Email is the most popular utility on the Internet. Email messages use about 80% of Internet traffic. Though, so widespread in use, yet, people do not use it effectively and securely. Most of current use of email is like sending a post card via regular mail… it is open and anyone who can get hold of it can read it. Unfortunately, not enough people realize the implications of it. I have heard people claim that all email messages of today will be archived on some server in the near future and you will be able search the archives and read each and every message.
This article deals with preliminary security aspects of email. Detailed security matter: where making a given email message so secure that it can only be read by intended recipient, will be dealt in separate article in the future.
Here we suggest guidelines, which lead to selecting a secure email service for you and also keep tips as to how prevent it being cracked.
Note: There seems lot of misinformation about a hacker and a cracker. Even the people who claim to be most knowledgeable about Internet misuse the terms: they unfortunately use these terms interchangeably. A hacker is person who is extremely knowledgeable about computer system and is able to get around some of its published limitations using that knowledge. A cracker, on the other hand is an mal-intentioned person who may or may not be knowledgeable about the computer system but by some means is able to misuse the computer system to his personal benefit. In context to Internet he is able to e.g. crack your password and at the very least read your mail… and of course do many worse things.
Your Email Service Provider:
About five years ago VSNL started ISP service in India. At that time the only way to have email address was to subscribe to VSNL service. As a account holder, if you wanted more addresses (for wife/son/staff) you had to subscribe to more VSNL accounts. At that time free email services had not come in to being.
Since then came many free email services are available. One of the first one was a web based email service: http://www.hotmail.com. This was followed by many services e.g. Yahoo and others like http://www.usa.net. Today we see most people using free email address rather than that provided by their ISP (e.g. vsnl.com). There is advantage in having such an address. For example if you change your ISP your email address remains same and no need to inform your friends/relatives of changes of ISP. Also if it is web based service, then you could access it from anywhere… even from public cyber cafes.
However with free email service comes, hordes of cracking possibilities. These services are improving on their security setup. Yet, most of them quite easily cracked.
Deciding on the email service
Here is the first step most people would make mistake: by selecting one a service provider who will provide large disk space to store email or one with well known name e.g. http://www.hotmail.com
or http://www.yahoo.com . They rarely focus on the security aspect of email service which according to me should be a prime concern.
There are many aspects of security for an email service. One should look how services in question allow you to change/retrieve your password when you forget it. As this is one biggest security hole in present day email service system. This allows cracker to take control of your email account by changing password of the account and impersonating you to your friends and business associates on Internet.
For example services like Hotmail earlier just asked for your login name and popped up Hint question, which most cases had very simple and easy to answer questions. People who know you (your relatives/friends) can easily answer this question and take over your email account. Recently Hotmail has added one more layer, it also asks for your State and country before it pops hint question, but again anyone who knows you also knows e.g. you live in Mumbai, Maharashtra , India.
Yahoo is one step more secure than Hotmail, it asks for your birth date apart from your country before it flashes hint question.
Most users are naïve when it comes to selecting hint questions/answers. I know many users whose hint questions are:
Looking carefully at above questions, you can conclude that it won't take cracker, who knows you a bit, much effort to get answers, if he doesn't have the answer, its easy to ferret it out from person himself , by asking him what's his maternal uncle name surname and you will have answer to "Whats your mother's maiden name?"
- Who am I?
- Where was I born?
- What is my husband's name?
- What is my pets name?
- What is my mothers maiden name? (this one is default in most services).
As for where was I born, "Bombay" works for most users who live in Mumbai. If that doesn't work, a cracker will just tell them he does astrology and they will give out their date of birth and birthplace very happily.
Ideally one should draft a hint question in such a way that it (question itself) wont make any sense to someone who reads it. Even your brother or mom or best friend shouldn't know what that question is and what is the answer to it.
There are some well known services who are worse then Hotmail or Yahoo. They instead of resetting password on correct answer to question, give out existing password. One such service is http://www.indiatimes.com
Second most common mistake people make is to use the same password for different services not just that email service. For example someone whose password may be abcd1234 on Indiatimes may be same for his vsnl account too.
Ideally one should select service without password retrieval system. In event you lose/forget password, simply create new account and let world know it by personal emails. (since its free to create a new account).
One such service is http://www.hushmail.com its not only secure for passwords (no password retrieval) but also its email messages are encrypted by browsers before sending it, and decipher it through browser before reading it (if recipient is also hushmail.com subscriber). It uses very high level of security (1024-bit encryption) by Java enabled browsers. US government allows only 128 bit encryption to be exported. http://www.hushmail.com had to hire NON US CITIZEN programmers to create 1024-bit encryption service by stationing their programmers in Anguilla, a small UK protectorate in the Caribbean. (outside USA jurisdiction). Company itself is based in Dublin, Ireland.
Hushmail also offers private label email service, so your company can securely use yourcompanyname.com with 1024-bit encrypted email messages.
In conclusion at the primary level:
Select a email service provider who has reasonably secure way of password retrieval. For the this design a hint question and answer which only makes sense to you.
Please write back to me in case your email account has been cracked so that we can inform others to be on guard. firstname.lastname@example.org
(Vipul Shah is a Chartered Accountant, specializing in Online systems security and Ecommerce.)