
Private Email - The Key To Your Personal Identity

Identity theft is big business, costing an estimated £2.7bn in 2010 [1] and affecting millions of individuals. It can occur through multiple attack vectors, from sifting through rubbish for discarded, part-completed credit card applications, right through to the more sinister underworld of fraudulent passport applications.

Whilst non-technical avenues such as dumpster diving and social engineering are a major concern, technical methods of stealing the information needed to assume another identity are popular. The most common is probably a fake URL pointing at a lookalike of an online banking or financial site. URL phishing is still common and still surprisingly effective. An email correctly formatted with the appropriate wording, colours and logos can often navigate complex spam filters and land in the recipient's inbox.
By arriving in the inbox, the email has instantly gained a level of trust from the potential opener, more so than if it had landed directly in the 'junk' or 'spam' folder. Once that trust has been established, it often takes a keen eye to notice that something is untoward: the visible link text and the destination the link actually points to need not be the same, and the domain shown may only resemble the real one.
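The mismatch between what a link shows and where it goes is the check a reader (or a mail filter) can actually make. The following is an added example, not code from the original post: it walks the anchors in an HTML email and flags those whose visible text names one host while the href goes to another, plus links whose host is a raw IP address. The sample email, the domains in it and the function names are all constructed for illustration.

```python
"""Flag anchor tags in an HTML email whose visible text does not match
where the link really goes.  Added example; the sample email is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress
import re

# Constructed sample: an honest link, a link whose text shows the bank's
# domain while the href goes to a lookalike subdomain elsewhere, and a
# link whose host is a bare IP address.  All domains are illustrative.
SAMPLE_EMAIL = """
<p>Dear customer,</p>
<p>Please confirm your details at
<a href="https://www.example-bank.co.uk/login">www.example-bank.co.uk</a></p>
<p>Or use the secure link:
<a href="http://example-bank.co.uk.secure-login.example.net/verify">https://www.example-bank.co.uk/verify</a></p>
<p>Mobile users: <a href="http://203.0.113.5/login">Tap here</a></p>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Visible text that a reader would take to be a web address.
_LOOKS_LIKE_URL = re.compile(r"^(https?://)?([a-z0-9-]+\.)+[a-z]{2,}(/\S*)?$", re.I)


def _host_of(value):
    """Lower-cased host of a URL or bare domain; None when there is none.
    urlsplit() applies the real parsing rules, so 'user@host' tricks and
    ports are resolved the same way a browser would resolve them."""
    if "://" not in value:
        value = "http://" + value
    return (urlsplit(value).hostname or "").lower() or None


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html):
    """Return [(href, visible_text, reason)] for links a reader may be misled by."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = _host_of(href)
        if target is None:
            continue
        if _is_ip(target):
            findings.append((href, text, "raw IP address as host"))
            continue
        if _LOOKS_LIKE_URL.match(text):
            shown = _host_of(text)
            if shown != target:
                findings.append((href, text,
                                 f"text shows {shown} but link goes to {target}"))
    return findings


if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}: '{text}' -> {href}")
```

Because the host is taken from `urlsplit`, a link such as `http://www.example-bank.co.uk@attacker.example/` is reported as going to `attacker.example`, which is what a browser would do with the userinfo part. The check deliberately says nothing about links whose text is a plain phrase like "Tap here"; those can only be judged by reading the href itself.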

If a victim does follow the phished link and enter their credentials, it is quite likely that, whilst that account will be attacked and potentially drained of hard-earned cash, the attack will stop at just that one account. A quick call to the bank and the account is closed with all access revoked. Whilst that is certainly an unpleasant and inconvenient experience, the impact can be contained.

In 'real' life we generally like to avoid situations that result in the old cliché of putting 'all of our eggs in one basket'. Drop the basket, lose your eggs, no cake for tea. Whilst you could adopt counter-measures like the equally old 'baker's dozen' approach, keeping all of our treasured items in a single place leaves them open to being lost, stolen, attacked or destroyed. We know this, so why do we do it online?

Take for example a personal email address. Most people will have at least one. Many will have more than one, either because signing up to services like Google, Yahoo or MSN comes with a free email address, or simply to separate work and personal life. Ultimately, though, you are likely to have one or two email addresses that you then use to sign up to every online service you use, from the benign like Facebook, through to online banking, tax, car insurance and so on. Pretty major entry points, all reliant on a single email address. Whilst it is obviously good practice not to use the same password for all those accounts, the one thing that is the same across them is the email address.

Why would an attacker try to guess every password to every single online account when they can simply attack the one that matters: the email password? If an attacker knows that, they have the 'keys to the castle' and ultimately the key to your (online) personal identity. The next step is simply to change your email account password to lock you out, then start 'forgotten password' cycles on every other account registered with that address; each reset link lands in a mailbox the attacker now controls. In addition, the attacker then has the victim's entire email history, including anything sent (which is generally not deleted), as well as any folders, trash and the current inbox.
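The reset cascade above is a reachability problem: an attacker who controls one mailbox controls every account whose reset email goes there, and, transitively, every account whose reset email goes to one of those. The following is an added example, not code from the original post, that models a constructed set of accounts and their reset addresses, computes the 'blast radius' of compromising any one of them, and shows what splitting financial accounts onto an independent recovery address does to that radius. The account names are hypothetical.

```python
"""Blast radius of a compromised credential, following password-reset
('forgotten password') email chains.  Added example; data is constructed."""
from collections import deque

# Constructed inventory: each account maps to the address its password
# reset is sent to.  None means no email-based reset exists.  Note the
# personal mailbox itself resets via a second 'recovery' mailbox.
ACCOUNTS = {
    "mail.example (recovery)": None,
    "mail.example (personal)": "mail.example (recovery)",
    "social.example":          "mail.example (personal)",
    "bank.example":            "mail.example (personal)",
    "tax.example":             "mail.example (personal)",
    "insurer.example":         "mail.example (personal)",
    "shop.example":            "mail.example (personal)",
}


def blast_radius(accounts, compromised):
    """Every account reachable from `compromised` through reset-email chains.

    An account falls when its reset address is already under the attacker's
    control.  Breadth-first search repeats until nothing new is gained, so
    chains (A resets via B, B resets via C) are followed to the end.
    """
    owned = {compromised}
    queue = deque([compromised])
    while queue:
        current = queue.popleft()
        for name, reset_to in accounts.items():
            if reset_to == current and name not in owned:
                owned.add(name)
                queue.append(name)
    return owned


def single_points_of_failure(accounts):
    """(number of *other* accounts exposed, account), worst first."""
    scored = ((len(blast_radius(accounts, name)) - 1, name) for name in accounts)
    return sorted(scored, reverse=True)


def with_reset_moved(accounts, moves):
    """Copy of `accounts` with selected reset addresses re-pointed.

    `moves` maps account -> new reset address.  A new address that is not
    yet an account is added with no email-based reset of its own, i.e. it
    is an independent root rather than another link in the same chain.
    """
    updated = dict(accounts)
    for name, new_reset in moves.items():
        updated[name] = new_reset
        if new_reset is not None and new_reset not in updated:
            updated[new_reset] = None
    return updated


if __name__ == "__main__":
    for exposed, name in single_points_of_failure(ACCOUNTS):
        print(f"{exposed:2d} other accounts fall with {name}")
    split = with_reset_moved(ACCOUNTS, {
        "bank.example": "mail.example (financial)",
        "tax.example":  "mail.example (financial)",
    })
    print("after split:", single_points_of_failure(split)[:3])
```

Two things the numbers make plain: the account that matters most is not the personal mailbox but whatever the personal mailbox itself recovers through, since that sits at the root of the chain; and moving the financial accounts to a recovery address only shrinks the radius if that address is independent of the existing chain rather than another mailbox already inside it.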

It goes without saying that the email account password should be more like a passphrase than a password, unique to that account, changed promptly if there is any suspicion it has been exposed, protected by a second factor where the provider offers one, and always accessed over HTTPS (SSL/TLS). Emails should be cleared down regularly, and anything personal, sensitive or financial should be deleted unless absolutely necessary; a mailbox that holds no statements, scanned documents or old reset links is worth far less to whoever gets into it.

It is often the simple things that an attacker will look for, so it pays to think like one and act accordingly, in order to avoid the obvious pain of an attack.

(Simon Moffatt)

[1] National Fraud Authority, 2010 report.

