Five Things: Protect Your Webmail Account

Wednesday, November 10, 2010

Robb Reck


The other morning when I started going through my email I saw one from my wife with the subject, "Respond ASAP." So of course, first thing I did was open the email and see what my wife needed from me:


I am really sorry to disturb you but you have to help me if you can, I had to rush off to Cyprus for something very important but unfortunately for me I was robbed in the cab I boarded and the robbers made away with my hand luggage were i had my air ticket, cash and other valuables. Infact as it stands right now I am stranded in the hotel where I am already owing them. 700 Euros

Please can you loan me 2000 Euros so that I can settle my bills and book the next flight home and I promise to pay you back immediately  I return.please get back to me and keep this between us.



Now, Kristin had been in the house just a few hours previously when I went to bed, and had no plans to visit Cyprus, as far as I knew. My wife also has a significantly better grasp on the English language. I started to suspect that perhaps this was not on the up-and-up. As I came downstairs the first words out of her mouth were, "My email was hacked."

So we headed to the computer and set to fixing things. The first problem was that the criminals had changed her password. They had not only broken in, but had locked her out. Rude, huh? Fortunately she had set up another email as backup so she could reset her password, and she did so. Then we logged in to the compromised account to find how many devious things they'd done. They had set all her emails to be forwarded to another account they controlled. They had attempted to delete her alternative email address, but fortunately the provider requires a waiting period before that goes into effect. They had changed her security questions.

We spent a bit of time setting things straight that morning, and she spent a day or two fielding emails and questions from two groups of people: (1) helpful friends who wanted to let us know her email was hacked and (2) helpful friends who thought she might really need some Euros.

The whole situation got me thinking about how vulnerable our webmail accounts are. Below is my list of easy ways to protect your internet email account.

1. Use a complex password. Yes, this is simple, and you've heard it countless times before, but still many people aren't using passwords with all four character sets. My wife's password wasn't horrible, it had 8 characters with letters and numbers, but clearly it wasn't good enough. A nice strong password can keep your private access private.

2. Set up an alternative email address. Make sure your internet email account has a backup email in there. Otherwise if you forget your password, or someone takes control of your account, you won't be able to get back in there. This feature wasn't always around, so if you've had your account for a long time you might not have had the option when you started. Make sure you're properly set up now.

3. Don't leave your account logged into public computers. If you ever need to sign into public computers (which is best avoided if possible!) be absolutely sure that you sign out of your accounts when you're done.

4. Change your password regularly. Even complex passwords can get hacked eventually. By changing your passwords you ensure that even if someone has managed to get your password they will be locked out. A combination of regular password changes and a complex password should keep the international bad guys out.

5. Check the settings on your account. If you ever suspect someone might have hacked your account, take some time and go through all of your account settings. Ensure they didn't change your alternative email address, security questions, turn on email forwarding, or any other little trick that might slip by you.

Take a moment and ensure that all your internet email accounts are secure. Sure you already know this stuff, but knowing doesn't do you any good if you don't put it into action. Go through these steps and maybe you can avoid being awakened in the morning, like my wife was, to find that your mother is seriously concerned that you got involved in some shady dealings in Cyprus.

Cross-posted from Enterprise InfoSec Blog from Robb Reck

Allan Pratt, MBA Good post, Robb.