Open Wi-Fi. Wireless access points that don’t require an encryption key to access don’t protect your data as it transits through the air. This means that your username and password can be “sniffed” by anyone else using the access point as well. I haven’t been able to find any reports of malware-infected laptops running sniffers at coffee shops, but it’s really just a matter of time. The only way to protect yourself is to be sure that the websites and e-mail servers you use employ SSL (“https:”) for everything, not just logging in. Protecting only the login page is not enough: once you are logged in, the cookie that identifies your session travels with every request, and anyone who captures it over plain HTTP can use your account without ever learning your password.
Man-in-the-middle attacks. An attacker on those same open Wi-Fi networks can also capture your password with a so-called man-in-the-middle attack: your computer is tricked into sending its traffic to the attacker’s machine, which reads it and passes it along to the correct website, so that the connection appears to work normally.
Man-in-the-middle attacks are especially easy over Wi-Fi, but they can take place anywhere on the Internet, and they can also be implemented through malware on your own computer. Here even SSL is not enough by itself. Your browser protects you only if it checks that the certificate presented by the SSL-enabled website is legitimate: issued by an authority it trusts, and issued for the site you actually asked for. An attacker in the middle can present a forged certificate, or a real one for a different site, and your browser will happily set up an encrypted connection to the wrong party; the certificate warning it shows is the only thing standing in the way. Most people click through certificate mismatch errors anyway.
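The two checks that turn “SSL” into real protection against a man in the middle are the ones a browser performs on the certificate: does it chain to a trusted authority, and does its name match the site you typed? The following Python is an added illustration, not code from the article. It builds a TLS client context with those checks on (and, for contrast, the “ignore the warning” variant with them off), and implements the RFC 6125 name-matching rule that produces a “certificate mismatch” error. The SAN lists at the bottom are constructed examples, not real certificates.

```python
import ssl


def make_client_context(verify: bool = True) -> ssl.SSLContext:
    """Build a TLS client context.

    verify=True (the default, and the only safe choice) requires the server
    certificate to chain to a trusted root and its name to match the host we
    asked for.  verify=False reproduces what clicking through a certificate
    warning does: any certificate, including one minted by a man in the
    middle, is accepted.  It exists here only to show the contrast.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    if not verify:
        ctx.check_hostname = False      # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hostname_matches(hostname: str, san_dns_names) -> bool:
    """Decide whether a certificate's dNSName entries cover `hostname`.

    This is the name check behind a browser's "certificate mismatch" error,
    following the RFC 6125 rules: exact, case-insensitive match, and a
    wildcard only as the whole left-most label ('*.example.com' covers
    'mail.example.com' but neither 'example.com' nor 'a.b.example.com').
    """
    host = hostname.rstrip(".").lower()
    for name in san_dns_names:
        name = name.rstrip(".").lower()
        if name.startswith("*."):
            suffix = name[1:]  # ".example.com"
            prefix = host[:-len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
        elif name == host:
            return True
    return False


# Constructed SAN lists (hypothetical certificates, not real ones).
LEGIT_SAN = ["mail.example.com", "*.example.com"]
MITM_SAN = ["mail.example.com.attacker.test"]  # attacker's own, valid cert for another name


def would_warn(hostname: str, san_dns_names, verify: bool = True) -> bool:
    """True when a browser configured like make_client_context(verify) would
    stop and warn about the name on the certificate.  With verify=False the
    mismatch is swallowed, which is the window a man in the middle needs."""
    return verify and not hostname_matches(hostname, san_dns_names)


if __name__ == "__main__":
    for san in (LEGIT_SAN, MITM_SAN):
        print(san, "-> warning:", would_warn("mail.example.com", san))
```

Note the order in the insecure branch: Python refuses to set `verify_mode = CERT_NONE` while `check_hostname` is still true, a small guard against disabling verification by accident. The wildcard rule deliberately refuses to match across a dot, so a certificate for `*.attacker.test` never covers `mail.example.com.attacker.test`’s parent names, and `*.example.com` never covers the bare `example.com`.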
Phishing scams. Surprisingly, a fair number of users still fall for phishing scams, in which they voluntarily hand over their username and password to a malicious website. Typically users end up at these sites when clicking on a link they receive by e-mail.
Different website, same password. Finally, many websites (including major newspapers and magazines) require that you set up an account with an e-mail address and a password in order to access their content. Don’t use the same password that you use to access your e-mail. Many of these sites store passwords carelessly, and a password stolen from one of them will be tried against your e-mail address on every other service; otherwise the website owners (and anyone who hacks that website) will be able to take over your other accounts, including your e-mail.
What happens if you follow all of these precautions and your e-mail account still gets compromised?
Here are some ideas:
Be an authentication pioneer. Google, E*Trade, and other firms have deployed systems that augment passwords with a second factor: a one-time code sent to your cell phone or generated by a handheld security token. Although these systems can be defeated with malware on your computer, which can wait for you to type the code and use it before it expires, they are still far more secure than passwords alone, because a password stolen from a website or sniffed at a coffee shop is useless without the code. Currently you need to opt in to these systems. If you care about your security, you should be a pioneer and give them a try.
Be prepared. Google, Facebook, Apple, Amazon, and others allow you to take proactive security measures to protect your account in the event that the password is compromised. This includes registering alternative e-mail addresses, registering cell phone numbers for backup authentication, and providing answers to “secret questions” (choose answers that can’t be found on your public profiles, since attackers use these questions to reset passwords too). Unfortunately, you have to do this before your account gets hacked, not after.
Be alert. Facebook allows you to provide a cell phone number that gets an SMS message whenever someone logs in from a browser the site hasn’t seen before. This is a simple, effective way to learn when someone other than you accesses your account. If it happens, you’ll be in a race to change your password (and your recovery options) before the attackers do.
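The mechanism behind such an alert is a small piece of detection logic: remember which devices have logged in to each account and flag the first login from one that hasn’t. The Python below is an added example of that logic, not Facebook’s implementation; the login records are constructed, and the device identifier stands in for whatever a real site uses (typically a long-lived browser cookie or fingerprint).

```python
from collections import defaultdict

# Constructed login records: (account, device_id, source_ip).  The last
# alice entry is the case the SMS alert exists for.
SAMPLE_LOGINS = [
    ("alice", "chrome-laptop-7f3a", "203.0.113.10"),
    ("alice", "chrome-laptop-7f3a", "203.0.113.10"),
    ("bob", "firefox-desk-91cc", "198.51.100.4"),
    ("alice", "unknown-browser-00e1", "192.0.2.77"),
    ("bob", "firefox-desk-91cc", "198.51.100.4"),
]

# Devices already enrolled for each account, e.g. recorded when the user
# first verified a phone number.  Hypothetical seed data for the example.
ENROLLED = {"alice": {"chrome-laptop-7f3a"}, "bob": {"firefox-desk-91cc"}}


def new_device_alerts(logins, known=None):
    """Return one (account, device, ip) alert for each login from a device
    not previously seen on that account, learning devices as it goes.

    Without `known`, every account's first login is alerted on as well;
    that is the safer default, since silently trusting the first device
    would let an attacker who strikes first become the baseline."""
    seen = defaultdict(set)
    for account, devices in (known or {}).items():
        seen[account].update(devices)
    alerts = []
    for account, device, ip in logins:
        if device not in seen[account]:
            alerts.append((account, device, ip))
            seen[account].add(device)
    return alerts


def alert_message(alert):
    """Text for the SMS.  It names the device and address so the owner can
    tell a new laptop from an intruder, and tells them what to do first."""
    account, device, ip = alert
    return (f"New login to {account} from {device} ({ip}). "
            f"Not you? Change your password and recovery options now.")


if __name__ == "__main__":
    for alert in new_device_alerts(SAMPLE_LOGINS, ENROLLED):
        print(alert_message(alert))
```

The alert only starts the race the text describes; it doesn’t win it. An attacker who gets in will typically try to change the password and the recovery e-mail and phone number immediately, which is why the message tells the owner to fix both rather than just the password.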
Maintain multiple accounts. Don’t put all of your eggs in one basket! Have accounts at multiple e-mail providers—and accounts at multiple financial institutions for your money, as well. That way, when you get hacked, at least you’ll have a backup.
Keep offline copies. Finally, don’t keep the sole copy of your precious data at some cloud provider—download your data to your home computer, then burn it to disc or copy it to a disconnected hard drive. That way, even if you lose your online access, at least you’ll have a copy.
Simson L. Garfinkel is an author and researcher in Arlington, Virginia, who focuses on such topics as computer forensics and privacy. He is a contributing editor at Technology Review.