A few years ago, when I dedicated myself to repair home computers, it occurred to me to print some professional visit cards so that my clients could easily contact me. In addition to including my phone number, which only allowed to send text messages because WhatsApp was barely taking its first steps, I added my email.
I still remember leaving the printing press with a handful of cards in my hands, excited to start distributing them. But as soon as I cross the door, I realized that I had made a mistake: I used my main email. Until that time, it had remained relatively “secret”, but that changed at the moment it was printed on my cards. And it was the same email that I used as an access door to my digital life. I had just exposed it without realizing it.
A concern invaded me instantly, accompanied by several questions about the associated risks. What if someone tried access my accounts without permission? Could I use the mail that was on my cards along with the information about me on Facebook to try to guess my security response? And what would happen to the services I had linked?
The risk was minimal, I should not expose my main email. My immediate reaction was to create an exclusive secondary account for other services, while the direction printed on the card was only for professional contact. If your security was compromised, the impact would be limited. My accounts on electronic commerce platforms, social networks and other services would continue to have a recovery account other than the main one.
Having a single email address for everything was a mistake
To better understand why this caution is important, let’s put us for a moment in the mind of a cybercrime. If as an attacker he can access the main mail of a victim, I can easily explore his entrance tray to discover what other services he uses. For example, when you find Amazon emails or social networks, you could request restore passwords directly. If the victim also made the frequent mistake of reusing the same password – and somehow I have achieved it – I would not even have to strive a lot: it would be enough to try that key to access to multiple platforms, generating a serious domino effect.
The aforementioned solution was only temporary. It served me for a while, but we live in such a dynamic world that forces us to evolve, not only to take better advantage of technology, but also to guarantee our safety and privacy. Over the years, keep a contact email and another “secret” ceased to be enough. I discovered that my contact email was not so public or the “secret” so private. Although the latter was not on my card, I trusted any online service that asked me to register. And, as we know, companies, no matter how big they are, do not always protect the data of their users. There have been notorious cases of leaks, such as Yahoo’s of 2016 or Quora of 2018.
Although I had never shared it directly with other people, the amount of spam and fraudulent emails that I received made me suspect that my email address had been filtered on the Dark Webthat dark internet area where personal information circulates as a currency. After all, my email was probably part of some database sold to the highest bidder. Of course, among the undessed emails there were also classic scams such as that of the Nigerian Prince.
LinkedIn, at that time, publicly showed the email address of the users who enabled that option in the privacy settings. In addition, there were those who collected this data for mass shipments, which explained the amount of newsletters and unre requested messages that came to be connected to certain people.
I soon understood that I needed more than my own emails, because, like many, I had had others assigned by third parties, such as the University or those of work, which are usually deactivated by disconnecting from the institution. I decided to take the necessary measures to improve this aspect of my digital life, which meant Create other mail accounts. Thus were structured:
- Contact email: Public address so that anyone can write to me.
- Private mail for services: Exclusive for login and recovery of accounts.
- Work mail: For everything related to my professional activity.
- Mail for Newsletters: To receive and manage subscriptions without saturating other accounts.
- Mail focused on privacy: Proton mail account with end -to -end encryption and tracker lock.
In all I tried to apply the maximum security measures: two -step verification, passkeys, recovery keys, robust passwords, etc. In addition, I incorporated the use of a password manager to avoid the risk of reusing credentials and to generate unique and safe keys for each service. I opted for a reputed manager who allows me to store them safely without depending on memory or physical annotations that can be violated.
I also started using “Log in with Apple” with my private email for services, which allows me to hide my real address through random emails (@privaterelay.com). To this I added the Temporary ICloud+ Correos (@icloud.com), Ideal for records on platforms that do not inspire me confidence or whose data protection policy raises doubts. To reinforce security, I implemented multiple recovery methods. Thus, if a method does not work, I always have another access road.
This is essential because any recovery method can give problems. If I lose my mobile phone and it is my only access road to my account, I would be in a serious inconvenience. However, having both a telephone number and an associated email, I can recover access without depending on a single factor. The same goes for alternative verification codes: if I do not have immediate access to my phone, I can use one of those previously stored codes to log in safely.
Having multiple access recovery methods is not a luxury, but a necessity. In a world where everything goes through digital, losing an important account can become a serious problem. It is like depending on a single entrance door without emergency exits: if you block or lose your key, you could get caught. However, in cybersecurity it is not about finding an infallible solution, because I think it does not exist. What really matters is to raise barriers enough to violate the system Not worthwhilethat it is so expensive and complex that the attackers prefer to find another goal.
A clear example is the Sim Swapping, a technique that allows cybercounts to kidnap a telephone number to receive recovery codes and take control of other people’s accounts. This attack demonstrates why SMS as an authentication method are not so safe. But this is just one of many possible attacks. Threats constantly evolve and it would be impossible to cover them all here. What was safe yesterday, today can be a weak point, and what protects us today could be irrelevant.
Images | Brett Jordan | macrovector | Justin Morgan | Giorgio Trovato
In WorldOfSoftware | My data has been filtered, now what: the steps you should always take that there is a massive filtration on the Internet that can affect you
In WorldOfSoftware | APK “with a bug”: the risk of using other routes to access free premium spotify after the closure of several clients
