David Crookes looks at the lax security of people’s email accounts and how easy it is to hack them
Last December, the world became enthralled by the sheer number of emails that had leaked out of Sony Pictures. More than 170,000 internal missives involving some of Hollywood’s top stars were opened up for all to see, and it was a highly embarrassing state of affairs that showed the extent of the politics that swirl around Tinseltown.
It got worse in April this year when WikiLeaks published an analysis and search system for what it calls The Sony Archives. With the public able to pore over the 173,132 emails sent to and from 2,200 email addresses, it’s little wonder that actress Angelina Jolie and former CEO Amy Pascal are among those hopping mad at the breach. Yet something similar – if not quite so dramatic – could easily happen to you.
Email has been in common use since 1993 and, despite constant claims since then, it is as popular as it ever has been. Facebook and Twitter may have user figures running into the hundreds of millions, and we may see text messaging and Whatsapp as a viable alternative of sorts, yet some 85% of internet users continue to use email for communication – its ubiquitous nature and low technical requirements ensuring it remains attractive.
But with that brings the potential for danger. The core email technology has barely changed since the mechanisms for email were put in place around 1982 and, as we have seen, security can be lax. It’s easy to fall prey to hackers, and so many people do. In America alone in 2014, the personal information of 100 million people was infiltrated and exposed according to the Ponemon Institute. A good number of email accounts were compromised as a result.
Getting Into Accounts
In spite of all this, on the whole, we tend to do very little to protect ourselves. Emails pop into apps on our phones and iPads, and messages to pour into unprotected software on our desktops. If we walk away from those devices without locking them, then by and large anyone can quickly sneak a peak at the contents. But the problem runs deeper than someone taking a mere nosy glance. Our emails are being preyed on daily by hackers determined to access the goodies inside them, and even though it is possible to take steps to halt many of these advances in their tracks, too many criminals are simply being waved through because we’re not taking enough care.
One of the biggest mistakes people make when it comes to email is over-relying on anti-virus software. Viruses and malware can infiltrate computers, with keyloggers making a note of what you’re typing into password boxes. Yet good anti-virus apps will typically only protect emails from problems that have existed for a long time. They will not protect against zero-day attacks, system threats and the thousands of new viruses that are released each day online (Kaspersky Lab detected 315,000 new malicious files every day, and it says 41.6% of user computers have been attacked at least once).
Neither will they protect from basic human error. Even though the single biggest vulnerability that people face is the fact their email addresses are stored on remote servers (on retail sites, on social media databases and so on), too many of us fail to protect ourselves from possible breaches. “When you sign up to Amazon, you give an email address, so if Amazon is hacked, your email is toast and could potentially be disclosed,” explains John Douglas, a digital forensic specialist for First Response. And this is more common that it should be. We’ve seen breaches of the PlayStation Network during which email addresses, birth dates, names, addresses, countries, usernames, passwords and online handles were stolen. Amazon and what used to be Play.com have suffered security breaches and been sent spam emails. Dating website eHarmony and the business social network LinkedIn have also fallen prey to password hackers, and it’s clear it’s a problem that refuses to go away. It has led to worry among users and lots of inconvenience, not to mention a flurry of phishing emails which attempt to capitalise on the problem.
“When the databases of companies are targeted, very often people’s email addresses are in the database,” says Douglas. “That doesn’t necessarily mean that an email address can be compromised, but when those databases also have usernames and passwords stored, there’s a problem.
“Users tend to be lazy and they use the same password for various things. So hackers could obtain their email address and, in a disparate part of the record, their login details for the system that has just been compromised. They then have a password. It’s not a great stretch to imagine that 60 to 70% of the users in that database are going to use the same password for their emails as they do the login for that website that has been compromised. That gives hackers the potential ability to access an email account.”
Seek Protection
It’s crucial that we secure our email accounts adequately. One of the major issues with the Sony Pictures hack was that security was poor. The studio pinned the blame on software flaws and said its technical staff failed to see that those being targeted were being tricked into revealing their online credentials. Yet it also found that staff were using passwords that were too easy to guess – and this, experts have long agreed, has left so many email accounts vulnerable over the years.
“The number of people who use ‘changeme’, ‘password1’ or their favourite football team for their email accounts is startling,” says Douglas. “If you do a quick Google search on the top 100 passwords, you will find various security researchers who have downloaded the database of user accounts, reverse engineered them and looked at the passwords stored. They have determined that an extraordinary number use ‘password123’ – around 30% of the 50 million accounts compromised use that one password. It’s ridiculous.”
But even if you do not use such an obvious password, John Pozadzides, the CEO of web company iFusion Labs, says he could get into your system regardless. He explained at Lifehacker.com that he would try a partner, child or pet’s name first, followed by a 0 or 1, a date of birth, a string of numbers, ‘letmein’, ‘god’, ‘money’, ‘love’ or, as Douglas explained, a football team or the word ‘password’. But if that doesn’t work – and he says it would for 20% of people – then he would try a brute force attack, using a piece of software that tries to access an email account by trying lots of commonly used passwords until it finds the right one. Just like burglars, if someone wants to get in badly enough, they will, but you still have to do all you can to stop them.
“There are so many credential databases kicking around on hacker forums and various other locations on the darknet,” says Douglas. “The simple thing is to change your password reasonably often although not to the point where it’s a pain in the bum. Just make sure it is unique.”
Cracked Open
The danger of someone accessing an email account is stark. At the lowest of levels, someone would be able to send other people spam using a hacked account, but as you go up the ladder of vulnerability, your entire life could be laid bare. One of the most common things a hacker will do with a compromised account is search for ‘password’. This would usually bring up emails that contain the login details of numerous accounts, since many people don’t delete them. Even if the login details don’t work, the hacker will know that the email address is tied to a particular service. By going to a website and selecting ‘Forgot Password’, it would be very easy for them to reset it, gain access and lock you out.
When used with sites like Amazon, this could prove to be a financial disaster, since the retail sites tend to have so much information about you – including a home address – and it would enable them to be able to make purchases. But even if a hacker is not interested in going that far, any poking around in emails can unleash information that you may not want prying eyes to see.
“I’ve seen email accounts compromised because someone has wanted to read the email activity between the person compromised and another third party – maybe juicy details about a merger or acquisition. Very valuable data in the wrong hands,” says Douglas. “This kind of thing is less common for Joe Home-User, but there have been instances of a suspicious spouse gaining access to emails. By and large, though, email is a conduit to attack a system and get greater access to vulnerable and valuable data.”
Email As A Storage Device
One of the problems is that so many people use their emails as a place to store lots of important information so they have it to hand wherever they are. Do you want to remember a reference number or access an application form next week? Email it to yourself. Do you need to refer back to those FTP details that a company has sent you for those articles? Leave them in your inbox. How about those scans you took of your bank statement on your phone that you wanted to see on your computer? Email them. But did you remember to delete them afterwards? No?
Even though there are lots of services that can take the place of emailing – from Dropbox to SkyDrive to iCloud – email is too often viewed as a massive, almost limitless depositary for all the digital items that are accumulated throughout life. But email is not meant to be a database. It’s supposed to be for communication. By leaving vital information in the inbox, you could end up watching helplessly as someone rifles though all of your various files and builds up a massive picture of you. It’s akin to having a filing cabinet packed with important paperwork and letting someone loose on it.
Watch What You Type
But even if you lock down your emails, use different passwords, always log out when you’re on a public server, employ two-factor authentication (see below) or delete sensitive emails and keep on top of all your mailboxes, your emails are not entirely safe. Privacy is a major issue and more so today. There has already been suspicion that government agencies have been reading people’s messages. Indeed, GCHQ was revealed to have been capturing the emails of journalists at the BBC, the New York Times, the Guardian, Le Monde and the Sun, among others. But this is looking to set to become even more of an issue.
Within 24 hours of winning the general election, the Conservative government was reportedly looking at new laws allowing the security services to monitor people’s email, internet browsing, phone calls and text messages. Home Secretary Theresa May’s plan has been dubbed the ‘snoopers charter’ and it’s a revival of the proposals that had been blocked by the party’s former coalition partners, the Liberal Democrats.
People will need to be more careful about what they write in emails in the near future given that they could potentially be infiltrated, with the government able to ask for details going back 12 months. The new laws may even make encryption illegal. Encryption currently allow you to send an email that can only be read by the specified recipient – anyone infiltrating it in between will simply get gobbledegook. But the likes of Protonmail.ch, which provides a secure email solution, and Sendinc, which allows you to download Microsoft Outlook and Gmail add-ons, could be rendered useless and unlawful. Even if you have nothing to hide, the paranoia these laws will cause will almost certainly impact our relationship with email.
But that brings us to our final point when it comes to emails: current legalities. Emails can be as safe as possible to send, receive and keep, yet you still need to take care about what you’re actually writing. Composing an email isn’t a lesser form of letter writing and it holds just as much weight as the physical form. You should always bear in mind that emails can be forwarded to others in seconds and that they can be admitted as evidence in court, although legal experts say their reliability can be questioned.
According to Out-Law.com, “Just as email can be used to support a case, it can also be used to undermine it.” It goes on to say, “email is something of an informal medium, and individuals may often write things in an email that they would not include in a standard letter or memo. For example, individuals may send emails to each other discussing problems with a project and may make admissions of fault that they would not have made had they been aware that such emails could be disclosed to the other party. Policies regulating the use of email are therefore important.” It’s worth checking out a company’s policy on email before you go about making wild claims, admitting things or writing nasty notes about that person in accounts.
All of this should encourage you to reassess the way you work with emails. There are some simple tips such as not opening attachments from people you don’t know, using encryption software such as OpenPGP, using Bcc rather than Cc so that spammers are unable to grab large lists of names, using strong passwords and deleting sensitive emails. But at the back of your mind, you should always be wary that someone may be watching or that the recipient won’t do the right thing with your message. “You have to be smart,” says Douglas.
Tip: Create Difficult And Different Passwords
Make sure your password is different to any other that you currently use. That way, if one of your accounts is compromised, it should prevent others from falling too.
At the same time, ensure your passwords are as uncrackable as possible. Experts used to recommend a complex password using different letters, numbers and punctuation, but they found people often forgot them. As a reminder, they would make a written note – leading to a another security vulnerability.
The best approach is to form a lengthy password that you can store in your head and remember. Short, complex passwords add little to the time it takes to crack, but a mix of upper and lowercase letters in a long password increases the time by a factor of 26 for every extra character.
So aim for between 12 and 14 characters, which experts say it can take a computer as long as 15 years to uncover.
If you want to test various passwords for their robustness, play around at sites such as howsecureismypassword.net (but don’t input your real password).
Tip: Have Three Email Addresses
Use one email address for your important communications such as for banking and sensitive account or booking information. Never give this address out to anyone unless you really have to. Have another email address for friends and family – a general email that is used for day-to-day communications and which will only see non-sensitive information passing in and out. Then have a third that you use to sign up to all manner of less important websites: one that you rarely have to check and which is throwaway. Ensure that if this is compromised, it would contain such low-level information that you wouldn’t bat an eyelid and could just simply set up a new one and carry on.
Tip: Set Up Two-factor Verification In Gmail
Many email services will allow you to use two-factor verification. When you turn this on, every time you log into using your password, a code will be sent to your phone that you also have to input. It makes your email account extra secure because a hacker would not only need knowledge of your password but access to your phone in order to get in.
To make life easier for yourself, you can tell the email provider that you want it to trust certain devices. By doing this, you can continue checking and writing emails without needing the SMS code on your own machines. But if someone – including you – attempts to get into the account on a non-verified computer or device, it will ask for the code. Without it, access is barred – a perfect stranger deterrent.
1. Go to www.google.com/landing/2step, and Click Get Started. It will ask you to sign into your Gmail account and then take you to another landing page. Click ‘Start set up’.
2. You need to give Google your telephone number. Input your mobile number if you want a text sent to you. If you would prefer a voice call, you can also input landline numbers.
3. A text message will be sent to your phone with a verification code. Simply input this six-digit code into the box on the website and click ‘Verify’ to continue.
4. You can then indicate whether or not you want Google to trust the computer you are using. You need to do this later for your other devices too. If untick the box, you’d need the code to access your account on that computer.
5. Once you click ‘Confirm’, two-step verification will be turned on. It’s possible to change the phone number in your account settings, should you lose it.