On the Necessity of Having Strong Email

One of the things you should do to better protect your crypto coins and associated operations is use a strong, well-protected email account. Ideally, it should not be publicly known and should not be used for your regular communications. I happen to know just the right email service for the job. However I will link to it only at the end of this article, because first I want to talk a bit about why I think it is necessary to use a separate email for your crypto coin stuff.

Why a separate email account?

Internet users fall into two categories: those who have had their user data stolen from multiple web services, and those who will have the same happen to them very soon.

When cyber thugs hack some company and take away with the data, they may get your email address and password for that particular service, and can possibly derive valuable information about your patterns of behavior. Even if you follow good security practices and never reuse passwords, the bad guys may still try to break into your email by using carefully crafted phishing and social engineering attacks on you.

Keeping clear of phishing is outside the scope of this article, but if you use one email address for your regular logins — cloud services, news sites, e-shops, forums and the like — and have another one for your crypto coin-related activities, you greatly reduce the possible surface for a phishing or a social engineering attack.

Email as a key to recovery

Most if not all crypto coin related services rely on two-factor authentication (2FA). Sometimes they rely on SMS codes and often they support Google Authenticator or (the superior) Authy. However people are clumsy and inept, and may lose access to their 2FA token if their phone gets stolen or destroyed. Because having to deal with angry and scared users is a customer support nightmare, some services offer the option to restore access via email.

A very recent example for me is Exodus (a universal local coin wallet that I have written about) which allows you to enter an email address as a safety measure. In case your local wallet gets destroyed or you forget the password, you can use that email address to get a recovery link.

A smart cyber data thief who has broken into your mailbox can easily try to initiate this recovery process and drain your account while you’re on vacation. He doesn’t need to know you are using Exodus; he just has to pass all users on his stolen lists through the wallet recovery script he’s written and if the Exodus sysadmin doesn’t have a feature in place that prevents such attempts (which is highly unlikely; all companies in this field are still essentially toddlers), the damage will be done.

Email as a backup codebook

You can use a secure email account to send to yourself confidential data such as one-time passcodes or the seed words for your wallets. Obviously, you should first encrypt your data locally and this method does add a certain amount of risk. But we have all more or less gotten used to how email works. Doing stupid things like locking yourself out or deleting the wrong message might be less likely in your mailbox than in KeePass.

Enhanced email use with tags & labels

Email has a little known and tremendously useful tag & label feature that can be used for filtering. Taking the fictional address [email protected], we can use the plus sign to ‘label’ emails. E.g.:

[email protected]

or

[email protected]

Both of these messages will be delivered to [email protected]. You can configure your email client to do some filtering according to these tags. However you can also use this feature to create slightly different login credentials for different accounts. (e.g., your login for Coinbase could be [email protected]). This gives you two extra benefits:

  • You will know who is spamming you or has sold your email address to spammers, because spam will arrive to the particularly tagged version of your email address
  • You will further diversify your login credentials

Now even if the website where you registered with [email protected] gets hacked, this login username will be worthless anywhere else.

True, if a human sees [email protected], he will know your actual email address, but this is highly unlikely. Hacked data is shared in large dumps with hundreds of thousands or millions of login credentials bundled together. These are parsed by scripts written by the crooks, and to these scripts [email protected] is totally unrelated to [email protected]

The drawbacks

A good, safe email service may still get hacked. But if it uses client-side encryption like the service I am about to recommend, your data will still be (relatively) safe. Such a service may also be DDoS’ed or otherwise shut down temporarily or permanently, leaving you hung out to dry. But there is nothing 100% safe in life anyway, and by observing the security measures outlined so far, you will be so far ahead from other internet users so as to be untouchable.

The Proposed Solution (Drum Rolls)

ProtonMail: Secure Email based in Switzerland
ProtonMail: Secure Email based in Switzerland

The email service I have had in mind this whole time is ProtonMail. It is based in Switzerland, which has very strong privacy laws that should keep away overly zealous governments (I am looking at you, USA, UK and EU). It also offers client side encryption, meaning your emails are encrypted with a private key derived from your login password. ProtonMail do not have access to your unencrypted data, so even if they suffer a breach or are legally forced to hand over your data or their servers get hacked, you will still have time to change your login credentials where needed, or empty the compromised wallets.

Here is an overview of the ProtonMail security model. The ProtonMail Threat Model is another interesting read (for cybersecurity nerds like me, that is).

ProtonMail is free to use and has a 500MB mailbox limit. You can support them by donating or buying their swag, or just grab a subscription, which is nothing if not affordable (starting from $4/€4 per month, $48/€48 per year).

 

Update (16. Aug 2017): As if all of the above wasn’t enough already, ProtonMail have just announced automated bitcoin payments from within their system. Awesome stuff.

Please consider supporting this blog by clicking on the banner below when purchasing bitcoin equipment.
Ledger Nano S - The secure hardware wallet