Zit Seng's Blog

A Singaporean's technology and lifestyle blog

Make Backups and Go 2FA

It’s still relatively early in this new year of 2015, and if you’ve not thought about any new year’s resolution, I’ve some suggestions for you. If you’re not already doing these things, it’s high time that you make them a priority. It’s 2015: you had better be making backups of your computer stuff, and you had better be using 2FA.

Let’s talk about backups first. I think it goes without saying, at least for savvy computer users, that you must make backups of your computer and whatever other digital content you possess. Yet it isn’t surprising that many users still don’t do backups. In particular, I must stress that I mean regular, systematic backups. Not that one-time backup you did one or two years ago because you got scared after almost losing something important.

Mac users have absolutely no excuse not to be making regular, systematic backups. Time Machine, which is built into OS X, does an excellent job of performing automatic, system-wide backups for you. You only need to give it an external disk and remember to turn on the feature. That’s all there is to it. You don’t have to think about which directories need backing up and which don’t. You could do that if you truly want to, but the beauty of OS X’s Time Machine is that it just does the sensible thing for you.


External and portable hard disks are relatively cheap nowadays. You should have more than one Time Machine backup disk. At least have two of them, and make sure they are in different physical locations. Having one Time Machine backup disk at home and the other in the office is a good start.

I’m not a Windows user, so unfortunately I don’t know what to recommend for Windows. There is in fact something called File History baked into Windows 8 that’s similar to OS X’s Time Machine. Alternatively, backup software is also bundled with many external and portable hard disk drives.

If you use cloud storage, remember to back that up too! Many people wrongly assume that the cloud is infallible. Accidents do happen. Even Amazon Web Services (AWS) has lost customer data too! You had better have a backup plan in case disaster strikes, they get hacked, or they suddenly go out of business. Besides, you want to guard against your own erroneous actions (i.e. you yourself accidentally deleted your stuff).

If you’re thinking a cloud storage service like Dropbox already syncs data across multiple devices, and that those copies are inherently backups, think again. An accidental file corruption on one device may sync to Dropbox’s servers, which then send the corrupted content to all your other devices. Data replication is not the same as backup.

Your dandy NAS appliance, if you have one at home, has its vulnerabilities too. RAID arrays (apart from RAID 0) replicate data to guard against a single drive failure. But what happens when something screws up, like when your computer corrupts files or the entire filesystem? RAID does not protect against that. Also consider the case of a fire or theft: you’ll lose everything in an instant.

I often stress this to people. Don’t mistake replication for backup. They are different things altogether.

Next, I want to encourage you to use two-factor authentication (2FA), if you’ve not begun to do so. 2FA is also known in some places as 2nd factor authentication. In Singapore, banks were mandated by regulation to introduce physical 2FA hardware tokens several years ago. To log in to a 2FA-protected system, apart from requiring your password, you also need to enter a secret number displayed on the 2FA device. 2FA ensures that whoever is trying to log in with your credentials must not only have your password, but must also be in possession of the 2FA device.

We’ve heard time and again about various organisations and systems within them being compromised. Passwords are no longer sufficiently secure. Simply having good passwords, and different ones at each system, might not be good enough. The frequency, volume and scale of data breaches happening around the world are simply mind-boggling.

2FA gives you an extra layer of protection. Of course, you cannot pick and choose where you want to use 2FA. In the first place, the system must support 2FA before you can even use it, or enable it for your account. However, apart from banks, where 2FA is mandated by regulation in Singapore, many websites and systems are offering 2FA. I suggest that you turn on 2FA for your account at these sites:

  • Google (i.e. Gmail, etc, where your Google account is used)
  • Facebook

The reason why I focus on these two is that they are likely to be quite important and play a central part in your online activities. Your Google and Facebook accounts are also often used to provide authentication for login to numerous other websites and services that you use. For example, Qoo10 allows you to log in with your Facebook account. If your Google or Facebook account is compromised, the impact is not limited to your presence in Google and Facebook, which on its own could already be bad enough, but also affects numerous other services that you use.

Notice that the problem isn’t necessarily about Google or Facebook themselves being compromised per se. Their systems could be perfectly secure, yet for some other reason your password could have been leaked. A malicious hacker could have learnt your password from a breach at another website. Some people use different, but related, passwords at different websites, so that their passwords are sort of unique, yet still easy to remember. In this case, it’s possible that the malicious hacker, after having learnt your password from a breach at one website, can make educated guesses about what your passwords might be at other websites.

Side note: I wanted to suggest that you use truly unique passwords at each and every account you have online. Passwords that are different, unrelated, and truly random. The only practical way to do this, however, is to have a password manager to help keep track of all your passwords. This is a good thing to do, but in principle there are still some challenges.

In my opinion, 2FA is an easier win, and makes a more significant and meaningful improvement to security. Note that services like Google and Facebook adopt the RFC 6238 Time-Based One-Time Password Algorithm, and the token takes the form of a mobile app installed on your smartphone. Yes, a single app can provide the 2FA for multiple services. It’s a great idea, and it would be really nice if everyone could use the same system. I can’t imagine having to install a 2FA app for every website out there that wants to do 2FA. (Worse, if every organisation wanted to give you a physical 2FA token, you’re going to have a big bunch of tokens to look after.)

Backups and 2FA: two easy but important things to do. If you’re not already doing them, you’d better start now.
