Email Security after equifax breach

andyandyandy
Posts: 258
Joined: Sat Jan 18, 2014 11:36 am

Email Security after equifax breach

Post by andyandyandy » Sat Oct 07, 2017 6:01 am

Since a lot of info is stolen, how do we deal with our email ID associated with various financial institutions?
Should we replace with another?

Although email has 2 Factor + strong passwords.

Another question - since emails have a lot of communication and information these days - how do we remove all that sensitive information from emails?
It will be tons of time to cleanup. Any suggestions?

Thanks for this discussion!

Hockey10
Posts: 131
Joined: Wed Aug 24, 2016 12:20 pm
Location: Philadelphia suburbs

Re: Email Security after equifax breach

Post by Hockey10 » Sat Oct 07, 2017 8:49 am

I use a separate e-mail for my financial accounts. Other than a few financial institutions and me, nobody knows about this account. It is listed in my Letter of Instruction, so my heirs will be able to figure out where all my financial e-mails go to.

andyandyandy
Posts: 258
Joined: Sat Jan 18, 2014 11:36 am

Re: Email Security after equifax breach

Post by andyandyandy » Sat Oct 07, 2017 9:06 am

Thanks! 'how much' secret should we keep that email ID? Just for financials?

When we place let's say equifax freeze type of activities- do we provide their 'financial email ID' or regular?
Do we keep an eye on 'financial email ID'? What is recovery mechanism of 'financial email ID'?

Also please help me on suggestions on how do I cleanup sensitive information from my current email IDs?
Any tools available for it?

Thanks again and hoping for useful discussion.

2015
Posts: 907
Joined: Mon Feb 10, 2014 2:32 pm

Re: Email Security after equifax breach

Post by 2015 » Sat Oct 07, 2017 9:26 am

andyandyandy wrote:
Sat Oct 07, 2017 9:06 am
> Thanks! 'how much' secret should we keep that email ID? Just for financials?

Mine is strictly for financials

> When we place let's say equifax freeze type of activities- do we provide their 'financial email ID' or regular?

No, I provide to no one (it is in my estate planning documents for my executor to access).

> Do we keep an eye on 'financial email ID'? What is recovery mechanism of 'financial email ID'?

See the link in my post below. It's as close as I've been able to find to setting up a financial email with no phone number recovery mechanism. Gmail recovery mechanism is 1) Google authenticator; 2) Google backup codes;

> Also please help me on suggestions on how do I cleanup sensitive information from my current email IDs?

Personally, I will be migrating from Hotmail to Gmail as Hotmail has no system for not using text recovery mode like gmail does.

> Any tools available for it?
>
> Thanks again and hoping for useful discussion.

This is my plan, as posted previously (see the link imbedded as well):

viewtopic.php?f=11&t=227649&p=3545230#p3544706

andyandyandy
Posts: 258
Joined: Sat Jan 18, 2014 11:36 am

Re: Email Security after equifax breach

Post by andyandyandy » Sat Oct 07, 2017 12:57 pm

Thank you very much!

Jeff Albertson
Posts: 404
Joined: Sat Apr 06, 2013 7:11 pm
Location: Springfield

Re: Email Security after equifax breach

Post by Jeff Albertson » Sat Oct 07, 2017 1:11 pm

There are also postal mail security concerns associated with the Equifax breach and the post office's 'Informed Delivery' service. Authentication is weak, meaning someone could sign up for the service posing as you.
A free new service from the U.S. Postal Service that provides scanned images of incoming mail before it is slated to arrive at its destination address is raising eyebrows among security experts who worry about the service’s potential for misuse by private investigators, identity thieves, stalkers or abusive ex-partners. The USPS says it hopes to have changes in place by early next year that could help blunt some of those concerns.
https://krebsonsecurity.com/2017/10/usp ... ers-dream/

BolderBoy
Posts: 3400
Joined: Wed Apr 07, 2010 12:16 pm
Location: Colorado

Re: Email Security after equifax breach

Post by BolderBoy » Sat Oct 07, 2017 4:22 pm

For your really sensitive accounts (financial) I would recommend changing your login username away from your email address. For the average hacker, knowing your email address is your username on XYZ site is basically giving her 1/2 of the access needed to get into your account.

If both your username and password are gibberish (longer = better), hackers - like burglars - will move on to an easier target.
“Where you stand, depends on where you sit” - Rufus Miles | "Never underestimate one's capacity to overestimate one's abilities"

Mudpuppy
Posts: 5430
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Email Security after equifax breach

Post by Mudpuppy » Sat Oct 07, 2017 5:57 pm

BolderBoy wrote:
Sat Oct 07, 2017 4:22 pm
For your really sensitive accounts (financial) I would recommend changing your login username away from your email address. For the average hacker, knowing your email address is your username on XYZ site is basically giving her 1/2 of the access needed to get into your account.

If both your username and password are gibberish (longer = better), hackers - like burglars - will move on to an easier target.
I'm not convinced in this method. It strikes me too much as security through obscurity. From a psychological perspective, most people will employ more "best practices" when they go into things assuming that the attacker knows their email address. Then you think about how to protect that email address, your passwords, and the enabled password reset methods at each financial site, rather than assume that the obscure email address will provide protection. Not only does this help users employ a better mindset, it also helps when the financial site allows someone to look up the username (email address) with a social security number.

Using a separate email for financial sites is still a good practice. It isolates your financial transactions from your everyday conversations and isolation is a best practice. It also allows you to lock down that email account to make it a harder target for attackers. Just don't count on the email address remaining unknown as part of your security practices.

andyandyandy
Posts: 258
Joined: Sat Jan 18, 2014 11:36 am

Re: Email Security after equifax breach

Post by andyandyandy » Sat Oct 07, 2017 9:53 pm

Thank you all!
How often do you keep eye on 'financial email'? Since to keep it secure we possibly avoid on mobile?
Should we use 'financial email' only on dedicated financial laptop?

BolderBoy
Posts: 3400
Joined: Wed Apr 07, 2010 12:16 pm
Location: Colorado

Re: Email Security after equifax breach

Post by BolderBoy » Sun Oct 08, 2017 9:48 am

Mudpuppy wrote:
Sat Oct 07, 2017 5:57 pm
BolderBoy wrote:
Sat Oct 07, 2017 4:22 pm
For your really sensitive accounts (financial) I would recommend changing your login username away from your email address. For the average hacker, knowing your email address is your username on XYZ site is basically giving her 1/2 of the access needed to get into your account.

If both your username and password are gibberish (longer = better), hackers - like burglars - will move on to an easier target.
I'm not convinced in this method. It strikes me too much as security through obscurity. From a psychological perspective, most people will employ more "best practices" when they go into things assuming that the attacker knows their email address. Then you think about how to protect that email address, your passwords, and the enabled password reset methods at each financial site, rather than assume that the obscure email address will provide protection. Not only does this help users employ a better mindset, it also helps when the financial site allows someone to look up the username (email address) with a social security number.

Using a separate email for financial sites is still a good practice. It isolates your financial transactions from your everyday conversations and isolation is a best practice. It also allows you to lock down that email account to make it a harder target for attackers. Just don't count on the email address remaining unknown as part of your security practices.
Opinions vary.

If one half of gaining access to a user's account is knowing the username, and that username is publicly available, well...
“Where you stand, depends on where you sit” - Rufus Miles | "Never underestimate one's capacity to overestimate one's abilities"

Mudpuppy
Posts: 5430
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Email Security after equifax breach

Post by Mudpuppy » Sun Oct 08, 2017 1:40 pm

BolderBoy wrote:
Sun Oct 08, 2017 9:48 am
Mudpuppy wrote:
Sat Oct 07, 2017 5:57 pm
BolderBoy wrote:
Sat Oct 07, 2017 4:22 pm
For your really sensitive accounts (financial) I would recommend changing your login username away from your email address. For the average hacker, knowing your email address is your username on XYZ site is basically giving her 1/2 of the access needed to get into your account.

If both your username and password are gibberish (longer = better), hackers - like burglars - will move on to an easier target.
I'm not convinced in this method. It strikes me too much as security through obscurity. From a psychological perspective, most people will employ more "best practices" when they go into things assuming that the attacker knows their email address. Then you think about how to protect that email address, your passwords, and the enabled password reset methods at each financial site, rather than assume that the obscure email address will provide protection. Not only does this help users employ a better mindset, it also helps when the financial site allows someone to look up the username (email address) with a social security number.

Using a separate email for financial sites is still a good practice. It isolates your financial transactions from your everyday conversations and isolation is a best practice. It also allows you to lock down that email account to make it a harder target for attackers. Just don't count on the email address remaining unknown as part of your security practices.
Opinions vary.

If one half of gaining access to a user's account is knowing the username, and that username is publicly available, well...
But that's my point, the username may very well be "publicly available" to a hacker with the victim's social security number through any number of "forgot your username?" prompts. Don't count on the username being hidden as part of your security plan.

BolderBoy
Posts: 3400
Joined: Wed Apr 07, 2010 12:16 pm
Location: Colorado

Re: Email Security after equifax breach

Post by BolderBoy » Sun Oct 08, 2017 8:12 pm

Mudpuppy wrote:
Sun Oct 08, 2017 1:40 pm
BolderBoy wrote:
Sun Oct 08, 2017 9:48 am
If one half of gaining access to a user's account is knowing the username, and that username is publicly available, well...
But that's my point, the username may very well be "publicly available" to a hacker with the victim's social security number through any number of "forgot your username?" prompts. Don't count on the username being hidden as part of your security plan.
Ah. Okay, now I understand what you are getting at.

Without thinking about the implications of a "forgot your username" prompt, for many years I used my SSN as my username on one particular financial website. :oops:
“Where you stand, depends on where you sit” - Rufus Miles | "Never underestimate one's capacity to overestimate one's abilities"

Mudpuppy
Posts: 5430
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Email Security after equifax breach

Post by Mudpuppy » Mon Oct 09, 2017 11:33 am

BolderBoy wrote:
Sun Oct 08, 2017 8:12 pm
Mudpuppy wrote:
Sun Oct 08, 2017 1:40 pm
BolderBoy wrote:
Sun Oct 08, 2017 9:48 am
If one half of gaining access to a user's account is knowing the username, and that username is publicly available, well...
But that's my point, the username may very well be "publicly available" to a hacker with the victim's social security number through any number of "forgot your username?" prompts. Don't count on the username being hidden as part of your security plan.
Ah. Okay, now I understand what you are getting at.

Without thinking about the implications of a "forgot your username" prompt, for many years I used my SSN as my username on one particular financial website. :oops:
As I recall, for many years there was no option to change your username away from the SSN at one particular investment company. When I reactivated an account there, one of the first things I did was change the username away from my SSN to something alphanumeric. The username policies are not always wise, which is why I don't count on usernames being kept secret.

andyandyandy
Posts: 258
Joined: Sat Jan 18, 2014 11:36 am

Re: Email Security after equifax breach

Post by andyandyandy » Mon Oct 09, 2017 1:24 pm

Few follow up questions on email(and phone security):

As per article below:

https://www.forbes.com/sites/laurashin/ ... cb30ff360f

we should have a google voice number too for financials. I tried and text messages to google voice won't auto forward to your cell phone(good).
but will we not to forward google voice to some physical phone(Let's say cell)? So will not it defy the purpose of cell phone porting freeze?
If hackers port cell phone to which google voice is forwarded- they get all the calls(no texts though) - unless we put google voice to 'do not disturb'.
But if we put GV to 'do not disturb' - then don't we miss important calls from bank? My credit card company called once when they found some suspicious activity.

Also would you have some recovery methods on your financials emails(Phone or email)? If yes- would it not defy the purpose again?
May be I am thinking too much :?

skjoldur
Posts: 125
Joined: Thu Sep 25, 2014 3:11 pm

Re: Email Security after equifax breach

Post by skjoldur » Tue Oct 10, 2017 10:29 am

andyandyandy wrote:
Mon Oct 09, 2017 1:24 pm
Few follow up questions on email(and phone security):

As per article below:

https://www.forbes.com/sites/laurashin/ ... cb30ff360f

we should have a google voice number too for financials. I tried and text messages to google voice won't auto forward to your cell phone(good).
but will we not to forward google voice to some physical phone(Let's say cell)? So will not it defy the purpose of cell phone porting freeze?
If hackers port cell phone to which google voice is forwarded- they get all the calls(no texts though) - unless we put google voice to 'do not disturb'.
But if we put GV to 'do not disturb' - then don't we miss important calls from bank? My credit card company called once when they found some suspicious activity.

Also would you have some recovery methods on your financials emails(Phone or email)? If yes- would it not defy the purpose again?
May be I am thinking too much :?
I have set up google voice with no forwarding. I login to see texts (and get voicemail). I think you are correct that if you forward the voice/texts to a phone number then you re-introduce the risk of having your phone ported.

I don't think I will use my google voice number for accounts like credit cards. The thing I am most concerned about is protecting my investment portfolio.

Gmail/google accounts have good recovery options. You can use a yubikey, google authenticator, and you can print out a sheet of one-use-only codes to store safely somewhere.

Rupert
Posts: 2670
Joined: Fri Aug 17, 2012 12:01 pm

Re: Email Security after equifax breach

Post by Rupert » Tue Oct 10, 2017 11:13 am

andyandyandy wrote:
Sat Oct 07, 2017 9:53 pm
Thank you all!
How often do you keep eye on 'financial email'? Since to keep it secure we possibly avoid on mobile?
Should we use 'financial email' only on dedicated financial laptop?
I think checking your secret financial email account once a week is enough. Never access it on your phone. It would be nice to have a separate computer for it, but you can also just use a different browser to access it, a browser you never use for checking your regular email account, general internet surfing, shopping, etc.

wassabi
Posts: 355
Joined: Sun Feb 02, 2014 8:06 am

Re: Email Security after equifax breach

Post by wassabi » Tue Oct 10, 2017 7:12 pm

A couple thoughts to keep in mind as you ponder email security:
  • Don't rely on Google Voice. Google has a history of killing off programs and they can certainly do the same with Google Voice. Google Voice is not a big source of revenue for them which makes it an even bigger target
  • Consider switching to a paid email service. Gmail and the other free services can work just fine if you employ the right security measures, but if something does happen you need to be able to contact someone and receive help ASAP. I use Fastmail and highly recommend it for anyone interested in a paid service from a company that respects privacy and a commitment to customers. If your account became compromised, at least you know you can reach out and have someone personally work with you in a very short amount of time to disable your account while the incident is investigated

thecarrotfund
Posts: 35
Joined: Sat Jan 09, 2016 10:20 am
Location: Scottsdale, AZ

Re: Email Security after equifax breach

Post by thecarrotfund » Fri Oct 13, 2017 11:30 am

What is the process to create a financial gmail if I'm already using gmail? Thanks in advance. You all have been keeping me very busy freezing, changing passwords, etc.
"not all storms are in the forecast"

2015
Posts: 907
Joined: Mon Feb 10, 2014 2:32 pm

Re: Email Security after equifax breach

Post by 2015 » Fri Oct 13, 2017 2:58 pm

andyandyandy wrote:
Mon Oct 09, 2017 1:24 pm
Few follow up questions on email(and phone security):

As per article below:

https://www.forbes.com/sites/laurashin/ ... cb30ff360f

we should have a google voice number too for financials. I tried and text messages to google voice won't auto forward to your cell phone(good).
but will we not to forward google voice to some physical phone(Let's say cell)? So will not it defy the purpose of cell phone porting freeze?
If hackers port cell phone to which google voice is forwarded- they get all the calls(no texts though) - unless we put google voice to 'do not disturb'.
But if we put GV to 'do not disturb' - then don't we miss important calls from bank? My credit card company called once when they found some suspicious activity.

Also would you have some recovery methods on your financials emails(Phone or email)? If yes- would it not defy the purpose again?
May be I am thinking too much :?
As I posted above, I will be using Yubikey on a gmail account dedicated strictly to financial accounts. The two recovery methods will include the Google Authenticator app and printed Google backup codes. There will be no phone number associated with this gmail account. See the link in my post above for a very easy explanation and steps on setting this method up.

I am not going so far as having a dedicated phone number for financial accounts because my phone interactions with financial institutions and other account vendors are almost nil, and when they do occur they are initiated by me when I have a question to which I cannot find an answer online. I have text and email alerts of all kinds on every one of my accounts, so no phone alerts are necessary. Due to the gmail account dedicated to financials having no phone number attached, hackers will be unable to reset my accounts, much less port my phone.

Rupert
Posts: 2670
Joined: Fri Aug 17, 2012 12:01 pm

Re: Email Security after equifax breach

Post by Rupert » Fri Oct 13, 2017 3:04 pm

thecarrotfund wrote:
Fri Oct 13, 2017 11:30 am
What is the process to create a financial gmail if I'm already using gmail? Thanks in advance. You all have been keeping me very busy freezing, changing passwords, etc.
Just open a new gmail account, and don't link it to your existing account. It helps if you use a different browser than you normally use. Otherwise, Google seems to link everything automatically.

andyandyandy
Posts: 258
Joined: Sat Jan 18, 2014 11:36 am

Re: Email Security after equifax breach

Post by andyandyandy » Tue Oct 17, 2017 8:20 pm

Thank you all for so many good advices! Few followup questions:

1) Since we are removing physical and cell phones , what will be the recovery method of your 'google voice mail'?
2) Same question for 'financial email' will it have a recovery 1) email 2) Phone? If yes what is the best way to set it?

Thanks!

Cunobelinus
Posts: 119
Joined: Tue Dec 04, 2012 5:31 pm

Re: Email Security after equifax breach

Post by Cunobelinus » Tue Oct 17, 2017 10:31 pm

Jeff Albertson wrote:
Sat Oct 07, 2017 1:11 pm
There are also postal mail security concerns associated with the Equifax breach and the post office's 'Informed Delivery' service. Authentication is weak, meaning someone could sign up for the service posing as you.
A free new service from the U.S. Postal Service that provides scanned images of incoming mail before it is slated to arrive at its destination address is raising eyebrows among security experts who worry about the service’s potential for misuse by private investigators, identity thieves, stalkers or abusive ex-partners. The USPS says it hopes to have changes in place by early next year that could help blunt some of those concerns.
https://krebsonsecurity.com/2017/10/usp ... ers-dream/
I actually think that the USPS system is quite secure. It has successfully rebuffed me on no less than three occasions when I try to sign up, and I'm quite familiar with my personal information.

</sarcasm>

lazydavid
Posts: 1146
Joined: Wed Apr 06, 2016 1:37 pm

Re: Email Security after equifax breach

Post by lazydavid » Wed Oct 18, 2017 5:17 am

skjoldur wrote:
Tue Oct 10, 2017 10:29 am
I have set up google voice with no forwarding. I login to see texts (and get voicemail). I think you are correct that if you forward the voice/texts to a phone number then you re-introduce the risk of having your phone ported.
The risk returns, but requires a far more sophisticated attack if you set it up right. The key is to give everyone your GV number and no one your actual cell phone number. Get a new number if you've already given yours out--take advantage of a BOGO offer that typically requires a new line to get yourself a new phone in the process. :) Port your old number to GV and terminate that line of service.

A casual attacker who has access to a bunch of your information from various breaches will only have the GV number, which they're unable to port. A determined attacker who has targeted you specifically can probably find your real number eventually, but it's going to be a lot of work if you have at least decent security practices. Why bother when there are millions of easier victims?

mptfan
Posts: 4173
Joined: Mon Mar 05, 2007 9:58 am

Re: Email Security after equifax breach

Post by mptfan » Wed Oct 18, 2017 8:23 am

skjoldur wrote:
Tue Oct 10, 2017 10:29 am
Gmail/google accounts have good recovery options. You can use a yubikey, google authenticator, and you can print out a sheet of one-use-only codes to store safely somewhere.
Google has a new, more secure, security option.

viewtopic.php?f=11&t=230033
I eat risk for breakfast. :)
