Evernote provides a cloud-based note taking and clipping service that lets you store information for access from any Web-connected device. Tips for using Evernote are routinely shared on Twitter (just search #evernotetip). Unfortunately, amidst all the clever suggestions for using Evernote are several very risky tips. The problem: the only thing separating your Evernote collection from prying eyes is a username and password. If you're the victim of a phishing scam or password-stealing malware, that Evernote collection could provide a one-stop-shop for all your sensitive data.
Some premium (paid) users of Evernote mistakenly assume their Evernote data will somehow be safe from external attacks. However, the security in Evernote premium is simply SSL encryption, which merely encrypts the data while it is being transmitted. It does not prevent it from being stolen by anyone who obtains the username and password. Premium users can highlight a portion of text notes for an an additional layer of password protection, but third-party tests reveal that in the local database, the selected text still remains searchable in plain text. Further, whole notes, images, and notebooks cannot be encrypted. Of course, you could secure the local database using third-party encryption tools, but that would prevent access from other devices (and defeat the purpose of being "in-the-cloud").
Bottom line: storing unencrypted data on an Internet-facing server is not a great idea. With that in mind, following are seven of the worst Evernote (or any cloud-based storage) tips:
- I'm a teacher. I use @evernote to create individual portfolio files for each student, documenting everything.
Why it's bad: Compromise of the teacher's Evernote credentials potentially exposes sensitive details on students, who also likely happen to be minors. This tip is not only a security risk to those students, it potentially has legal ramifications for the teacher (and the school at which they teach).
- Store credit card statements.
Why it's bad: Credit card statements often include the account number. Exposure could lead to increased risk of credit card fraud.
- Store login names and passwords for websites (tag with Login to see them all together)
Why it's bad: Attackers who gain entry to your Evernote account now potentially have access to all your online accounts.
- Build family medical portfolios including medical history, allergies, pictures of medications, receipts.
Why it's bad: In the past, cybercriminals who have stolen medical information have sometimes blackmailed the victims. Unless this is information you would feel comfortable sharing with friends, neighbors or even strangers, it is best not stored in-the-cloud.
- Keep family social security numbers (and other info) in an encrypted note for easy, secure access.
Why it's bad: Exposure leaves your entire family at risk of identity theft. This type of sensitive information is best kept in a locked file cabinet, not in-the-cloud.
- Keep router/firewall settings (addresses, passwords, open/closed ports, etc.) handy and nearby.
Why it's bad: Attackers who gain access can use this information to reconfigure DNS settings on your router or enable their own access to your network.
- Take a photo of your passport and send it to Evernote. If it's lost or stolen, you can still show the embassy your info.
Why it's bad: A photo of your passport makes it that much easier for counterfeiting. A safer bet would be storing only the passport number (in encrypted form).
Cloud-based storage services like Evernote are not really "in-the-cloud". The data is simply off-shored to a remote computer and accessible to anyone who obtains the username and password. The more accessible the data is to you, the more accessible it is to would-be attackers. Off-shored, cloud-based storage is a convenience, but recognize that the convenience does carry risk and is probably not the best storage choice for sensitive information.