Email Security After the Epsilon Incident
There has been a lot of talk in the security industry surrounding the recent data breach experienced by database marketing vendor Epsilon. As detailed in reports, the company’s email system was broken into, enabling the attacker to obtain information such as names and email addresses associated with Epsilon’s customers. Trend Micro researcher Rik Ferguson listed a number of the affected customers in his CounterMeasures blog entry here.
Last year, I talked about how users are not fully aware of the consequences of having their email accounts compromised as well as how such instances can lead to information and identity theft. I think the points I raised then are things that users, especially those affected by the breach, should fully understand. While this breach did not involve user passwords as well as email accounts, a number of risks still exists.
In many ways, our email account is like the backbone of our online profile. Regardless of how much we favor social media in terms of communicating (as opposed to email), most if not all social media channels require users to sign up for an email account before being able to communicate with others at all. More importantly, transactions related to online banking, online shopping, and booking flights or hotel accommodations online are all dependent on the user having a valid email account to which important information can be sent. Needless to say, email accounts contain valuable and personal information and should be appropriately secured.
Now, considering the nature of information exposed by the breach, its effect is quite comparable to an attacker getting a sneak peek of the contents of users’ inboxes. While the attacker cannot directly access the victim’s email account, they do know some of the types of email the user typically receives (in relation to whichever Epsilon customer the user is associated with). This places the affected users at greater risk of being victimized by many known Web threats such as spear phishing and spam attacks.
Under such circumstances, users—whether affected by the breach or not—are strongly urged to take action and to apply means to secure their email addresses as soon as possible. Steps to do so may include:
- Make sure you don’t use publicly available information in the password-recovery process of your email provider. It was mentioned that “only” names and email addresses were acquired by the attackers during the breach. However, this may not stop them from trying to break in to the email addresses through different means, one of the most likely being the password-recovery process.
- Do not reuse passwords for different accounts, be they email, social networking, or any other account. In relation to the first tip, if an attacker successfully breaks into the user’s email account, the attacker may try to use the credentials to log in to other accounts such as social networks in hopes of accessing these as well.
- Make sure your password is complex enough to prevent casual brute forcing, Change passwords regularly. Using brute-force attacks to break in to accounts is a technique commonly used by cybercriminals. Thus, using fairly complex passwords can provide added protection and can prevent attackers from easily breaking in to users’ accounts.
- Be extra cautious of email messages asking you to click links or to confirm personal information. Phishing attacks, particularly their email components, are crafted to appear legitimate and to persuade you to follow their instructions. A better alternative is to go directly to a trusted website and conduct your business there.
- Use a password manager to securely store passwords. This has the additional benefit of allowing you to use extremely complex passwords with all sorts of random letters, numbers, and symbols that you may not be able to memorize.
Most importantly, users should always follow online best practices. Bear in mind that similar threats are out there and are likely to appear again. Just when we think everything is safe, we may fall victim to yet another malicious scheme.
Post from: TrendLabs | Malware Blog – by Trend Micro
Email Security After the Epsilon Incident
Spotlight
Cloud Computing
- HR could play leading part in BYOD success
- US still safest bet among data center destinations
- Commission makes controversial security recommendation
- Government agencies working toward secure procurement
Virtualization
- Virtualization-specific challenges could threaten data security
- Evolving threats put security skills in high demand
- Virtualization security requires education, access control management
- Tips for launching effective virtual security tools
Internet Safety
- Virtualization-specific challenges could threaten data security
- Evolving threats put security skills in high demand
- Virtualization security requires education, access control management
- Tips for launching effective virtual security tools
Vulnerabilities & Exploits
CTO Insights
First Line of Defense
Newsletter
Stay up to date with the latest news and information on online threats.
Recent News
- Workforce mobilization becoming the new normal in healthcare
- Best practices for users to stay secure while virtualizing
- HR could play leading part in BYOD success
- US still safest bet among data center destinations
Tag Cloud
cloud cloud computing cloud computing security Cloud Security Compliance & Regulations Consumerization Current News cybercrime Data Privacy data security Encryption Government Policy Internet Protection Internet Safety Internet Safety - DO NOT USE Internet Security Malware Mobile Security Mobility Policy Policy - DO NOT USE Privacy Privacy & Policy Private Cloud Public Cloud Reports Research Spotlight threat intelligence threat research Trend Labs Underground Economy virtualization Vulnerabilities Vulnerabilities - DO NOT USE web security web threats
Comments
No comments yet