pretix

Phishing and possible countermeasures with pretix

April 4, 2024

Last week a sophisticated phishing attack aimed directly at us reached our mailbox. We're a little bit baffled by the scale and effort of the attack, but we were prepared and didn't fall for it. Nevertheless, we analyzed the attack and took some countermeasures. In the following paragraphs we'd like to explain why we did not fall for this kind of attack and how you can build easy, cheap, low-effort measures into your browsing habits that increase your IT security considerably.

At pretix we take data privacy and information security to heart, and we show it by being an ISO 27001-certified company and running a rigorous information security management system. Running such a system means being prepared for many kinds of attacks, including phishing attacks by email. These kinds of phishing mails are, regrettably, a given in today's world.

Phishing attacks, often delivered via email spam, attempt to trick individuals into giving away sensitive information or login credentials. Most attacks are not targeted and are instead sent in bulk to a wide audience. The stolen information or access may be used to steal money or data, or to install malware. Most attempts are crude and easily recognizable as phishing. But at some point a phishing attempt may come along that tricks you, and it's good to be prepared for that moment.

Phishing Attack Prevention

Password Manager

Simply by using a password manager you can drastically enhance your security. Password managers support you when creating new user accounts for web services by suggesting strong, distinct passwords and saving them for the service you're signing up for. When you want to log into a specific web service, the stored credentials are looked up and entered automatically in the corresponding login fields. There is a side effect of using a password manager which significantly increases your security: the password manager only offers your credentials if the web address you have opened matches the web address stored together with those credentials. Here is an example: if you go to www.bretix.eu, your password manager will not show any credentials, because the address does not match pretix.eu, which is stored alongside your pretix user credentials. That way you are far less likely to fall for phishing attempts that use slightly modified, and therefore easily overlooked, web addresses. The practical rule is: if your password manager does not offer to fill a login you expected, treat that as a warning sign and check the address instead of copying the password in by hand.
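To make the matching rule concrete, here is an added example (not code from pretix or from any password manager) of how a manager can decide whether a stored login belongs to the page that is currently open. The vault entries, the look-alike domains and the helper names are all constructed for illustration.

```javascript
// Added example, not pretix's code: a simplified model of how a password
// manager decides whether a stored login may be offered on the page that is
// currently open. The vault entries and all domains are constructed.
const sampleVault = [
  { site: "https://pretix.eu", username: "jochen@example.org", password: "correct-horse-battery" },
  { site: "https://mail.example.org", username: "jochen", password: "staple-elsewhere" },
];

// Reduce an address to what is compared: scheme and host name. The URL parser
// converts internationalised host names to their punycode ("xn--") form, so a
// look-alike built from non-Latin letters is compared as a different string.
function originOf(address) {
  const u = new URL(address);
  return { scheme: u.protocol, host: u.hostname.toLowerCase() };
}

// Host rule: the page host must equal the stored host or be a subdomain of it.
// "www.pretix.eu" may use the "pretix.eu" entry; "pretix.eu.evil.example"
// and "bretix.eu" may not.
function hostMatches(pageHost, storedHost) {
  return pageHost === storedHost || pageHost.endsWith("." + storedHost);
}

// Return the vault entries a manager would offer for the page. An address the
// parser rejects gets nothing rather than a best guess.
function credentialsFor(pageAddress, vault = sampleVault) {
  let page;
  try { page = originOf(pageAddress); } catch { return []; }
  return vault.filter((entry) => {
    const stored = originOf(entry.site);
    return stored.scheme === page.scheme && hostMatches(page.host, stored.host);
  });
}

// Convenience for a demo: does this page get the pretix login offered?
function offersPretixLogin(pageAddress) {
  return credentialsFor(pageAddress).some((e) => e.site === "https://pretix.eu");
}
```

Real password managers refine the host rule with the Public Suffix List (so that a login saved for one subdomain of a shared hosting domain is not offered to every other customer of that host), and they also refuse to downgrade from https to http. The scheme check and the "exact host or subdomain" rule above are the part that defeats bretix.eu.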

Two Factor Authentication

To further increase security, we recommend that you also activate two-factor authentication (2FA) for your pretix user account. This makes account takeover far harder: to log in you need not only your credentials, which are stored in your password manager, but also an additional, independent proof ("factor") linked to your pretix account. The second factor is like showing an ID card at login. Even if your password is stolen, the thief cannot log in with it alone, because the second factor lives on your smartphone, in software or on a hardware token.

A simple way to add a second factor is an authenticator app on your smartphone that generates time-based one-time passwords ("TOTP"). This is a good way to protect your account, with one limitation: a code is just a short number, so a convincing phishing page can ask you for it and forward it to the real login while it is still valid. The methods below close that gap because their responses are tied to the site's address.

Even better is a so-called passkey, which current browsers and operating systems support. A passkey does not use an additional time-based code. Instead, your browser and the server exchange data in a cryptographic challenge-response (like a game of ping-pong, requests and responses go back and forth between your browser and the server). The browser includes the address of the site it is on in the signed response, so a response produced for pretix.eu is only valid for our pretix server and is useless to any third party, even if you were tricked into logging in on a look-alike site.

By far the best solution is a hardware token in the form factor of a tiny USB stick (e.g. the YubiKey from Yubico). During login you plug the token into a USB port of your computer and use it as the second factor. It works like a passkey: data is exchanged between the server and the token, and the token's responses are only valid for this specific site. The difference is that the private key never leaves the token, so malware on your computer cannot copy it.

You can activate all of the above-mentioned two-factor authentication ("2FA") methods in your pretix user account by navigating to User settings > 2FA. Please make a copy of the emergency tokens shown during setup and keep them in a safe place. If your registered second factor fails, you can use these emergency tokens to log in instead. Each token only works once. As the administrator of an organizer account, you can even make two-factor authentication mandatory for individual teams of your organizer account.

New Security Measures

For the recommendations mentioned above, you need to take action to get the best protection. At the same time, we are also working to protect your pretix account with all the options available to us. In addition to the new option of enforcing two-factor authentication for your colleagues, we are continuously expanding the security functions in our system. You may have already noticed: since yesterday, the system sends you an email if we detect a login from a different device or from a different country than usual. So if you only use Windows and suddenly a MacBook logs into your account (or someone on the other side of the world has found out your password), you'll receive a heads-up and can change your credentials.
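As an added illustration of the kind of check behind such an alert (this is not pretix's implementation), the following example runs a "new country or new device type" comparison over a handful of constructed login records. The record fields, the user-agent classification, the sample data and the function names are assumptions; mapping an IP address to a country is taken as already done.

```javascript
// Added example, not pretix's code: the kind of check behind a "new device or
// new country" login alert, run over constructed login records. The record
// fields, the user-agent classification and the sample data are assumptions;
// mapping an IP address to a country (GeoIP) is taken as already done.
const sampleLogins = [
  { user: "jochen", ts: "2024-03-25T08:02:11Z", ok: true,  country: "DE", ua: "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0" },
  { user: "jochen", ts: "2024-03-26T09:15:40Z", ok: true,  country: "DE", ua: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36" },
  { user: "jochen", ts: "2024-03-27T22:41:03Z", ok: false, country: "BR", ua: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36" },
  { user: "jochen", ts: "2024-03-28T07:58:27Z", ok: true,  country: "DE", ua: "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15" },
  { user: "jochen", ts: "2024-03-28T23:05:12Z", ok: true,  country: "BR", ua: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36" },
];

// Coarse platform family from the user-agent string. Order matters: Android
// user agents also contain "Linux", and iPads may mention "Mac OS X".
function deviceFamily(ua) {
  if (/iPhone|iPad|iPod/.test(ua)) return "iOS";
  if (/Android/.test(ua)) return "Android";
  if (/Windows/.test(ua)) return "Windows";
  if (/Macintosh|Mac OS X/.test(ua)) return "macOS";
  if (/Linux/.test(ua)) return "Linux";
  return "other";
}

// Compare one successful login with the user's earlier successful logins.
// First login ever: nothing to compare against, so no alert.
function assessLogin(login, baseline) {
  if (baseline.length === 0) return [];
  const reasons = [];
  if (!baseline.some((b) => b.country === login.country)) reasons.push("new country: " + login.country);
  const fam = deviceFamily(login.ua);
  if (!baseline.some((b) => deviceFamily(b.ua) === fam)) reasons.push("new device type: " + fam);
  return reasons;
}

// Walk the records in time order, keeping a per-user baseline of successful
// logins. Failed attempts never enter the baseline, so an attacker's guesses
// cannot make a new country look familiar. Returns one alert per flagged login.
function reviewLogins(records) {
  const baselines = new Map();
  const alerts = [];
  for (const login of [...records].sort((a, b) => a.ts.localeCompare(b.ts))) {
    if (!login.ok) continue;
    const baseline = baselines.get(login.user) || [];
    const reasons = assessLogin(login, baseline);
    if (reasons.length > 0) alerts.push({ user: login.user, ts: login.ts, reasons });
    baselines.set(login.user, [...baseline, login]);
  }
  return alerts;
}
```

On the sample data this produces two alerts: the MacBook login on 28 March (new device type) and the evening login from Brazil (new country). One design point worth noting: because every successful login is added to the baseline, a login that was in fact an attacker's would make that country "known" from then on. Production systems therefore often only add a device or location to the baseline after the user has confirmed the alert email.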

Summary

If you have any further questions regarding this topic, don't hesitate to contact us by phone or email.

Jochen Siebert

At pretix, Jochen is responsible for customer consulting, sales and coordinating our ISO 27001 efforts. His main strength is communicating with customers at eye level and bringing together the needs of the customers and pretix's plentiful features. In his free time he enjoys hiking, biking, literature and visiting art exhibitions.


Any questions?
+49 6221 32177-50, Mon-Fri 09:00-17:00