Have you ever forgotten your password? No panic, there’s usually a password recovery function. Just click a link or a button, and you can reset your password using a link sent to your mail or phone. That’s convenient.
But have you ever reflected on what can go wrong? Let’s take an example which is both realistic and common. You are using Gmail and one day you get a notification that someone is trying to break into your mail account, but the vigilant technicians at Google stopped it. You just have to log in to confirm that you are the real owner of the account, and everything is fine again. Damn, a closed mail account is the last thing I need right now! Let’s get this fixed ASAP!
Anyone can fall for phishing, because sometimes the mouse hand is faster than the brain. It’s one of the most important tools in modern cyber criminals’ toolbox.
OK, the hacker got access to your mail, but you have luckily read about password security and selected unique passwords for all your important accounts. So the damage should be limited. But wait! Someone has been in your Facebook account and money is missing from PayPal. How is this possible? They all had different passwords. This must be related to the hacked mail somehow, but how?
That’s right. The e-mail breach was the key to hacking the other accounts too, despite the unique passwords. This is an important lesson: the password reset function makes your e-mail account extremely critical. Once it’s in the wrong hands, all the crooks have to do is go through the commonly used services and attempt a password reset with your mail address. It will succeed wherever you have used the same mail address to sign up. Many services require that you use a mail address as your main user ID. This is sensible because mail addresses are unique, but it makes your mail address security-critical at the same time.
How do you protect yourself against this trick? You have to use a mail address when signing up, but it doesn’t have to be the same address you use for daily business. The best defense is to use two addresses, one for ordinary communication and one for signing up at services. Nowadays it’s easy and free on, for example, gmail.com or outlook.com. The key to this strategy is that your account sign-up address remains secret and isn’t used for anything else. Strictly.
This brings you several advantages:
Nobody can reset your passwords with your ordinary everyday mail address. That’s the address that is more likely to be compromised. It’s very unlikely that your secret account address, the one that would actually be useful for password resets, will be attacked.
It’s easier to recognize phishing. Account-related mail that hits your ordinary address is spam or phishing, because real notifications about your accounts should come to the other address.
It might be convenient to have account notifications in a separate mailbox. They will not clutter your main mailbox, and important real notifications will stand out better in the secret address’s inbox, which usually is quite low-volume. (This morning I had a mail from Twitter about a possible password leak in this mailbox. It was the only new message.)
Well, the optimal solution would be to have a separate mail address for every important account. That would maximize security, but it would not be very convenient to create that many mailboxes. The really important point is in any case that the accounts are registered with something other than your everyday mail address.
Note that some services may show your e-mail address to other users, which is unfortunate for a secret address. That increases the risk of leaks, which could lead to spam and phishing against that mailbox. If you can see others’ addresses, look for a setting to hide yours.
Another risk worth noting is that any system may be hacked or have some other kind of data leak. So you can never be 100% sure that notifications received in this inbox are real. Exercise the same caution with them as with your main mail. But it’s clear that this arrangement will almost eliminate phishing and spam to the secret address.