What would be the consequences of someone getting access to your email account for just a few minutes?
Your email address connects you to friends and family as well as business contacts. You may, like most of us in this connected world, have more than one address, a home and work email perhaps.
Just how important to you is it? Would it be more than a temporary inconvenience to you if you lost it or for some reason it was unavailable for even a short space of time?
If you, like the vast majority of us, protect your email address with only a username and password, you are vulnerable, and for most of you the consequences of someone hacking your account simply by guessing the password would be utterly disastrous. (I’ve written about passwords before.)
Your email address is likely to be the username for many of the services you use on the internet, including your bank account. It is also the mechanism most of these systems use to let you reset your password, and many will use it to reset your username as well.
Anyone able to gain access to your email account will therefore potentially have the ability to change every password you have on every service you use: your bank details, Twitter, Facebook, Google Apps, everything!
In a recent incident a friend of one of Ecommnet’s development staff lost access to her email account: it was hacked.
Both her Google business account and her personal Gmail account were compromised and she is totally locked out.
She has permanently lost access to her invoices, contacts, customers, calendars, etc.
The attacker tried 7 times to gain access to her bank account and paid for £1000 worth of goods with PayPal. The attacker also reset her passwords on every service she had tied to her email account, social networks included.
All of this could have been avoided if 2FA (two factor or two step authentication) had been switched on.
If you have any important services linked to your personal email accounts, just do it! Turn on 2FA.
In practical terms, if you’re looking to protect your personal accounts then always turn on two step authentication for any service that offers it. If the service supports Google Authenticator, use that: it supports multiple accounts in one app and saves you having to remember a different procedure for each service.
For anything that involves business information over the Internet, use an enterprise grade 2FA system such as the Gemalto SafeNet Authentication Service and integrate it across everything: in my view that includes network login as well as remote VPN access, and all of your cloud based services such as Citrix ShareFile, Office 365, Google Apps for Business and Salesforce.com.
Stay away from SMS-only token-based systems, as they are far too easily compromised, as was recently demonstrated by You & Yours on BBC Radio 4.
It makes sense to let users choose their own token, and SAS supports phone based authentication as well as a wide variety of hardware tokens. If you need more information, please get in touch.