Why Email is a Key to Your Castle

Having control over an email account can be a lot of power, even though most people would probably say they do not care if someone else is reading their private emails. But it’s not always about reading those private emails. Of course there have been quite a few attacks where secrets were revealed by snooping through emails of hacked accounts. The reasons vary from jealous spouses searching for proof of an assumed affair or as serious as corporate espionage in which certain parties are seeking essential information about a critical deal. Other attackers may use the compromised account to send social engineering messages to all contacts stored in the email account posing as the person whose account has been hacked.

Nowadays an email account is much more than just sending and receiving emails. Many free service providers like Microsoft or Google have various additional services attached to email accounts. Having access to these accounts means having access to such things as private photos that were uploaded to the account. There have been a few cases where attackers broke into email accounts and found sensitive pictures, like naked photos, and then blackmailed the owner of the account. While most people are smart enough not to upload such pictures, with the integrated cloud storage that is available with many services now there may be all kinds of files stored in those accounts, such as password files, license files, tax records, passport scans, company documents, and more.

The power of an email can be even larger than this, as its scope is much greater. Many online services use the email address as a user name. Therefore, knowing the email address and the email account password can give the attacker access to many different accounts besides the email provider as many services offer to reset a forgotten password through email, even if the user does not use the same password on different services. Controlling the email account means controlling the password reset emails of other services and therefore giving access to many different services regardless of what password it uses.

Every time there is a data breach and email and passwords are publicly posted, other attackers will take this information and start new attacks with it. The first thing they usually try is to check whether the same password also accesses the email account.

Of course, not all services are of interest to attackers. Losing control of your social media account may not be enjoyable—especially if you are a news agency—but it will not really hurt most people. For companies this might be a different story, as it could lead to brand damage if something happens to their accounts. Last year there was the widely publicized situation of Mat Honan, a Wired reporter whose Apple devices were wiped when hackers gained access to his iCloud account. This can be troublesome, but as a user you can help to avoid it by registering for the additional security measures provided.

Some services are of interest to attackers. Companies can allow goods and services to be ordered for instance, charging the on-file credit card or sending an invoice to the account owner. Financial services, auctions, and payment services are definitely high on the list of services that hackers would check. There are many services that you probably do not want to lose control over. With companies adding more and more features it is even more important to protect your email account. For example, Google announced recently the integration of Google Wallet into Gmail. This allows you to send money from your email account in the same way you attach a picture to an email. You can attach money to an email as well. Or an attacker might do it for you.

To ensure that such attacks will not happen, Google was one of the first service providers to introduce two-factor authentication to the masses. Other services, including Apple have followed and have started to integrate two-factor authentication or out-of-band authentication in the form of a code being sent to a previously registered mobile phone or one time password (OTP) generator applications. This is a good solution to secure your account beyond passwords. It is definitely better than just forcing the user to fill out security questions that can easily be guessed with public information.

Not proactively enrolling in additional authentication measures, if they are available, also might leave you vulnerable to rare attacks for which a password is not even required as there is always a chance of a glitch, like the one in Apple’s password reset function in 2013. While Apple acted quickly and fixed the issue, users who had enrolled in two-step verification were protected the entire time. There have also been some cases where an attacker could use a cross-site request forgery (CSRF) attack to hijack an active session and reconfigure your email account. For example, a long time ago there was a simple attack where a website could add a forwarding filter to your Gmail account, resulting in all emails being forwarded to an additional address. Of course Google fixed this issue quickly and increased account security even further. For example, now the user is warned with a UI message if any new filters have been added. Those attacks are harder to prevent for the user, as logging out of the account whenever it is not used is often not really practical advice.

You should use a strong password for your main email account that is unique and also different than the passwords you use for other services. Also keep yourself aware of new security features introduced by your email account.