The pros and cons of using email aliases for security – Krebs on Security


One way to tame your inbox is to get into the habit of using unique email aliases when creating new online accounts. Adding a “+” character after the username part of your email address – followed by a notation specific to the site you are registering on – allows you to create an infinite number of unique email addresses linked to the same inbox. Aliases can help users detect breaches and fight spam. But not all websites allow aliases, and they can complicate account recovery. Here’s an overview of the pros and cons of adopting a unique alias for each website.

What is an email alias? When signing up for a site that requires an email address, think of a word or phrase that represents that site to you, and add it, preceded by a “+” sign, just to the left of the “@” sign in your email address. For example, if I registered on example.com, I could give my email address as [email protected]. Then I go back to my inbox and create a corresponding folder called “Example”, along with a new filter that routes any email addressed to that alias into the Example folder.

Above all, you never use this alias anywhere else. That way, if someone other than example.com starts emailing that address, it’s safe to assume that example.com has either shared your address with others or has been hacked and that information dumped. Indeed, security-conscious readers have often alerted KrebsOnSecurity to spam arriving at specific aliases that suggested a breach at a website, and usually they were right, even when the company that was hacked didn’t realize it at the time.

Alex Holden, founder of the Milwaukee-based cybersecurity consultancy Hold Security, said many threat actors will scrub their mailing lists of any aliases because there is a perception that these users are more security- and privacy-focused than normal users, and are therefore more likely to report spam sent to their aliased addresses.

Holden said freshly hacked databases are also often cleaned of aliases before being sold in the criminal underground, meaning hackers will simply strip the aliased part of the email address.

“I can tell you that some threat groups have rules about deleting ‘+*@’ email addresses,” Holden said. “We just got the biggest credential cache ever — 1 billion new credentials for us — and most of that data is changed, with aliases removed. Removing identification is normal for certain threat groups. They spend time trying to understand the structure of the database and remove any red flags.”

According to the breach tracking site HaveIBeenPwned.com, only about 0.03% of breached records in circulation today include an alias.

Email aliases are rare enough that seeing just a few email addresses with the same alias in a hacked database can make it trivial to identify the company that may have been hacked and leaked said database. That’s because the most common aliases are simply the name of the website where the registration took place, or an abbreviation or shorthand for it.

Therefore, for a given database, if more than a handful of email addresses share the same alias, chances are that the company or website corresponding to that alias has been hacked.

This could explain the actions of Allekabels, a large Dutch online electronics store that suffered a data breach in 2021. Allekabels said a former employee stole data on 5,000 customers, and those customers were later notified of the data breach by Allekabels.

But the Dutch publication RTL Nieuws said it obtained a copy of Allekabels’ user database from a hacker who was selling information on 3.6 million customers at the time, and found that the figure of 5,000 cited by the retailer was the number of customers who had signed up using an alias. Essentially, according to RTL, the company had only notified those most likely to notice and complain that their alias addresses were suddenly being spammed.

“RTL Nieuws called over thirty people from the database to verify the leaked data,” the post explained. “Customers with such a unique email address all received a message from Allekabels that their data had been leaked – according to Allekabels, they were all among the 5,000 pieces of data that this former employee had stolen.”

HaveIBeenPwned’s Hunt concluded that aliases account for about 0.03% of registered email addresses by studying data leaked in the 2013 breach at Adobe, which affected at least 38 million users. Allekabels’ ratio of alias users was considerably higher than Adobe’s – 0.14% – but then again, European internet users tend to be more privacy-conscious.

Although the overall adoption of email aliases is still quite low, this could change. Apple customers who use iCloud to sign up for new accounts online are encouraged to use Apple’s Hide My Email feature, which creates the account using a unique email address that is automatically forwarded to a personal inbox.

What are the disadvantages of using email aliases, other than the effort of setting them up? The biggest drawback is that many sites don’t allow you to use a “+” sign in your email address, even though the email standard explicitly permits that character.
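As an added illustration (not code from the article), here is a small Python script covering two of the technical points above: a sign-up validator that accepts the “+” character the email standard allows, and the alias-frequency heuristic for spotting which site a leaked address list most likely came from. The address list, the site name “examplestore” and the threshold of five are constructed for this example.

```python
import re
from collections import Counter

# Dot-atom addr-spec shape per RFC 5322: the local part may contain "+"
# (and the other atext punctuation), which many sign-up forms wrongly reject.
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_ADDR_RE = re.compile(rf"^{_ATEXT}(?:\.{_ATEXT})*@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")


def is_valid_address(addr: str) -> bool:
    """Accept dot-atom addresses, including plus-aliases such as user+shop@example.com."""
    return _ADDR_RE.fullmatch(addr) is not None


def split_alias(addr: str):
    """Return (base_address, tag), where tag is the text after '+' in the local
    part (lower-cased), or (addr, None) when the address carries no alias."""
    local, _, domain = addr.rpartition("@")
    base, plus, tag = local.partition("+")
    if not plus or not tag:
        return addr, None
    return f"{base}@{domain}", tag.lower()


def suspect_breached_sites(addresses, threshold=5):
    """Count alias tags across a leaked address list and return those seen more
    than `threshold` times: the article's heuristic that a tag shared by more
    than a handful of addresses names the site the list was taken from."""
    tags = Counter(split_alias(a)[1] for a in addresses)
    tags.pop(None, None)  # addresses without an alias carry no signal
    return {tag: n for tag, n in tags.items() if n > threshold}


# Constructed sample dump: 40 plain addresses, 7 aliases for one fictional
# store, and two one-off aliases that should not be flagged.
SAMPLE_DUMP = (
    [f"user{i}@example.net" for i in range(40)]
    + [f"person{i}+examplestore@mail.test" for i in range(7)]
    + ["alice+newsletter@mail.test", "bob+gym@mail.test"]
)

if __name__ == "__main__":
    print("valid:", is_valid_address("user+example@example.com"))
    print("suspects:", suspect_breached_sites(SAMPLE_DUMP))
```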

Also, if you use aliases, it helps to have a reliable mnemonic for remembering the alias used for each account (this is less of a problem if you create a new folder or rule for each alias). That’s because knowing an account’s email address is usually a prerequisite for resetting the account’s password, and if you can’t remember the alias you added long ago when you registered, you may have limited options for recovering access to that account if you ever forget your password.

And you, dear reader? Do you rely on email aliases? If so, were they helpful? Did I forget to mention pros or cons? Feel free to express yourself in the comments below.
