Knowledge Base Guide:
Two-factor Authentication via the Authy Desktop Application
What is two-factor authentication?
2FA is defined by Authy as having “‘something you know’ paired with ‘something you have’”. For example, you likely have a bank card, and in order to use it you must enter the correct PIN when completing transactions. The bank card is something you have and the PIN is something you know. Together, the card and PIN make for a great two-factor authentication system, which in turn protects your money. Authy is used in the same way when you want to use an exchanger or do a Bitcoin withdrawal. Your electronic device is the object you have and the 2FA password is something you know.
Why should I use Authy?
Authy is an alternative way to set up two-factor authentication. It is commonly chosen by users who cannot or do not want to install a 2FA application on a mobile device.
What is required in order to use Authy?
• A mobile phone/device that is capable of receiving text messages
• A personal computer or tablet
• Google Chrome as the default browser
• A SolidTrust Pay account
How do I install Authy?
1. You can start the Authy download by going to https://authy.com/download/
*Reminder: it is important that you use Google Chrome to set up Authy; no other browsers will work.
2. The option for desktop will be the second white box, as shown below:
3. Select ‘Get it on Google Play’
4. Once the button has been selected, a page will pop up. It looks like this:
5. Select ‘Add to Chrome’, located in the upper right-hand corner:
6. Select ‘Add app’ when prompted:
7. The page should change and will show that Authy has now been added to your Apps in Google Chrome:
8. Follow the on-screen prompts when you click on the application. Authy support can be found at https://support.authy.com/hc/en-us if you are having issues with the application itself.
How to enable the 2FA on your SolidTrust Pay account
1. After Authy has been installed, log in to your SolidTrust Pay account and go to ‘Security Zone > Two-Factor Auth Settings’:
2. Once on the next page, please read all of the information. You can ignore what is inside of the red box (see below) since this information is for 2FA on a smartphone. Once you have reviewed the entire page, select ‘Start Two-Factor Authentication Setup’:
3. Select ‘Send SMS Confirmation Code’. If you are not receiving the text message, please contact Customer Support at https://support.solidtrustpay.com/
4. Enter the number provided in the text message you received, then select ‘Enable Two-Factor Auth’:
5. The next page will have the manual setup code (see Figure 1). You will then copy the manual setup code into Authy (see Figure 2).
Figure 1 – Locating the manual setup code.
Figure 2 – A view of a manual setup code in Authy. Select ‘Add Account’ after entering the manual setup code.
6. After the account has been added, choose a logo and provide a name for the account in Authy (see Figure 3). Then select ‘Done’ to close the box. Another box will pop up (see Figure 4) with the account you have added. Select the account and the 2FA password will appear (see Figure 5).
Figure 3 – Selecting a logo and naming the account
Figure 4 – Close the box once your account has been added
Figure 5 – A new box appears after closing the previous box. Select the account and the 2FA password will appear. Copy and paste this where the 2FA password is required.
*Reminder: the 2FA password changes every 30 seconds. Insert the 2FA password in time after you have copied it or it will not work!
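Why a copied 2FA password stops working, shown as an added example (not code from SolidTrust Pay or Authy). It assumes the manual setup code is a standard Base32 TOTP secret (RFC 6238, HMAC-SHA1, 6 digits, 30-second step) and that the server tolerates one window of clock drift; the setup code below is the RFC test key, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30     # seconds each 2FA password stays current
DIGITS = 6    # assumed code length

def decode_setup_code(setup_code: str) -> bytes:
    """Turn a manual setup code (Base32, spaces or dashes allowed) into key bytes."""
    cleaned = setup_code.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)          # restore stripped padding
    return base64.b32decode(cleaned)

def totp(key: bytes, unix_time: int) -> str:
    """RFC 6238 code for the 30-second window that contains unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                    # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def seconds_left(unix_time: int) -> int:
    """How long the code shown at unix_time remains the current one."""
    return STEP - unix_time % STEP

def verify(key: bytes, submitted: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Server-side check: current window plus or minus drift_steps, constant-time compare."""
    ok = False
    for d in range(-drift_steps, drift_steps + 1):
        candidate = totp(key, unix_time + d * STEP)
        ok |= hmac.compare_digest(candidate, submitted)
    return ok

# Constructed sample: Base32 of the RFC 6238 test key "12345678901234567890".
SETUP_CODE = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"
KEY = decode_setup_code(SETUP_CODE)

if __name__ == "__main__":
    copied_at = 59                                # code copied 1 second before rollover
    code = totp(KEY, copied_at)
    print(code, "valid for", seconds_left(copied_at), "more second(s)")
    for delay in (0, 30, 90):                     # pasted immediately, 30 s late, 90 s late
        print(delay, verify(KEY, code, copied_at + delay))
```
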
“DoubleFlag”, a popular darknet vendor, is selling user data from 11 different bitcoin forums, obtained between 2011 and 2017. HackRead obtained a screenshot of the information for sale on the darknet, at the equivalent of $400 in bitcoin.
We know that many of our members also use some of these forums, and we are urging everyone to update their passwords and account information immediately.
The database information for sale contains the following:
- Email Address
- Date of Birth
- Cellphone Number
- Website URL
After a hack this big, anyone related to the industry in which it happened should take reasonable safety measures to ensure their information is not at risk. Update your passwords and use a password manager, delete old accounts with personal information if you are no longer using them, and follow our 10 steps for better internet safety!
The Internal Revenue Service has continued to issue warnings about a prevalent phishing scam that has been circulating this tax season. The attack comes in the form of an email requesting W-2 forms or other tax information, seemingly from a valid employer or employee email address.
This same attack was used around this time last year, and now attackers are coupling it with another attack, one that requests banking information for a wire transfer – again, seemingly from an employee or employer.
“This is one of the most dangerous email phishing scams we’ve seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme,” said IRS Commissioner John Koskinen.
The attack is formally known as a BEC (business email compromise) or BES (business email spoofing) attack, and it typically aims to gain access to the tax or banking information of small and medium-sized businesses by exploiting natural human error among their employees. Any business using email or online resources for their employees should provide extensive security training, which will drastically decrease the likelihood of being compromised.
A Closer Look at the Attacks
The W-2 scam is not new; it appeared last year. Cyber-criminals tricked payroll and human resource officials into disclosing employee names, Social Security numbers and income information. The attackers then attempted to file fraudulent tax returns to steal tax refunds.
The spoofed emails will contain, for example, the actual name of the company chief executive officer. In this variation, the “CEO” sends an email to a company payroll office or human resource employee and requests a list of employees and information including Social Security numbers.
The following are some of the details that may be contained in the emails:
- Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
- Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary)?
- I want you to send me the list of W-2 copy of employee’s wages and tax statements for 2016, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.
New Attack: The Money Wire Request
In the latest addition to the W-2 scam, the cyber-criminal follows up with an “executive” email to the payroll or HR staff and asks that a wire transfer also be made to a certain account. Although not tax related, the wire transfer scam is being coupled with the W-2 scam email, and some companies have lost both employees’ W-2s and thousands of dollars due to wire transfers.
While the money wire request is not a new attack, seeing it coupled with the W-2 attack is what makes it even more important that both employers and employees remain vigilant. The wire request may not come for weeks or even months after the W-2 attack.
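A mail-triage check for the pattern described above, as an added example that is not part of the original article: it flags messages where an executive's name or a diverging Reply-To coincides with a W-2, personal-data or wire-transfer request. The company domain, executive name and sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"   # assumption: your organisation's mail domain
EXECUTIVES = {"jane doe"}        # assumption: display names worth protecting
SENSITIVE = {                    # request types named in the article
    "w2_request": re.compile(r"\bW-?2\b", re.I),
    "pii_request": re.compile(r"social security|date of birth|home address|salary", re.I),
    "wire_request": re.compile(r"wire transfer", re.I),
}

def _domain(header):
    return parseaddr(header or "")[1].rpartition("@")[2].lower()

def triage(raw):
    """Return the list of findings for one raw, single-part text email."""
    msg = message_from_string(raw)
    name = parseaddr(msg.get("From", ""))[0].strip().lower()
    from_dom, reply_dom = _domain(msg.get("From")), _domain(msg.get("Reply-To"))
    findings = []
    if name in EXECUTIVES and from_dom != COMPANY_DOMAIN:
        findings.append("exec_name_external_sender")
    if reply_dom and reply_dom != from_dom:
        findings.append("reply_to_mismatch")   # replies leave the visible sender's domain
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    findings += [label for label, rx in SENSITIVE.items() if rx.search(text)]
    return findings

def should_hold(findings):
    """Hold for out-of-band confirmation when a sender anomaly meets a sensitive request."""
    sender = {"exec_name_external_sender", "reply_to_mismatch"} & set(findings)
    return bool(sender) and any(f in SENSITIVE for f in findings)

# Constructed sample messages (not real mail); the W-2 wording is quoted from the article.
SPOOFED_W2 = ('From: "Jane Doe" <jane.doe@example.com>\n'
              'Reply-To: "Jane Doe" <jane.doe@example-payroll.test>\n'
              'Subject: Quick review\n\n'
              'Kindly send me the individual 2016 W-2 (PDF) and earnings summary '
              'of all W-2 of our company staff for a quick review.\n')
SPOOFED_WIRE = ('From: "Jane Doe" <jane.doe@mail.test>\n'
                'Subject: Payment today\n\n'
                'Please process a wire transfer to the account below.\n')
ROUTINE = ('From: "Sam Lee" <sam.lee@example.com>\n'
           'Subject: Lunch\n\nAre we still on for Friday?\n')

if __name__ == "__main__":
    for raw in (SPOOFED_W2, SPOOFED_WIRE, ROUTINE):
        found = triage(raw)
        print(should_hold(found), found)
```

A held message is a prompt to confirm the request with the executive by phone or in person, not proof of fraud; mailing lists and ticketing systems also set a different Reply-To.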
What You Can Do
As mentioned above, the single most important thing you can do if you’re an employer is ensure that all your employees have adequate online security training. In addition, if you work with any databases or online interactions whatsoever within your company, you need to ensure that your building and network are both physically and digitally secure.
If you aren’t an employer, you should at least read our 10 tips on making the internet a safer place!
The internet allows you access to the world at large, but it also allows the world at large access to you. If you’re not careful, you could easily be the victim of any number of online attacks. In fact, depending on where in the world you live, many people are as likely to be attacked online as in real life, or more so. Yet we rarely take cyber security as seriously as real-life security.
Luckily there is a day, February 7th, on which awareness is raised about internet security, and the hashtag #SaferInternetDay is currently trending! So we’ve compiled a list of 10 tips that we could all implement in our daily internet usage which would go a long way in making the internet safer for everybody.
- Never use the same password twice. Many people use a clever set of rules to create unique passwords for each website. We suggest using a password manager such as KeePass, which can create and store high entropy passwords for you without ever having to type them in, leaving you impervious to key-logging attacks and simple password-cracking tools.
- Always use 2-factor authentication when available. Not only does 2FA prevent users from accessing your accounts/information without your cellphone, but it also acts as an alert that somebody has attempted to access your accounts/information.
- Never use free/public WiFi. Most people know very little about the security risks posed by free/public WiFi. For a work-around, if you really value your free WiFi, at least use a free VPN.
- Always read terms & conditions/privacy agreements. In many cases, you may be agreeing to have your information used in a way that you wouldn’t approve if you had only read the privacy agreement! Always remember to read what you’re agreeing to before agreeing to it!
- Never open an unexpected attachment from a stranger. This is called phishing: hackers send out thousands or even millions of random emails with links that, if followed, will in some way or another attempt to steal your information or infect your computer.
- Always lock your phone/tablet/computer! These devices all have built-in security features which, in most cases, can be tightened or loosened in the settings. Make sure you keep your security tight and your devices locked when you’re away from them.
- Never check the “save password” box. Your devices may be secured, but if anybody does somehow gain access to them, they will have access to any account whose password is saved in your browser. Avoid this again by using a password manager; we recommend KeePass.
- Always use additional security for online banking. Most banking apps and mobile sites are pretty secure, and offer plenty of increased security options to their users. We suggest that you use as many of them as possible.
- Never use a default password. This is far less common today than it used to be, but one good example of a default password is your router. Always make sure to set your router password to something unique.
- Do not share personal information online. This goes mostly for social media, where many people often feel comfortable sharing information that they don’t realize could compromise their security. One simple example is the answers to common recovery questions, such as your mother’s maiden name or the name of your first pet.
We hope you will use some of these tips for a safer internet in your daily internet usage, and maybe we can see a future where hackers and cyber criminals are disincentivized based on the knowledge and security of average internet users!