Schneier on Security
A blog covering security and security technology.
June 26, 2012
E-Mail Accounts More Valuable than Bank Accounts
This informal survey produced the following result: "45% of the users found their email accounts more valuable than their bank accounts."
The author believes this is evidence of some sophisticated security reasoning on the part of users:
From a security standpoint, I can’t agree more with these people. Email accounts are used most commonly to reset other websites’ account passwords, so if it gets compromised, the others will fall like dominos.
I disagree. I think something a lot simpler is going on. People believe that if their bank account is hacked, the bank will help them clean up the mess and they'll get their money back. And in most cases, they will. They know that if their e-mail is hacked, all the damage will be theirs to deal with. I think this is public opinion reflecting reality.
Posted on June 26, 2012 at 1:57 PM
Or even simpler still - your bank account won't give access to your email, but your email will probably give access to your bank. Bank + email will always be more valuable than bank by itself.
It's an issue that merits further study. Objectively, though, I think losing control over one's money is usually a bigger problem than an email getting hacked. Just let people relying on a debit card suddenly find out it's locked or empty. That will change their perspective a bit.
...or perhaps significantly more people who took this survey use e-mail than online banking.
Money is just money, no matter how important. Your e-mail is your life, personal things, it's personal. Losing money is bad, but people stealing it won't know anything about you by having your money.
Well, if someone compromises my email account, they can use it to reset my banking password.
I guess I don't really understand the statement: "I think this is public opinion reflecting reality."
Aside from that, from a threat perspective and the potential impact that exploitation of these media has, I would agree that e-mail is of much higher value for plenty of reasons. The risk is much higher than a transient experience of a fraudulent financial transaction, that is, unless of course the transactions are materialized into something much more devastating like a nuclear weapon or airborne HIV.
If I change my bank account, there's a much shorter list of people to notify, and lately, it's almost required to move your bank account to get rid of fraudulent withdrawals.
If I change my email account, I have to notify everyone...
@ Nick P,
"...account, they can use it to reset my banking password."
Not if you use Bank of America or Barclays or similar ...
They will send you a code by SMS to your mobile phone to validate your request. Welcome to Multi Channel authentication ;)
Even if your bank account is hacked, every transaction made is traceable. So I agree that the public probably know that the bank will be able to clean up the mess, and will most probably clean up the mess for the customers. Information stored in email accounts can be sensitive for the users and they may well value them more than just their bank account details.
The problem is that most people have no money in their bank accounts. They are living paycheck to paycheck.
So if the bank account is hacked, most people do not lose much...
There are attacks for that sort of authentication. Commonwealth Bank of Australia recently had a customer lose funds after the fiends social-engineered his mobile provider to churn his number to another SIM (and then did the reverse once they'd received the SMS).
He didn't notice until the funds were transferred off-shore.
"There are attacks for that sort of authentication." ...
Yes, there are -- Agreed. But this puts another barrier. So a simple email compromise event will not be sufficient. Having a barrier such as this will compel the attacker to move from a simple attack mechanism to a compound attack tactic, such as the one you mentioned. And this barrier will also not work as effectively if the *smart* phone is stolen with all the accounts on it (SMS, emails, and bank accounts), in which case the barrier (Multi Channel Authentication) ironically becomes a weak link.
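The "dominoes", the multi-channel reset and the SIM-swap case discussed in the comments above can be made concrete with a small account-recovery dependency model. This is an added example, not code from the original post or from any commenter; the account names and their reset rules are constructed for illustration and do not describe any real bank or mail provider.

```python
"""Added example: a toy model of account-recovery dependencies.

Each account maps to a list of credential sets; holding every credential in
any one set lets the attacker reset that account's password and own it.
The rules below are assumptions made for this illustration."""

from typing import Dict, FrozenSet, List, Set

RecoveryRules = Dict[str, List[FrozenSet[str]]]

# Constructed rules (assumptions, not real provider policies):
#   email            - recoverable with an SMS code sent to the phone alone
#   bank_email_only  - reset link by e-mail, nothing else
#   bank_two_channel - needs the e-mail link AND an SMS code (the
#                      "multi channel authentication" a commenter describes)
#   bank_postal      - reset only by a letter to the postal address
#   shop             - reset by e-mail; stores billing details
RULES: RecoveryRules = {
    "email":            [frozenset({"phone"})],
    "bank_email_only":  [frozenset({"email"})],
    "bank_two_channel": [frozenset({"email", "phone"})],
    "bank_postal":      [frozenset({"postal_address"})],
    "shop":             [frozenset({"email"})],
}


def takeover_closure(rules: RecoveryRules, seized: Set[str]) -> Set[str]:
    """Every asset the attacker ends up controlling, starting from `seized`
    and applying reset rules until nothing new falls (a fixed point)."""
    owned = set(seized)
    changed = True
    while changed:
        changed = False
        for account, options in rules.items():
            if account not in owned and any(req <= owned for req in options):
                owned.add(account)
                changed = True
    return owned


def blast_radius(rules: RecoveryRules, seized: Set[str]) -> Set[str]:
    """Accounts that fall because of the seizure, excluding the seized assets."""
    return takeover_closure(rules, seized) - set(seized)


if __name__ == "__main__":
    scenarios = [
        ("e-mail password leaked", {"email"}),
        ("SIM swapped (phone number taken over)", {"phone"}),
        ("bank password leaked", {"bank_email_only"}),
        ("unlocked smartphone stolen", {"phone", "email"}),
    ]
    for label, seized in scenarios:
        print(f"{label}: {sorted(blast_radius(RULES, seized))}")
```

Under these constructed rules a leaked bank password takes nothing else down, a leaked e-mail password takes every e-mail-only account, and a SIM swap takes everything except the postal-reset account, because the phone is also the e-mail recovery channel. The two-channel bank is only stronger than the e-mail-only one when the two channels do not share a root; the model makes that dependency visible.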
Money loss will damage you. It can often be repaired. As a professional, my reputation can damage me far more.
In practice, my work e-mail can damage me the most. Theft and misuse could damage my reputation and credibility, be used to impersonate me with external contacts, and provide fraudulent, damaging messages to my internal work contacts.
I rate them: my work email, then banking, and then personal email.
I don't see how the survey question -- "What type of online account is most valuable to you?" -- gets at anything about security. When I read that question, I think about which online services I use most, not about which ones would cause the most problems if hacked. Of _course_ I think email is more valuable than online banking. Writing checks once a month to pay my bills wasn't _that_ much harder than doing it electronically. Polling data doesn't convey good information unless you ask the right questions.
That said, I think that having my bank account hacked would be less painful for _me_ than having my email hacked, for the reasons Bruce cites.
@Patrick: That's kinda spinning it. If all your bank accounts got zeroed, you might not have lost *much*, but you still would have lost *everything*. (Excepting money under the bed / behind the couch, which isn't going to pay that overdue bill...)
If your bank account is hacked you will probably know about it either by yourself or when the bank alerts you. If your email account is hacked, you may never know about it if the hacker is clever, and you are not alert. Change your passwords frequently, and pay attention to your last login dates. Some accounts tell you when you last logged in ;)
Which one is more valuable depends on the contents of your emails (including your contacts), and the amount of money you have in the bank and who hacked your account, and for what purpose, and the current situation one happens to be in when they realize an account had been hacked...
Two factor is different than two channel.
There are banks that let you reset their online banking password with an e-mail? My bank still uses snail-mail for that, using the same kind of envelope they use to send ATM card PINs.
They also use the chip on the debit card, a reader and a flicker code on the screen for two-factor authentication.
Although they do have weird rules about the account password: Maximum of 5 characters, no special characters are allowed, minimum 1 number and letters. And the account gets locked after 3 failed login attempts, I don't know how to reset that yet.
So, a weird mix of paranoia and ATM-card style security.
But yes, I worry more about my E-mail account than my online banking because every loss above 100€ from fraud is the responsibility of the bank here IIRC.
I would simply state that *both* are valuable, and it would be a hassle if *either* was hacked.
@Wael: "Change your passwords frequently"
...which is IMHO one of the worst security advices *ever*.
Change your password iff you have plausible reason to believe it is compromised.
Feel free to ignore my stupid-ass advice. You may change your password when (or if and only if) your account is compromised -- Will not hold that against you.
Changing a password that has not been compromised does not provide extra security but it does increase the chance that you'll forget the password and have to use some mechanism to recover it that may reduce your security.
That was "Nick". I always post as Nick P without a linked website. Good point though.
My credit union accounts are much more valuable than my e-mail accounts - those are where my money is!
But my credit unions will not provide any password information or resets by normal e-mail. You can use their encrypted e-mail (within their web site) or go visit in person or answer lots of questions over the phone (and they can verify the phone number since you call a toll-free number).
@ Nick P
I don't understand the "P" significance.
1- keeping your password static gives others more time to guess. Clever attackers know not to reach wrong password threshold (anti dictionary attack lock mechanisms). They will wait and try another day.
2- You will not always be able to detect a password compromise. Someone may be just reading your emails, and marking them unread if you have not read them.
3- Keyloggers, shoulder peeking, cameras, logging in from other computers at hotels, all present enough risk.
Of course there is a price to pay in terms of inconvenience, forgetting the new password, updating all accounts on all devices...
The problem is we don't have "Complete Awareness". Can you always guarantee you will detect that your password has been compromised? We can compensate for that lack of "Complete Awareness" by exercising another parameter, "Total Assured Control", that we do possess in this case – which is changing our password.
@ Nick P
Got it. Two different Nicks :)
re 1. Even when an attacker maintains a low rate of tries so as not to trigger wrong-password lockout logic, it won't help (and failed-login record analysis will catch her). Given a strong password, the whole process of enumerating the password space at a slow rate would exceed the account user's lifetime by a large factor. A strong static password (or -phrase) is sufficient against this attack vector.
re 2. If the attacker is smart and able enough to hide her activities *after* getting your password in some way, so you can not detect the intrusion, you're out of luck anyway. The harm is done.
re 3. Changing password regularly does not help against keyloggers, shoulder surfing etc. The attacker can use the password almost instantly. The harm is already done. It does not matter if you routinely change the password a month later. If you think there is a good chance your password has been just compromised, change it as securely and as soon as you can. You may be lucky to outrun the attacker.
There's one corner case in which changing the password regularly can help. It can marginally help if the attacker:
- was able to get the password once and is unable (or unlikely) to get it again after you change it
- is unable to escalate the privileges using the password
- is able to hide its activities on the account from you or the system administrator
- is not going to do any visible damage or changes
In such a case, changing a password by routine would lock the attacker out after some considerable time, but the harm is already done. This is a valid protection if you do not care about your data being sucked up for some time but care about your data being sucked up forever - a rather unrealistic situation.
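The arithmetic behind the claim above, that slow online guessing under a lockout policy cannot exhaust a strong password in a lifetime, is worth carrying through. This is an added example, not code from the original post or any commenter. Its assumptions are constructed: the service locks an account after `threshold` failed logins within a window of `window_seconds`, the attacker makes `threshold - 1` attempts per window so the lock never trips, and passwords are modelled as uniformly random over an alphabet; a human-chosen password is much weaker than that model, so the numbers are an upper bound on attacker effort, not an estimate for real passwords.

```python
"""Added example: expected time for a lockout-evading online guesser, and
whether periodic rotation changes the odds. All parameters are assumptions."""

SECONDS_PER_YEAR = 365.25 * 24 * 3600
DAY = 86400


def password_space(alphabet_size: int, length: int) -> int:
    """Number of equally likely passwords under the uniform model."""
    return alphabet_size ** length


def guess_budget(threshold: int, window_seconds: int, elapsed_seconds: int) -> int:
    """Guesses an attacker can make in `elapsed_seconds` while staying one
    attempt below the lockout threshold in every window (assumed policy)."""
    if threshold < 2:
        return 0  # a single failure locks the account: no quiet guessing at all
    return (elapsed_seconds // window_seconds) * (threshold - 1)


def expected_years_to_guess(space: int, threshold: int, window_seconds: int) -> float:
    """Expected time to hit a uniformly random password: on average half the
    space is searched before the right one comes up."""
    rate = (threshold - 1) / window_seconds  # quiet guesses per second
    return (space / 2) / rate / SECONDS_PER_YEAR


def compromise_probability_before_rotation(space: int, threshold: int,
                                           window_seconds: int, rotation_days: int) -> float:
    """Chance the online guesser succeeds within one rotation period.
    If this is already negligible, rotating more often cannot lower it much."""
    guesses = guess_budget(threshold, window_seconds, rotation_days * DAY)
    return min(1.0, guesses / space)


if __name__ == "__main__":
    # Constructed policy: lock after 5 failures in a day, attacker tries 4/day.
    for label, alphabet, length in [("6 lowercase letters", 26, 6),
                                    ("8 mixed-case alphanumerics", 62, 8)]:
        space = password_space(alphabet, length)
        years = expected_years_to_guess(space, threshold=5, window_seconds=DAY)
        p = compromise_probability_before_rotation(space, 5, DAY, rotation_days=90)
        print(f"{label}: about {years:.3g} years to guess; "
              f"P(hit within 90 days) = {p:.3g}")
```

With the assumed policy even six random lowercase letters take on the order of a hundred thousand years to guess, and the chance of a hit inside a 90-day rotation period is around one in a million; for eight mixed-case alphanumerics it is tens of billions of years. Rotation therefore does nothing measurable against the lockout-evading guesser, which is the first commenter's point; whatever value it has lies in the one-time-capture corner case described above.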
There's one main problem with unaudited on-line surveys like this: the results are completely worthless.
Apart from that, though, they are really cheap!!
@ Peter A,
What you say is absolutely correct. With one exception: "harm is already done":
You don't know that.
I changed my password for one email account I had for 20 years 3 times. For some other accounts, I never changed it. You have to decide what works for you best.
What do you guys think is a good mail host to use? I was using FastMail.FM until there were rumors of acquisition by Facebook. Now I am using Runbox but I am not sure how much attention is given to security at this Norwegian firm. Or is it okay to stick with Gmail?
Personally, my email account(s) are more important to me than my banking password. My email account gives me access to basically every online account I have, I'm worried about dominoes. I've never even considered the idea that my bank might reimburse me if I get hacked, I'm just a layman.
You mightn't be able to get into my bank account from my email, but if you spent long enough, you could probably find a way into my money. How many people have accounts on ebay or steam or bookdepository or somewhere that remembers billing information? (not me, I don't have enough money for online shopping ;) )
For once I disagree... the personal nature of email and the fact that it is the key to unlocking all those other accounts is enough for me to value it more highly than any other account.