Is email secure?

The answer to this question cannot be given directly. The most common answer is “it depends”. Why is it like that? What it depends on? E-mail can be “reasonably” secure when applying certain rules, which are discussed below. Correspondence will be “fairly” secure if the recipient of our communication also applies the basic principles that guarantee this “fairly” security.

The beginnings of email

Let’s start our considerations with the history of e-mail, and date back to 1971, when the first e-mail was sent between two computers. Wikipedia states that “The email was invented in 1965. The authors of the idea were: Louis Pouzin, Glenda Schroeder and Pat Crisman. At that time, however, this service was only used to send messages between users of the same computer, and the e-mail address did not yet exist. The service of sending text messages between computers was invented in 1971 by Ray Tomlinson, he also chose the @ sign to separate the username from the computer name and then the Internet domain name. ”
In those days, it was hard to imagine Internet availability on such a scale as today, and no one thought that a significant part of the defense resources of entire countries and individual organizations would be allocated to ensuring security against all the complexity of cyber threats that have escalated in recent years on an unprecedented scale. And certainly this is just the beginning of the arms race between cybercriminals (and often state services), and companies, teams and people responsible for the security of organizations and individuals.

The basic method of communication

Certainly the e-mail service is the basic method of communication in business applications. It is used to send virtually any type of document, from commercial offers, orders, invoices, court letters, bank agreements, financial documents of companies, medical results of diagnostic tests, scans of identity documents. It’s hard to imagine the operation of any organization without using email. Today’s email address is more valuable than a person’s phone number. You can not answer the phone and the e-mail goes to the mailbox and at least the subject of the message will be read by the recipient.

In recent months, there has been some information in the media on how criminals, using e-mail, people from “attacked” companies made voluntary transfers of really significant amounts to the bank accounts of persons or entities that in reality were not the recipients they claimed to be.

Recently, LOT has transferred PLN 2.6 million to the bank account of a “pole” for leasing fees. A bank account on a pole means an account set up on a person having no idea that will be used for crime or a person who is not actually involved in criminal proceedings or for a false identity or a person who is, for example, a foreigner who is already on another continent. Money from the first account is immediately transferred to another in another country, preferably in the “tax haven”, next and subsequent transactions of purchase and sale of cryptocurrencies are often carried out. Money recovery in this case is virtually zero. Criminals are usually not caught, and if they fall it is due to their own stupidity, for example, showing the fact of the flow of cash through exclusive shopping for cars or real estate.

A few months ago, Cenzin, part of the Polish Armaments Group, also fell victim to a fraud of PLN 4 million. Earlier, you might have read about the Warsaw subway, which transferred almost 580 thousand zlotys for cleaning services. And how many cases have the media not been informed about? Many times more, because no one would like customers, suppliers or competitors to learn about this fact. In the event of such an event, this is a problem for both entities. For both the paying company and the actual supplier, because often the process of explaining a given event is many times longer than the payment date. It is not uncommon for companies that have fallen victim to fraud to wait for the court’s judgment on the whole incident. And the courts in our country act the way they do – cases drag on for many years, the competence of experts also gives a lot to think about…

Of course, this is just one way to get rich (in a way that is unlawful) by using information obtained illegally. You can imagine situations where a competitor breaking into a mailbox has excellent knowledge about the scope and value of commercial, design or other offers. Thanks to this type of information, a dishonest competitor is able to submit a bid slightly lower than the one proposed by our organization, and we will once again lose in the bidding procedure, wondering that the company “B” has won again and again “by a penny”.

A listed company should also maintain the highest level of confidentiality before publishing quarterly or annual reports. Why? Well, someone who has knowledge of the company’s financial results or plans is able to use this information to better purchase or sell shares on the public market. The number of such examples of the possibilities of using information obtained from mailboxes can be sizable. Certainly, the more the recipient is associated with large amounts of money, the more he is exposed to the deliberate action of hackers.

In addition, email messages are used to authorize access to various types of internet services – virtually every internet service, social networking site, SaaS model software require an email address when creating an account, usually a service login and password guarantee access. What else – usually if you forget your password, lose it, transfer your work to another or additional device, email is used to regain access or reset and create a new password. This point is very important from the point of view of the entire security ecosystem of a given person or organization.

What could have happened?

Security means being able to trust the communication page and ensuring the integrity of transmitted data. In the above cases, neither one or the other, nor both.

The first option is to take over the sender’s mailbox (or control over the computer or smartphone) and in this case send a message on his behalf with content that was not actually original. It is possible that the inbox was taken over and in this case it was enough to “replace” the e-mail attachment with a pdf document with the appropriate account number. There is one more probability that the e-mail was sent from a mailbox whose address seemed confusingly similar to the e-mail address from which the invoice usually came, and the content was consistent with previously sent e-mails. So we can imagine on one hand the sender’s address in place of or the use of Cyrillic characters and the replacement of e.g. Latin letter c (s) from Cyrillic. It is less likely that its content was “taken over” and changed.

Why are such attacks so effective? Because in most cases they are based on social engineering. The crime is planned well in advance, often the time to obtain information or the time from taking over an account to committing a crime is a period of many weeks, months, and often a year. Criminals know perfectly well what habits are in the company, how the work is organized, they know about the absences of the boss, they know about the procedures that apply in a given company. They know the names of the spouses, children, the hobby of the person they want to manipulate, they know where she was on vacation, they know about problems or addictions. All this information is usually used to authenticate the sender or the content of the message (e.g. greeting the husband or wife and children in the content), find the right moment (absence of a supervisor who cannot ask for an opinion or approve an action).

Why is the use of email unsafe?

The email account is easy to take over. First of all, due to the use of low-power passwords that are easy to crack, not changing them for years, and also using the same password for an e-mail account as for other websites. In the event of a security incident, leakage or theft of data on one website, online store, blog or anywhere else, it will turn out that the person loses control over all accounts where they used the same password by logging in to this e-mail address.

An e-mail account is a favorite target of phishing attacks where a cybercriminal sends a message as a fake e-mail server administrator asking for confirmation of the recipient’s identity. The e-mail user may naively or unconsciously enter the password to his or her mailbox directly.

The use of open wireless networks must be strictly avoided. Imagine the situation that we logged into the network without authentication available in the fast food establishment. There were two networks called FastFood_WiFi and FastFood_WiFi_Free. We chose the second one. And this second network was used by cybercriminals, who set a trap by creating, for example, an imitation of a webmail service that looks identical to the familiar email service we use every day. The user entering in the browser’s address bar in no way suspects that entering the CORRECT e-mail webservice address in fact logs in to a fake and provides full credentials of his identity. During this time, criminals can log in to the website, change the password, and use our identity with impunity for some time … .. of course, this may be the site of another frequently used service, and logins and passwords are often repeated …

I have already presented many times the role of social engineering in taking over identity and related services. More than once reading the report from such a case, I stated that the script “Italian work” or “Oceans Eleven” is “cake”. For those interested, please refer to the material describing the takeover of the CIA director’s email account by a fifteen-year-old from the USA 😊

Let’s remember one more thing that you are often a secure operator of your mailbox, but the recipient of your message does not apply the minimum security rules … then everything you send to him is exposed to being taken over by unauthorized persons.

How to be safe after all?

I don’t know if you have noticed that crimes related to the use of any physical violence are less and less “popular”, bank robberies with less weapons, or ransom abductions. Most of the activities moved into the digital world. It is easier to deal with VAT fraud, pseudo-economic activity or cybercrime, both in the area of ​​crime organization and more confidently because of the possibility of avoiding consequences for criminals. In the latter case, criminals usually become elusive. It is very difficult to prove anything to anyone, and one can usually dream of recovering lost money, because the flow path covers many countries geographically, linguistically, culturally and legally distant from each other.

How can threats be avoided? First of all, applying the rules I wrote above. In addition, apply procedures in companies that will prevent, for example, changing the account number on the contractor’s account and making a transfer, e.g. without annexing the contract. Train employees and make them aware of what actions can be dangerous or irresponsible. Use appropriate technology that will hinder phishing attacks, use 2FA services, i.e. two-factor identity confirmation (e.g. by entering the password and code that came as an SMS – although the SMS itself may also be broken, because you have probably heard about ways to obtain a duplicate SIM card ….)

The best way is to use data transmission tools that provide the highest level of security by encrypting with the appropriate strength along with the lack of the use of a “trusted” third party to confirm the identity of the communication parties. Nowadays, there are simply no such trusted websites.

Author: Przemysław Kucharzewski – for 25 years associated with the IT industry, in particular the construction of the sales channels, enthusiast of cyber security, manager, journalist, currently associated with Cypherdog. Privately, a father of two children, a fan of mountain biking, cooking and good rock.