How a security key like the YubiKey protects against phishing attacks
Phishing (from "fishing") is one of the most dangerous and, at the same time, most common social-engineering techniques used by cybercriminals. It relies on mass e-mails and text messages sent in the name of well-known brands, banks, charities, government bodies or even personal acquaintances. The links in such messages lead to a fake site where the user enters their data and thereby compromises it, in effect handing their long, complex passwords and bank card details to the fraudsters themselves.
In 2020, 75% of businesses worldwide experienced phishing attacks. According to IBM, one company in five was affected.
How dangerous are phishing attacks?
Phishing attacks are inconspicuous but very dangerous: you may not even realize that at some point you became a victim. Long, complex passwords do not help against phishing, because the victim types them into the attacker's page, and additional factors such as one-time codes sent by SMS offer little protection, since the fake page can simply ask for the code and relay it to the real site before it expires, and SMS itself can be intercepted. Many people take the bait for the following reasons:
- phishing sites look very much like the sites you are used to;
- the e-mail may be indistinguishable from earlier genuine e-mails from the company, especially if the company's site or mail system was previously compromised by the fraudsters;
- even when the attackers have only copied the design of a mailing and registered a look-alike sender address, the subject may be tempting enough (a gift, a discount) that you open the message and follow the link;
- the subject can also frighten you, for example by stating that your account with an important service will be blocked unless you "confirm" your details;
- you may receive a message from someone you trust without suspecting that their account has been hijacked;
- sometimes fraudsters deliberately make your acquaintance in advance and correspond with you for a long time until you trust them, and only then attack;
- you may be the target of reconnaissance, so the message brings exactly the news you are waiting for: a lottery win if you play the lottery, or a welfare payment if you have recently applied for one.
Having gained access to one account, the fraudster can reach dozens or hundreds of new contacts in your address book. The attackers' goals are:
- delivering malicious code;
- stealing confidential information;
- harvesting a contact database;
- gaining access to bank accounts.
How a security key can help in this matter
As noted above, conventional second factors offer little protection against phishing: codes sent by message can be relayed or intercepted, and secrets stored on your devices can be stolen by malware. There is an exception. YubiKey security keys protect both home users and corporate employees from phishing, because the key is a physical factor that uses public-key cryptography and ties each credential to the site it was registered on. To understand how this protects you, consider how the key works.
- When you register the key with a site or operating system, the server sends the key a challenge. The key generates a new key pair for that site, keeps the private key inside the device, and returns the public key together with a signature over the challenge. Be careful: once the key is registered, it is better to disable alternative login methods, so that an attacker cannot fall back on them and bypass the key. It is also more reliable to buy a second (spare) key and register it as well.
- When you later log in to the genuine site where the key is registered, the server sends a fresh challenge and asks you to confirm the login with the key. You insert the key and touch the sensor, which proves that a person is present. The browser passes the site's origin to the key together with the challenge, and the key signs only if it holds a credential for that exact origin. If you insert the key, touch it, and the login still does not go through, the site is not the one it claims to be.
- If the site is a fake (phishing) one, its origin does not match the origin the credential was registered for, so the key has nothing to sign with and the real server never receives a valid signature. Even if you accidentally type your password on the fake page, the attacker still cannot get into your account without the real key.
Why YubiKey
- YubiKeys were built to order for US government sites and have long been used by employees of Google and Meta.
- YubiKeys support the FIDO2/WebAuthn and FIDO U2F protocols, one-time passwords (OTP) and public-key cryptography.
- Private keys cannot be exported from a YubiKey. Even if an attacker opens the device and tries to read it through the USB connector, there is nothing to copy: the private key never leaves the device.
- YubiKeys come in different form factors, so you can choose one for each of your devices, including models with NFC support.
- YubiKeys are also supported by all popular services with elevated security requirements, such as Google, Binance, GitLab, GitHub and Dropbox.
These are far from all the advantages of genuine, reliable YubiKey devices, which are already used by millions of people in 160 countries. You can verify their reliability yourself and choose the right device in our online store.
If you are interested in YubiKey software or a custom order, contact our managers.