Do you remember Mister Minit? In my memory, they were those kiosks in department
stores where you could have shoes repaired and spare keys made. In that same
memory I see the logo, a man in a red jacket, making an inviting gesture. To my
surprise, Mister Minit still exists. Nowadays he wears a blue polo and has only
three stores in the Netherlands. The chain is much larger to the south and east of our
country. And he has learned something new – he now also repairs your watch and
engraves your name on a pen or nameplate.
In Australia and New Zealand Mister Minit is really big, but I don't know if he
ever made it to the US. Anyway, the Americans have another solution for copying
keys: vending machines. The company Minutekeys (hey, I see a similarity!) has kiosks
in the entrance of large supermarkets, such as Walmart. These machines can copy
home, office and padlock keys. Keys marked 'Do Not Duplicate', school building
keys or other keys subject to a restriction will not be copied.
It is of course my professional deformation that makes me immediately wonder what could
possibly go wrong here. When I first saw such an automaton, I jumped into that
mode right away. A machine where you can have a
key copied completely anonymously - you can even pay with cash - offers
prospects for malicious parties. Of course, that's not what those machines are
intended for at all; they are there to let you copy keys to locks that belong
to you. But is it so far-fetched that someone 'borrows' a key, has it quickly
copied and puts the original back? You are at the gym, someone visits the
locker room, picks up your home key and stops by one of those machines. He had been
observing the gym beforehand, so he knows whose bag the key was in.
After your workout, he follows you home. Now he knows where you live and he
already has the keys to your house. He just has to wait for a good moment to empty
the place. Other scenarios are welcome (for research purposes only).
As loyal readers know, this blog often starts with a real-life
situation, which I then twist towards information security. That's not
always easy; sometimes I start writing and meanwhile wonder how on earth I can divert
that situation into my field of expertise. That also bothered me a bit today,
but eating an apple solved it. I can't write while eating, but I can read. And
so I started reading some articles for the section And in the big bad world…
So it turned out that an article appeared two days ago about someone from
Boskoop, who had bought keys to the password vaults (password managers) of over
a thousand people on the dark web. This granted him access to the passwords of
all the accounts that someone had in there: e-mail, online stores, you name it.
He could order stuff and remove the order confirmations from the email, so that
no one would notice. Only the victim's bank account showed the orders.
Does that mean that password managers are not safe after all?
Well no. The passwords of those vaults were stolen using malware. If you have a
computer or mobile device without a good virus scanner, you run the risk of
infection. Criminals can then install malware that captures your password
manager’s master password when you open the vault yourself. So it is not the vault
itself that is not safe - the vault is alone in an unsafe environment. If you
place a real safe in the public space, you shouldn't be surprised if some
people look over your shoulder when you enter the code.
Here's my periodic call to ensure good protection against
malware. That doesn't even have to cost you money. For example, the virus
scanner built into Windows (Microsoft Defender Antivirus) performs well - but
only if you have not turned it off. There are also excellent free and paid apps
available for Android devices (which you will of course only install from
Google Play). I definitely recommend securing your Android device with it.
iPhone and iPad users still have to rely on the inherently secure ecosystem
that Apple believes it has for these devices; there are no virus scanners in
the App Store (but there are numerous other security apps).
Accessing your password manager with your fingerprint instead
of with your master password also helps prevent illegal access. Mister Minit
and the Minutekeys vending machines cannot yet copy that.
And in the big bad world...
This section contains a selection of news articles I
came across in the past week. Because the original version of this blog post is
aimed at readers in the Netherlands, it contains some links to articles in
Dutch. Where no language is indicated, the article is in English.
- digital keys can indeed be copied unnoticed. [DUTCH]
- you can read more about how that worked here.
- it appears that LastPass vaults that were stolen last year have been cracked.
- This exploit works for Apple products without any user interaction.
- your new car is a privacy nightmare on wheels.
- Chrome presents ads based on your browsing history.
- Agreements have been made (temporarily) regarding the
transfer of personal data from Europe to the US. [DUTCH]
- a smart chastity belt might not be such a good idea after all.
- the Dutch government is working on a vision on the use of
artificial intelligence. [DUTCH]
- This article underlines the importance of security by design.