Despite the rise of social networks and Twitter, e-mail is still the way many of us communicate. But it can put a tremendous amount of your private data at risk. Here are some tips for minimizing that risk.
Bad guys have a number of ways to compromise your account, including brute force attacks (trying username/password combinations until they stumble on the right one); password resets; or intercepting login credentials sent in the clear.
The risk: If you’re like most people, your e-mail account contains old bank statements (or links to same), addresses, information about other accounts, maybe even credit card numbers or passwords: It’s a treasure trove for an identity thief. And if an attacker gains control of your e-mail account, he can reset the passwords of other accounts. Finally, an attacker can harvest your friends’ e-mails for spam or phishing attacks.
How to protect yourself: The first rule of safe e-mail is: Don’t use it to send critical data.
Next make sure you connect to your e-mail accounts over encrypted connections. That means using SSL (look for the lock in your browser) for Webmail and a secure protocol (usually IMAP or POP3 over SSL) for other accounts. Do that on your portable devices as well as on your Macs.
Use very strong password for your e-mail accounts. (Mine is 25-digits long, and includes numbers, letters, and special characters; I keep track of it with a password manager.)
The Risk: Your e-mail address alone is worth money to spammers, scammers and other thieves, and is therefore worth protecting.
How to Protect Yourself:Use one time e-mail addresses for different online accounts and services. Many ISPs will provide such addresses for free; for example, MobileMe provides up to five such aliases (Mail -> Preferences -> Addresses). If that e-mail address starts getting spammed, you can cut it off without changing your primary address.
Some spammers still crawl Web pages looking for text strings that look like e-mail addresses. So make sure your e-mail address doesn’t show up in online forums or blog comments, much less any Websites you control. Or use a simple obfuscation technique, such as
you (at) isp (dot) com to make the address harder to recognize.
[Mike Rothman is an analyst at Securosis.com and author of The Pragmatic CSO.]