Wednesday, 29 August 2012

Dropbox implements two-step verification to enhance security


In the wake of a breach that Dropbox suffered earlier this month, the company has added a layer of security for its users' accounts. In a blog post, Dropbox's Dan Wheeler announced the launch of a two-step verification for its users. The two-step verification is an attempt by the company to enhance the security of a user's Dropbox account, and it comprises two levels of authentication. The two levels essentially are a password and a security code, which will either be sent to a user's mobile phone via a text message or generated using a mobile authenticator app - available for iOS, Android, Blackberry and Windows Phone 7.

To begin with, users need to go to new Security tab in their Dropbox account settings and enable the two-step verification in the "Account sign in" section. There on, users need to follow the steps to set up the two-step verification. Users logging into their Dropbox account on their desktop or mobile devices will have to enter the code only the first time they sign in. Users can select the option "Trust this computer", following which users won't be required to enter a code, ever.

Elaborating further on the purpose behind having a two-step verification in place, Wheeler writes that it is one of the many steps that the company is taking to better the security of its users' Dropbox accounts. Users also have the option to view all active logins to their account by way of an option on the Security tab. He added further that they're working on automated mechanisms to detect suspicious activity.

Dropbox confirmed that it was hacked into, earlier this month. After an investigation spanning two weeks, the online file storage service confirmed that hackers accessed usernames and passwords from third party sites and then used them to get into users' accounts. At the time of the hack being reported, it had also been revealed that the users whose accounts were affected used the same sign-in credentials across multiple online accounts.

The hack was discovered when scores of users, who had received unsolicited spam emails related to online casinos and gambling sites, began posting on company's forum. The users revealed that they had been receiving spam from the e-mail addresses that were only associated with Dropbox. The company got hold on the situation, but by then, 295 people, majority of them coming from Germany, Holland and the U.K., had already posted on the forum.

Post the news of the breach grabbing headlines, IT security and data protection firm Sophos reiterated to users the importance of maintaining separate passwords across different online accounts. At the time, Dropbox was of the opinion that the hack into its services led to its users receiving a lot of spam. Therefore, it decided to take steps to help users in not only protecting their accounts, but also improving security as a whole.  

Graham Cluley, Senior Technology Consultant at Sophos explained, "The Dropbox incident underlines the necessity of having different passwords for every website. As people pile more confidential information onto the web, hackers are being given a greater incentive to penetrate accounts.  The frequency and severity of these data breaches is proving time and time again that users must make better efforts to protect themselves. If you are going to entrust sensitive data to Dropbox, my advice is that you should automatically encrypt it before sharing it with the service. That way anyone who raids your account won't be able to make sense of what you have stashed in the cloud anyway. Businesses are waking up to the need to use automatic and invisible encryption alongside their cloud storage - protecting users who make use of services such as Dropbox."

No comments:

Post a Comment