I've been spending a lot of time thinking about personal digital security. Sometimes it can be hard to talk about because the first (and often best) line of defense in digital security is having a unique setup where attackers don't know your security measures. But let's talk about some overarching topics.
ISSUES
The most obvious issue is that even when a user wants to take security seriously, most services aren't set up to support that user. Most services still do 2FA through text message, and the sad part is that this method does in fact increase security over not using 2FA at all. Forcing users onto 2FA from nothing already provides massively more security for most people. However, 2FA only prevents a very specific type of attack, and it's pretty clear that there are workarounds.
Basically every single service that utilizes 2FA only requires it for login, never for additional changes/uses of the service. And for crypto this is a disaster. On Coinbase, additional 2FA verification can be enabled for sending crypto off the platform. But Coinbase doesn't require it for adding bank accounts or for making withdrawals in USD. Why not? I don't know. It's trivial to implement from a developer standpoint and it is almost irrelevant from a UX perspective. As a user I almost never add a new bank account or send USD off the platform (and definitely not more often than I move crypto off the platform). As a user I am totally fine putting in 2FA one or two times a YEAR for this extra security.
A second example is that Gmail doesn't require 2FA to make changes to your account settings. I would very much like 2FA to be required for changes to mail filters. This is by far the most common attack surface, and yet a trivial change could completely shut it down.
The obvious reason why 2FA isn't required by these services: they assume that a valid user's device has not been tampered with. And this is honestly ridiculous. It is too easy and too common for malicious software to gain access to a user's device, or for a random stranger to get access to your laptop as you get up to pee at a crowded coffee shop. A lockscreen on your laptop does not encrypt your computer - in fact it barely provides any protection against someone who has physical access to your personal hardware.
Critical services need to assume that hardware might be malicious and help to protect users - or at least offer that protection to the users who want it.
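
The server-side policy argued for above, as an added example that is not part of the original post and not any real service's code: a logged-in session is refused sensitive actions until a fresh one-time code from a separate device has been verified. The action names, the 5-minute freshness window and the Session class are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Hypothetical action names for the operations the post wants gated.
SENSITIVE = {"add_bank_account", "withdraw_usd", "send_crypto", "edit_mail_filter"}
STEP = 30            # TOTP time step in seconds (RFC 6238 default)
FRESH_FOR = 300      # assumed policy: a step-up stays valid for 5 minutes


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 6238 code (HMAC-SHA1) for one time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Session:
    """An already logged-in session; login alone never unlocks SENSITIVE."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._verified_at = None   # when the second factor was last proven
        self._last_counter = -1    # highest time step already consumed

    def step_up(self, code: str, now: float) -> bool:
        current = int(now // STEP)
        for counter in (current, current - 1):     # tolerate small clock drift
            if counter <= self._last_counter:      # refuse replay of a used code
                continue
            expected = totp(self._secret, counter)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self._last_counter, self._verified_at = counter, now
                return True
        return False

    def authorize(self, action: str, now: float) -> bool:
        if action not in SENSITIVE:
            return True
        return (self._verified_at is not None
                and 0 <= now - self._verified_at <= FRESH_FOR)
```

A stolen cookie or an unattended laptop yields a session for which authorize() returns False on every sensitive action, because the code has to come from the second device.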
Having 2FA and therefore incorrectly thinking you are secure is almost worse than not having 2FA at all.
SOLUTIONS
Unfortunately there is a significant lack of solutions. I can't exactly stop using Gmail/Google. These sorts of 3rd party services are too baked into the online experience to get around, and as far as I have researched, no online services provide these security measures. Even hosting your own email service doesn't solve the problem. So unfortunately the solutions aren't really solutions but instead best efforts.
Securing your browser:
I was sad to find out that browsers, too, never assume they are working in adversarial environments. Saved cookies/sessions are a huge attack vector for hackers. I really need any profile information to be encrypted (ideally with homomorphic encryption so that it doesn't have to be decrypted in memory, but that's beyond my current expectations). Instead I would settle for a best effort, and I couldn't even find that. So again we'll have to settle for an inferior setup.
Securing the OS better:
- The first and most important step is that your secure browsing should be kept separate from all other programs you install on your computer. When a program gets installed, you basically have no idea what it does. A common attack is to ship a correctly functioning program with an additional virus bundled in. It’s basically impossible for the user to catch this if the company’s installer has been compromised.
You could choose to only use open source, but that is basically impossible. Instead it makes more sense to have a secure and an unsecure desktop. You only log in to email/secure websites on the secure desktop. Your browser profile should never be near the litany of unsecure programs daily life forces us to use. This 2 desktop setup is ridiculous and over the top, but it is the only way to live a semi-normal life and still be secure.
- Use a nonstandard OS on your desktop. Windows has too many users and too many known attack vectors. When your system is nonstandard, it immediately removes the threat of most attacks.
- Your secure desktop has hard drive encryption. This isn't new; it has been around a long time.
- All (remote) logins/sudo/administrator/password prompts require 2FA with a physical key with biometric scanning. Even if the password is compromised, no remote login or local change can happen without your biometrics.
All of this only gets you so far. A knowledgeable attacker who knows how your specific system has been set up can still attack it by finding out a single password. But this system is still better than the alternative.
ON THE GO:
This 2 desktop setup doesn't solve security when you are traveling with a laptop. I think it is too ridiculous to have multiple computers on the go. So I recommend a different option when traveling.
Laptops never store a user profile. Each time you start the laptop up you have to log in from scratch! This is indeed annoying, but I cannot stress enough how much extra security this provides. But you shouldn’t be deleting this stuff by hand, because programs leave all sorts of files around in various directories and in various OS configuration files. In order to ensure these files are deleted correctly:
Laptops should use the equivalent of a live OS. Basically the OS is booted from scratch each time you use it. This ensures that even if someone is able to install something malicious on your laptop, it gets destroyed at each shutdown. In order to do this, the OS drive must be mounted read-only/loaded into RAM so changes can't be saved. There are a couple of ways to accomplish this, but the simple explanation for now is to use a live USB drive without persistence. There are other more usable options that I might write about in another blog post, but the idea holds up either way.
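
A sanity check for the live-OS setup described above, as an added example that is not part of the original post: it reads a Linux mount table in /proc/mounts format and reports whether writes to / are blocked or land only in RAM. The three mount tables are constructed samples, and the check is a heuristic that looks at the root filesystem only.

```python
RAM_FS = {"tmpfs", "ramfs"}  # filesystem types whose contents live only in RAM


def parse_mounts(text):
    """Parse /proc/mounts text into (device, mountpoint, fstype, [options])."""
    rows = []
    for line in text.strip().splitlines():
        dev, mnt, fstype, opts = line.split()[:4]
        rows.append((dev, mnt, fstype, opts.split(",")))
    return rows


def backing_mount(path, mounts):
    """Return the mount whose mountpoint is the longest prefix of path."""
    best = None
    for m in mounts:
        prefix = m[1].rstrip("/") + "/"
        if (path + "/").startswith(prefix) and (best is None or len(m[1]) > len(best[1])):
            best = m
    return best


def root_is_nonpersistent(text):
    """True if / is RAM-backed, read-only, or an overlay whose upper layer is in RAM."""
    mounts = parse_mounts(text)
    roots = [m for m in mounts if m[1] == "/"]
    if not roots:
        return False
    _, _, fstype, opts = roots[-1]          # the last mount on / is the live one
    if fstype in RAM_FS or "ro" in opts:    # RAM-backed or read-only root
        return True
    if fstype == "overlay":                 # writes land in upperdir: what backs it?
        upper = next((o.split("=", 1)[1] for o in opts if o.startswith("upperdir=")), None)
        backing = backing_mount(upper, mounts) if upper else None
        return backing is not None and backing[2] in RAM_FS
    return False                            # ordinary writable disk root


# Constructed samples: a live session, the same stick with persistence, an install.
LIVE = """tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
tmpfs /run/live/overlay tmpfs rw,noatime,mode=755 0 0
overlay / overlay rw,noatime,lowerdir=/run/live/rootfs/filesystem.squashfs,upperdir=/run/live/overlay/rw,workdir=/run/live/overlay/work 0 0"""
PERSISTENT = """tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
/dev/sdb3 /run/live/persistence/sdb3 ext4 rw,noatime 0 0
overlay / overlay rw,noatime,lowerdir=/run/live/rootfs/filesystem.squashfs,upperdir=/run/live/persistence/sdb3/rw,workdir=/run/live/persistence/sdb3/work 0 0"""
INSTALLED = "/dev/nvme0n1p2 / ext4 rw,relatime 0 0"
```

On a running laptop, pass the contents of /proc/mounts to root_is_nonpersistent(); an overlay whose upper layer cannot be located in the table is reported as False rather than assumed safe.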
This still leaves one obvious attack vector: a computer is infected and attacked all in the same session. But probably only a very tiny fraction of attacks meet these very stringent conditions.
The goal unfortunately isn’t guaranteed security. Instead the goal is to lock down as many attack vectors as is reasonable. Especially the ones that have been left blatantly exposed (and continuously attacked) by important online services.
My final thought is that I don't love any of this. It significantly reduces user experience because online services don't take user security seriously. With crypto, their lack of security measures is just not good enough. If you hold any non-trivial amount of crypto, you have to seriously consider increasing your security even if it means more work. Stay safe out there!