With the increasing number of data breaches these past few weeks, targeting email service providers and the end-user data they host, many people are asking, “Why hack into a system just to steal email addresses? Why not target a bank or other entity with a bigger financial windfall for those committing the crimes?”
The answer might surprise you: personally identifiable information (PII) is still the preferred currency of hackers and spammers.
Hackers can fairly easily sell this stolen data and make money. In fact, many of them sell email addresses and general PII data over and over again, whereas a bank account can be drained only once and a stolen credit card used only a few times before it’s cut off. Having a stockpile of live email addresses also affords hackers continued free access to consumers’ computers, which they infect through malicious emails. The hacker then has a back door through these contaminated computers from which to hide additional online crimes.
Many of us need to recognize that email addresses should be classified as valuable data and protected with security standards comparable to those used for financial data. So how does security apply to email addresses?
One of the steps that needs to occur early in an email relationship is to provide end users with a notice that your brand might use third-party services. Also, explain how you’ll maintain their data on your own servers. As a brand, you should perform proper annual security reviews of how PII is stored and transferred around your network and through any third parties you work with.
As a sender, you need to use proper email authentication models, like Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM), to protect your domain and brand from misuse. When authentication mechanisms are applied, both the originating and receiving systems can correctly and reliably validate who’s accountable for the message. The Messaging Anti-Abuse Working Group’s (MAAWG) whitepaper “Message Sender Reputation Concepts and Common Practices” can put you on the right track.
Ensure that consistent branding is used throughout all your normal communications. This creates greater transparency between bulk mail senders and receiving operators, and helps distinguish legitimate mailers from spammers. The MAAWG regularly updates its Sender Best Communications Practices that also advocate technologies and additional easy-to-implement practices to make email a more secure and reliable communication channel.
Last but not least, third-party service providers and bulk email senders must use up-to-date and common security practices in their data centers, such as proper firewall configurations, intrusion detection systems, adequate encryption such as SSL for data in transit — but also encrypt data at rest — and ensure that a proper two-factor authentication system is in place for those who have unlimited access to system-critical services.
Security is an ever-moving target these days with new technologies being launched every day and more and more information being stored about individuals. Keeping current on industry changes and participating in coalitions like MAAWG will help you understand how to better protect end users.
Dennis Dayman is a board member of the Messaging Anti-Abuse Working Group and an expert in working with e-marketers on securing their email campaigns. He’s also the chief privacy and security officer at Eloqua.