
and password from then on,” Dorsey says, though he suggests a second OTP sign-in after lunch.
Limiting access by time also shrinks that vulnerability bubble. This is accomplished, for example, by not allowing log-ins to the EMR or admin files during certain times of day and by blocking emails from overseas. Use a geofilter on webmail to limit log-in sources to within the US, or even to the clinic itself. “Office 365 has some of these options, and IT vendors know how to turn that on,” Dorsey says. “These things minimize that footprint, so users don’t have to hit those codes every 10 minutes.”
OTP itself is now coming under fire. “The problem is texted one-time passcodes can be scanned, because they’re not encrypted,” Lawrence says, listing social engineering, SIM card swapping, and man-in-the-middle as tactics used by malicious actors.
In 2021, Syniverse, a company that routes 740 billion text messages each year for 319 carriers, including Verizon, T-Mobile, and AT&T, revealed a hacker had been accessing its databases for five years. “They could have been just watching texts go back and forth. That’s why OTP codes and SMS codes are not considered safe. But you have to be fairly sophisticated to take advantage of them,” Dorsey says.
That texted code also generally stays valid for a long time in cyber terms, ten to 30 minutes. The newer, more secure method, the time-based one-time password (TOTP), produces a code that is valid for only about 30 to 60 seconds (a 30-second time step is the RFC 6238 default, and a server usually tolerates one adjacent step for clock drift). Instead of being sent over the carrier network, the code is generated locally by an authenticator app, primarily Cisco Duo, Microsoft Authenticator, and Google Authenticator, and the app itself can be locked behind a fingerprint or facial recognition. “In the last two years, Microsoft, Google, all the big online vendors have been moving away from SMS text messaging,” Lawrence says. Hackers have already found a loophole, called push fatigue. Users can choose to set their authenticator app to
(CONTINUED ON PAGE 20)