Crossbow Labs

Securing email – for users


Email security can be breached in 3 places:

  1. System used by user for email (Sender and Receiver)
  2. Email in transit from sender to receiver
  3. When email is stored on a server

Emails are stored locally and at the ISPs of both the user and the recipient, and there are different ways that hackers or law enforcement can gain access to them.

Legally, law enforcement bodies may not be able to get access to emails saved locally on the user’s computer, but they can get them from the ISP. ISPs create end-user service agreements that users must agree to abide by to continue using the services offered by the ISP.

Trending methods of email security threats

  1. Ransomware: A type of malicious program/software that will not allow you to access your computer system unless you pay the sum of money demanded.

    The mail is delivered to a user’s inbox. The user opens the mail and one of the following happens:

    • The user clicks the attachment
    • A drive-by download takes place
    • The user clicks on the link in the e-mail

    Without the user’s knowledge, the malicious software is downloaded and the computer system being used gets locked. It is unlocked when the sum of money is paid.

  2. Phishing: The hacker tries to learn the user’s sensitive personal information, such as credit/debit card numbers, bank account details, personal identification numbers etc., through social engineering methods and advanced computer programming. The phishing mail will have:

    • Questions asking for personal information, for the user to fill in
    • A link to a website (the user is asked to verify themselves by clicking the link) which might look like a real organisation’s website, where they have to fill in the personal information

    This way the hacker tries to extract relevant personal information from the user, which gives some advantage over the user for further exploitation or monetary gain.

  3. Spoofing: This method is used by a hacker who acts as a source known to the user in order to get the targeted information. The targeted information is asked for by threatening the user through:

    • Inviting them on to a malicious website
    • Emails and phone calls, individually or in combination
    • A computer spoofing an IP address
    • Address Resolution Protocol (ARP) etc.

  4. Key Loggers: The hacker sends a mail with malicious software. The user unknowingly clicks a link and the software is installed in the background. This software logs every key that the user presses on the keyboard. This method is used to learn IDs, passwords, personal messages, credit/debit card numbers, CCV2 numbers etc.

Secure Email Practices (From User Perspective)

  • Choose a mail service that provides 2-Factor Authentication (2FA). Two-factor authentication can take the form of a text message, an automated call or an app-based OTP
  • Set a password that is unique and does not relate to you in any way: alphanumeric, with uncommon special characters and a minimum length of 10 characters
  • Do not click on emails or messages containing suspicious links
  • Do not provide any information – personally identifiable information, bank account details, credit/debit cards, OTP etc.
  • Consider using a VPN on your computer & phone
  • Always have an updated & strong antivirus on your systems
  • If you are using Wi-Fi, secure your Wi-Fi router by setting a password as described in the second point of these secure email practices
  • Of course, do not use public unsecured Wi-Fi for internet banking, online shopping, sharing personal information or, for that matter, normal internet browsing – Facebook, Instagram, Twitter or any of your social media accounts
  • Keep your systems – computers & mobiles – updated with the latest software. This will help reduce the attacks from old technology
  • If your bank has an option to limit a transaction value, please use it. This helps to reduce the impact of an attack. You can always approach the bank when you wish to transact in large amounts.

Additional Resources – https://twitter.com/crossbowlabs/status/1257233517869596674