Our email address today has become the equivalent of our social security number in many ways. A majority of Internet sites today use a person’s email address as their username. Think about how many sites you access on a regular basis with your email address:
- Social media sites such as Facebook or LinkedIn
- Online payment sites such as PayPal
- Utility accounts such as the Power Company, Water Company, etc.
- Travel sites such as Trip Advisor, Airbnb, etc.
Your email address is essentially your universal calling card today. Using one's email address as a username is convenient, both for the user and for the company managing the site. Convenience, however, rarely equates to security. It is for this reason that many financial organizations such as your bank, mortgage company or brokerage firm require you to create a unique username that is not derived from your email address. Assuming that one does not simply choose a username format of first initial/last name, this is far more secure. There are still two weak links in the armor, however.
Your password and email account!
One of the primary motivations for hackers to launch phishing attacks is to capture user passwords. The sad fact is that many people reuse the same password for all of their accounts. A traditional phishing attack tricks a user into clicking an embedded link to a forged website disguised as a legitimate one such as PayPal, eBay or Yahoo, and entering their logon credentials, including their password. If the site in question uses the user's email address as the username, the hacker can simply try these credentials on a multitude of other sites to see if he gets a hit. This is why the large-scale security breaches of Yahoo, in which over a billion accounts were compromised in 2013 and half a million in 2014, will have reverberations for years to come, assuming the afflicted users fail to change their stolen passwords.
The real prize however for many phishing attackers is to acquire ownership of a user’s email address. Consider the following scenario:
You receive an email informing you that the IT department is requesting that you change your password due to a recent security breach. The email includes an embedded link that takes you to a site in which you provide your email address and password.
Now the impostor has your email logon credentials and can access your account. Perhaps they log in and immediately search your existing emails for the word "bank", or maybe they simply monitor your emails for a week or two. Either way, they learn what kind of sites you access. They then visit these sites and request a password reset, which of course is sent to your email. The hacker simply opens the newly sent email, clicks the embedded link and enters a password of his choosing.
Many sites add a layer of security to this progression by requiring that a user fill out a form or answer a security question in order to request a password reset. A popular form field is your date of birth. This is easily obtained, however: a web search for the person will often reveal his or her current age, and the exact birthdate can then be found on their Facebook page, since many people post their birthday on social media (which is exactly why you should not). A popular security question asks for your mother's maiden name. This information can easily be acquired from sites such as Ancestry.com. In other words, logons that rely only on the authentication factor of "what a user knows" are highly vulnerable today in a connected world in which footprints of your personal data reside all throughout the Internet.
That is why it is essential to shore up these two highly vulnerable cyber security weak points. The first line of defense is a reputable and effective spam filter to protect unsuspecting users from phishing attacks. Email is still the preferred delivery method for cyberattacks, whether the goal is to capture logon credentials or to infect a device or network with malware such as ransomware, keyloggers and rootkits.
It is also time for organizations to admit that the era of protecting accounts with a single passphrase is over. Organizations must start implementing multifactor authentication, a factor being a method of authentication. The three types of authentication factors are:
- Something a user knows (password or answer to a question)
- Something a user has (some sort of physical device, certificate or token)
- Something a user is (biometric verification)
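As an added illustration (not code from the original post), the following Python sketch contrasts the knowledge-only reset flow described above with one that also demands a possession factor; the user records, the 15-minute token lifetime and the use of an RFC 6238 TOTP code as the "something a user has" are assumptions made for this example.

```python
import hashlib, hmac, secrets, struct

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1 + dynamic truncation)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    word = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{word % (10 ** digits):0{digits}d}"

class ResetService:
    """Toy reset back end; user records and token lifetime are assumptions."""
    TOKEN_TTL = 15 * 60                 # emailed reset links expire after 15 min

    def __init__(self, users: dict):
        self.users = users              # email -> {"dob", "totp_secret", "password"}
        self.tokens = {}                # one-time token -> (email, expiry)

    def request_reset(self, email: str, now: int) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (email, now + self.TOKEN_TTL)
        return token                    # a real service emails this as a link

    def _consume(self, token: str, now: int):
        # Single use: the token is removed whether or not the attempt succeeds.
        email, expiry = self.tokens.pop(token, (None, 0))
        return email if email and now < expiry else None

    def reset_knowledge_only(self, token, dob, new_pw, now) -> bool:
        # Weak: link + "something you know". Whoever controls the mailbox
        # and has looked up the birthday on social media passes this check.
        email = self._consume(token, now)
        if email is None or not hmac.compare_digest(self.users[email]["dob"], dob):
            return False
        self.users[email]["password"] = new_pw
        return True

    def reset_with_possession(self, token, code, new_pw, now) -> bool:
        # Hardened: link + "something you have" (authenticator-app code).
        # Mailbox control plus public data is no longer enough.
        email = self._consume(token, now)
        if email is None:
            return False
        expected = totp(self.users[email]["totp_secret"], now)
        if not hmac.compare_digest(expected, code):
            return False
        self.users[email]["password"] = new_pw
        return True
```

A real deployment would also rate-limit reset attempts and accept the adjacent TOTP window to tolerate clock drift.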
This combination of email protection and more than one authentication factor provides a powerful shield to protect users and the untold resources connected to these accounts.
Posted on March 7, 2017