Protect your Email at all costs
Keeping your email safe is paramount in a world where breaches are common and your email can be used to identify you for your most important assets
Recently there was a case in Australia of a couple losing $370,000 in an identity theft incident. It seems like the main attack vector was the couple’s email.
The problem with having your email compromised by fraudsters is that they can impersonate you, which allows them to steal access to various other services, which then gives them even more access. In this case, the email was used to verify the attacker to port the couple’s mobile number to an attacker’s phone, which then gave the attacker access to the couple’s bank account. With the phone number they were also able to bypass the couple’s multi factor authentication protection, which led to huge losses.
This got me thinking about our vulnerability with having our identity tied to our email and phone number, and why it’s so important to protect your email. Let’s look at how we can secure ourselves as much as possible and lower the risk of identity theft.
Don’t use SMS Multi Factor Authentication
First, SMS Multi Factor Authentication is incredibly insecure. There have been several cases recently of SIMs being ported. The danger of this is someone can take control of your mobile number and then verify themselves to gain access to your other accounts. They can also use it to impersonate you to commit fraud. The first sign you have that you’ve had your number ported is that your phone goes into “SOS” mode.
Yet this is ridiculously easy to do. Phone companies are slowly starting to put some safeguards in place, but with the case above a compromised email account was all it took to port the number.
Install an Authenticator App
Your first action should be to install an Authenticator App on your phone or tablet. I’d recommend either Google Authenticator, Microsoft Authenticator, or Aegis on Android. Then, set up MFA using this app for all important accounts (banking, government etc.) if possible. If they don’t allow the use of these apps, the best you can hope for is to set the MFA to use email instead of phone. Then, secure the hell out of your email.
When you turn on MFA through the Authenticator app you’ll be given some codes or a QR code to save in case you ever lose access to your phone. You can print these or save them somewhere easy to access. Always remember to back up your Authenticator backup codes somewhere safe!
Securing your email
Set up Multi Factor Authentication on your email
Most importantly, set up MFA on your email account (using an Authenticator). All good providers allow this. This almost eradicates the possibility of someone taking over your email account by porting your phone number.
MFA might seem like a pain at first, but it will recognise your devices and not ask you every time, only the first time. It’s worth it – this is probably the single most important step you can take to avoid losing access to your account and the identity theft that might follow.
Use a strong password or no password
Microsoft allows you to remove the password from your account so that you only use the Authenticator app. This is safer than using a password as you can’t get into your account unless you have your phone.
If you have a password, make it strong. The best passwords are not passwords like j$sdf#@Cx!! but actually a longer password like tidy-strawberry-underpants. The length makes it hard for a computer to crack but easy for you to remember. You can make it even more secure with numbers, symbols and uppercase letters but keep it simple still so you can remember it or at least type it easily. For example: Giant-Hairy-Chicken43!
Use a Password Manager
Ideally you shouldn’t need to remember passwords, and you should use password manager software to remember all your different passwords and emails for all your accounts. Of course, you need to remember one password for this, but that’s it. That’s the password you can make that’s easy to remember. For the rest, a password manager can generate super-complicated random passwords for you and remember them.
It’s important, given the prevalence of breaches (see below) that you use a unique password for every account. Without a password manager, this would be tricky.
Software like Bitwarden can be installed as a browser plugin, and as a mobile app which takes over the Autofill feature on your phone. Your passwords are encrypted – even at the insanely incompetent LastPass, who have suffered several breaches, vaults were encrypted, so attackers were not able to get at people’s actual password vaults. I’d recommend against using LastPass, incidentally. Bitwarden’s security is much better. Proton Pass is also a strong contender and there are others in this space such as KeePass.
Chrome, Edge, Firefox, Brave and all the rest allow you to save passwords in your browser. This is not as secure as a dedicated password manager as any malware on your computer will dump these passwords to a hacker’s server the first chance they get. But, some browsers now encrypt passwords, and it’s better than nothing.
Check for breaches
This is quite an important measure in today’s world where company breaches are ridiculously common. The website Have I Been Pwned allows you to enter your email address to see if it has been in any company breaches. Firefox has a breach monitor, Firefox Monitor (which you can use from any browser), and Google One also has a new “Dark web report” feature.
In the past companies have been known to leak passwords as well, though this is becoming less common as encryption practices become more widespread and often legislated.
Here’s what happens when your email is breached: it is now public. It’s out there on the Dark Web and anyone can see it. Lists of breached emails are often sold, and often they are publicly available for free. Hackers obtain the lists and send spam to trick you into further action. Some of this spam can be quite convincing as they may have other details about you which add some legitimacy. Remember that clicking one bad link is enough to infect your device with malware, or to let someone take over your accounts.
With that in mind, do you think it’s wise to use your full name in your email address? It’s likely that a pretty comprehensive profile on you is already out there, containing your contact details, identity documents, past accounts, and more. Hopefully you didn’t use an email containing your full name to sign up to a site like Ashley Madison.
If you have been in a breach, all you can do now is limit the damage.
Change your email address if you can. Microsoft allows you to add new email addresses to your account, and then block your old one from being able to login. So you can keep the address for receiving emails, but an attacker is not able to use that email address to access your account.
Google is pretty poor in this regard: you may have to set up a new account, which can be a massive pain if you have all your photos there, and a paid account. So all you can really do there is get a new strong password and MFA. In my opinion Google are pretty terrible for security and even worse for customer support when things do go wrong, so take that as a warning.
Given the problem of companies generally being unreliable twats incapable of protecting your data, it’s best to take matters into your own hands and hide your identity from them wherever possible.
A really good way to do this is to use email aliases. As I said, Microsoft allow you to add multiple addresses to an account which can be useful to separate out banking, government, and OnlyFans accounts.
Google don’t allow you to change or add email addresses to your account but you can create unlimited aliases. You can do this by putting a +something in your email address before the @ – e.g. if your email is email@example.com you can sign up to a newsletter with email+newsletter@example.com and the email will arrive in your normal inbox. Then if that newsletter company ever gets hacked, your main email address will not be in the breach. It’s obvious to anyone looking at it what your real address is, but often spam is sent out by automation to emails harvested from breaches. So when you get an email where the “to” is dave+spam and it’s not from the company you signed up for, you know that company has probably been hacked and you can ignore the email.
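The “who leaked my alias?” check described above, as an added example that is not part of the original post: a small Python triage that splits a plus-address into its base address and tag, then flags mail where the sender’s domain is not the service that tag was handed to. The alias registry and inbox are constructed sample data using documentation domains, not real services.

```python
from __future__ import annotations
from email.utils import parseaddr

# Constructed registry of which service each "+tag" alias was given to: hypothetical
# sample data standing in for the notes you keep when signing up, not real services.
ALIAS_REGISTRY: dict[str, set[str]] = {
    "newsletter": {"news.example.org"},
    "shop": {"shop.example.net"},
}

def split_plus_alias(to_header: str) -> tuple[str, str]:
    """'Dave <dave+shop@example.com>' -> ('dave@example.com', 'shop'); tag is '' without a plus."""
    _, addr = parseaddr(to_header)
    local, _, domain = addr.rpartition("@")
    base_local, _, tag = local.partition("+")
    return f"{base_local}@{domain}".lower(), tag.lower()

def sender_domain(from_header: str) -> str:
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()

def classify(to_header: str, from_header: str,
             registry: dict[str, set[str]] = ALIAS_REGISTRY) -> str:
    """Compare the alias tag with the sender's domain. A mismatch means the alias has
    leaked (breach, list sale, sharing); a match is only 'expected', not proof the mail
    is genuine, because From: headers can be forged."""
    _, tag = split_plus_alias(to_header)
    if not tag:
        return "no-alias"
    expected = registry.get(tag)
    if expected is None:
        return "unknown-alias"
    return "expected" if sender_domain(from_header) in expected else "possible-leak"

def leaked_aliases(messages: list[tuple[str, str]],
                   registry: dict[str, set[str]] = ALIAS_REGISTRY) -> set[str]:
    """Alias tags seen with an unexpected sender: the services whose copy of your
    address has probably escaped and whose alias can now be retired."""
    return {split_plus_alias(to)[1] for to, frm in messages
            if classify(to, frm, registry) == "possible-leak"}

# Constructed sample inbox as (To:, From:) pairs; not real mail.
SAMPLE_INBOX = [
    ("dave+newsletter@example.com", "Example News <hello@news.example.org>"),
    ("Dave <dave+shop@example.com>", "Example Shop <orders@shop.example.net>"),
    ("dave+newsletter@example.com", "Prize Desk <claim@totally-legit.example>"),
    ("dave@example.com", "Friend <friend@example.com>"),
]
if __name__ == "__main__":
    print("leaked aliases:", leaked_aliases(SAMPLE_INBOX))  # {'newsletter'}
```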
A great option for generating aliases is a service called Simplelogin by Proton, who also have a fantastic privacy focussed email service. You can get 10 aliases for free with Simplelogin, and they’re randomly generated. You get a dashboard to manage the forwarding and to make notes on each address. If you pay, you can get unlimited aliases.
Remember, you can use a password manager to save a different email and password for every website if you want to.
I’m sure you’ll agree that using an alias service has obvious benefits, as it means you’re not using your real email address at all. If it ends up in a breach, you can burn it, or don’t even worry about it if you don’t use that address for signing into anything.
Some of these services even have “reply as” features which let you have conversations under the alias, for when you need the email for more than just signing up for accounts or newsletters.
The important thing is that aliases allow you to keep your email sign in username completely secret.
A word on Self Hosted email
If you’re using a self hosted service, hopefully you know what you’re doing. But remember that by giving out that address, you’re giving away half the key to some pretty important stuff, perhaps your website or cloud storage. Always secure with MFA.
You can also take measures to protect your phone number with VOIP services, but this is a little trickier. I may address this in a future article.
Keeping your email safe is paramount in a world where breaches are common and your email can be used to identify you for your most important assets.
- Secure your account with a strong password and Multi Factor Authentication using an Authenticator App.
- Use aliases to sign up for websites and newsletters and try and keep your login email secret.
- Use a password manager to store your passwords. Some, such as those built into Chrome and Edge, have built-in breach alerts. Randomly generate different passwords for every account. Make sure the passwords are as long and complex as possible.
These tips are all a great start which will make it difficult for an attacker to break into your accounts. A determined attacker will always find a way, but generally you just need to avoid being an easy target.
In this article I’ve covered the absolute bare essentials of how to protect your email account. It’s my experience that many of these measures will not be known to a lot of people, which is why I have compiled this guide. Please share it with friends and family especially those who are not tech savvy. Any one of these measures can be the “inconvenience that makes the burglar try next-door instead”.