
Four Simple Security Tips

Mon Dec 3, 2007 1:44 PM EST
technology, security, shopping, commerce, paypal, passwords, vip, verisign, openid
By Michael Tiller

I've been listening quite a bit recently to the Security Now! podcast. I must admit that listening to that podcast has made me a bit paranoid and it has driven home the fact that trying to achieve total security is daunting.

Nevertheless, there are some relatively basic things the average internet user can do to have a big impact on security and I thought it would be a good idea to write something up about them.

  1. Get a PayPal Security Key

    PayPal/eBay are promoting VeriSign's VIP anti-fraud system which uses a security key to provide two-factor authentication for end users. You may already have seen systems like SiteKey but the VIP security key is a strong and proven technology that really stands above most of these other approaches. PayPal currently offers these security keys at their website for only 5 US dollars. In my opinion this makes this a no-brainer.

  2. Use PayPal virtual debit cards

    Another nice thing that PayPal has introduced is virtual debit cards. For some reason, PayPal calls this the PayPal Plug-in now (which I think is a very unintuitive name) but the bottom line is that they allow you to generate a one-time use Mastercard number. This can be used to improve security (since it prevents merchants from knowing your true credit card number) and to expand the usefulness of the previously mentioned security token by allowing you to use your secure PayPal account even on web sites that don't accept PayPal.

  3. Use secure passwords

    One issue I think everybody faces is having lots of passwords. There are a number of ways to deal with this issue. One is to use a "password manager" in your browser. This is fine, but the information doesn't move with you so you can't count on referring to it wherever you are. A common solution to this problem is for people to use the same passwords (and typically the same user names) at various sites. Of course, this is a problem because once somebody knows one, they know them all. So what is a user to do? Ideally, you would generate a completely unguessable password for every site (e.g. using GRC's perfect passwords application). That may work for extremely high value information but it is completely intractable for most web sites. So what is the solution?

    Personally, I use Clipperz (although there are other services in this space like PassPack). The idea with these services is to keep your passwords all in a central location where you can access them from anywhere. The natural response to such services is typically "Are you out of your mind?" or "Isn't that just inviting somebody to break into these systems and steal all their users' confidential information?". But the developers of these systems are smarter than that. When you sign up for these services what you are really paying them to do is store your encrypted information. Assuming you use a relatively secure and unguessable passphrase, there is really minimal risk since the decryption is only carried out in your browser so the information is never sent unencrypted over the internet. So even if somebody broke into one of these systems and stole all the data, there would be no practical use for that information since it is virtually uncrackable.

    I should also point out that Clipperz provides (as do other services, I'm sure) a "1 click login" feature which means that you can not only store your username and password (or any kind of secure information) with them, but they provide a mechanism (once you've logged in) to jump to a site already logged in. Being able to keep all your usernames and passwords in one place and log in so easily means that you can actually use unique and unguessable passwords (Clipperz will even generate them for you) for each site and this has no real impact on you as a user. Most users end up making a tradeoff between security and convenience but this allows you to have both.

    As an aside, I really like Clipperz because their approach utilizes a so-called zero knowledge proof for doing authentication which means that I only need to have a single passphrase. They also have thought of several other usability issues by providing "one time passphrases" to thwart key loggers on public machines plus they provide a mechanism to back up your data (in read-only mode) on your own machine.

    Still think something like Clipperz is too risky? Well, I agree that it is not 100% secure (nothing is) but the question you really have to ask yourself is: is it safer than what I'm currently doing to address these problems?

  4. Get an OpenID

    This last one is perhaps a bit above the level of an average user but I wanted to throw it in here anyway. Previously I mentioned the problem with having to have lots of usernames and passwords associated with various sites. While the previously mentioned services like Clipperz are a nice way to manage this problem, the true solution will be implementation of a "single sign-on" system. In such a scheme you would only have to remember one password (and ideally possess one second-factor token) for all sites. Fortunately, there is such a scheme already being deployed. It is called OpenID. It is in the "chicken and egg" stage right now but Google and Microsoft have recently provided some support for OpenID and support is slowly growing for it.

    I suggest that people go to VeriSign Labs and sign up for an OpenID account (and if you are a Firefox user, download their very nice "SeatBelt" extension). As an early adopter you are likely to get the username you want and since VeriSign is the provider for the VIP service mentioned previously, you will also be able to use your PayPal security key with your VeriSign OpenID account. This means that you will not only have the security of two-factor authentication at PayPal and eBay but with any web site that accepts OpenIDs.
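Tip 3 says an online password service only ever stores encrypted data, with decryption happening on your side. The sketch below is an added example, not code from Clipperz or from this article; it assumes scrypt key derivation and AES-256-GCM from Node's `crypto` module, and the function names, site names and passphrase are constructed for illustration.

```javascript
// Added example: client-side vault encryption. Not Clipperz's actual code.
const crypto = require('crypto');

// Stretch the passphrase into a 256-bit key. The salt is random per vault and not secret.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32);
}

// Runs on the client. The returned object is the only thing the service stores.
function sealVault(passphrase, entries) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(entries), 'utf8'), cipher.final()]);
  return {
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ct: ct.toString('base64'),
  };
}

// Runs on the client. Returns the entries, or null for a wrong passphrase or altered blob.
function openVault(passphrase, blob) {
  try {
    const key = deriveKey(passphrase, Buffer.from(blob.salt, 'base64'));
    const d = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(blob.iv, 'base64'));
    d.setAuthTag(Buffer.from(blob.tag, 'base64'));
    const pt = Buffer.concat([d.update(Buffer.from(blob.ct, 'base64')), d.final()]);
    return JSON.parse(pt.toString('utf8'));
  } catch (err) {
    return null; // authentication failed: nothing is revealed
  }
}

// A unique, random password per site (128 bits, hex encoded).
function newSitePassword() {
  return crypto.randomBytes(16).toString('hex');
}

// Constructed sample data.
const entries = { 'shop.example': newSitePassword(), 'mail.example': newSitePassword() };
const stored = sealVault('correct horse battery staple', entries);
console.log(JSON.stringify(stored).includes(entries['shop.example'])); // false
console.log(openVault('correct horse battery staple', stored) !== null); // true
console.log(openVault('guess123', stored)); // null
```

Anyone who steals the stored blob can still try passphrases offline, so the protection is only as strong as the passphrase; the key-derivation step exists to make each guess expensive.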

I should point out that security is basically a never-ending battle. These are not the final word on security (not even close). But, they are things that nearly anybody can do that will dramatically improve their security with very little inconvenience.

  • Public Discussion (3)
AdipicAcid

5. Never use PayPal.

    Reply#1 - Mon Dec 3, 2007 3:20 PM EST
    Michael Tiller

    Would you care to elaborate? :-) I'm not necessarily disagreeing with you but I just want to understand your objections.

    Keep in mind this is a pragmatic issue. We can all argue about what we think is best, but I'm trying to talk more about what is good enough.

      #1.1 - Mon Dec 3, 2007 5:06 PM EST
      AdipicAcid

      Direct access to your checking account and no dispute resolution system that in any way recognizes your rights. I have had too many friends screwed by them to trust them.

        #1.2 - Mon Dec 3, 2007 6:14 PM EST