In the aftermath of the Carleton University Students’ Association (CUSA) election, the Change 2017 slate alleged that someone hacked their shared email account. The university was only able to track the access to their account to the fourth floor of the University Center’s public student WiFi, meaning whoever hacked Change’s email essentially got away with it.
Scary stuff.
So what exactly does any of that mean?
In the information security industry, this type of hack is referred to as unauthorized access, which simply means using a resource like an online account, computer, or network without permission from its owner.
Different resources have different measures in place to prevent unauthorized access, ranging from a simple password to a full retinal scan, depending on how sensitive the resource is. These are called authentication methods: ways of proving that you are who you claim to be. (The “I am not a robot” checkbox on a login page is not one of them; it only checks that a human rather than a script is filling in the form, and says nothing about which human.) Some accounts require two or more authentication methods, depending on what the owner has configured.
Sounds complicated, doesn’t it? Think about going to an ATM. ATMs require two authentication methods. One is your bank card (something you have) and the other is your PIN (something you know). Would you feel comfortable with your money if one of those two checks were not required? Online accounts are no different; you just have much more flexibility in how secure you make them.
Here are a few recommendations for how to make you or your organization much less vulnerable to an email hack:
- Use a strong password.
When choosing a password, balance security with convenience. A password so complicated that you have to write it down is, in practice, less secure than a longer passphrase you can remember, because it ends up on a sticky note or gets reused everywhere. I usually recommend choosing four unrelated English words and making yourself a phrase you will remember, then adding a capital letter or two and a symbol. For example, “Pumpkin7MonkeyVodkaLoonie!” is a better choice than something that looks complicated but is short and unmemorable, such as “7Hd^*y;;cfaFf9.” Strength comes mainly from length and from the words being genuinely unrelated (not a song lyric, a team name, or anything about you), not from the symbols. Once you’ve chosen a password, do not share it with anyone, and change it immediately if you suspect it has been exposed; a routine change once or twice a year matters far less than length and not reusing it.
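To make the passphrase advice concrete, here is an added example (not part of the original article) that generates a passphrase from a word list with a cryptographically secure random choice and compares the entropy of a few password shapes. The word list is a constructed sample, the 7776-word list size is the standard diceware list, and the guess rate of 1e10 per second is an assumed figure for an offline attack on a leaked database of weakly hashed passwords. The point it shows: four truly random words are roughly as strong as eight random printable characters, six words approach a 14-character random string, and only the words are memorable.

```python
import math
import secrets

# Constructed sample word list (illustration only). A real generator should draw
# from a list of several thousand words, e.g. the 7776-word diceware list.
SAMPLE_WORDS = [
    "pumpkin", "monkey", "vodka", "loonie", "canoe", "maple", "toboggan",
    "hockey", "poutine", "beaver", "tundra", "glacier", "moose", "fiddle",
]

PRINTABLE_ASCII = 95   # characters a keyboard can type: letters, digits, symbols
DICEWARE_WORDS = 7776  # size of the standard diceware list (6^5)


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly and independently from `pool_size` options.

    This only holds for symbols picked at random; a word or character the user
    chose because it was meaningful contributes far less than log2(pool_size).
    """
    return length * math.log2(pool_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time for an attacker to try every possibility at the given rate."""
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365 * 24 * 3600)


def generate_passphrase(words, count: int = 4, separator: str = "-") -> str:
    """Pick `count` words with a cryptographically secure RNG.

    Using `secrets` rather than `random` matters: `random` is predictable and
    must never be used to generate credentials.
    """
    return separator.join(secrets.choice(words) for _ in range(count))


def compare_options(guesses_per_second: float = 1e10) -> dict:
    """Entropy and exhaustive-search time for a few password shapes.

    1e10 guesses/second is an assumed rate for an offline attack on weakly
    hashed passwords; a site that rate-limits online logins is far slower.
    Returns {name: (bits rounded to 0.1, years to exhaust)}.
    """
    shapes = {
        "8 random printable characters": entropy_bits(PRINTABLE_ASCII, 8),
        "14 random printable characters": entropy_bits(PRINTABLE_ASCII, 14),
        "4 random diceware words": entropy_bits(DICEWARE_WORDS, 4),
        "6 random diceware words": entropy_bits(DICEWARE_WORDS, 6),
    }
    return {name: (round(bits, 1), years_to_exhaust(bits, guesses_per_second))
            for name, bits in shapes.items()}


if __name__ == "__main__":
    print("suggested passphrase:", generate_passphrase(SAMPLE_WORDS))
    for name, (bits, years) in compare_options().items():
        print(f"{name:32s} {bits:6.1f} bits  ~{years:.2e} years to exhaust")
```

The numbers assume the attacker has your password hash and can guess offline; against a login form that locks out after a few attempts even the weakest shape survives for years, which is why the advice in the next points (unique passwords, 2FA) matters as much as the password itself.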
- Use different passwords for different websites or computers.
According to HaveIBeenPwned, a searchable repository of data breach information, data from over two billion user accounts had been stolen from 189 websites at the time of writing, including LinkedIn, Tumblr, Adobe, and MySpace. If you have an account on one of these services and use the same password everywhere, every one of your accounts is at risk: attackers take the leaked username and password pairs and try them automatically on other sites (known as credential stuffing). The fix is a different password for every site, which in practice means a password manager. A predictable variation, such as the same password with a site-specific suffix (‘_1’), is better than nothing but not by much: attackers try common variations too, and anyone who sees one of your passwords can guess the rest.
- Enable Two-Factor Authentication (2FA) if available.
Google, Twitter, Facebook, and many others provide the option to add 2FA to your account. Once it is enabled, a bad actor who knows your username and password still needs the second factor, which makes a leaked or guessed password far less damaging. Typical delivery methods are a code sent by SMS or a code generated by an authenticator app on your phone; the app is preferred, because SMS codes can be intercepted or redirected by someone who takes over your phone number (a “SIM swap”), and neither method stops a phishing page that asks you for the code in real time, so still check the address you are logging in to. Once enabled, platforms will typically allow you to “trust” devices, so the second check is only required when the system doesn’t recognize the device you’re coming from.
- Don’t share email accounts.
Student organizations are notorious for creating a catchall email account and handing the password to several people in the organization. This is very poor security: nobody can tell who actually logged in, the password cannot be changed without telling everyone, and the account cannot have 2FA tied to one person’s phone. It is easily avoided. Keep the shared address, but have it forward to each member’s own account, and use rules and filters in those individual accounts to sort the organization’s mail. That way everyone has their own username, password, 2FA and recovery settings, one person’s access can be removed when they leave without touching anyone else’s, and the shared email account is much less vulnerable to a hack.
- Set a recovery email address.
In many cases, when you submit a password reset request and you do not have a recovery email set, platforms fall back to security questions (whose answers can often be guessed or found on social media) or ask for previous passwords to confirm your identity. Setting a recovery email address gives them a much more reliable way to verify that you are the user requesting the reset. It also makes the recovery account a target in its own right, so protect it with a strong password and 2FA as well. Use your Carleton email account!
The internet is an ocean of information and people, and there are always going to be bad actors. If you follow these tips and ask lots of questions, staying secure is easy!