No one wants to have their identifying particulars stolen and abused. To help, there is the security concept of using one secret (a key) to unlock keys to other services. The concept is simple. Here is a real-world analogy: in a car dealership, the service area has a bunch of keys to inventory and customer vehicles. That collection of keys is kept in a locked wall-mounted cabinet. Upper management are the only people with the keys to the “key locker.”
On your personal computer, there’s another commonly used example. In most browsers you can set your security preferences so that the username and password fields at different web sites are automatically supplied. They are stored in a browser-managed repository which is the equivalent of the “key locker” described above. Using this auto-fill feature alone is a net decrease in your security because, once it is turned on, anyone who can walk up to your computer can start up the browser and instantly be logged into your various web site accounts without having to know any credentials. But there is a simple way to mitigate this risk. For example, in, say, Firefox, IE 8 or Opera you can also set a “Master Password” that is used to keep people other than yourself from getting at those passwords. This master password is the equivalent of the key to the key locker in our physical world example. This gives you the best of both worlds because now you only have to remember a single password which, in turn, allows you to set the underlying stored passwords to very hard to guess, long, complicated nonsense strings because you are planning to never have to remember/type them!
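The master-password idea above, as an added example (not code from any browser or from the original article): the stored site passwords are encrypted under a key derived from the master password, so the locker is unreadable without it. The function names and the choice of scrypt with AES-256-GCM from Node's built-in `crypto` module are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Stretch the master password into a 256-bit key. The random salt is not
// secret; it is stored next to the locker so the key can be re-derived.
function deriveKey(masterPassword, salt) {
  return crypto.scryptSync(masterPassword, salt, 32);
}

// Generate a long nonsense password that nobody has to remember or type.
function randomSitePassword() {
  return crypto.randomBytes(24).toString('base64'); // 32 characters
}

// Seal the stored site passwords (a plain object) into an encrypted locker.
function lockLocker(masterPassword, sitePasswords) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const key = deriveKey(masterPassword, salt);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ciphertext = Buffer.concat([
    cipher.update(JSON.stringify(sitePasswords), 'utf8'),
    cipher.final(),
  ]);
  return { salt, iv, ciphertext, tag: cipher.getAuthTag() };
}

// Open the locker. Returns null when the master password is wrong or the
// locker has been altered, because the GCM authentication tag will not verify.
function unlockLocker(masterPassword, locker) {
  const key = deriveKey(masterPassword, locker.salt);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, locker.iv);
  decipher.setAuthTag(locker.tag);
  try {
    const plain = Buffer.concat([
      decipher.update(locker.ciphertext),
      decipher.final(),
    ]);
    return JSON.parse(plain.toString('utf8'));
  } catch (err) {
    return null;
  }
}
```

The strength of the whole locker now rests on the master password, which is why it should be the one long passphrase you do commit to memory.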
Another example of this security concept is in the world of payment card (credit, debit, etc.) clearing house services like PayPal, Google Checkout and PaySafeCard. You give these services various credentials, and they provide clearing house service to merchant sites that have signed up to use them for payments. Here’s how it works:
First you sign up for the payment service of your choice, let’s say PayPal:
- you create an account at the payment service using a unique string such as your email address
- you fill out the payment service’s profile by providing contact information and credit card, debit card or checking account information
- depending on the service, you may need to verify that a tiny transaction against the card or account in question goes through
That’s it! Now, you can use any online vendor that supports that payment service (look for, say, the PayPal logo, although it may not be displayed until you go to checkout):
- go to a merchant site such as Walmart and put some stuff in your virtual shopping cart
- proceed to check out and notice that there is a PayPal option, choose it
- Walmart’s website sends you to PayPal, passing PayPal the bill you need to approve (vendor and dollar amount)
- you confirm your PayPal password and then tell PayPal which of your accounts to debit
- when you hit “confirm payment”, PayPal debits your card/account on behalf of Walmart and then transfers the funds (not the payment information!) from your account to Walmart
- PayPal also sends you email confirmation and tells you what merchant name to expect to see on your credit card statement
- PayPal sends your browser back to the merchant site where your payment is confirmed in the form of a receipt (and usually another email) and information about order shipment
So, behind the scenes, the payment service deposits the payment (minus their transaction fee) into the merchant’s account without ever sharing your payment information with anyone!
Why bother with that? In the case of Walmart.com, there is probably little reason for concern but in the case of a small company, say Tom’s LiveBait-by-Mail, you might be a bit leery of giving away your credit card information. Also, if you signed up multiple credit/debit cards and one or more bank accounts then you can choose which to charge the payment against at checkout time. So, as long as the payment service is super-secure, it’s a net win because the fewer places that get their hands on your card info the better.
Is there a downside to using these services? Well, I suppose these particular processors are in a position to know a lot about your cross-vendor buying habits and history. Plus, of course, they are an inviting target for hackers because they store so much account information (although they are extremely aware of this and well staffed to store and police said information).
So – keep this “key to the keys” idea in mind when you need to minimize complexity and exposure.
John Brady is Information Security Architect Engineer at Westfield Insurance.