
Evernote hacking spawns new security standards

Friday, June 21, 2013, 12:01 a.m.

In late February, a thief or thieves cracked into Evernote's digital vault filled with log-ins, passwords and email addresses belonging to 50 million users. It was a shocking cyberattack considering the Redwood City, Calif., company offers online lockers for people to safely store their files.

With its reputation on the line, the company quickly developed a security feature that may become the standard procedure for accessing online accounts: demanding two digital keys to gain entrance.

After inputting their passwords, Evernote customers who have opted to use the two-step feature must wait until the company sends a security code to their cellphones. Users must type in this additional code to gain access to their accounts.

Banks and other financial institutions have long had double-layered protection (i.e. asking a preset personal question such as “What was the name of your first pet?”). But a recent spate of major cyberattacks that have exposed hundreds of millions of personal accounts to hackers is increasing pressure on nonfinancial Web services to fortify their digital doors beyond a single password.

That's fueling a booming industry. Researchers are experimenting with futuristic electronics that are wearable or even digestible. And companies are working on making existing products harder to crack. Efforts include equipping smartphones and USB sticks with fingerprint scanners to identify users and developing keyboards that recognize an individual's touch.

Some of these technologies could take years to hit the market, if ever. Still, many in the industry say two-step authentication eventually will become as routine as brushing teeth.

Apple, Twitter, LinkedIn, Facebook, Dropbox, Microsoft, Yahoo and Google all offer some form of two-step verification. Typically, users can opt to receive the security code either through a text message or a smartphone application.

Getting consumers to take advantage of this extra security is another matter. At present, customers of these firms must voluntarily sign up to use the two-step verification. None of the companies would say how many of their users have opted in, but security experts said the numbers are probably small.

Although many people are willing to endure extra security to access computer systems for their jobs or to protect their banking or health insurance information, going through an extra layer to use social media or email is a hassle, said John Chuang, an information professor at the University of California-Berkeley.

“If I'm an employee and I need it to get my work done, I'm going to do it,” Chuang said. “Logging into LinkedIn, that's a different calculus.”

Still, Google security engineer Mayank Upadhyay predicts users will become more accustomed to text-messaged codes as more companies offer the feature.

“The more people who have it, the faster the next set of people are enrolling in it because they've been told about it by friends,” he said.

Google is speeding ahead developing what it considers more secure and usable methods of two-step verification that could catch on with users.

By the end of this year, Google expects to have a limited number of users testing a USB thumb drive that could be used like a key. Users would first have to enter their personal identification number on the device before using it. When plugged into the computer, the USB stick would automatically log users into Google and other websites.

Google is part of an industry alliance trying to get more websites and technology companies to use the same security standards. The alliance's goal is to let users use any device of their choice, whether it's the USB stick, a phone with a special chip or a laptop with a fingerprint scanner.

Companies that manufacture the USB keys could choose to offer a fingerprint scanner or some other technology as a bonus. Users may scan their fingerprint once every morning to unlock their online life. A new scan and a PIN entry could be required before any financial transaction.

Mike DiPasquale, chief executive of fingerprint technology provider Bio-Key, said he expects fingerprint scanners to become a standard feature on phones because the technology costs just $2 a device. Mobile devices could also validate based on location, voice, touch or other biometrics.

DiPasquale said handset makers are realizing that smartphones and tablets are becoming a platform for every type of transaction.

“If security starts to fail, the whole premise behind e-banking, e-payments and e-commerce will come to a screeching halt,” he said.
