
Monday, August 30, 2010

Security Upgrades for Online Email

When I log into my bank, I type in my user ID, my password, and then type in the answer to a question. It's all done on a keyboard. If I were to access my account on a public computer with a keylogger installed- and chances are, if it's a public computer, a keylogger *is* installed on it- then I could lose all my money.

Several times this summer, I've received email from people who've had their email or Facebook accounts hacked. Usually, it's because of keylogging, sometimes through malware, sometimes through physical devices.

I propose the following updates.

Have a pair of on-screen keyboards- manipulated using the mouse- for entering passwords. Have them work in concert with the physical keyboard. This would allow the user to remove letters from the logged data, making it useless.

Why two on-screen keyboards? To make it more difficult to use mouse logging in concert with screen capture. The keyboards can also alternate between QWERTY and alphabetical order and move around (between entered letters) to make it impossible to gather usable data. This wouldn't cancel the need for malware blockers.

People need to be educated by their email providers to check the integrity of the keyboard cord whenever they're on a strange computer.

There are always going to be workarounds. So, in addition to the password, I propose an extra layer of security that would be activated whenever someone attempts to access an account from a strange IP address.

When you set up an account, you are shown a series of cartoons with random names assigned. You memorize the names of the cartoon faces, which are provided to you so you can't be socially engineered. You then modify the names in two ways.

For instance, you're shown a goofy cartoon face and told that this is "Pedronimo." You're quizzed several times to make sure you've memorized this. When you access your account, you're sometimes asked to answer security questions as a refresher. You may also be asked to change the name in some way. Change, but not replace. For instance, you might use "redPonim00." You can now be asked questions based on this information. The questions are presented in mild CAPTCHA form.

"What is the original name of this person?"
"What is your version of this person's name?"
"Except for the first two letters, what is the original name of this person?"
"What are the last three letters of your version of this person's name?"
"What does this person do for a job?"
...and so on.

The keylogger may get the raw data, but not know the question- including what the face looks like. And even if the hackers got everything- including the face and the questions- you'd just have more cartoon faces than likely legitimate locations for logging in. No two face/question combinations would appear to consecutive disparate IP addresses. For consecutive visits to the same insecure IP address, you'd ask a different question about the same face.

Every once in a while, you'd learn a new cartoon face while working from a secure location and from within your email account. You enter all the information using mouse data- just in case- so that even if you're being keylogged, no one can see your answers or even infer that this is what you're doing. You have a choice about how many of these faces are used- as few as five and as many as ten or fifteen.

If a person happens to suffer from a bout of extremely poor memory, you'd have a set of backup questions which require sentence-length answers. While the exact spelling and order of words isn't essential, a certain minimum percentage of correct words is required. If you score low on one question- less than 95%- you have to answer another sentence-length question. If you can score above 90% on two, or above 85% on three, you get access to your account.

How do you keep from keylogging these answers? That's a problem. Inference of missing letters would be surpassingly easy if you were to do the mixed method mentioned above. Of course the questions would be in CAPTCHA form. The only solution I can think of is that every time you successfully answer one of these personal long-form questions, it is never used again. If you get less than 85% matching on a single attempt, the question is red-flagged and no further attempts at accessing the account from non-secure IP addresses will be allowed for 24 hours.

Could someone that knows you really well answer these questions? Possibly. This places a burden on using intensely personal content and idiom. Like the cartoon faces, this is a method that would need to be actively maintained. One could put the answers (without questions) in a secure place. A secure place is one that no one that knows you knows about. If someone that doesn't know you finds the sentence, they won't know what to do with it. They won't even know the question.
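The scoring rules in the last few paragraphs (a minimum share of correct words, 95% on one question, 90% on two, 85% on three, a 24-hour lockout under 85%, and never reusing a question) are concrete enough to run. The following is an added example, not code from the post: the word-overlap scorer, the question pool, the sample questions and answers are all constructed here, and treating a score of exactly 95/90/85 as passing is our reading of the thresholds.

```python
import re
from collections import Counter

DAY = 24 * 3600


def word_match_percent(answer: str, reference: str) -> float:
    """Share of the reference sentence's words that appear in the answer.
    Case, punctuation and word order are ignored, as the post allows; a word
    that repeats in the reference must repeat in the answer to count fully."""
    tokenize = lambda s: re.findall(r"[a-z0-9']+", s.lower())
    want = Counter(tokenize(reference))
    have = Counter(tokenize(answer))
    if not want:
        raise ValueError("reference answer has no words")
    hits = sum(min(count, have[word]) for word, count in want.items())
    return 100.0 * hits / sum(want.values())


class BackupQuestionGate:
    """Applies the post's thresholds to long-form answers from an unrecognized
    address: 95% on one question, 90% on each of two, 85% on each of three.
    Any score under 85% red-flags that question and locks out non-secure
    addresses for 24 hours. Every question asked is retired afterwards."""

    LOCKOUT = DAY

    def __init__(self, questions: dict):
        self.pool = dict(questions)   # question -> reference sentence, asked at most once
        self.flagged = {}             # question -> score that flagged it
        self.locked_until = 0.0

    def is_locked(self, now: float) -> bool:
        return now < self.locked_until

    def session(self, responder, now: float) -> str:
        """Ask questions one at a time until the policy grants, locks, or the
        pool runs dry. responder(question) returns the user's free-text answer."""
        if self.is_locked(now):
            return "locked"
        scores = []
        for question in list(self.pool):
            reference = self.pool.pop(question)   # retired whether or not it passes
            score = word_match_percent(responder(question), reference)
            if score < 85:
                self.flagged[question] = score
                self.locked_until = now + self.LOCKOUT
                return "locked"
            scores.append(score)
            if self.granted(scores):
                return "granted"
        return "denied"

    @staticmethod
    def granted(scores) -> bool:
        n = len(scores)
        if n == 1:
            return scores[0] >= 95
        if n == 2:
            return min(scores) >= 90
        return n >= 3 and min(scores) >= 85


# Constructed sample questions; the reference sentences are 10, 8 and 9 words.
CONSTRUCTED_QUESTIONS = {
    "Describe your first pet in one sentence.":
        "my first dog was a brown mutt named biscuit jr",
    "What did your grandfather say about rain?":
        "rain on the roof means sleep in tomorrow",
    "Where did you hide the spare key as a kid?":
        "under the cracked blue flowerpot by the back steps",
}


def three_question_demo() -> str:
    """First answer drops one word (90%), second drops one word (87.5%), third
    is exact: no single or double threshold is met, the third question grants."""
    answers = {
        "Describe your first pet in one sentence.":
            "My first dog was a brown mutt named Biscuit.",
        "What did your grandfather say about rain?":
            "Rain on the roof means sleep in!",
        "Where did you hide the spare key as a kid?":
            "Under the cracked blue flowerpot, by the back steps.",
    }
    gate = BackupQuestionGate(CONSTRUCTED_QUESTIONS)
    return gate.session(lambda q: answers.get(q, ""), now=0)


if __name__ == "__main__":
    print(three_question_demo())  # granted
```

Because `session` pops every question it asks, a second session on the same gate sees a smaller pool; a real deployment would refill it from the secure-location flow the post describes in the next section.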

A program running on your phone uses a virtual-randomization algorithm: it runs a number through a series of mathematical operations (invisible to the user) and returns a sequence of numbers derived from the original. The login page offers a seed number, which you enter into the separate program, and it returns a four-digit number which is then incorporated into your password. For instance:

You're given a seed number of 59393.
The virtual randomizer, which is itself a unique program created by random seeding, returns 8702.

Your part of the password is the word "rutebega." But "rutebega" all by itself doesn't work. You have to add the first digit before the first letter and the last three digits just before the last letter. Your password, in this instance, is "8rutebeg702a." Given a different seed number, you'd get a different password.

If someone gets the letter parts of your password- the "rutebega," they still need the randomizer to get the rest.

If someone gets both your phone, and your root word, they'd be able to get access to your account. Otherwise, using keylogging would do them no good whatsoever.

To authenticate your standalone app, it would generate a long number that represents the identity of the random program that it is using to generate the seeds. Enter this on your email account to match the math. You'd only need to do this once.

An example of a random program:

Seed squared times pi, take thirteenth through eighteenth digits, divide by the current date in six digit format, take cube root of the fourth through eleventh digits, invert the answer, multiply by the square root of 2, and take the third through sixth digits. Rearrange- first digit third, second digit first, third digit fourth, fourth digit second. And that's your seed. The individual steps, constants, use of independent variables, etc. are all subject to one-time randomization.

To prevent the program from being copied, you could have a line item that uses an internal identifier, such as a serial number, as a source of a constant. Furthermore, you could make the device unusable to a stranger using your phone by having a number added to the seed. Your email account would need to know what this number is.

In other words, part of your password would be entered on a separate device.
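The phone-based scheme above is a challenge-response login: the account shows a seed, a device the user controls turns it into a code, and the code is spliced into a memorized word. Below is an added example that is not the post's code. It keeps the post's splicing rule and its "rutebega" root word, but replaces the one-time-randomized arithmetic with HMAC-SHA256 keyed by a per-device secret (the "long number" entered once at enrollment), and treats the post's device-binding number as a PIN mixed into the same computation. The `AccountServer` class, the PIN value and the seed range are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Root word taken from the post; everything else below is constructed.
ROOT_WORD = "rutebega"


def derive_code(device_secret: bytes, seed: int, pin: int = 0) -> str:
    """Map the login page's seed to a four-digit code.

    Assumption: HMAC-SHA256 keyed with the enrolled device secret stands in for
    the post's one-time-randomized arithmetic. The pin is the number "added to
    the seed" that ties the app to its owner; the account knows it as well.
    """
    msg = f"{seed}:{pin}".encode()
    digest = hmac.new(device_secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10000:04d}"


def compose_password(root: str, code: str) -> str:
    """Splice the code into the root word as the post describes: first digit
    before the first letter, last three digits just before the last letter.
    compose_password("rutebega", "8702") == "8rutebeg702a"
    """
    if len(code) != 4 or not code.isdigit():
        raise ValueError("code must be exactly four digits")
    if len(root) < 2:
        raise ValueError("root word needs at least two letters")
    return code[0] + root[:-1] + code[1:] + root[-1]


def decompose_password(submitted: str) -> "tuple[str, str]":
    """Inverse of compose_password, so the server can check each part separately."""
    if len(submitted) < 6:
        raise ValueError("too short to hold a two-letter root and a four-digit code")
    code = submitted[0] + submitted[-4:-1]
    root = submitted[1:-4] + submitted[-1]
    if not code.isdigit():
        raise ValueError("digits are not where the splicing rule puts them")
    return root, code


class AccountServer:
    """Account side. Holds a salted hash of the root word, the device secret the
    user entered once at enrollment (the post's "long number"), and the PIN."""

    def __init__(self, root: str, device_secret: bytes, pin: int = 0):
        self.salt = secrets.token_bytes(16)
        self.root_hash = self._hash_root(root, self.salt)
        self.device_secret = device_secret
        self.pin = pin
        self.pending_seed = None

    @staticmethod
    def _hash_root(root: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", root.encode(), salt, 100_000)

    def new_challenge(self) -> int:
        """Fresh seed for the login page. One seed, one attempt."""
        self.pending_seed = secrets.randbelow(100_000)
        return self.pending_seed

    def verify(self, submitted: str) -> bool:
        seed, self.pending_seed = self.pending_seed, None  # consume before checking
        if seed is None:
            return False  # no outstanding challenge: replayed keystrokes land here
        try:
            root, code = decompose_password(submitted)
        except ValueError:
            return False
        expected = derive_code(self.device_secret, seed, self.pin)
        code_ok = hmac.compare_digest(code, expected)
        root_ok = hmac.compare_digest(self._hash_root(root, self.salt), self.root_hash)
        return code_ok and root_ok


def login_demo() -> "tuple[bool, bool]":
    """One enrollment, one good login, then the same keystrokes replayed."""
    device_secret = secrets.token_bytes(32)        # the phone's one-time random program
    pin = 4242                                     # constructed device-binding number
    server = AccountServer(ROOT_WORD, device_secret, pin)
    seed = server.new_challenge()                  # shown on the login page
    code = derive_code(device_secret, seed, pin)   # what the phone displays
    first = server.verify(compose_password(ROOT_WORD, code))
    replay = server.verify(compose_password(ROOT_WORD, code))
    return first, replay


if __name__ == "__main__":
    print(compose_password(ROOT_WORD, "8702"))  # 8rutebeg702a
    print(login_demo())                         # (True, False)
```

The server never stores the composed password; it pulls the submitted string apart with the same splicing rule and checks the root against a salted hash and the code against its own HMAC. Consuming the seed before verification is what makes a keylogged login useless on its own: the captured string is tied to a seed that is never issued again.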

I'm not saying that any of these ideas are perfect. All of them share the same issue of being more complicated than simply remembering a password. They wouldn't be used on secure computers, but they could be an option for questionable computers. Some of them might be considered fun. Some might appeal to those made paranoid by past experiences. Methods such as the ones I've mentioned could be provided on an optional basis. This means that hackers would go after the low-hanging fruit instead.

Tuesday, April 7, 2009

The Advertising Revolution: How to "Save" Spam
And by "save" I mean "kill."  And by "kill" I mean change it into something that actually works.  For the reader, not for the reprehensible people that engage in unsolicited sending in the first place.  

I won't go into why.  Let's skip to what.  The why will provide itself.

Imagine that the advertising revolution is underway.  You no longer are forced to see ads- on TV, on the internet, even in e-print- for things that simply don't interest you.  Ads are subject to personalized feedback.  Your current interests are respected.  Branding-across-demographics is no longer necessary.  You are now addressed as an individual.  Meanwhile, your spam folder is still full of garbage.  So let's clean it up, once and for all.  Well, not exactly.  

Imagine that every time anyone sent an email to someone they didn't already know, and who didn't already know them (the people in your address book), they had to pay a few pennies in postage. On email.  Postage is charged at two points.  Half is charged for the simple act of sending.  Half is charged if the receiver opts to open the email.  The reader can also opt to refund the charge.  You like receiving monthly specials from REI?  Don't charge them for the privilege of sending them to you.  

The first charge acts as a disincentive to fill the world's inboxes and spam folders with offensive, excessive amounts of garbage.  Part of that charge goes directly to the email recipient.  You get a lot of spam?  You also get a lot of pennies.  Another, very small part goes to pay for the service.

The second charge is applied when you open the email.   It is also a disincentive to the would-be spammer to send ineffective email.  But it is also an incentive for the recipient to give that spam a chance.  Have a few seconds to spare?  Why not earn a few cents checking out the ads you've been sent?  The assumption, of course, is that if the recipient looks at the email, even for a second, the sender has received meaningful exposure.  Certainly better than being lost in a spam folder, resented, mistrusted.  Everyone knows you don't follow links in spam, right?  (DON'T FOLLOW LINKS IN SPAM).   

What happens if someone is sending you personal email for the first time? Well, they have the option of charging you postage, just like any spammer.  However, if you respond directly to them at the email they used to send to you, they are automatically refunded.  After that, you must actively choose to charge them if you ever want to reverse the situation.  Responding to them refunds the last several charges, or all charges in the past month, or week.  Some length of time.

This would not replace spam filters.  You would still be able to block unwanted email.  You would never be forced to see something you didn't want to.  

Why such a service wouldn't work.  

Who could you trust to administer such a system?  Even if they couldn't see your mail, they would have a record of what went where.  If they were publicly traded, they could be bought out and exploited.  A private company would be just as susceptible.  Even a government-regulated service would be subject to iffiness.  

It would be impossible to send completely anonymous email.  You would have to register your email with the service in order to get paid.  

So, the service would need to be optional.  

If you're a private individual that wants to be able to email anyone without a money trail attached, you'd be allowed to do so.  As long as you "paid" with a CAPTCHA.  The receiver wouldn't get paid any postage for the inconvenience of reading the email you sent them.  And they'd know it.  The email would be labeled as "anonymously sent" or "postage withheld."  If it turned out to be a piece of traditional, obnoxious spam, it would still be subject to traditional filtering.  The sender would have to solve a CAPTCHA for every piece of anonymous email.   

It would still be possible to send millions of emails to millions of people you don't know.  But you'd have to pay for the right to waste their time.  And you'd have to pay the recipient directly. You'd have to think long and hard about whether it was worth the expense.  Not just to send, but to be read.   The quality and legitimacy of spam would rise accordingly.  It would also become far, far less common.  

It would still be possible to send anonymous email to anyone.  You just couldn't do it quickly.  And they'd know it was anonymous.  They'd have the option of rejecting it for that reason, to even block it permanently.  
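The postage rules spread over the paragraphs above (address-book exemption, half on send and half on open, a small service cut, refunds by the reader or by a direct reply, and the "postage withheld" label for CAPTCHA-paid anonymous mail) fit in a small ledger. The following is an added example, not the post's design document or any real system: the class name, the 4-cent postage, the 1-cent service cut taken from the recipient's share of the send half, the seven-day refund window and the sample addresses are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

DAY = 24 * 3600


@dataclass
class Message:
    msg_id: int
    sender: str
    recipient: str
    sent_at: int
    label: str                  # "known sender", "postage paid" or "postage withheld"
    paid_to_recipient: int = 0  # cents the recipient received; what a refund hands back
    paid_to_service: int = 0
    opened: bool = False
    refunded: bool = False


class PostageService:
    """Ledger for the post's scheme. Postage is split: half on sending, half
    when the recipient opens. The service keeps a small cut of the send half;
    that the cut comes out of the recipient's share is our assumption."""

    SERVICE = "_service"

    def __init__(self, postage_cents: int = 4, service_cents: int = 1,
                 refund_window: int = 7 * DAY):
        if postage_cents % 2 or service_cents > postage_cents // 2:
            raise ValueError("postage must split in half and cover the service cut")
        self.half = postage_cents // 2
        self.service_cents = service_cents
        self.refund_window = refund_window
        self.balances = defaultdict(int)       # cents per address
        self.address_book = defaultdict(set)   # address -> addresses it knows
        self.messages = []

    def deposit(self, user: str, cents: int) -> None:
        self.balances[user] += cents

    def _known(self, sender: str, recipient: str) -> bool:
        return recipient in self.address_book[sender] or sender in self.address_book[recipient]

    def _charge(self, msg: Message, cents: int, fee: int) -> None:
        self.balances[msg.sender] -= cents
        self.balances[msg.recipient] += cents - fee
        self.balances[self.SERVICE] += fee
        msg.paid_to_recipient += cents - fee
        msg.paid_to_service += fee

    def send(self, sender: str, recipient: str, now: int, anonymous: bool = False) -> Message:
        msg = Message(len(self.messages), sender, recipient, now, "known sender")
        if not self._known(sender, recipient):
            if anonymous:
                msg.label = "postage withheld"   # sender solved a CAPTCHA instead (assumed done)
            else:
                if self.balances[sender] < 2 * self.half:
                    raise ValueError(f"{sender} cannot afford postage")  # affordability check before delivery
                msg.label = "postage paid"
                self._charge(msg, self.half, self.service_cents)  # first half: the act of sending
        self.messages.append(msg)
        return msg

    def open(self, msg: Message) -> None:
        if msg.label == "postage paid" and not msg.opened:
            self._charge(msg, self.half, 0)  # second half: the recipient chose to open
        msg.opened = True

    def refund(self, msg: Message) -> None:
        """The reader hands back their share; the service cut stays."""
        if msg.refunded or not msg.paid_to_recipient:
            return
        self.balances[msg.recipient] -= msg.paid_to_recipient
        self.balances[msg.sender] += msg.paid_to_recipient
        msg.refunded = True

    def reply(self, sender: str, recipient: str, now: int) -> Message:
        """A direct reply refunds the correspondent's postage inside the window
        and adds them to the address book, so later mail between them is free."""
        for m in self.messages:
            if m.sender == recipient and m.recipient == sender and now - m.sent_at <= self.refund_window:
                self.refund(m)
        self.address_book[sender].add(recipient)
        return self.send(sender, recipient, now)


def ledger_demo() -> dict:
    """Spammer, anonymous stranger, and a first-time personal correspondent."""
    svc = PostageService()
    svc.deposit("spammer", 100)
    svc.deposit("bob", 10)
    ad = svc.send("spammer", "alice", now=0)              # spammer 98, alice 1, service 1
    svc.open(ad)                                          # spammer 96, alice 3
    svc.send("stranger", "alice", now=0, anonymous=True)  # labelled, no money moves
    hello = svc.send("bob", "alice", now=10)              # bob 8, alice 4, service 2
    svc.open(hello)                                       # bob 6, alice 6
    svc.reply("alice", "bob", now=20)                     # refund: alice 3, bob 9
    svc.send("bob", "alice", now=30)                      # known sender now, free
    return dict(svc.balances)


if __name__ == "__main__":
    print(ledger_demo())  # {'spammer': 96, 'alice': 3, '_service': 2, 'bob': 9}
```

Two design points the ledger makes visible: the affordability check in `send` is the extra round trip the post counts later in its message-overhead estimate, and the refund never touches the service's cut, so someone who pays to reach a stranger and gets a reply is out only the fee, not the postage.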

Let's examine a common scenario.    You receive an obnoxious forward from someone you don't know that well.  Charge them.  You take some of the money they earned from reading spam in their own inbox.  They start to notice that they're losing money.  

How do you administer the system?  For web based email, it's done in server side software.  For HDD-resident email software, it's a download.

Would anyone be exempt from being charged for sending mass emails?  Would the government be able to send email for free?  Perhaps.

Email is currently a weak system.  Spam is that weakness.  Solve spam and the utility of email will be elevated.  Marginally respectable companies willing to spend money on printing and posting junk mail will have a cost-effective alternative.  Trees will survive.  

The system will involve an increase in web traffic.  An extra two messages must be sent before an email can reach your inbox.  One confirming that the sender can afford to send, one subtracting the postage.  Potentially, afterwards, there would be another message.  The total number of messages sent would multiply by four.  But there would actually be a net gain in efficiency because spam volume would go down.