Public Service Announcement: Don’t forget to enable two-factor authentication on your e-mail accounts!
A co-worker of mine got his Gmail hacked. I doubt anyone guessed the password — it was not easily “guessable.” There was probably some malware running on a machine he used to log in at some point. Who knows?
Why is a hacked Gmail or Yahoo Mail account a big deal? Because once they get into your e-mail account, they have access to EVERYTHING.
Think about it… if someone has access to your e-mail account, they can launch any number of frauds against you. They can read through your email and see that you’re on vacation in Hawaii. Then, when you’re asleep, they can email your contacts asking them to send money via PayPal using credible details about your travel (“I twisted my ankle on the beach — please send cash!”). They can also reset the passwords on your bank accounts, Facebook, etc. With access to your e-mail account, a hacker is like a kid in a candy store.
For a number of years I’ve been using Two-Factor Authentication on my Gmail account. You can set it up so that each time you log in, you are sent a text with an additional code that’s only valid for a short period of time. Alternatively, Google makes an app (called Google Authenticator) that gives you the code even if you aren’t in wireless range. Using two-factor authentication makes it MUCH harder for someone (other than you) to access your Gmail account.
If you don’t always (or ever?) carry around a smartphone and would rather have a physical device, you can use an “electronic key” that you plug into your computer. I’ve used a Yubico security key (the cheap one — there are more expensive versions) and can recommend it. It’s a little device that hooks to your keychain. It almost looks like a USB thumb drive, and while it does get inserted in a USB port, it is much more rugged than a standard thumb drive. You can set it up so that the key has to be plugged into your computer in order to log in to your account.
I found the security key to be easy to carry around, cheap ($18 on Amazon – not an affiliate link), and waterproof. The key can be used to provide an extra layer of security not only for Gmail, but also WordPress (via third-party plugin), LastPass, and more. One downside, however, is that it only works with the Google Chrome browser at the moment. I would imagine as more browsers adopt the FIDO U2F standard specification, more options will be available.
Whether you choose to use one of the two free options, or pony up for a physical device like the security key, the only thing that matters is that you do SOMETHING. If you use Gmail, watch the video above to learn step-by-step how to do it. Please do it now and avoid waking up some morning to find that you’ve been hacked. It’s not a good feeling.