You’re conscientious about security, right? You’ve got anti-virus software and a firewall; you’re using encryption and strong, unique passwords with two-factor authentication set up on your accounts. High-five! Gold star! You get a cookie for good data-protection! But wait, there’s more to this equation than there may appear. Could you have followed the spirit of the security advice and still be shooting yourself in the foot?
On the obvious side, if you have all these security pieces in place but you never activate them, it’s not going to do you much good. If you click through every warning on your firewall without ever looking at it, it’s not going to be doing as much for you as you might think. If you disable real-time protection on your AV software, likewise, it’s going to be quite a bit more limited in its ability to protect you. But there are less obvious ways that you could be sabotaging your security efforts.
There were a couple of good articles this week discussing ways people undo their security without realizing it – specifically, using backups. The first is about how people backing their texts up to web services negate SMS for two-step authentication. The second is how backing up iMessages to iCloud negates the protection given by encryption. But backups are also part of a good security strategy, right? Oh man, so confusing. I know security advice can seem really conflicting sometimes. So, let’s break it down and see what’s up.
The SMS Issue – When is 2-Factor Authentication Not Two Factors?
SMS backup is problematic, partly because two-step authentication is only a small improvement over single-step authentication, and also because it is not quite two-factor authentication to begin with.
The idea with two-factor authentication is that the “thing you have” should be something separate than the thing you’re accessing a resource with. Because you can access most web-services with your mobile phone as well as your computer, it’s a less-secure method of authentication than using a dedicated dongle. And when you back up your SMS to your webmail, you’re making it so you can access your texts on both your computer and your phone. So an SMS activation code becomes simply another “thing you know,” rather than a separate “thing you have.” One factor. Whoops.
The iMessage Issue – When Are Our Messages Encrypted?
The iMessages issue butts up against the limitations of encryption. Encryption is meant to protect data only when it’s not being used. That is to say, when the data is in transit or when nothing (and no one) is accessing that data. But the problem is, by allowing backups of your messages, you’re creating more access to that data. If you forget your password, Apple has to give you a way to retrieve it, which opens up ways for other people to retrieve it too.
The ArsTechnica article also brought up another issue with regards to encryption, which is something we talked about other day too. There can be considerable clues to what you’re up to in the metadata. Metaphorically speaking, while having an encrypted file called “All my illegal activities” may not be admissible as evidence in a trial against you, it’s certainly going to put you under much more strenuous scrutiny whether or not it’s warranted.
So, What Does That All Mean?
Well, for better or worse, it means you need to think about the consequences of your actions in security as in life. There’s always a tradeoff between convenience and security. The more accessible your data is, the more difficult it is to protect it.
Backing your data up in the cloud is less secure than backing it up on a hard drive that you keep locked in a safe, where only you have the key. It’s simply safer if you are the only person with access to the device that holds your data. If there’s a bunch of people at a company that is contractually obligated to make sure you can access your data however you’d like, that’s less safe. Not necessarily unsafe, mind you, but less safe. And every time someone backs up their data to a web service that has minimal protection in a way that negates other security measures, somewhere there’s an attacker wringing their hands with glee and a security wonk that’s quietly weeping.
Further Reading:
photo credit: pasukaru76 via photopin cc
