Wednesday, January 4, 2012

Email is Absolutely NOT a Secure Way to Exchange Information

If anyone tells you email is secure, don't believe them.  I now explain email security the same way my brother-in-law explained text messages to his teenage son.  "Don't put anything in a text message you wouldn't mind seeing on the front page of the local newspaper."

There are both technical and human reasons this statement is true.

Email is just like a postcard.  If you have ever sent a postcard in the mail you know that anyone who touches the card can read anything written on the card.  An email is the exact same thing.  The biggest difference is so many more people touch your email AND they can make a copy of it to keep each time they touch it.

Email travels from you to the recipient across actual servers on the Internet and in offices all over the world.  Each server that sees the email then determines where to send it next.  It isn't meant for them, but they are the middlemen of the Internet world.  Plus, it gets to the other person's email server, and you have no idea where that is or who has access to it.  Before your recipient even sees your note there are already unknown numbers of people with access to the information.

Logging into a website does not secure your email, just your reading and writing.  Think of HTTPS and SSL this way: they are tools that allow you to pass the note across the room without yelling what you want to say across the room.  All the people who pass the note can still open it and see it, but those who don't touch the note can't get to it at all.

Some people believe that they log in to an HTTPS or SSL site and that makes their email secure.  The only thing that makes secure is the conversation between your browser and the server you are interacting with through the browser.  That keeps people from seeing your conversation as it is being sent to the server, but once it gets to the server it can be seen again.
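To see the middlemen for yourself, the sketch below reads the Received headers that each mail server stamps on a message and lists every server that handled it, along with whether that leg of the trip was encrypted.  It is an added example, not part of the original post; the message, hostnames and addresses are constructed, and the function names are made up for illustration.

```python
import email
import re

# Constructed sample message (not real traffic); all hostnames are reserved example domains.
RAW = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.7])
\tby mailstore.recipient.example with ESMTP id c3;
\tWed, 4 Jan 2012 10:00:05 -0600
Received: from relay.isp.example (relay.isp.example [198.51.100.9])
\tby mx.recipient.example with ESMTPS id b2;
\tWed, 4 Jan 2012 10:00:03 -0600
Received: from webmail.sender.example (webmail.sender.example [192.0.2.4])
\tby relay.isp.example with ESMTP id a1;
\tWed, 4 Jan 2012 10:00:01 -0600
From: alice@sender.example
To: bob@recipient.example
Subject: lunch

See you at noon.
"""

HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.S | re.I)

def trace_hops(raw):
    # Each server prepends its own Received header, so reverse them to get travel order.
    msg = email.message_from_string(raw)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        m = HOP.search(header)
        if not m:
            continue  # headers are self-reported and free-form; skip ones we cannot parse
        proto = m.group(3).upper()
        # RFC 3848 keywords: ESMTPS / ESMTPSA / LMTPS / LMTPSA mean TLS was used on that hop.
        hops.append({"from": m.group(1), "by": m.group(2), "with": proto,
                     "tls": proto in {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}})
    return hops

def servers_with_copy(hops):
    # TLS only protects the wire between two servers; every server named here held the full message.
    seen = []
    for h in hops:
        for host in (h["from"], h["by"]):
            if host not in seen:
                seen.append(host)
    return seen
```

In the sample, only one of the three legs is encrypted, and all four servers had the whole note in hand either way.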

Your email address and contacts are very valuable to Internet criminals.  I have been told that people don't really worry about getting hacked and their security because no one would care what was in their email.  Even if you do make sure you don't include real secure information in an email you should still use a secure connection and password with your email to protect yourself from spammers or others hijacking your account.

Spammers are always looking for accounts they can take over or for confirmed email addresses they know people use.  They will quickly start sending all kinds of email under your name and address to anyone you ever sent an email to before.  Do you really want to risk some of those X-rated emails from a spammer being sent to your Mom from your email address?  Or, what if a potential employer you sent a resume to starts to get a rash of "enlargement" emails from you?

Email on your phone makes security even less likely.  If you access your email on your phone you have all that information at your fingertips.  It is great!  If you lay your phone down when you come in the house or on your desk at the office or on the table in a restaurant, you are allowing access to everything on the phone, including your email.  These days when someone loses a phone they lose a lot of data!  If you can pick up your phone and open your email, there is no reason someone else can't and won't do the same thing given the opportunity.  A thief gets so much more than just the physical device when they steal a phone.

Oh My Word, What do I do!?! Yes, that is exactly what you should be saying.  No one can consider they have perfectly secure email transactions, but you shouldn't be the most likely to be hacked.  Just like burglars will choose a house with fewer security precautions, so will Internet criminals.  Make some effort to protect yourself as well as your contacts and you will become a less enticing target.

  • Never, ever send credit card information, social security numbers or anything you don't want on the front page of the local paper in an email.
  • If you must send sensitive information via email, then you must use a tool that encrypts the email all the way to the recipient.  There are several, and they all cost money to use regularly.  If you just need to send an occasional one, try using something like this.  They usually require you to have a special email address and website to provide that security.
  • Be leery of any email that requests you to link somewhere and/or enter a password.  It is always better to err on the side of caution.  Ask someone to look into it for you, or look it up on the web first.  If you think you know the difference, be sure by taking a quiz to see if you can tell the real from the fake sites.
  • Set a password on your email account that isn't obvious and easy to crack.
  • Always log out of your email account if you use another person's computer to access it.
  • Add additional levels of authentication to your phone and computers for accessing your email accounts.
  • Use a password management tool but only those that you have checked out every detail of how it works.  Get some advice before selecting one if you don't understand all the implications those tools entail.
  • Add a password to your phone and set it so the phone will be locked or wiped clean if the wrong code is entered too many times.
  • Set up tools to let you remotely lock or wipe your phone if it is ever stolen.
  • Know how to immediately access your accounts and change the passwords without your phone or computer available to you.
  • Use common sense when you leave your computer turned on and logged into your accounts, or your phone is connected and just lying around.  Be careful out there!
