Security Experts:

E-mail Hacks - A Bigger Problem than you Think

Last month was a good one for e-mail hackers. I received 13 odd-product e-mails from 12 friends and my wife (long story), and Yahoo gave up more than 400,000 e-mail addresses to a hacker who subsequently shared them with the world.

I sent what I thought was an amusing e-mail back to my friends and wife and wondered how an IT juggernaut like Yahoo could be so dumb. After the Yahoo fiasco, my friends and wife changed their e-mail passwords and Yahoo hired a new $42 million-a-year CEO. Their hearts are pure, but as you will see, a lot more was going on just below the surface than most people realize.

(Image: Protecting Email Accounts from Hackers)

However worrisome these e-mail hacks may have been, the public just hasn’t sent up a real outcry to put a stop to these hackers. Like the chloride in our water and the radioactive cans of tuna on our store shelves, we Americans just accept risks such as hacked e-mail accounts as part of our daily lives. I guess you have to die of something (a feeble attempt at humor).

Let’s look at what e-mail hacking is really all about and why it could be much more painful than just having to sort through our spouse’s energy drink messages.

We’ll start with how our e-mail accounts get hacked, and then move to the personal and financial issues that stem from these hacks. Finally, we’ll touch on how to avoid your very own e-mail hack and what to do if you do get hacked.

A Little Clarity

Before we dive in – let’s look inside an e-mail hack.

Older readers may remember when the Internet was young and a bad e-mail experience was having your e-mail address (just the address, mind you) added to someone’s mailing list and sold to hundreds of spammers. We received endless emails that clogged our accounts, with no easy way to stop this electronic spam. How annoying.

Life is better now in that the majority of spam gets trashed before we ever see it. Let’s hear it for the Junk folder!

Fun fact –  According to Symantec, about 40 billion spam e-mails went out per day in 2011.

It’s a new age now, and the $32 billion U.S. cyber-crime industry is far more sophisticated. The e-mail hack of today includes both our e-mail address and the password that goes with it. At best, some cyber-creep has full access to our private e-mail correspondence.

Dumb and Trusting

Today, the only thing we should have to worry about is keeping our passwords safe: relax and assume your e-mail address will be harvested the first time you create an Internet account, but don’t lose sleep over it, because you have a secure password.

E-mail accounts get hacked in many ways – some because of what I call “personal dumb” and some due to “corporate dumb.”

I see three major cases of e-mail dumb:

Bad Choices – Americans are lazy, and we whine when we have to work too hard to protect our own interests. Given that chance, we’ll use passwords that are embarrassingly easy to guess. Common bad choices include ‘12345’, ‘qwerty’ and ‘love’. When pushed (or required) for something more complex, we will use our dog’s name and birth year (ginger2001) or ‘Password1’ (after all, this is more than seven characters and contains a capital letter and a number, right?). In truth, having no password at all would be just as effective as these. Hackers have automated programs that will crack these common passwords in minutes.

(Image: Email Security Tips)

Undeserved Trust – We seem to have a mistaken impression that any company with an Internet presence must be smart and trustworthy enough to keep our personal information private. However good this makes us feel, it could not be further from the truth. We live in a time when the FBI, CIA, Zappos and Yahoo (to name just a few recent cyber failures) get hacked. These guys have million-dollar security budgets! Instead, you should start every Internet day with the assumption that everything shared may end up in a far-away cyber-crime lab. Your e-mail addresses and associated passwords are no exception.

Malware – Studies have shown that more than 50% of all home computers have some form of malware installed. We used to call these silent background programs “viruses,” but in fact the term “malware” (malicious software) is a far better name for software whose sole purpose is to send out spam (where did you think spam came from?), threaten large companies with attacks (yes, your home computer may unwittingly have been one of the many that helped bring down the CIA website), and collect and report your every keystroke. A resident malware program hanging out on your home PC would have no problem collecting your Yahoo, Hotmail or Gmail login credentials.
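The “Bad Choices” case above makes a point worth seeing in code: ‘Password1’ satisfies the naive “seven-plus characters, a capital and a number” rule, yet it and the other examples (‘12345’, ‘qwerty’, ‘love’, ‘ginger2001’) would fall in minutes. The following checker is an added example, not code from the article or its author; the short blocklist is constructed for illustration and a real deployment would load a full breached-password list instead.

```python
import math
import re

# Constructed stand-in for a breached/common-password blocklist (assumption:
# real checks use a list of millions of entries, not eight).
COMMON_PASSWORDS = {"12345", "123456", "qwerty", "love", "password",
                    "password1", "letmein", "iloveyou"}

# Dictionary word followed by a year (ginger2001) or one or two digits (Summer22).
WORD_PLUS_YEAR = re.compile(r"^[A-Za-z]{2,}(19|20)\d{2}$")
WORD_PLUS_DIGITS = re.compile(r"^[A-Za-z]+\d{1,2}$")


def naive_policy_ok(pw: str) -> bool:
    """The rule the article mocks: more than seven characters, one capital, one digit."""
    return len(pw) > 7 and any(c.isupper() for c in pw) and any(c.isdigit() for c in pw)


def charset_size(pw: str) -> int:
    """Size of the smallest character class mix an attacker must brute-force."""
    size = 0
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(c.isdigit() for c in pw): size += 10
    if any(not c.isalnum() for c in pw): size += 33  # printable ASCII symbols
    return size


def assess(pw: str):
    """Stricter policy: returns (accepted, reason).

    Order matters: blocklist and pattern checks catch passwords whose
    character-class entropy looks fine but that any cracking wordlist covers.
    """
    if not pw:
        return False, "empty"
    if pw.lower() in COMMON_PASSWORDS:
        return False, "on common-password list"
    if WORD_PLUS_YEAR.match(pw) or WORD_PLUS_DIGITS.match(pw):
        return False, "dictionary word plus year/digits pattern"
    bits = len(pw) * math.log2(charset_size(pw))  # brute-force upper bound
    if bits < 60:
        return False, f"only ~{bits:.0f} bits against brute force"
    return True, f"~{bits:.0f} bits against brute force"


def compare(passwords):
    """Map each password to (naive rule result, stricter policy result)."""
    return {pw: (naive_policy_ok(pw), assess(pw)[0]) for pw in passwords}
```

Running compare() over the article’s examples shows the gap: the naive rule accepts ‘Password1’ and ‘ginger2001’ while the stricter policy rejects all five.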

The Real Danger

OK, your e-mail account gets hacked and sends out questionable product e-mail ads to friends and relatives across the nation. This is not a big deal anymore; most people have seen so many of these, they probably won’t even bother to poke fun at you.

You change your passwords and assume all is well. Unfortunately, all may not be well. Your problems may just be starting. To get you thinking, I’ve picked out a few of the secondary problems you may encounter:

One Password for All – Studies have shown that more than 60% of all Internet users use one, or at most three, login name/password pairs throughout their entire Internet journey. This means that a hacker who discovers your favorite password may have access to all of your Internet accounts. It doesn’t take a genius to figure out that the hacker’s next stop, after discovering your e-mail password, will be PayPal, eBay and every online banking site in the country. Your e-mail address and password will be checked against thousands of eCommerce and financial sites in minutes.

Identity Theft and Extortion – A hacker gaining access to your personal e-mail account is like your kid brother reading your diary – those e-mails are supposed to be private. Imagine the information you’ve sent to friends and family being read by an automated program that has been trained to pick out information that can be used in an identity theft or to gain access to financial accounts. Then consider the very, very private e-mails that you’d gladly pay someone to keep private. Cyber-extortion is alive and well as a thriving industry here in the U.S. At least with your kid brother, you had the option of blackmailing him.

It’s not just You at Risk – At the very least, your hacked e-mail account provided a hacker with your entire list of contacts. Your friends, family, coworkers and colleagues will get added to Spam and ‘Try to Hack’ lists across the world. You also might think about the e-mail messages you’ve received from friends that include their identity information or that might put them at risk of cyber extortion. We all do tend to be a bit indiscreet with our e-mails.

Supporting a Hacker – Feeling bad about the colon cleansing product you just unwittingly promoted (spam e-mails from friends and relatives are likely to be opened) is fine. What should make you really mad, however, is that every one of those spam e-mails that get opened makes a small profit for the hacker – the old pay-per-click system at work. The free market system is alive and well in cyberspace.

Taking Control of your E-mail Life

Let’s start by saying that even with your best efforts, your e-mail account may get hacked. Cyber-crime is big business and even the big e-mail providers like Yahoo, Microsoft and Google eventually will fall prey to persistent and well-funded hackers. Even if you are playing life safe personally, “corporate dumb” is well within your computer’s reach.

Having said that, however, you really should do your part to avoid being the next e-mail casualty. My suggestions for you:

Stave off Malware – Common Malware is often avoidable. Install a quality anti-virus/malware product (well worth the small extra cost) and keep it current. Then make sure your operating systems and browsers are likewise current.

Stay Password Safe – Choose your passwords with care; make them strong (long and complex) and try not to use the same password twice. As a compromise to password sanity, the least you should do is separate your password usage into financial, personal and casual buckets. For example, your PayPal password should never be the same as your Yahoo password.

Tread the Internet with Care – The Internet is a mean place. Treat every e-mail like a Trojan horse, every web page as a potential source of malware, and every request to set up a private account as a trick to harvest your password.

Use Two-Factor Authentication - Adding an additional security layer to your account, such as two-factor authentication, can be a significant enhancement and protect your account even if your password was compromised. Google, for example, provides two-factor authentication to protect email and Google accounts from hackers.

Alan Wlasuk is a managing partner of 403 Web Security, a full service, secure web application development company. A Bell Labs Fellow award-winner with 18+ years of experience building secure web applications, Wlasuk is an expert in web security - from evaluation to web development and remediation.