelines from the Food and Drug Administration requiring medical devices to include security features like encryption, signature verification, and intrusion detection.

By inserting a single line of code into the software of a device, Medcrypt can provide the security manufacturers need at the device level, according to Kijewski.

The company not only encrypts the data on the device, but it also provide intrusion detection services by analyzing medical device metadata to identify standard device behaviors and deviations from that behavior, Kijewski said.

Medcrypt is one of a growing number of startups that are securing medical devices and hospital networks as the threats to the healthcare system proliferate.

Other startups are working on protecting hospital networks. Companies like Medigate, founded by ex-Israeli officers from the Israeli Defense Forces, which just raised $15 million from investors including YL Ventures and US Venture Partners; and Cylera, which is backed by Samsung Next and launched from the DreamIT healthcare accelerator are two such companies.

By 2017, Beckers Health IT and CIO Report counted over 107 technology companies pitching cybersecurity solutions to healthcare practitioners and medical device manufacturers.

It’s little wonder so many companies are pouring in to close the (data) breach in healthcare, given the scope of the problem.

A 2018 report from Experian cited by U.S. News indicated that 233 breaches were reported to the Department of Health and Human Services, media, or state attorneys general in the period from January to June 2017. And for the 193 attacks where the scope of the breach was calculated, roughly 3.2 million patient records were affected.

Experian predicts healthcare cybersecurity spending will be a $65 billion industry by 2021.

Still, some of the security problems that hospitals face can be solved with some fairly basic updates. Indeed, perhaps the most critical — and the one that left hospitals most exposed — is just ensuring that their technology can accept patches and security upgrades. Many of the attacks that crippled health networks came down to an inability to upgrade their Windows operating systems.

Sometimes, all it takes is tightening the screws to make sure the machines don’t fall apart.

“Connected medical devices — from patient monitors, MRIs and CAT scanners to infusion pumps and yet-to-be invented devices — are critical to the delivery of healthcare today and are revolutionizing the care of tomorrow,” said YL Ventures founder Yoav Leitersdorf in a statement announcing Medigate’s 2017 financing. “These devices are inherently different from traditional IT endpoints and can’t be protected by currently available products and practices. With the pandemic of cyberattacks targeting healthcare providers, far too many connected devices are left vulnerable and exposed, putting patient health and privacy at risk.”

 

Houzz resets user passwords after data breach

Houzz, a $4 billion-valued home improvement startup that recently laid off 10 percent of its staff, has admitted a data breach. A reader contacted TechCrunch on Thursday with a copy of an email sent by the company. It doesn’t say much — such as when the breach happened, or if a hacker to blame or if […]

Houzz, a $4 billion-valued home improvement startup that recently laid off 10 percent of its staff, has admitted a data breach.

A reader contacted TechCrunch on Thursday with a copy of an email sent by the company. It doesn’t say much — such as when the breach happened, or if a hacker to blame or if it was a data exposure that the company could’ve prevented.

Houzz spokesperson Gabriela Hebert would not comment beyond an FAQ posted on the company’s website, citing an ongoing investigation.

In that FAQ, the company said it “recently learned that a file containing some of our user data was obtained by an unauthorized third party.” It added: “We immediately launched an investigation and engaged with a leading forensics firm to assist in our investigation, containment, and remediation efforts.”

The company said it was notifying all of its users who may have been affected.

An email from a Houzz user. (Image: supplied)

Houzz said some publicly visible information from a user’s Houzz profile, such as name, city, state, country and profile description, along with internal identifiers and fields “that have no discernible meaning to anyone outside of Houzz,” such as the region and location of the user and if they have a profile image, for example, the company said.

The company also said that usernames and scrambled passwords were also taken.

Houzz said that the passwords were scrambled and salted using a one-way hashing algorithm, but did not provide specifics on what kind of hashing algorithm was used. Some algorithms, like MD5, are old and outdated but still in use, while newer hashing algorithms — like bcrypt — are stronger and can be more difficult to crack, depending on the number of rounds the passwords go through.

Regardless, the company recommended users change their passwords.

No financial information was taken, according to the FAQ.

The company was last year among many mocked for sending out emails to users alerting them of mandatory changes to their privacy policies ahead of the 2018-introduced EU General Data Protection Regulation (GDPR) law, saying it “value[s]” its customers privacy. “Their opening lines offer a glimpse of the way legal policy and user experience are colliding under the new regulations,” said Fast Company.

But it’s not clear if the company will face penalties — up to four percent of its global revenue — as a result of the regulation, only that the company “notified EU authorities within the statutory period,” said the spokesperson.

Another day, another breach.

Data management giant Rubrik leaked a massive database of client data in security lapse

A server security lapse has exposed a massive database of customer information belonging to Rubrik, an IT security and cloud data management giant. The company pulled the server offline Tuesday within an hour of TechCrunch alerting the company, after the data was found by security researcher Oliver Hough. The exposed server wasn’t protected with a […]

A server security lapse has exposed a massive database of customer information belonging to Rubrik, an IT security and cloud data management giant.

The company pulled the server offline Tuesday within an hour of TechCrunch alerting the company, after the data was found by security researcher Oliver Hough. The exposed server wasn’t protected with a password, allowing access to anyone who knew where to find the server.

The database itself, running on a hosted Amazon Elasticsearch server, was storing tens of gigabytes of data, including customer names, contact information, and case work for each corporate customer.

It’s believed the data goes back to October 2018, according to timestamps found inside.

A portion of the database was dedicated to all of the company’s corporate clients, allowing its customers to interact with Rubrik staff with issues or complaints. This included the contents emails that had been ingested into the system from customers — including, in many cases, their email signature with names, job titles and phone numbers. From a cursory review, we also found some emails included sensitive information about that customers’ setup and configuration.

Each company record also includes descriptive profile information, such as if it’s a Global 2000 or a Fortune 500 ranked company to determine the importance of the account, as well as the go-to person’s name and phone number.

It’s somewhat ironic, given that the IT unicorn, valued at $3.3 billion, recently announced that it’s expanding into security and compliance services.

Ribrik has thousands of major clients, and publicizes big names such as the Scottish Government, the U.S. Department of Defense, and CarePoint Health, among others, on its website.

But the client database disclosed what appears to be the company’s entire roster of corporate customers, including Deloitte, Shell, Amalgamated Bank, the U.K. National Health Service, and Homeland Security and other federal government departments.

In remarks, Rubrik said it was investigating.

“While building a new solution for customer support, a sandbox environment containing a subset of our customer corporate contact information and support interaction data was potentially accessible for a brief period of time,” said a spokesperson for Rubrik. “We rectified this issue immediately.”

“We also confirmed that no customer-owned data was exposed,” the spokesperson added. The company also said that, “other than the security researcher who discovered this issue, no one has accessed this environment,” without providing evidence for that claim.

It’s not known who might have accessed it, but the exposed server was indexed on Shodan, a search engine for exposed devices and databases, making it easily discoverable and accessible.

“We have traced the cause to human error, a default access setting was not changed per our standard practice. We have enacted changes to our processes to prevent this from happening again. Privacy and security is our top concern and we sincerely apologize for the mistake,” the spokesperson said.

Rubrik didn’t say if it would notify its customers or state regulators, per data breach notification laws.

Given that European businesses are included in the exposed data, Rubrik could face financial penalties of up to four percent of its global annual revenue if found to be in breach of the EU’s recently implemented GDPR data protection rules.

Rubrik’s data exposure came just months after data management and backup rival Veeam exposed millions of email addresses in its own data exposure.

Fortnite bugs put accounts at risk of takeover

With one click, any semi-skilled hacker could have silently taken over a Fortnite account, according to a cybersecurity firm who says the bug is now fixed. Researchers at Check Point say the three vulnerabilities chained together could have affected any of its 200 million players. The flaws, if exploited, would have stolen the account access token […]

With one click, any semi-skilled hacker could have silently taken over a Fortnite account, according to a cybersecurity firm who says the bug is now fixed.

Researchers at Check Point say the three vulnerabilities chained together could have affected any of its 200 million players. The flaws, if exploited, would have stolen the account access token set on the gamer’s device once they’ve entered their password.

Once stolen, that token could be used to impersonate the gamer and log in as if they were the account holder, without needing their password.

The researchers say that the flaw lies in how Epic Games, the maker of Fortnite, handles login requests. Researchers said they could send any user a crafted link that appears to come from Epic Games’ own domain and steal an access token needed to break into an account.

Check Point’s Oded Vanunu explains how the bug works. (Image: supplied)

“It’s important to remember that the URL is coming from an Epic Games domain, so it’s transparent to the user and any security filter will not suspect anything,” said Oded Vanunu, Check Point’s head of products vulnerability research, in an email to TechCrunch.

Here’s how it works: the user clicks on a link, which points to an epicgames.com subdomain, which the hacker embeds a link to malicious code on their own server by exploiting a cross-site weakness in the subdomain. Once the malicious script loads, unbeknownst to the Fortnite player, it steals their account token and sends it back to the hacker.

“If the victim user is not logged into the game, he or she would have to login first,” said Vanunu. “Once that person is logged in, the account can be stolen.”

Epic Games has since fixed the vulnerability.

“We were made aware of the vulnerabilities and they were soon addressed,” said Nick Chester, a spokesperson for Epic Games. “We thank Check Point for bringing this to our attention.”

“As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others,” he said.

When asked, Epic Games would not say if user data or accounts were compromised as a result of this vulnerability.

Tesla is entering the Model 3 into Pwn2Own, one of the world’s toughest hacking contests

Tesla is handing over its new Model 3 sedan to Pwn2Own this year, the first time a car has been included in the annual high-profile hacking contest. The prize for the winning security researcher: a Model 3. Pwn2Own, which is in its 12th year and run by Trend Micro’s Zero Day Initiative, is known as […]

Tesla is handing over its new Model 3 sedan to Pwn2Own this year, the first time a car has been included in the annual high-profile hacking contest.

The prize for the winning security researcher: a Model 3.

Pwn2Own, which is in its 12th year and run by Trend Micro’s Zero Day Initiative, is known as one of the industry’s toughest hacking contests. ZDI has awarded more than $4 million over the lifetime of the program.

Pwn2Own’s spring vulnerability research competition, Pwn2Own Vancouver, will be held in March 20 to 22 and will feature five categories, including web browsers, virtualization software, enterprise applications, server-side software, and the new automotive category. The targets, chosen by ZDI, include software products from Apple, Google, Microsoft, Mozilla, Oracle, and VMware. And, of course, Tesla . Pwn2Own is run in conjunction with the CanSec West conference.

Tesla has had a public relationship with the hacker community since 2014 when the company launched its first bug bounty program. And it’s grown and evolved ever since.

Last year, the company increased the maximum reward payment from $10,000 to $15,000 and added its energy products as well. Today, Tesla’s vehicles and all directly hosted servers, services and applications, are now in scope in its bounty program.

The company also made an important overhaul last year to its bug bounty program to support “safe harbor” by allowing car owners to hack their own cars as long as they stick to the rules. Tesla’s product security policy now says that if, through “good-faith security research” you brick your car, the company will reflash the software over-the-air or at a service center. The company says it won’t void the warranty on their car if they hack its software either.

There’s a reason why Tesla (and now other automakers) have launched bug bounty programs. Tesla vehicles are software centric and in many ways changed the industry by enabling over the air software updates that can fix glitches and security problems as well as improve performance and add other new features. It’s what has allowed Tesla to win over consumers with the idea that their vehicle will get better over time.

But with that comes possible security issues. Since 2014, the program has led Tesla to release a number of security improvements including cryptographic validation of its software, more robust cryptography for its key fobs, and the launch of PIN-to-Drive, which aims to prevent against relay attacks on keyfob cloning.

Of course, there’s no guarantee that hackers at Pwn2Own Vancouver will find any vulnerabilities. TechCrunch was told by a Trend Micro spokesperson that the percentage of successful attempts varies, but it’s usually around 50% of available targets.

It’s also unclear if researchers will enter the automotive category since it’s new this year, the spokesperson said, adding that she hopes people enter “as we would love to see what the state of the art in automotive research really is.”

Some US government websites won’t load after HTTPS certificates expire during shutdown

In a government shutdown, everything deemed non-essential stops. As we found out, renewing the certificates on its websites is considered non-essential. Several government sites are currently inaccessible or blocked by most browsers after their HTTPS certificate expired. With nobody available to renew them during the government shutdown, these sites are kicking back warning errors. According […]

In a government shutdown, everything deemed non-essential stops. As we found out, renewing the certificates on its websites is considered non-essential.

Several government sites are currently inaccessible or blocked by most browsers after their HTTPS certificate expired. With nobody available to renew them during the government shutdown, these sites are kicking back warning errors.

According to Netcraft, a U.K.-based internet security services company, many government domains can’t be accessed until someone fixes the certificates. Some sites, like one Justice Department subdomain, are at the time of writing completely inaccessible because the domain is included in Chrome’s HSTS preload list, used by browsers to force browsers into using HTTPS only when accessing pages on the domain.

Others, like this NASA page and one U.S. Courts website, however, aren’t using HSTS and are still accessible via an interstitial warning.

So what’s happening?

Every time your browser lights up with “HTTPS” in green or flashes a padlock, it’s a TLS certificate encrypting the connection between your computer and the website, ensuring nobody can intercept and steal your data or modify the website. But TLS certificates are notoriously delicate things. When a certificate expires — a common mistake as people often forget to renew them. Depending on the security level, most websites will kick back browser errors while other sites won’t let you in at all until the expired certificate is renewed.

Except in this case, they can’t — because there’s nobody there to buy and install a new certificate.

As it stands, it’s the responsibility of each department and agency to renew the certificate for their own domain. Depending on how many workers have been furloughed and sent home in each agency, renewing a certificate might not be a top priority when they’re short staffed and overworked already.

There is some good news.

Most major government websites aren’t down or likely to go down any time soon. Most government certificates aren’t set to expire for many more months. Also, any government website hosted on cloud.gov, search.gov, or federalist.18f.gov won’t get certificate errors as these domains automatically renew their certificates every three months with Let’s Encrypt.

Until the government opens up again, don’t expect these websites until then. But depending on how long this shutdown lasts, you can certainly expect things to get a lot worse.

Cybersecurity 101: Five simple security guides for protecting your privacy

With hundreds of millions of people home for the holidays, now is a better time than ever to spread good tidings and cheer, and — well, some much-needed security advice for all the family. Security sounds complicated, but it doesn’t have to be. Privacy is more important than ever. With an ever-changing and evolving landscape […]

With hundreds of millions of people home for the holidays, now is a better time than ever to spread good tidings and cheer, and — well, some much-needed security advice for all the family.

Security sounds complicated, but it doesn’t have to be. Privacy is more important than ever. With an ever-changing and evolving landscape of threats and hacks, breaches and vulnerabilities, there’s no better time of the year to help your family navigate some of the most basic but effective security tips. (Let’s face it, you were bound to end up being called on for tech support at some point anyway.)

We’ve put together five how-to guides covering cybersecurity basics that anyone can learn — and everyone should learn, including:

Why you need to use a password manager

If you thought passwords will soon be dead, think again. They’re here to stay — for now. Passwords are cumbersome and hard to remember — and just when you did, you’re told to change it again. And sometimes passwords can be guessed and are easily hackable. Nobody likes passwords but they’re a fact of life. […]

Getty Images

If you thought passwords will soon be dead, think again. They’re here to stay — for now. Passwords are cumbersome and hard to remember — and just when you did, you’re told to change it again. And sometimes passwords can be guessed and are easily hackable.

Nobody likes passwords but they’re a fact of life. And while some have tried to kill them off by replacing them with fingerprints and face-scanning technology, neither are perfect and many still resort back to the trusty (but frustrating) password.

How do you make them better? You need a password manager.

What is a password manager?

Think of a password manager like a book of your passwords, locked by a master key that only you know.

Some of you think that might sound bad. What if someone gets my master password? That’s a reasonable and rational fear. But assuming that you’ve chosen a strong and unique, but rememberable, master password that you’ve not used anywhere else is a near-perfect way to protect the rest of your passwords from improper access.

Password managers don’t just store your passwords — they help you generate and save strong, unique passwords when you sign up to new websites. That means whenever you go to a website or app, you can pull up your password manager, copy your password, paste it into the login box, and you’re in. Often, password managers come with browser extensions that automatically fill in your password for you.

And because many of the password managers out there have encrypted sync across devices, you can take your passwords anywhere with you — even on your phone.

Why do you need to use one?

Password managers take the hassle out of creating and remembering strong passwords. It’s that simple. But there are three good reasons why you should care.

Passwords are stolen all the time. Sites and services are at risk of breaches as much as you are to phishing attacks that try to trick you into turning over your password. Although companies are meant to scramble your password whenever you enter it — known as hashing — not all use strong or modern algorithms, making it easy for hackers to reverse that hashing and read your password in plain text. Some companies don’t bother to hash at all! That puts your accounts at risk of fraud or your data at risk of being used against you for identity theft.

But the longer and more complex your password is — a mix of uppercase and lowercase characters, numbers, symbols and punctuation — the longer it takes for hackers to unscramble your password.

The other problem is the sheer number of passwords we have to remember. Banks, social media accounts, our email and utilities — it’s easy to just use one password across the board. But that makes “credential stuffing” easier. That’s when hackers take your password from one breached site and try to log in to your account on other sites. Using a password manager makes it so much easier to generate and store stronger passwords that are unique to each site, preventing credential stuffing attacks.

And, for the times you’re in a crowded or busy place — like a coffee shop or an airplane — think of who is around you. Typing in passwords can be seen, copied and later used by nearby eavesdroppers. Using a password manager in many cases removes the need to type any passwords in at all.

Which password manager should you use?

The simple answer is that it’s up to you. All password managers perform largely the same duties — but different apps will have more or relevant features to you than others.

Anyone running iOS 11 or later — which is most iPhone and iPad users — will have a password manager by default — so there’s no excuse. You can sync your passwords across devices using iCloud Keychain.

For anyone else — most password managers are free, with the option to upgrade to get better features.

If you want your passwords to sync across devices for example, LastPass is a good option. 1Password is widely used and integrates with Troy Hunt’s Pwned Passwords database, so you can tell if (and avoid!) a password that has been previously leaked or exposed in a data breach.

Many password managers are cross-platform, like Dashlane, which also work on mobile devices, allowing you to take your passwords wherever you go.

And, some are open source, like KeePass, allowing anyone to read the source code. KeePass doesn’t use the cloud so it never leaves your computer unless you move it. That’s much better for the super paranoid, but also for those who might face a wider range of threats — such as those who work in government.

What you might find useful is this evaluation of five password managers, which offers a breakdown by features.

Like all software, vulnerabilities and weaknesses in any password manager can make put your data at risk. But so long as you keep your password manager up to date — most browser extensions are automatically updated — your risk is significantly reduced.

Simply put: using a password manager is far better for your overall security than not using one.

Check out our full Cybersecurity 101 guides here.

Two-factor authentication can save you from hackers

If you find passwords annoying, you might not like two-factor authentication much. But security experts say it’s one of the best ways to protect your online accounts. Simply put, two-factor authentication adds a second step in your usual log-in process. Once you enter your username and password, you’ll be prompted to enter a code sent […]

Getty Images

If you find passwords annoying, you might not like two-factor authentication much. But security experts say it’s one of the best ways to protect your online accounts.

Simply put, two-factor authentication adds a second step in your usual log-in process. Once you enter your username and password, you’ll be prompted to enter a code sent as a text message or an email, or sometimes as a push notification on your phone.

In all, it usually only adds a few extra seconds to your day.

Two-factor authentication (sometimes called “two-step verification”) combines something you know — your username and password, with something you have — such as your phone or a physical security key, or even something you are — like your fingerprint or another biometric, as a way of confirming that a person is authorized to log in. You might not have thought much about it, but you do this more than you think. Whenever you withdraw money from an ATM, you insert your card (something you have) and enter your PIN (something you know) — which tells the bank that it’s you. Even when you use your bank card on the internet, often you still need something that you know — such as your ZIP or postal code.

Having a second step of authentication makes it so much more difficult for a hacker or a thief to break into your online accounts.

Why is two-factor important?

Gone are the days where your trusty password can protect you. Even if you have a unique password for every website you use, there’s little in the way to stop malware on your computer (or even on the website!) from scraping your password and using it again. Or, if someone sees you type in your password, they can memorize it and log in as you.

Don’t think it’ll happen to you? So-called “credential stuffing” or brute-force attacks can make it easy for hackers to break in and hijack people’s online accounts in bulk. That happens all the time. Dunkin’ Donuts, Warby Parker, GitHub, AdGuard, the State Department — and even Apple iCloud accounts have all fallen victim to credential-stuffing attacks in recent years. Only two-factor accounts are protected from these automated log-in attacks.

Two-factor also protects you against phishing emails. If someone sends you a dodgy email that tries to trick you into logging in with your Google or Facebook username and password to a fake site, for example, two-factor can still protect you. Only the legitimate site will send you a working two-factor code.

Enabling two-factor is a good start, but it’s not a panacea. As much as it can prevent hackers from logging in as you, it doesn’t mean that your data stored on the server is protected from hackers breaching a server elsewhere, or a government demanding that the company turns over your data.

And some methods of two-factor are better than others. As you’ll see.

The best way to two-factor your accounts

Let’s get something out of the way real quick. Even if you want to go all-out and secure your accounts, you’ll quickly realize many sites and services just don’t support two-factor. You should tell them to! You can see if a website supports two-factor here.

But as credential-stuffing attacks rise and data breaches have become a regular occurrence, many sites and services are doing everything they can to protect their users.

There are four main types of two-factor authentication, ranked in order of effectiveness:

A text message code: The most common form of two-factor is a code sent by SMS. It doesn’t require an app or even a smartphone, just a single bar of cell service. It’s very easy to get started. But two-factor by text message is the least secure method. These days, hackers can easily exploit weaknesses in the phone networks to steal SMS two-factor codes. Because SMS messages aren’t encrypted, they can also just leak. More recently, researchers found that this can be done on a massive scale. Also, if your phone is lost or stolen, you have a problem. A text message code is better than not using two-factor at all, but there are far more secure options.

An authenticator app code: This works similarly to the text message, except you’ll have to install an app on your smartphone. Any time you log in, you’ll get a code sent to your app. There are many authenticator apps to choose from, like Authy, Duo, and Google Authenticator. The difference here is that they are sent over an HTTPS connection, making it near-impossible for anyone to snoop in and steal the code before you use it. But if you lose your phone or have malware on your phone — especially Android devices — those codes can be stolen once they arrive on your device.

A biometric: Smile! You’re on camera. Often, in industrial or enterprise settings, you’ll be asked for your biometrics, such as facial recognition, an iris scan or, more likely, a fingerprint. These usually require specialized hardware (and software) and are less common. A downside is that these technologies can be spoofed — such as cloning a fingerprint or creating a 3D-printed head.

A physical key: Last but not least, a physical key is considered the strongest of all two-factor authentication methods. Google said that it hasn’t had a single confirmed account takeover since rolling out security keys to its staff. Security keys are USB sticks that you can keep on your keyring. When you log in to your account, you are prompted to insert the cryptographically unique key into your computer and that’s it. Even if someone steals your password, they can’t log in without that key. And phishing pages won’t work because only the legitimate sites support security keys. These keys are designed to thwart even the smartest and most resourceful attackers, like nation-state hackers.

There are several security keys to choose from: Google has its Advanced Protection Program for high-risk users, like politicians and journalists, and its Google Titan key for everyone else. But many security experts will say Yubikey is the gold standard of security keys. There are a few things to note. Firstly, not many sites support security keys yet, but most of the major companies do — like Microsoft, Facebook, Google and Twitter. Usually, when you set up a physical key, you can’t revert to a text message code or a biometric. It’s a security key, or nothing. A downside is that you will have to buy two — one as a backup — but security keys are inexpensive. Also, if one is stolen, there’s no way to determine your account from the key itself. But, if you lose them both, you might be done for. Even the company that stores your data might not be able to get you back into your account. So, be careful and keep one safe.

That’s what you need to know. You might want to create a checklist of your most valuable accounts, and begin switching on two-factor authentication starting with them. In most cases, it’s straightforward — but you can always head to this website to learn how to enable two-factor on each website. You might want to take an hour or so to go through all of your accounts — so put on a pot of coffee and get started.

You should see two-factor as an investment in security: a little of your time today, to save you from a whole world of trouble tomorrow.

Check out our full Cybersecurity 101 guides here.