Private Email - The Key To Your Personal Identity

Identity theft is big business, costing an estimated £2.7bn in 2010 [1] and affecting millions of individuals.  It can occur through multiple attack vectors, from sifting through rubbish for incomplete credit card applications, right through to the more sinister underworld of fraudulent passport applications.

Whilst non-technical avenues such as dumpster diving and social engineering are a major concern, technical methods of stealing the information required to assume another identity are popular.  The most common is probably the fake URL pointing at a look-alike of an online banking or financial site.  URL phishing is still common and still surprisingly effective.  An email correctly formatted with the appropriate wording, colouring and logos can often pass through complex spam filters and land in the recipient's inbox.
By arriving in the inbox, the email has instantly gained a level of trust from the potential opener, more so than if it had landed directly in the 'junk' or 'spam' folder.  Once that trust has been established, it often takes a keen eye to notice that something is untoward and not as it seems.

If a victim does follow the phished link and enter their credentials, it is quite likely that, whilst their account will then be attacked and potentially drained of hard-earned cash, the attack will stop at that one account.  A quick call to the bank and the account is closed with all access revoked.  Whilst that is certainly an unpleasant and inconvenient experience, the impact can be contained.

In 'real' life we generally like to avoid situations which result in the old cliché of putting 'all of our eggs into one basket'.  Drop the basket, lose your eggs, no cake for tea.  Whilst you could adopt countermeasures like the equally old 'baker's dozen' approach, keeping all of our treasured items in a single place leaves them open to being lost, stolen, attacked or destroyed.  We know this, so why do we do it online?

Take, for example, a personal email address.  Most people will have at least one.  A lot of people have more than one, either because services like Google, Yahoo or MSN come with a free email address, or simply to separate work and personal life.  Ultimately though, you are likely to have one or two email addresses that you then use to sign up to every online service you use.  That ranges from the relatively benign, like Facebook, through to online banking, tax, car insurance and so on.  Pretty major entry points, all reliant on a single email address.  Whilst it is obviously good practice not to use the same password for all those accounts, the one thing that is the same across them is the email address.

Why would an attacker try to guess every password to every single online account when they can simply attack the one that matters: the email password?  If an attacker knows that, they have the 'keys to the castle' and ultimately the key to your (online) personal identity.  The next step is simply to change the email account password and start 'forgotten password' cycles on every other account registered with that email address, since each reset link lands in a mailbox the attacker now controls.  In addition, the attacker then has the victim's entire email history: anything sent (which is generally never deleted), as well as every folder, the trash and the current inbox.
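The cascade described above can be made concrete by modelling which accounts reset through which mailbox and walking that graph from one compromised address.  The following is an added example, not code from the original post: the account inventory is constructed and hypothetical, the account names and addresses are assumptions, and the 'reset_to' field stands in for wherever each service sends its 'forgotten password' link.  It also shows the title's point by re-pointing a sensitive account at a private address used for nothing else and recomputing what a single compromise reaches.

```python
"""Blast radius of a compromised mailbox (added example, constructed data)."""
from collections import deque

# Constructed sample inventory (assumed names): account -> where its
# 'forgotten password' link is sent.  An email account is both an account
# and a possible reset destination, so compromise can chain through it.
ACCOUNTS = {
    "alice@mail.example": {"kind": "email", "reset_to": "alice.backup@other.example"},
    "alice.backup@other.example": {"kind": "email", "reset_to": None},
    "bank": {"kind": "service", "reset_to": "alice@mail.example"},
    "tax": {"kind": "service", "reset_to": "alice@mail.example"},
    "insurance": {"kind": "service", "reset_to": "alice@mail.example"},
    "social": {"kind": "service", "reset_to": "alice@mail.example"},
    "work@corp.example": {"kind": "email", "reset_to": None},
    "payroll": {"kind": "service", "reset_to": "work@corp.example"},
}


def reset_graph(accounts):
    """Invert the inventory: mailbox -> set of accounts that reset through it."""
    graph = {}
    for name, info in accounts.items():
        dest = info["reset_to"]
        if dest is not None:
            graph.setdefault(dest, set()).add(name)
    return graph


def blast_radius(accounts, compromised):
    """Every account an attacker can take over from one compromised mailbox.

    Breadth-first: run 'forgotten password' on each account that resets to a
    mailbox already under control; any email account gained that way becomes
    a new starting point, so the walk is transitive.
    """
    graph = reset_graph(accounts)
    owned = {compromised}
    queue = deque([compromised])
    while queue:
        mailbox = queue.popleft()
        for acct in graph.get(mailbox, ()):
            if acct not in owned:
                owned.add(acct)
                if accounts[acct]["kind"] == "email":
                    queue.append(acct)
    return owned


def repoint(accounts, service, private_mailbox):
    """Mitigation: return a copy of the inventory with one service's reset
    flow moved to a private mailbox used for nothing else (assumed to exist
    as an email account with no reset path of its own)."""
    updated = {name: dict(info) for name, info in accounts.items()}
    updated[service]["reset_to"] = private_mailbox
    updated.setdefault(private_mailbox, {"kind": "email", "reset_to": None})
    return updated


if __name__ == "__main__":
    # Compromise of the everyday address reaches every account behind it.
    print(sorted(blast_radius(ACCOUNTS, "alice@mail.example")))
    # Compromise of the backup address chains through to the same set.
    print(sorted(blast_radius(ACCOUNTS, "alice.backup@other.example")))
    # After moving the bank's reset flow to a private address, it drops out.
    hardened = repoint(ACCOUNTS, "bank", "alice.private@vault.example")
    print(sorted(blast_radius(hardened, "alice@mail.example")))
```

The second run is the more instructive one: the backup address never appears in a service's settings, yet because the main mailbox resets through it, taking over the backup takes over everything the main mailbox protects.  Any mailbox that sits anywhere on the reset chain of a sensitive account deserves the same treatment as the account itself.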

It goes without saying that the email account password should be more like a passphrase than a password, changed regularly and only ever entered over HTTPS (TLS), never over plain HTTP.  Emails should be cleared down regularly, and anything personal, sensitive or financial should be deleted unless it is absolutely necessary to keep it.

It is often the simple things that an attacker looks for, so it pays to think like one and deal with those simple things first, in order to avoid the obvious pain of an attack.

(Simon Moffatt)

[1] - National Fraud Authority 2010 Report