Practical E-Mail Security Lessons from Ashley Madison

September 19, 2015, 2:00 pm

Unless you’ve been truly off the grid the past few weeks, you’ve heard about the hack of Ashley Madison, the website dedicated to making extramarital affairs as easy as online dating.

Are you one of those unlucky would-be Romeos whose account details on Ashley Madison are now bared to hackers, crooks, journalists, and security analysts?

Yes? Oops. Well, here are some suggestions for how to avoid this kind of stress in the future.

No? Whew! But that doesn’t mean you’re safe from future attacks of this kind, even if the sites you tend to spend your time on are more reputable.

So let’s take a look at the lessons from the Ashley Madison hack from a security and privacy perspective.

Morality is not the lesson

First, let’s talk about what should not be the lesson: Morality.

A lot of the snickering schadenfreude out there about Ashley Madison users getting their comeuppance through public shaming misses the point. This kind of attack could have happened to any special interest site on the Internet for any reason (and it does, as I’ll discuss shortly).

This time the targets were (mostly) men who wanted to have an affair, and the attackers’ stated motive was Ashley Madison’s business practices, especially the company’s offer to “delete” account information for a fee, a service that reportedly did not remove everything it promised to.

But next time the attack will be on a completely different service with different users and for different reasons. These kinds of attacks happen all the time.

Don’t believe me? Let me give you a real-life personal example of a similar kind of attack on a more mainstream site. I have an account on Forbes.com, and I got notice from Forbes in February of last year that their site had been hacked and e-mail addresses and hashed passwords had been downloaded. Why was Forbes.com a target? Well, turns out an organization called the Syrian Electronic Army took exception to articles about Syria and decided to get some payback.

Not a subscriber to Forbes.com either?

Do you shop online? Zappos and Living Social have been victims of hacks in the past few years.

Are you a techie? Gawker/Gizmodo/Lifehacker were breached.

Are you a gamer? Sony’s PlayStation Network was hacked.

Do you have health insurance? Anthem was hit by an attack.

I’ll stop with the examples. You get the idea.

So no one’s activity online, no matter what your interests, is really safe.

Okay, so what are some of the practical lessons from the Ashley Madison attack?

First lesson: Use multiple email accounts

These days, everyone who is active online should be using multiple e-mail addresses. You should have one e-mail address for work, one for people and businesses you know and trust, and at least one address for everything else.

The reason should be obvious at this point. E-mail is a key to your privacy kingdom. Your primary address is the password-reset channel for almost every other account you own, and the address alone is enough to link you across breach dumps: anyone who knows it can search leaked databases for it, see which sites you registered on, and often tie the whole collection back to your real name.

Why is this a problem?

Some 15,000 government workers reportedly used their government e-mail addresses to sign up for Ashley Madison. Many more used their business e-mail accounts to sign up, and they are now facing the consequences of being exposed. As an example, the executive director of the Louisiana GOP is trying to explain he was using Ashley Madison for “opposition research.” So you need to think carefully about what e-mail address to use when you register for a website.

You should think about your e-mail addresses (and how you use them) like the rings of defense in a fortress. Castles had successive lines of defense, each stronger than the last, and so should you.

The Citadel: Your business e-mail address

Never sign up for anything not business-related with your business e-mail account. This should be an absolute rule, and it is even more important if you work in government, in education, in media, or in any high-profile position. Let me say this again because it is so important: only use your business e-mail for business sites and services, meaning sites that you wouldn’t mind your boss or colleagues finding out you had signed up for.

Example of “citadel” e-mail accounts:

john.smith@acme.com

john.smith@acme.edu

The Inner Wall: Your primary personal address (or school address)

Obviously you need a primary e-mail address for your friends and family and for a small number of important websites that you trust, or simply have to trust, like those of financial institutions. This primary e-mail is likely the Gmail, Yahoo, Apple, or AOL account you’ve had for some time.

But this account should only be used with friends, family, and those handful of critical sites like your bank and your insurance company and your utilities. Don’t use your primary e-mail address for registering for any other websites, including online shopping, games, or promotional offers.

If you’re using this account for other sites, go to those sites and change the e-mail to your second address below (the “outer wall”).

Example “inner wall” e-mail accounts:

johnsmith_777@gmail.com

john_smith_jr@yahoo.com

The Outer Wall: Your “everything else” address

This should be an additional Gmail, Yahoo, or other online e-mail address you create just for signing up to all those other sites and services out there that you’re interested in – everything from social media to shopping to news to blogs. Using this second address instead of your primary address limits the damage when (not if) these sites are hacked: a breach exposes an address that is tied to nothing important. I know it’s a pain to have another e-mail address, but the added security is well worth it, and you don’t have to check this e-mail every day. You’re mostly going to receive marketing here. Do give it a strong, unique password, though, because it is still the password-reset channel for every site you register with it.

Example “outer wall” e-mail accounts:

johnsmith_signups@gmail.com

johnsmithspam@yahoo.com

Additional Defensive Line: Your “other” address

Okay, now let’s say you’re interested in something online that you know might be a little risky or potentially embarrassing from a security or privacy standpoint. Let’s say you want to sign up for something like Ashley Madison, or any dating or adult site. You can obviously choose not to sign up for these because of the risk. But if you really want to, then create another e-mail address that doesn’t use your real name and isn’t in any way tied to your real identity. That includes the account’s recovery settings: don’t list one of your other addresses or your real phone number as its recovery contact, since that ties it straight back to you.

Example “other” e-mail accounts:

big-country-fan@gmail.com

oaklandraidermain@yahoo.com

Want to take this idea to the next level?

Optional Skirmish Defenses: Throw-away e-mail accounts

For many sites you have to register for on the web, you really only need an e-mail address to confirm your registration. You may not want or need the site to know your e-mail address after that.

In these cases, you can sign up for accounts using a “disposable” or “throw-away” e-mail address. These addresses last for only a short period — long enough for you to confirm the account with the website you want to register for. Services like the ones below offer these addresses free and without asking who you are. Two caveats: the inboxes are typically public, so anyone who guesses or learns the address can read whatever arrives, and once the address expires you can never receive a password reset for that account again. Use them only for registrations you would not mind losing, and expect some sites to reject known disposable domains. I’m guessing a lot of Ashley Madison users wish they had used one of these right about now.

Disposable e-mail providers include:

Guerrilla Mail

10minutemail

Mailinator

Example disposable e-mail accounts:

edjyomfo@guerillamail.com

g9725647@trbvm.com

Second lesson: Don’t use personal information

As with Lesson 1, there are going to be some sites and services, like your online bank, where you have to use real personal information. But for almost any other site, if you can avoid it, you should.

Use a fake name

When signing up for most websites, there’s no reason to use your real name. Just make one up. This is especially true if your name is distinctive. If your name is John Smith, you may not have much to worry about if your name is released from a hack. If your name is Xavious Thorplewood, you really need an alias.

Use a fake address or a PO Box instead of a home mailing address

Again, with most websites, there is no reason to use a real street address. Make one up. If it’s a site for e-commerce and you need goods delivered, use a PO box if at all possible.

Don’t use a “real” phone number

Never enter your home number into a web form, and don’t use your mobile number, either. I know some of you are thinking: but what if I’m signing up for a dating site, and I want those women/men to be able to call me? This is what virtual phone numbers are for. Get a Skype virtual number or a Google Voice number. You can take the calls online or forward them to your mobile phone.

Third lesson: Don’t use your real credit card

Most sites you sign up for don’t require a credit card. If it’s an e-commerce site that you really think you’ll be using often (like Amazon), go ahead and use your credit card. But if you’re signing up for a dating site or an adult site or a gambling site, forget about using a card from your wallet.

I know some of you might be asking, “But what about when I really do want to sign up for the premium features at Ashley Madison or Seeking Arrangement or whatever my fetish site might be?” This is where gift cards come in handy.

Go to the supermarket or drug store and buy a prepaid Visa gift card. Don’t get a prepaid credit card, and don’t get a reloadable gift card; those require identity verification when you activate or reload them, which ties the card back to you. Get a prepaid fixed-value gift card with an amount that covers the first month or two of the subscription you want to buy.

Then, register this card online using the instructions on the back of the package. When you register the card, don’t use any of your real information. Use your fake name and address. Then use the card to sign up for your payment or subscription on the website you’re interested in.

Fourth lesson: Use different passwords

One of the simplest things you can do is also one of the most effective:

Use a different long password on each and every site you sign up to. Make sure the password is not just a number and not a single word from the dictionary. Multiple words separated by spaces or dashes work well as passwords, provided the words are picked at random rather than taken from a familiar phrase, song lyric, or quotation, which cracking tools try early.

I know it’s a pain, but better passwords are absolutely necessary in today’s world of constant data breaches. If you re-use passwords like most people do, you’re at constant risk of multiple accounts being compromised from a single hack: attackers routinely take the e-mail and password pairs leaked from one site and try them on every other popular site.

How do you keep track of the dozens or hundreds of long passwords you’ll need? Use a password manager.
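To make the “long, random, multi-word” advice concrete, here is an added example (not code from the original article or from SplashData): a small Python generator that picks words with a cryptographically secure random source, computes how much entropy a passphrase actually has, estimates how long a fast offline cracking rig would take to exhaust it, and flags passwords that break the rules above. The word list is constructed for illustration; a real generator should draw from a large list such as the EFF long word list (7,776 words), and the entropy figures scale with whatever list you actually use.

```python
import math
import secrets

# Constructed word list, for illustration only. Real generators use a list of
# several thousand words (e.g. the 7,776-word EFF long list); the entropy of a
# passphrase depends on the size of the list, not on the words themselves.
WORDS = [
    "anchor", "basket", "candle", "dragon", "ember", "falcon", "garden",
    "harbor", "island", "jigsaw", "kettle", "lantern", "meadow", "nickel",
    "orchid", "pepper", "quartz", "ribbon", "saddle", "timber", "umpire",
    "velvet", "walnut", "yonder",
]

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def passphrase(n_words=5, words=WORDS, sep="-"):
    """Join n_words words chosen uniformly at random with a CSPRNG.

    secrets.choice is used instead of random.choice because the latter is a
    predictable PRNG and must never be used to generate credentials.
    """
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(wordlist_size, n_words):
    """Entropy, in bits, of n_words words drawn uniformly from wordlist_size.

    Each word contributes log2(wordlist_size) bits; the words are independent,
    so the contributions add.  A single word from a 170,000-word dictionary is
    about 17.4 bits; five words from a 7,776-word list are about 64.6 bits.
    """
    return n_words * math.log2(wordlist_size)


def years_to_exhaust(bits, guesses_per_second):
    """Years needed to try every passphrase of the given entropy at a fixed rate.

    The rate is an assumption about the attacker: 1e10 guesses per second is a
    plausible figure for a GPU rig against a fast unsalted hash such as MD5.
    """
    return (2 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def weakness(password, dictionary):
    """Return why a password breaks the article's rules, or None if it passes.

    dictionary is a set of lower-cased words; in practice it would be the
    cracking wordlist an attacker tries first, not an English dictionary.
    """
    if password.isdigit():
        return "all digits"
    if password.lower() in dictionary:
        return "single dictionary word"
    if len(password) < 12:
        return "shorter than 12 characters"
    return None


if __name__ == "__main__":
    rate = 1e10  # assumed attacker speed, guesses per second
    for label, size, n in [("one dictionary word", 170_000, 1),
                           ("five words from the EFF long list", 7776, 5)]:
        bits = entropy_bits(size, n)
        print(f"{label}: {bits:.1f} bits, "
              f"{years_to_exhaust(bits, rate):.2e} years to exhaust")
    candidate = passphrase()
    print(f"generated: {candidate!r} -> weakness: {weakness(candidate, set())}")
```

Running it prints roughly 17.4 bits (a fraction of a second) for a single dictionary word against about 64.6 bits (on the order of ninety years at the assumed rate) for five random words, which is the whole argument for multi-word passwords in one line of arithmetic; the check function is what you would wire into a signup form or a password-manager audit.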


Morgan Slain is an expert on password management and identity protection. Slain has been quoted in Mashable along with other mainstream and tech media. He has more than 20 years of experience in technology including web and mobile. Morgan Slain is the current CEO of SplashData, the leading provider of security applications and services for over 10 years. www.teamsid.com
