Prioritizing the Protection of Primary Webmail Accounts

October 6, 2014

Not all accounts are created equal. It’s only natural that you would care less about an ESPN Fantasy Football account than you would care about your online banking or PayPal account. Anyone who spends even a little time thinking about security is careful to use a strong password and proceed with caution when accessing a service related to personal finance. However, a lot of users are also relatively careless about their primary webmail account, which often serves as a master key to all other accounts.

Think about it: whenever you set up nearly any online account, you’re prompted to enter a primary webmail account. There are a number of reasons for this. First and foremost, the service that you’re signing up for probably wants your email address for a variety of marketing and advertising reasons, the most obvious of which is so they can send you promotional content.

Much more importantly for us, this primary email account is also the place where you can recover online accounts if they become hijacked or if you forget your password. In this way, your primary email account is more sensitive than your PayPal or your banking account, because if the email account is compromised, so too are the PayPal and banking accounts.

Beyond that, a criminal in control of your webmail account can gather some serious intel about what other accounts you use online, and compromise those as well. Therefore, a hacked webmail account is, in more cases than not, the equivalent of someone hacking your entire digital life.

This is why we constantly and relentlessly remind you to use strong passwords and enable two-factor authentication and all other available security controls for accounts of importance.

It’s not just your primary email account you should worry about.

Google and Apple accounts, depending on how you use those services (especially Gmail or iCloud), can potentially provide access to vast swaths of your online and physical existence. Additionally, Facebook and Twitter can have access to scores of other online accounts and should be considered critical as well. Facebook’s Connect feature, in particular, acts as an authentication agent all over the web.

OpenID provides a similar service that – if compromised – could give an attacker access to any number of online accounts, including your primary webmail, so it should be strongly protected as well.

It’s impossible to say what accounts you use for which purposes, but you should occasionally audit yourself. Really examine your accounts’ settings pages and determine how they are connected to one another and to third party apps and services, and act accordingly.

Long story short: you need to start handling that primary email address in the same way you handle your online banking account, or perhaps even more carefully since it is your most precious online account. Do you access your bank account from public or unfamiliar computers? Then you shouldn’t access your primary email address like that either, because there is no way to know for certain if any computer other than your own is safe.

It’s not just yourself you should worry about either.

Your hacked accounts affect the lives of all of your contacts. It’s like refusing to get a flu shot or to vaccinate your children: these are not decisions that affect only you; they affect everyone. If you contract measles, you impose the risk of infection on nearly everyone you come into contact with.

Similarly, when and if your account is hacked, attackers will use it as a tool to attack the accounts of your friends, family and digital acquaintances. A good attacker will look through a hacked account, gather context and send malicious emails that are nearly impossible for a human to recognize as such. A strong antivirus solution will protect you against email-borne attacks containing malware.

Kaspersky security products also contain anti-phishing technologies that will detect phishing websites and warn you about them. This sort of protection will prevent you from handing over valued information to sites designed to look like the legitimate services you use. Ultimately, such anti-phishing protections could keep you from accidentally giving away your password and username combo, and thus access to a valued account, over to an attacker.

Security is hard, but if we work together, follow these steps and deploy multiple layers of protection, we are all better off.