PII at Risk Part 1: Why Your Email Account is Valuable to Hackers

Identity is a funny thing. I used to think I knew exactly what it was made of—Social Security number, date of birth, and first and last name. Period. But then came the Internet, and the notion of identity began to change and evolve along with the latest technology. Now I’m also known by my Twitter handle, Facebook name, and even my Xbox gamertag. Increasingly, in an online world, people know not only my name but also my email address.


The miscreants of the “dark web” (anonymous, virtually untraceable global networks used by criminals) are looking for email addresses to harvest. Why? Because they make money selling consumers’ online credentials—usernames and passwords for accounts at companies like iTunes, Groupon, Dell, Overstock, Walmart, BestBuy, etc.[i] The logins and passwords of hacked accounts sell for anywhere from $1 to $8 each. To understand the risk, let’s start with the basics.


How many email addresses do you regularly use?
The best stats I could find indicate the average person maintains 2 – 3 email accounts[ii]. Other anecdotal accounts mentioned 3: 1 for work and 2 for personal. Of the personal accounts, one was a “spam” account (you know, the one you use when a website “requires” you to create an account) and one was a “real” account for friends and family. I personally juggle around 10 email accounts: 9 personal + 1 professional. Of the 9 personal accounts, I interact daily with 2 of them, and look at the remainder maybe once a week.


How much information is in your Inbox?
The information in my email accounts truly holds the keys to my kingdom: banking statements, utility bills, receipts for online purchases, and my contact list of friends and family. Once my email is known to criminals, that contact list becomes the launching pad for sending those same people spam and phishing emails.


Understand the relationship between your email address and other online accounts.
Email addresses are often used—nay, required—in order to shop, socialize, or get access to website content. Whether it’s creating an Amazon.com account or posting your latest picture on Pinterest, you need an email address. Now think of all the online accounts you have. The average person, by the way, has 26, with 25-34 year olds at the top of the heap with 40[iii]. I know I’m far from the “average Jill” with my 102 different online accounts.


So here’s the problem: the math makes it easy to be a hacker.
“So what?!” you say? Let’s do the math. Based on the information I just gave you, I will most likely interact with my 102 online accounts using only three email accounts (2 personal and 1 professional). So the payoff for a hacker who gains access to only one email account is pretty good: potential access to thirty-four online accounts (102 divided by three). If you’re a poker person like me, you know those odds are pretty good. You’re going all in. Now imagine the depth and breadth of information a hacker would have access to after gaining access to those accounts.


To get a bird’s eye view of what kind of information a compromised email account can unveil, check out this super cool infographic[iv].

[Infographic: The Value of a Hacked Email Account, Krebs on Security]

So what should I do?


  1. Create secure passwords. It’s never been more important to make sure you are creating difficult-to-guess, difficult-to-crack passwords for your email accounts. Password management software is everywhere now (PasswordBox is one of my personal favorites). Find one that can generate secure passwords with a click of a button, and use it both to manage your existing accounts and to create hardened passwords for new ones. (Stay tuned for part 3 of this series, where we discuss managing your passwords securely.)
  2. Be thoughtful about to whom you give your email address. Look, I just want to read some content, not marry you. Why are you forcing me into some kind of long-term relationship? When I’m not sure if I want to create a relationship with an online property, I use mailinator.com. Mailinator is a service that allows users to create a temporary email address and receive and easily access email on its servers, at no cost to the consumer. Email is purged after 24 hours. IMPORTANT NOTE: DO NOT use this service for confidential or sensitive relationships, since no password is required to read the emails—anyone who knows (or guesses) the email address can read that inbox.
  3. Pay attention to data breach announcements. The Target breach that exposed 110 million consumers was reported to have started with an email malware attack[v]. Breach announcements are often accompanied by specific information about what data was exposed, so consumers can identify the brands with which they do business. Another free resource is Pwnedlist.com. This website allows consumers to sign up for free monitoring of a maximum of 3 personal email accounts; the service notifies you if it finds your email address in a data breach containing credentials.
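To make step 1 concrete, here is an added example (not code from the post or from PasswordBox) of what a password generator does under the hood: it draws every character from the operating system's cryptographically secure random source via Python's `secrets` module, and it reports how much entropy the result carries. The character set, the sample word list, and the assumed guess rate of 10 billion guesses per second for the crack-time estimate are all assumptions chosen for illustration.

```python
import math
import secrets
import string

# Assumed character set: the 94 printable ASCII characters a typical
# password manager offers (letters, digits, punctuation).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed sample word list for passphrases. A real generator would use a
# large curated list (thousands of words); 16 words is only for demonstration.
SAMPLE_WORDS = [
    "anchor", "basket", "canyon", "dolphin", "ember", "falcon", "garnet", "harbor",
    "island", "jasper", "kettle", "lantern", "meadow", "nectar", "orchid", "pepper",
]


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return a random password of `length` characters drawn uniformly from
    `alphabet`, using the OS CSPRNG (never the `random` module, which is
    predictable and unsuitable for secrets)."""
    if length < 1:
        raise ValueError("length must be positive")
    if len(set(alphabet)) < 2:
        raise ValueError("alphabet must contain at least two distinct characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words=SAMPLE_WORDS, count: int = 6, separator: str = "-") -> str:
    """Return `count` words chosen uniformly (with replacement) from `words`,
    joined by `separator`. Easier to type than a symbol soup; its strength
    comes from the size of the word list, not from the individual words."""
    if count < 1:
        raise ValueError("count must be positive")
    return separator.join(secrets.choice(words) for _ in range(count))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random secret: length * log2(alphabet_size).
    For a passphrase, `length` is the word count and `alphabet_size` the
    word-list size."""
    return length * math.log2(alphabet_size)


def crack_time_seconds(bits: float, guesses_per_second: float = 1e10) -> float:
    """Average time for an attacker who can try `guesses_per_second` candidates
    to hit the secret: on average half the keyspace must be searched. The
    default rate is an assumption, not a measured figure."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


if __name__ == "__main__":
    pw = generate_password(20)
    pw_bits = entropy_bits(20, len(ALPHABET))
    print(f"password:   {pw}  ({pw_bits:.1f} bits)")
    print(f"avg crack time at 1e10 guesses/s: {crack_time_seconds(pw_bits):.3e} s")

    pp = generate_passphrase(count=6)
    pp_bits = entropy_bits(6, len(SAMPLE_WORDS))
    print(f"passphrase: {pp}  ({pp_bits:.1f} bits; tiny list, demo only)")
```

The two entropy figures printed side by side make the point of step 1: twenty characters from a 94-symbol alphabet carry about 131 bits, while six words from a 16-word list carry only 24 bits and would fall in well under a second at the assumed rate, which is why real passphrase generators use word lists thousands of entries long. A generated secret is only as good as the place it is stored, so the output of a generator like this belongs in the password manager, never in a note or a reused pattern.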


The moral of this story is pretty clear—don’t take the security of your email address for granted. Treat your email address more like your cell phone number than your zodiac sign. Only people I know and trust get my real cell number (and yes, I have alternate “fake” ones that route to my real one too, thanks to Google Voice). As we’ve become accustomed to letting our email addresses wander about unsupervised, like a drunken bachelor in Vegas, we’ve put ourselves more at risk. Remember, this is the 21st century, and what goes in Vegas doesn’t necessarily stay there anymore. Stay tuned for the next part of this series, PII at Risk Part 2.


Karin Tansey is the Senior Director of Product Management at myFICO and an online security expert.
Sources:

[i] The Value of a Hacked Email Account, 6/10/2013, Krebs on Security
[ii] Email Statistics Report, 2011-2015, The Radicati Group, Inc.
[iii] Online fraud: too many accounts, too few passwords: Threefold increase in fraud compared to 2010, 7/18/2012, TechRadar
[iv] The Value of a Hacked Email Account, 6/10/2013, Krebs on Security
[v] Email Attack on Vendor Set Up Breach at Target, 2/12/2014, Krebs on Security