The Perils Of Free Email Accounts

September 19, 2008 by Brian J. Ritchey

Never conduct business on a personal email account. I have written previously on the dangers of communicating with clients via email, but the assumption there was that the communication took place within the company network. Many people, myself included, have also taken to free email accounts such as Gmail, Hotmail (now called Windows Live Hotmail), and Yahoo! Mail. The problem with using these services for business is the "consumer-grade" security placed on the accounts: the provider, not your company, decides how the account is protected and how it can be recovered.

The "hacking" of Vice Presidential candidate Sarah Palin's Yahoo! account this past week illustrates the ease with which anyone can not only read your emails but take control of your account. I use the word "hacking" lightly: it was nothing more than using publicly available information and taking advantage of weak password recovery questions.

For example, with Yahoo all you need to do is answer one recovery question to reset your password. For most people, the easiest answer wins, and much of the time that answer is publicly available or easily guessed. This is exactly what happened with Governor Palin's account. It was breached by simply using the password recovery feature and answering a single question, and in this case the answer was already in the public domain. The lesson is that a recovery question is a second password, and one that is usually far weaker than the first.

In her case, the intent appears (based on the perpetrator's bragging online) to have been finding more dirt on the Governor (there was none, to the criminal's dismay), but I am willing to bet that in many other cases business-related communications would be found in such an account.

Company policies have become more secure by requiring strong passwords and changing them often. However, there are no such requirements for most (if not all) free email accounts, and the company has no way to enforce its policy on an account it does not control.

The ease with which someone can get control of a free email account is ridiculous. It takes relatively little skill in social engineering to get someone to give up information that may in fact be the password, or the recovery answer, on their account. A few such examples can be read by clicking here.

There are ways to determine whether someone in the organization is conducting business through a personal email account, though in many cases it cannot be seen by your IT people at all: mail sent between two free accounts never touches the company mail server. However, if at some point the business address is a sender or recipient on the thread, that message does pass through the company server, and the exchange with the free email domain is recorded in your mail server logs, where it can be found and researched.

It may not be a bad idea to have your IT people audit the mail server logs for traffic between company addresses and free email domains to determine whether you may be exposed. And a policy announcement covering whatever restrictions you have in place (and you should have restrictions on using non-business email accounts to conduct business) wouldn't hurt either.
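The log audit suggested above, written out as an added example (this is not code from the original post). It assumes a Postfix-style MTA log, where `qmgr` records the envelope sender and `smtp`/`local` record each recipient under a shared queue ID; the log lines, the company domain `example.com`, and the list of free email domains are all constructed for the example and should be adjusted for your own environment. The script correlates sender and recipients per message, flags any message between a company address and a free email domain, and additionally marks outbound messages where the free email address looks like the employee's own personal account.

```python
"""Audit Postfix-style mail logs for business mail flowing to or from free email domains.

Added example, not from the original post. Assumptions: Postfix log format,
company domain example.com, and the free email domain list below.
"""
import re
from collections import defaultdict

# Assumption: the free email providers named in the post plus obvious aliases.
FREEMAIL_DOMAINS = {
    "gmail.com", "googlemail.com",
    "hotmail.com", "live.com",
    "yahoo.com",
}

COMPANY_DOMAIN = "example.com"  # assumption: your own mail domain

# Constructed sample log (not real traffic). 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = """\
Sep 19 09:01:12 mx1 postfix/qmgr[1234]: 3A1B2C: from=<alice@example.com>, size=2048, nrcpt=1 (queue active)
Sep 19 09:01:13 mx1 postfix/smtp[1240]: 3A1B2C: to=<bob.client@gmail.com>, relay=gmail-smtp-in.l.google.com[203.0.113.5]:25, status=sent (250 OK)
Sep 19 09:05:40 mx1 postfix/qmgr[1234]: 4D5E6F: from=<alice@example.com>, size=5120, nrcpt=2 (queue active)
Sep 19 09:05:41 mx1 postfix/local[1241]: 4D5E6F: to=<carol@example.com>, relay=local, status=sent (delivered to mailbox)
Sep 19 09:05:41 mx1 postfix/smtp[1242]: 4D5E6F: to=<alice.personal@yahoo.com>, relay=mta5.am0.yahoodns.net[203.0.113.9]:25, status=sent (250 ok)
Sep 19 10:12:03 mx1 postfix/qmgr[1234]: 7A8B9C: from=<dave@hotmail.com>, size=900, nrcpt=1 (queue active)
Sep 19 10:12:04 mx1 postfix/local[1243]: 7A8B9C: to=<erin@example.com>, relay=local, status=sent (delivered to mailbox)
Sep 19 10:30:00 mx1 postfix/qmgr[1234]: 0F1E2D: from=<frank@example.com>, size=1500, nrcpt=1 (queue active)
Sep 19 10:30:01 mx1 postfix/smtp[1244]: 0F1E2D: to=<partner@vendor.example.net>, relay=mail.vendor.example.net[203.0.113.20]:25, status=sent (250 OK)
"""

# Postfix prints "<queue id>: from=<addr>" on the qmgr line and "<queue id>: to=<addr>"
# once per recipient on the delivery agent line (smtp, local, pipe, ...).
FROM_RE = re.compile(r": (?P<qid>[0-9A-F]+): from=<(?P<addr>[^>]*)>")
TO_RE = re.compile(r": (?P<qid>[0-9A-F]+): to=<(?P<addr>[^>]*)>")


def domain_of(addr):
    """Lower-cased domain part of an address, or '' for a null/bounce sender."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def local_part_of(addr):
    return addr.split("@", 1)[0].lower()


def is_freemail(addr):
    return domain_of(addr) in FREEMAIL_DOMAINS


def correlate(log_text):
    """Group log lines by queue ID into {qid: {"from": sender, "to": [recipients]}}."""
    msgs = defaultdict(lambda: {"from": None, "to": []})
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m:
            msgs[m["qid"]]["from"] = m["addr"]
            continue
        m = TO_RE.search(line)
        if m:
            msgs[m["qid"]]["to"].append(m["addr"])
    return dict(msgs)


def looks_like_own_account(internal, freemail):
    """Heuristic: the employee's login name appears inside the free email local part
    (alice@example.com vs alice.personal@yahoo.com). A hint for the reviewer, not proof."""
    return local_part_of(internal) in local_part_of(freemail)


def find_freemail_traffic(log_text, company_domain=COMPANY_DOMAIN):
    """Return (qid, internal_address, freemail_address, direction, self_match) findings.

    Outbound: company sender -> free email recipient. Inbound: free email sender ->
    company recipient. Inbound from a free account is often a legitimate customer, so
    outbound findings, especially self matches, deserve the first look."""
    findings = []
    for qid, msg in correlate(log_text).items():
        sender = msg["from"] or ""
        for rcpt in msg["to"]:
            if domain_of(sender) == company_domain and is_freemail(rcpt):
                findings.append((qid, sender, rcpt, "outbound", looks_like_own_account(sender, rcpt)))
            elif is_freemail(sender) and domain_of(rcpt) == company_domain:
                findings.append((qid, rcpt, sender, "inbound", looks_like_own_account(rcpt, sender)))
    return findings


def summarize_by_user(findings):
    """Count findings per internal address so the audit knows whom to talk to first."""
    counts = defaultdict(int)
    for _, internal, _, _, _ in findings:
        counts[internal] += 1
    return dict(counts)


if __name__ == "__main__":
    results = find_freemail_traffic(SAMPLE_LOG)
    for qid, internal, external, direction, own in results:
        flag = "  <-- looks like the user's own personal account" if own else ""
        print(f"{qid} {direction:8} {internal} <-> {external}{flag}")
    print("per-user totals:", summarize_by_user(results))
```

On a real server you would feed `/var/log/mail.log` (or `journalctl -u postfix`) into `find_freemail_traffic` instead of `SAMPLE_LOG`. Note what this audit can and cannot see: it only records envelope addresses for mail that actually traversed the company server, so a thread that was forwarded to a personal account and then continued purely between free accounts leaves no trace here, and quoted history inside a message body is not in the MTA log at all; finding that requires message archiving, not log review.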