Don’t trust a public PC with your digital identity

Contrary to popular belief, stealing someone’s digital identity is a snap. It almost seems as though the more we use digital identities, the easier they are to swipe. The reason can be attributed to general carelessness or perhaps outright ignorance, but whatever the case, letting your digital identity fall into the wrong hands can expose you and your organization to a world of headaches.

Case in point: I routinely use Pretty Good Privacy (PGP) and SMIME to secure e-mails and file transfers. Yet frequently, even somewhat knowledgeable IT security people get confused about which keys to use when. In order to for someone to send me encrypted content, I need to send that person my public key. Similarly, I need the recipient’s public key so that I can send him or her encrypted content. We should never share private keys. That’s why they are called private. Pretty simple — or so you would think. More often than not, if the person isn’t overly familiar with PGP/SMIME, even if they’ve been using it, they send me their private key.

[ Is your organization moving to Windows 7? Then be prepared: Check out InfoWorld’s essential guide. | Tune in to the InfoWorld Security Central channel for the latest IT security news and reviews. ]

Being the good citizen that I am, I delete their private key and ask again for their public key, explaining that with their private key, I could be them, for all digital purposes. About half the newly educated group then sends back my public key back or, if they’re using PGP, their private key ring, which contains all their private keys. You might think that I’m making this stuff up, but it’s pretty much been this way with PKI and PGP exchanges since they were invented. PGP’s own Phil Zimmerman has often written on this subject.

Real and virtual converge The danger of having your digital identity stolen is dire. Increasingly, our digital identities are us. I now pay 95 percent of my bills online. My digital self has platinum status with several major hotels and airlines. I get monthly refills on some of my supplements and my family’s medication from online stores. Even my dog gets her medicine in the mail. I’ve had my personal e-mail address for over a decade.

Moreover, Xbox and everything that virtual world entails knows me by my Microsoft Live ID. Netflix only knows me through my Xbox profile. Talk to anyone who has accidentally misaligned their Live ID and Xbox profile. It’s a frustrating experience to have your digital self not synced with your real self.

Your online identity doesn’t stop there, either. I’ve developed multidecade relationships with people whom I consider true friends though I’ve never met them in person or talked to them on a telephone. I’m not alone in this experience. At the end of their lives, my oldest relatives all found the joy of Internet e-mail to stay in contact with family and friends. They may have been 80 or 90 years old, but they smiled like a teenager when they talked about their online relationships.

In short, I can’t imagine the interruption in my virtual life, both personally and professionally, if my online identity suddenly changed or got stolen. For all of us, the importance of our digital identity is increasing with each passing day.

I guess that why I’m still amazed with how little respect many people still give to protecting their digital identities. I frequently overhear people giving log-on information on airplanes via their cell phone, as if everyone nearby can’t hear them. The vast majority of companies still have very poor password policies. News flash: Six-character passwords that never expire aren’t considered secure anymore. It’s still not unusual to spot the CEO’s log-on name and password posted on a yellow sticky next to their monitor.

[ Are your organization’s passwords strong enough? | Roger shares advice on managing passwords: “Password size does matter” | “Getting a grip on better password hashes” | “Ask better password questions” ]

Log on with care But what troubles me most is how readily people input their log-on information over an untrusted computer. I do a lot of traveling, and I’m in a new hotel each week. I’d say that nearly three-fourths of the public computers at these places have key-logging Trojan installed. I’ve seen airport kiosks with hardware key loggers installed. Wireless networks at conferences are often littered with malicious sniffers and computer worms. At least half my friend’s computers have at least some sort of malware running on them. It’s getting to the point that you can’t trust anyone’s PC but your own these days.

That’s the fact: Given how important it is keep your digital identity safe, you should never input your log-on credentials into another PC not completely under your control.

That means you shouldn’t check your e-mail or any authenticated online service portal using a computer that is not your own. Don’t use the hotel’s computer. Don’t use computers at conferences. Don’t use your friend’s computer. Don’t use a co-worker’s PC. The risk that the computer not under your control is exploited is too high, and once the bad guy has your log-on credentials, it’s all too easy to mess with your digital life.

If you are involved in your company’s computer security, you should make a new policy saying that no one should ever type their authentication log-on credentials into a nonmanaged computer. Make it a policy and enforce it. I know of one company that shut down its online, Web-based e-mail system until it could get a two-factor system enabled for all employees.

That’s a good solution. Any security system that doesn’t rely on a simple, one-factor, traditional username and password is better. While not perfectly secure, a two-factor system or something using a one-time password/PIN (such as a RSA keyfob) does provide additional security that would be sufficient to protect most online systems.

The risk of accessing your own personal system or corporate assets is just too great to be hoping that the system you are using isn’t exploited.  And increasingly in this world, that computer not under your control is infected. Just say no.

This story, “Don’t trust a public PC with your digital identity,” was originally published at InfoWorld.com. Follow the latest developments in security at InfoWorld.com.