Information Security

I’m thinking a lot about information security lately. Not because we develop and sell eWallet, but because of two things that have happened recently:

Our office was broken into. Nothing but one laptop was taken (and it was just used for testing, so had no valuable info on it, plus was password-protected). We think that our alarm scared the person or people away, and they just took the nearest good-looking piece of equipment. While we’re all feeling a little rattled by the thought that someone was in our office, we’re also very aware it could have been much worse.

We stopped keeping the credit card numbers we get for sales several years ago, and are very careful to protect any confidential info – whether users’ email addresses or our own credit card numbers and passwords – on any of our PCs, so I know that anyone getting any of our equipment wouldn’t be able to get any useful information. And I know we’re good about keeping offsite backups of all the corporate and customer info. I hope we’re also good about keeping offsite backups of our own PCs, but I know at least I don’t do that every day. But we’d lose weeks of work if we all had to get new PCs and set them up. I’m not sure that 5-year-old PCs (mine’s at least that old) are even worth taking, but I hope I never find out.

The other thing that’s happened is that as part of two banks I use being acquired, I’m kicking off a long-postponed personal financial reorganization. Wow – there’s a lot of info to enter and keep with new bank accounts. Online security is a lot better than it used to be, which I’m very glad about. But it’s clear that no matter how excellent my memory is, there’s no way I could be without a good wallet program. And being able to enter free-form info – like my third boyfriend’s pet’s name, or the street my high school was on – is a lot more critical than it was when we first added the Notes fields to eWallet cards.

Anyway, I’m glad the banks are looking out for me, and I’m glad there’s good enough software that I can manage everything I need to. And I’m really glad we got an alarm when we moved into this office (we’d always planned to with the previous one, but never got around to it). It’s too bad we need all that, but since we do, it’s good that it’s there.

And, yes, I’m thinking a lot about mobile technology too, especially with all the new announcements lately. I just don’t have anything to say about it – yet – that hasn’t been said by many other people.

6 thoughts on “Information Security”

  1. Peter S

    Sorry to hear about the break-in. A friend of mine had that experience lately and they were also able to say that no customer information was really harmed. Everything that was possibly on the systems was publicly available information – no bank accounts, credit cards, etc. The worst case scenario might be that some passwords were stored to their e-mail accounts. However, these thieves were definitely after getting the equipment for a quick sell rather than whatever information was on them.

    As for the banks – I’m glad that the information on the customer-facing side is well-protected, but it seems that every time I hear of a security breach it’s because of flawed internal practices. I’m glad to hear that this is not an issue with the machine that was taken from your office, but it seems that you’re in a minority right now.

    In regards to mobile security, I know that Windows Mobile owners have several options now for installing something very similar to a lo-jack system on their devices. Some can send text messages to a predefined target or call home regularly. Some even allow receipt of text messages to harass the person. One piece of software even sends something if the SIM card is changed out. I also remember reading a story of someone whose phone was stolen, but the thief took pictures and denied stealing it. I think she eventually got the phone back after a long drawn out battle, but the thieves had no shame at all in being found out.

    I hope everything transitions smoothly for you all after the break-in. It’s never a fun experience to come in and find something missing that you expect to see.

  2. newsbreaker

    My office was broken into & my corp. laptop was stolen. It gave me a new appreciation for corp. security group policies and a renewed commitment to regular backups! I hope all goes well at Ilium HQ as you recover.

  3. Don

    I am sorry to read about your break-in but as a customer I am impressed with your openness and the steps you have taken to help secure our privacy. Another reason to stick with your products.

  4. Eugene G

    “The worst case scenario might be that some passwords were stored to their e-mail accounts.”

    Well, I have a bone to pick with you, then ;)

    The worst case scenario, in my view, would be someone _quietly_ breaking into your office and posting a malicious “upgrade” copy of eWallet posing as you. Then collect all valuable personal data users put in their eWallets, and smile all the way to the offshore bank.

    Well… never mind… they really don’t have to break in to do that. They can just set up a phishing site. Because, if I am correct, there’s still no way to verify that a download actually came from Ilium.

    This is the main reason that years ago I dumped eWallet in favor of a similar freeware application whose author provided PGP signature verification on all downloads.

    You’re not alone, though – all commercial wallet type application developers missed this very important safety step, last I checked.

  5. Marc

    Hi Eugene,

    You make some good points. Fortunately it isn’t quite this easy to replace a file without us noticing, and your assessment of our current security measures isn’t completely accurate. Every one of our installers is digitally signed with a third party sig. If any changes are made to the installer or its contents, that signature becomes invalid. So if you right click on one of our installers and select Properties, you’ll see a tab for digital signatures. If there has been any tampering with the files there will be a red X here and the statement that the signature is invalid.

    This is a way that you can check a file yourself for validity.

    In addition, we check every file to verify signatures. This is one of our own, in-house security measures. So, while your scenario isn’t impossible, it is highly improbable that any attempt like this would go unnoticed. (Not to mention that they’d have to first bypass boot and login passwords on multiple systems to even pull this off in the first place… a crowbar might get you into our building, but it won’t get you into our systems.)

    Fortunately, in the past 10+ years we’ve never had a problem, but part of what makes us the best in the market is that we are always working to improve our products. We are already looking at methods of notifying the user if a file is invalid during the installation process, something you will likely see in the next release of eWallet.

    Sincerely,
    Marc Tassin
    Senior Product Manager

  6. Eugene G

    Well, as I said, they don’t have to break into your website or office. All they have to do is to offer a download of eWallet off some site that either pretends to be Ilium, or just poses as a reseller.

    Now about the certificates – most laypeople, myself included, won’t know what to do with them, in all honesty. To me at least, they don’t offer the same peace of mind as PGP verification. This is because I have total control over the process and origin of the PGP public key (after I downloaded it, of course). I know that the key I have in my keyring is the one I imported years ago. I know where I got it and where I am checking it. I have no such control over certificates; it’s something that’s appeared on my machine and tells me it’s OK but I had no involvement in the process.
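
The check Marc describes in comment 5, extended with the kind of pinning Eugene asks for in comment 6, as an added example that is not part of the original post or comments and is not Ilium's code. `Get-AuthenticodeSignature` is a built-in PowerShell cmdlet; the function name, the `-Product` label and the pin-file location are assumptions made for illustration.

```powershell
# Added example; Test-PinnedInstaller, -Product and the pin-file path are hypothetical.
function Test-PinnedInstaller {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,     # installer to check
        [Parameter(Mandatory)] [string] $Product,  # label the pin is stored under
        [string] $PinFile = (Join-Path $env:LOCALAPPDATA 'installer-pins.json')
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Anything other than Valid fails. HashMismatch is the "red X" case (file changed
    # after signing); NotSigned is what a repackaged, unsigned copy would show.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature check failed: $($sig.Status) - $($sig.StatusMessage)"
        return $false
    }

    $thumb   = $sig.SignerCertificate.Thumbprint
    $subject = $sig.SignerCertificate.Subject

    # Load existing pins (product label -> signer certificate thumbprint).
    $pins = @{}
    if (Test-Path $PinFile) {
        (Get-Content $PinFile -Raw | ConvertFrom-Json).PSObject.Properties |
            Where-Object { $_ } | ForEach-Object { $pins[$_.Name] = $_.Value }
    }

    if (-not $pins.ContainsKey($Product)) {
        # First use: record the signer. Do this only for a copy whose origin you trust.
        $pins[$Product] = $thumb
        $pins | ConvertTo-Json | Set-Content $PinFile -Encoding UTF8
        Write-Host "Pinned signer for ${Product}: $subject ($thumb)"
        return $true
    }

    if ($pins[$Product] -ne $thumb) {
        # Validly signed, but not by the certificate seen before.
        Write-Warning "Signer changed for ${Product}: pinned $($pins[$Product]), got $thumb ($subject)"
        return $false
    }
    return $true
}

# Usage (path is a placeholder):
# Test-PinnedInstaller -Path .\setup.exe -Product 'eWallet'
```

A changed thumbprint also occurs when a publisher renews its signing certificate, so a mismatch is a prompt to confirm the new signer through the publisher's own site before re-pinning.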
