Are those USB security devices any good?

dullard

Elite Member
May 21, 2001
25,898
4,485
126
My girlfriend is terrified that someone will steal her information if she ever types it into a computer. Even though you never type in your bank account number, that doesn't matter to her, because someone will still somehow steal it if she ever used a bank online. Her life would be much easier if she was willing to buy things online, bank online, etc. So, I need to help convince her that she is safe.

Do those USB security devices (example) actually provide any real protection? Do they work well? Or are they simply placebos?

Any other suggestions on hardware/software to soothe the fears?

 

Zugzwang152

Lifer
Oct 30, 2001
12,134
1
0
The devices you linked are for storing data on them. They have nothing to do with online transactions. While encrypting storage devices like hard drives and USB flash drives is an excellent way to protect your information if the actual device is stolen, you will have to type it into your computer to actually use them, and I think that is what she fears, judging from your post.

Don't confuse your link with something like RSA SecurID, which provides two-factor authentication. Two-factor authentication helps by requiring two parts to gain access to an online resource like your banking website. Even if someone figures out or steals your password, you still need that physical token to log in. Likewise, if someone steals your token, they need to know your password too, or the token is useless. This gives you valuable time to figure out that one of them has been compromised, and get it fixed before someone steals your information.

Unfortunately, the service provider (the bank, the store, credit card company, etc.) needs to enable two-factor authentication on their end for it to work. This is prohibitively expensive, especially to distribute a USB token to millions of people, so in general, they don't do it.

Once you start putting your name, address, and credit cards into online stores, you have to understand that it will probably get distributed or sold to other companies unless you're careful. Read the store or bank's Privacy Policy carefully before you register or input any information. If you don't agree with their policy, don't put your information in.

There is a difference between giving your information to a known, trusted company and getting it stolen from you, either by malware on your computer or you getting tricked into giving it away. No USB token alone is going to protect you from identity theft.

Rather:
1. Understand how your information is used and protected by the companies you deal with online. There are actually very stringent requirements, especially for sites that accept credit cards (https://www.pcisecuritystandards.org/ if you're interested in technical detail).
2. Shop at top-tier, well-known, and trusted websites.
3. Monitor your credit card and bank account information frequently. Most financial institutions will not hold you liable for unauthorized use of your accounts, provided you report it to them in a timely manner.
4. Practice safe computing. Set strong passwords. Don't visit shady websites. Use trusted software. If you google the software name plus "spyware" and you get a bunch of hits on how to manually clean the program from your computer, chances are you don't want to install it in the first place.
 

gsellis

Diamond Member
Dec 4, 2003
6,061
0
0
Dullard, what the Ironkey does well is store passwords and the consumer version has a Firefox browser that should not have any malicious plug-ins in it. The history, etc., will be restricted too.

It does not prevent any other malware such as keyloggers from capturing the info, or prevent phishing (Zugzwang152's post details this).

I am considering getting one as a password safe (Bruce's is good, but this is better). If the banks, etc., ever did certificates with private keys, the Ironkey would be a good place to keep it. But keypairs are not always user friendly when using a device to store them.

But, Ironkey is probably the best portable secure storage device on the market that is affordable. It just is not more than that.

The best suggestions in addition to the above are to use layers of security. A good AV/spyware pair; a hardware firewall/router; the strongest wireless connections available (WPA2) if wireless is on that router; Non-Admin accounts for daily usage.
 

hans007

Lifer
Feb 1, 2000
20,212
18
81
some of the "encryption" on some of these secure usb keys is supposed to be easy to defeat.


that said, the market for these is generally because corporate usb key use combined with compliance regulations and such made a niche. some of these things were really rushed out with things like passwords stored as hidden text files on the keys etc.

i don't remember where i read it, but if you are going to get one of these things, make sure to do some research first on the particular model
 

gsellis

Diamond Member
Dec 4, 2003
6,061
0
0
Originally posted by: hans007
some of the "encryption" on some of these secure usb keys is supposed to be easy to defeat.


that said, the market for these is generally because corporate usb key use combined with compliance regulations and such made a niche. some of these things were really rushed out with things like passwords stored as hidden text files on the keys etc.

i don't remember where i read it, but if you are going to get one of these things, make sure to do some research first on the particular model
You want to look at this one Hans. I got my initial info from one of our Blackhat regulars who was impressed with what they have done. Even to filling the key with epoxy to prevent hardware hacking the memory or the key gen.

 

kamper

Diamond Member
Mar 18, 2003
5,513
0
0
Originally posted by: Zugzwang152
Don't confuse your link with something like RSA SecurID, which provides two-factor authentication. Two-factor authentication helps by requiring two parts to gain access to an online resource like your banking website. Even if someone figures out or steals your password, you still need that physical token to log in. Likewise, if someone steals your token, they need to know your password too, or the token is useless. This gives you valuable time to figure out that one of them has been compromised, and get it fixed before someone steals your information.
That's all fine and good until the entity stealing your password is on your computer. It sniffs your password and then next time you put the token in (or if you just leave it in), it goes and does its thing. And if what it sniffs is your credit card or ssn/sin or whatever else, then the token doesn't matter at all, because those things are valuable without it.

You have to be able to trust your own machine to do online transactions. A good way to deal with this could be to keep a separate machine (physically separate, not a virtual machine) on which you use only a browser to visit only sites that you need to. If possible, separate from the rest of the network and firewall it well. Much as I dislike security-by-obscurity, using an operating system that does not have a significant amount of malware targeted at it would also be beneficial.
 

Zugzwang152

Lifer
Oct 30, 2001
12,134
1
0
Originally posted by: kamper
Originally posted by: Zugzwang152
Don't confuse your link with something like RSA SecurID, which provides two-factor authentication. Two-factor authentication helps by requiring two parts to gain access to an online resource like your banking website. Even if someone figures out or steals your password, you still need that physical token to log in. Likewise, if someone steals your token, they need to know your password too, or the token is useless. This gives you valuable time to figure out that one of them has been compromised, and get it fixed before someone steals your information.
That's all fine and good until the entity stealing your password is on your computer. It sniffs your password and then next time you put the token in (or if you just leave it in), it goes and does its thing. And if what it sniffs is your credit card or ssn/sin or whatever else, then the token doesn't matter at all, because those things are valuable without it.

You have to be able to trust your own machine to do online transactions. A good way to deal with this could be to keep a separate machine (physically separate, not a virtual machine) on which you use only a browser to visit only sites that you need to. If possible, separate from the rest of the network and firewall it well. Much as I dislike security-by-obscurity, using an operating system that does not have a significant amount of malware targeted at it would also be beneficial.

I didn't really say anything to the effect of "two factor authentication makes everything else fine and dandy", but ok. The point was that his ironkey link has nothing to do with the OP's girlfriend's problem.
 

kamper

Diamond Member
Mar 18, 2003
5,513
0
0
Originally posted by: Zugzwang152
I didn't really say anything to the effect of "two factor authentication makes everything else fine and dandy", but ok.
I didn't say you did, but ok.
 

Zugzwang152

Lifer
Oct 30, 2001
12,134
1
0
Originally posted by: kamper
Originally posted by: Zugzwang152
I didn't really say anything to the effect of "two factor authentication makes everything else fine and dandy", but ok.
I didn't say you did, but ok.

if you're not addressing what I said, why quote?
 

kamper

Diamond Member
Mar 18, 2003
5,513
0
0
Originally posted by: Zugzwang152
if you're not addressing what I said, why quote?
I liked your post and used it to segue into another area that I had something to say about. Next time I'll ask your permission.