by Larry Magid
This post first appeared in the Mercury News
At ConnectSafely we’re strong advocates for keeping your online information secure. But when possible, it makes sense to choose approaches that are both secure and easy to use.
Last week, someone I know asked me for help with a file they had received but couldn’t open on their phone. I clicked the link and discovered it was a Microsoft Word document. The problem was that they didn’t have a compatible app on their Android phone, so the file wouldn’t open.
They forwarded it to me so I could open it on my PC, but the document was password protected. The person who sent it texted the password, which was then passed along to me. Sending the password as a separate text message is actually a smart idea because even if someone intercepted the email with the file, they still wouldn’t be able to open it without the password.
The file contained the names and months of birth of some people’s grandchildren, but not the exact birthdates. The idea was to make it harder for anyone with access to the file to steal the children’s identities. I understood the concern. Names and birth dates can sometimes help criminals steal a child’s identity , although they usually need additional information.
Over the next few days, the person managing the list sent two or three revised versions because of corrections and additions. Each time a new file arrived we had to repeat the same process to open it again.
Easier way to manage
As I thought about this, it occurred to me that there was a much easier way to manage such a list. It could be placed in a shared Google document or spreadsheet. Google allows the owner to authorize specific people by email so only those invited can access the file through their Google accounts. Anyone with editing privileges can update it, and the changes are immediately visible to everyone who has permission to view it. In most cases this is both easier and more secure than emailing new versions of a document every time something changes. Many businesses and organizations use Google Docs for highly sensitive information.
Google uses strong encryption
I explained to the person who created the file that information stored by Google is encrypted both in transit and at rest. That means the data is scrambled when it travels across the internet and also while it is stored on Google’s servers. In practice, that means no one can access it unless they log in with authorized credentials.
But the person who created the document, along with at least one other member of the group, wasn’t convinced. They preferred to keep the list in the original format, believing that it offered a higher level of security. I reminded them that banks and health care providers rely on similarly encrypted online portals because those systems are typically more secure than sending sensitive information through email.
Nothing is 100% secure
Still, their concern raises a broader issue. Nothing stored online or sent by email or text is 100% secure. If a highly sophisticated attacker truly wants access, there are ways to breach nearly any system. But when information is properly encrypted and the people who have access use common sense, security measures such as two-factor authentication and strong passwords, gaining access becomes very difficult. It would require significant effort, which means there would have to be a very strong motivation to try. For that matter, even information stored on paper could be stolen if a skilled intruder was highly motivated.
It’s similar to physical security. Most of us live in homes with glass windows and fairly simple door locks. That’s enough to keep out most burglars. But there are people who could break into almost any home if they had a strong reason to do so. Banks, by contrast, use much stronger locks and vaults that are extremely difficult to penetrate, although even those are sometimes breached. Even some of the world’s most well-guarded institutions have been targeted, such as the recent burglary at the Louvre in Paris, which is a reminder that no system is completely immune if someone is determined and skilled enough.
Balancing act
When it comes to personal security, it’s always a balancing act between risk and convenience. We need to weigh the likelihood and consequences of a breach against the complexity and inconvenience of the security measures we use to prevent it.
For example, I protect different online accounts in different ways depending on what’s at stake. For my online newspaper and entertainment subscriptions I use strong passwords, but I don’t bother with two-factor authentication unless required. The consequences of someone accessing those accounts are relatively minor.
But for my medical, financial, e-mail and social media accounts, I use stronger passwords along with two-factor authentication that sends a code to my phone when I log in from a new device or browser. For some accounts I use an even stronger method that relies on an authenticator app such as Google Authenticator or Authy. These apps generate codes that change every minute, making them secure even if someone were able to clone my phone number.
An even stronger option is to use a physical security key such as a YubiKey. This small device must be inserted into a computer or tapped against a phone to verify your identity. It’s less convenient, but the added protection can be worth it if you believe there is a meaningful risk of attack.
Regardless of the type of information you’re protecting, it’s especially important to secure your email account with a strong password and two-factor authentication because it often serves as the gateway to many other accounts. It’s also important to avoid phishing scams, in which criminals send messages that appear to come from a bank or other trusted organization asking you to click a link and log in. Those links typically lead to fake websites designed to steal your password, personal information, or money.
We all need to protect our digital, physical, and financial assets, but we also need to be able to access them ourselves without making it a herculean task. I want a secure home, but I don’t want to live at Fort Knox.
Larry Magid is a tech journalist and internet safety activist. Contact him at [email protected].