Picture yourself filling out the following form. Maybe you’re signing up for a new account at a blog, or forum, or gallery, or the latest Web 2.0 social gadget. Look at the fields, and imagine what you would put into each one.
Now — and answer honestly — did you just give this unknown website the password to your email account? If you’re like most people, then you probably did.
Most people have just a handful of passwords that they use for everything. Often one password for banks and other high-security sites, and one for “normal” sites, like forums and email. But if someone knows your email address, then they know where to go to check your email. And now you just gave them the password to your account. Whoops.
So, what can the bad guy do with your email password? Just about anything, it turns out. When it comes to your online identity, forget bank accounts and social security numbers — your online identity is your email address.
First, he can set up filtering and redirection rules so that important messages from important companies (like your bank) will be forwarded to somewhere else, where you’ll never see them. Then he can read through your mail history to see what assets you might have that are of value. And finally, he can start sending “I forgot my password” requests, and grant himself control over everything you own.
What’s more, it’s not just your bank account and credit card that you’d have to worry about. For example, if you run a website or work for an important company, the hacker can easily leverage your email account to attack these assets as well. He can (permanently) transfer ownership of your domain away from you, for example. And many of the most sophisticated attacks against major corporations are traced back to someone’s email account getting compromised.
Your email account is the key to your kingdom. Be very, very cautious with it.