Your email address is the center of your digital life. If you're like me, you have one main email address that you use for everything.
Social media accounts like Facebook, Twitter, and Pinterest will resolve back to my main Gmail account. Any services I pay for like Spotify and Netflix, I also enter my main Gmail account.
In some cases, I use the + trick (if you put in email@example.com the email still makes it to firstname.lastname@example.org, it'll just have the +service so you know if that address is being used in off-book ways) but the + trick is more about filing and management than security. People know that your main email is email@example.com.
The problem is that I would also use it for other things, like when I briefly signed up on Adobe.com to use their cloud services. Turns out me and 153 million of my closest internet friends had our emails, username, encrypted password, and password hints hacked in October 2013. The encryption was weak, so the passwords were very easily converted into plaintext (the breakdown of passwords is kind of fascinating… “iloveyou” is a very popular password!).
I'm fortunate in that I use different passwords for all accounts, so when I learned my Adobe account was breached, it was “okay.”
After that moment, I resolved to firewall my email system.
- One email address for high security, “classified” material – financial services and sensitive information.
- One email address for insecure, low security services.
Borrowing a Page from the USG
The United States Government has classified and unclassified systems and the basic premise is that the two shall never meet. Sensitive and important information lives in the classified world. Less important, less sensitive information lives in the unclassified world.
If the unclassified system is breached in some way, only the less important and less sensitive information is revealed. The classified system is safe.
Your banking and broker information is sensitive and important. Your Facebook page may seem important… but it's not. You might not be able to live without Pinterest or Playstation, but those aren't important. 🙂
I'd argue that credit card information is considered NOT important because consumer liability protections are exceptionally strong. All of my credit cards are $0 liability. Plus, the access point is often the card itself, not the online account.
Rules of a Classified Email Address
Here are my rules:
- Use your classified email address for accounts where high security is a must – banks, brokers, etc.. (not credit cards!)
- Only use your classified email in your strict circumstances, never elsewhere.
- Access that account only when you'd access the underlying financial accounts – from your home and never from elsewhere like your friends' house, hotel business center, gym, etc.
- Do not forward your classified email to your unclassified email, the two shall never meet.
- Use a strong password. Preferably a password manager like 1Password.
You can take every idea to its logical extreme depending on your desire for security vs. convenience. For example, you can create a unique email address for each account or you can save an old computer strictly for accessing those accounts (with no installed programs that could be malware). That I leave up to you.
The goal is to keep that email address as hidden as possible so it can never be hacked unless the bank is hacked.
The best thing about this is that once you set it up, it gives you peace of mind. If your unclassified email address is disclosed in a breach, you know that your classified email address is safe. And you will never get tricked by a phishing email because none of your accounts are linked to your unclassified email address.
Plus, email addresses are free! The only cost is in management.
Can I Search For Hacks?
Most hacks/breaches hit systems where security isn't a priority.
I was using haveibeenpwned.com to see if my email address was compromised. The site is run by Troy Hunt, a trusted and well-regarded security professional, and it collects all the publicly available personal data out there and makes it searchable.
If you look at the top 10 breaches, none were of what you would consider high-security systems. Adobe, Ashley Madison, some gaming sites, VTech, and forums. If you look at all the breaches, you start seeing a few tangentially financial sites (mostly gambling and payment systems) but you don't see banks or brokers.
Once a hacker gets your email address, it's trivial to start sending out phishing emails to get greater account access. With 152 million email addresses in the hack of Adobe, a success rate of 0.001% is still 1,520 accounts!
Gmail is pretty good about filtering out phishing emails but a better solution is to keep a secret email address only for financial services and other high-security systems.
(and remember, sites like haveibeenpwned.com only search for breaches that were made publicly available, plenty aren't disclosed)
Two other things I do…
Use unique usernames. No reason why your World of Warcraft username should be the same as your Wells Fargo. 🙂 When Adobe was hacked, it revealed usernames and encrypted (but weakly encrypted) passwords. If you have usernames and passwords, it's even easier to try the credentials at every bank.
Turn on 2FA! Turn on two factor authorization on all your financial accounts. Two-factor authorization is crucial and it's easy with smartphones. You must use it.
Do you use separate email addresses to keep things just a little bit more secure?