Wednesday, January 2, 2008

Opinion - IDVault

Do you bank, invest, purchase or enter a username and password combination while online? If you're like most people, you do. Did you know your accounts and perhaps your identity could be compromised? If you're like most people, you do, but the convenience factor usually overrides your wariness and you accept the risks.

Well, I'm not so accepting. So to that end I looked around for a way to secure all those usernames and passwords, plus provide a secure method to exchange them with the target site. There are a number of choices out on the market, but each had some aspect that did not match up with the general need for this type of protection.

Enter IDVault.

IDVault 2008 was announced on September 18, 2007. As more and more transactions are processed online, it becomes more and more advantageous for thieves to target these transactions. Hopeful that a device and software combination would mitigate this risk, I selected Guard ID Systems' IDVault to test.

The retail price varies just a bit, but it can be obtained for between $40 and $50. A second IDVault can be purchased for around $30 by the original owner. These prices were available via Guard ID Systems' website at the time of this writing.

The one tested was purchased directly from Guard ID, and the box contained the USB drive, USB extension cable, software CD and the various paperwork. The first thing that was noticeable was that the USB drive looked like a rubberized padlock. It has a yellow button to retract the drive connector into the body of the "lock". Overall "feel" is that of an inexpensive thumb drive.

The environment is a closed loop. IDVault presents a trimmed-down version of a browser for the actual Internet operations. It does notice when you attempt to browse to one of the sites that is part of their list and will ask if you want to use IDVault to log in. If you respond with yes, the page you are viewing is stopped and the IDVault browser appears along with the dialog boxes. Similarly, if you browse to a previously registered site, you are asked if you wish to use IDVault and the operations proceed using their trimmed-down browser.

Conclusion:
Overall, IDVault performs on an average level. It does what they say in the ads, with only a few hiccups.
A number of features slide over to the "CON" column:

  • Multi-browser support is lacking (only uses your default browser, either IE or Firefox);
  • No direct editing capability for correcting URLs, usernames and other account attributes;
  • Did not work with several sites tested. They were Comcast, Qwest and BestBuy. Some of these were manually added while others were part of their list of sites.


The perfect implementation would allow use with other applications, such as Quicken and the like, in addition to browsers. IDVault does not accommodate these other applications.

Opinion: For a majority of the web browsing consumers, IDVault will work adequately. For my use, it does not make the grade. For those who need a more flexible option, shop around.

BTW, Steve Gibson of Security Now podcast fame will be performing an in-depth review of IronKey, yet another secure option. Refer to Security Now #126 (AKA Listener Feedback #32) where he mentions the upcoming review.

Update 2008-03-13: Security Now #135 covers the product from IronKey

Alternative that I use:
I am presently using the open source KeePass Password Safe to maintain usernames and passwords for all accounts. These accounts include those accessed via browsers as well as particular applications. The configuration in my situation is two USB thumb drives. One drive contains the database password (a long computer-generated string) and the other drive contains the database. To access the database, both drives must be mounted. Both usernames and passwords are available via a paste option so keystroke loggers won't see the entries. In addition, all information is editable and easily accessed.

Side Note: In the same Security Now episode mentioned above, Steve mentions the security risks involved with the use of Opera Mini, which is their free option for mobile browsing. Bottom line, if you are concerned about security, DO NOT USE OPERA MINI !

Hopefully, in 2008, some type of general purpose online ID protection will be made available. If you are using another device for personal online ID protection, please let me know.

Other related links:
Coolest Gadgets - IDVault Review
Amazon.com IDVault page

4 comments:

Jumboo said...

"Steve mentions the security risks involved with the use of Opera Mini, which is their free option for mobile browsing. Bottom line, if you are concerned about security, DO NOT USE OPERA MINI !"

How come?

Opera Mini actually encrypts the traffic between the handset and the Mini servers.

Rich said...

Jumboo, yes, if you completely trust this "man-in-the-middle" concept, then you're fine.

BTW, Opera Mini FAQ states that the Opera Mini transactions are not secure.


Why does the page information say that the connection is not secure when you said all traffic is encrypted?

All versions of Opera Mini support encryption between the Opera Mini server and any web site. Starting with Opera Mini 3 Advanced, the connection between your phone and our server — the Opera Mini client and the Opera Mini Transcoder server — will always be protected by encryption.

Note that the encryption is only available in the advanced version of Opera Mini, and not in the basic version. In the basic version, and in older versions of Opera Mini, the connection between the Opera Mini client and the Opera Mini transcoder server will always be unencrypted. Parts of the connection may however still be encrypted depending on your provider and wireless protocol.

With older versions of Opera Mini, or Opera Mini 3 basic:

1. The connection between your phone and the Internet Access Point may be encrypted by GSM, AMPS, TDMA, or CDMA.

2. The connection between the access point and your provider's internal network is possibly unencrypted, but it is not a public net.

3. The traffic between your provider and the Opera Mini server is not secure.

4. The connection between the Opera Mini server and the remote web server is SSL-encrypted.


With the advanced version of Opera Mini 3 and higher, all of these connections are secure.

MIDP already supports secure sockets and HTTPS. Why invent your own solution instead of using the existing support?

Opera Mini runs on hundreds of different handset models. During development we found out that certificates and implementations of secure sockets/SSL is an area where there is little standardization, with many bugs and big differences between different handsets and manufacturers. This is the current state of J2ME/MIDP, so we found developing our own solution to be the only viable option.


I hope this helps. Be sure to listen to the Security Now podcast for more information and any updates as they arise.

Jumboo said...

"Jumboo, yes, if you completely trust this "man-in-the-middle" concept, then you're fine."

As in, trusting someone else to handle your data? Like Google with Blogger (or even Gmail)? Like your ISP? Lucky for you that Norway has some of the strictest privacy laws in the world, then. (Opera Software is a Norwegian company.)

"Opera Mini FAQ states that the Opera Mini transactions are not secure"

No it doesn't. It states that only the advanced version is secure. Opera Mini 4 only comes as an advanced version.

Quote: "the connection between your phone and our server will always be protected by encryption."

Jumboo said...

Eh, the article clearly states that Opera Mini is secure. It uses a secure connection as of version 3, for the advanced version. Version 4 is only available as an advanced version, so it does use encryption.