Citizen Lab Senior Research Fellow John Scott-Railton has published an updated version of his “Security for the High-Risk User” paper, first published in IEEE Security & Privacy in spring 2016. The updates were made based on new evidence of attacks against two-factor authentication and account recovery SMS messages, underlining the need for innovation in two-factor authentication. The abstract of the paper is as follows:
The constant cyberattacks against governments and industry are widely known. Further from the public eye are the targeted attacks against civil society groups. These attacks aren’t opportunistic online targeting—or cybercrime—but politically driven campaigns intended to disrupt, degrade, or steal civil society groups’ private information. Many occur via the popular online platforms that under-resourced organizations use in place of the more expensive managed IT environments preferred by other sectors. Although attacks in any sector are costly, attacks against civil society often have much greater ramifications, including threats to life and liberty.
Digital threats against civil society deserve your attention—first, because of what they reveal about the default-insecure options in popular online platforms and, second, because addressing the most glaring cases will confer security for broader user populations.