I was asked by a family member over the holiday break what the most important steps are to protecting oneself online. In my opinion, it is not installing anti-malware software. It is not subscribing to credit monitoring. It is not installing updates to your OS and applications. It is not even necessarily using strong, unique passwords for all of your accounts. One should, as the first step in cyber security, lock down their email.
Email as Authentication
Progressive tech-heads have been trying to kill off email for years. The latest hot entrant into that arena is Slack (essentially a successful version of Google Wave), which is making headway; but email is still not likely going anywhere soon.
Scenario: You log into your investment broker’s site in the next couple of months to prepare for tax season, but you cannot remember your password. You figured it was an important financial account, so you created a unique, secure password, which you now regret one year later (more to come on password vaults in the future). How do you reset your password when that sticky note in your drawer is long gone? Your email.
For the modern Internet to function, service providers require that a user authenticates that they are who they say they are. For better or worse, the current security model of most organizations is to rely on the user’s provided password (something they know) to successfully authenticate themselves. When a user fails to provide this password for whatever reason, the fallback is typically to rely on something they “have” (or technically “have access to”) – email.
Email as Data Treasure
Furthermore, in the era of essentially unlimited storage, emails rarely get deleted (and rightly so). How many times have you used your email to send a password, credit card number, or even possibly your Social Security number to a trusted family member or friend? If it is still in your archives, anyone who gains access to your email account can easily recover this sensitive data and wreak all kinds of havoc.
What can I do?
So, if you are tracking with me and are getting a little nervous, it is OK. Here is what you need to do if you use a modern web email provider such as Gmail or Yahoo Mail.
Use a Strong, Unique Password
No explanation needed. No excuses. Just do it. Upper case. Lower case. Numbers. Special symbols. Klingon characters. Store it somewhere safe (not in an email to yourself).
Use Two-Factor Authentication
2FA extends the “something you know” of the password to also require the “something you have” of a (typically) mobile device. All respectable email services provide this feature, so search around for their guide on how to set this up.
Audit API/OAuth Connections
In an attempt to cut down on the free flow of passwords, major web service providers often allow for OAuth connections to each other. You can sign into Clash of Clans with your Google account, for example. Do an audit every once in a while to ensure that you have not granted access to your email account to shady apps, or even to apps that you no longer use.
Use a passcode or fingerprint scanner on your smartphone. Use a password on your laptop or desktop. Always lock your device when you leave it, even if that is just for a minute. Protect your devices and specifically their browsers from malware.
Stop. Before I wrap up, if you know this article is being written to you, fix it. Fix it now. It will take no more than about five minutes, and it will prevent you from so much heartache down the line.
In conclusion, carefully executing these steps should protect your email from most prying eyes. Remember, however, that you are most likely using a “free” service, and you are paying for that service by allowing the provider to access, analyze, and sometimes sell your data to third-party advertisers. Also, do not forget Edward Snowden’s confirmation that the NSA can pop in and read any email when they choose. If you actually want privacy and security, you will need to roll your own email service (very hard) or use a service priding itself on end-to-end, zero-knowledge encryption like ProtonMail or Tutanota.
Disagree? Have a question? Let me know.