Prepping: “Stuffing-proof” Your Email

No, I don’t talk much about my role in the cyber-insurance world.  But, I have become much more informed than most and I want you to do one simple thing for me:

“Stuffing-proof Your Email”

Data breaches are happening at an ever-increasing rate.  We (the people I work with) anticipate huge growth in the number of breaches in coming months.

Even though some breaches are only PII (personally-identifiable information) breaches, if they relate an email address and snag a password, it opens the way for “stuffing” attacks.

Let me walk you through a typical case:

  1. It begins when a hacker manages to breach a website.  Let’s for the sake of this example assume it was a social media site.
  2. The hacker hasn’t gotten your credit cards.  Nor has the hacker gotten your street address or phone number.  But all they are after is your email address and password.  For some sites, a username is required.  But, an unfortunate number of websites (including most social sites) will log you on with an email and a password.
  3. Let’s make this a small breach.  2-million records.  We will load them up into easily written scripts.  The scripts look at two databases.  One is the PII data that has been stolen.  The other is the “stuffing list.”
  4. When run, the hacker’s program will insert your email and your password into the logon screen of, oh, 500 of the largest banks and brokerages in America.
  5. You turn out to be unlucky and what happens?  It’s like having the key to your home stolen.  They get in and wire the money (shadow banks are great for this) to themselves via a third-party cut-out.

That’s how email “stuffing” works.  Simple enough.

How do big companies try to get around it?  Well, any time they get more than a couple of password/logon attempts that fail, they block an IP address.  But, sadly for the IT departments, the “stuffers” are bright-enough to use multiple IP addresses and they happily continue to stuff.

Is there a way to protect yourself?  Sure.  And it’s simple.

All you need to do is “key” each of your passwords to the sites you use.

Just like setting up access control on a commercial building.  Not all employees have access to all areas.  I’ve had to, in the past, set up “security zones” so that a business knew who was able to access high-value resources and keep everyone else out.

The first thing you need to do, before we go spending a bunch of time of keying passwords, is to make sure your critical passwords are complicated-enough to be nearly impossible to crack.

My “core passwords” are 13-characters in length.  They include numbers, upper/lower case letters, and several of the so-called “special characters.”  Upper case 8 on most keyboards will generate a * for example.

Using the Gibson Research password tester, I figure my odds on the core passwords as:

Naturally, even though I trust everyone (OK, I trust no one) even on the tester I don’t use my actual.  I use proxy characters.  But, as you can see, my core password is pretty good.

Now, Let’s Key it to Specific Sites

Let’s assume now, that I have this really good password but one of my accounts is breached.

How can I “key” my really good password to only one site?

Let’s use an example of a three site user.  They may use Facebook, Twitter, and Spotify, for example.

All we need to do is add “Fa” somewhere in the strong password which keys it to Facebook.  So, strong (nearly unbreakable) core plus the letters Fa  (the first two letters of Facebook, right?) nailed on the ass-end of the strong core.  We just got even more difficult to crack.

anti-stuffing passwords

Wow, huh?

OK, we can do even better by going with four letters from the site.  Let’s run my core plus “Face” in it.  In other words, we add four total characters to our strong core:

Trillion year passwords

Now consider what happens when if (and this is an example only) there were to be a huge breach at Facebook.  That password would not open the Spotify account, nor would it open the Twitter account of our theoretical user.  Nor any of their bank or trading accounts.

What About Smarter Hacker Scripts?

Yeah, we need to have this part of the discussion, too.  Because hackers, as a lot, are very smart people.

It wouldn’t be too tough to run a search of (again, an example only here) a file of hacked Facebook data and look for all occurrences of “Fa” (case 1) or “Face” (case 2) and hold those out for further study.

However, at some point “mining” Bitcoins becomes a much more predictable way to maker money on the Internet.

What’s more, some wise-ass somewhere is bound to figure out that most people would put either the “Fa” or the “Face” at either the beginning or end of the solid core password.

Two further tricks to enfold into becoming “email stuffing proof” with all your accounts arise:

One is to reverse “Fa” and “Face” to “aF” or “ecaF” respectively.  The other is to place them inside the strong core at an easy-to-remember break.

OK, Enigma bonus points if you bust the 4-part “ecaF” into a 3 and 1 or 2 and 2 positioning split  or a further iteration.

The point is?

There are definitely things people can do on the “consumer side” that can reduce (almost to the point of eliminating) certain kinds of password risks.

I appreciate that it is a little bit of work and personal retraining, but it’s also a damn-fine way to reduce your risk.  Especially if, like so many people, you use common passwords between sites.

If it’s not keyed, it’s just a matter of time until you end up in a big data breach and once thee?  Here come the stuffers.

You don’t have to make it easy on the bad guys.  They aren’t going to make it easy on you.

Write when you get rich,

george@ure.net

7 thoughts on “Prepping: “Stuffing-proof” Your Email”

  1. If Old West criminals such as Jesse James, Hoodoo Brown or Billy the Kid or their gang members were alive today, they might well have been global financial data hackers – much easier targets with a far bigger returns.

    Lawmen like Pat Garrett, Bat Masterson and Wyatt Earp might’ve been cyber-crime unit investigators for the FBI.

  2. Something that bothers me about unmemorable, long, complex passwords is having to keep a cheat sheet or auto password app. What if that is taken or hacked? Or worse, quietly copied and carefully put back so the snoop attack isn’t noticed.

  3. Cyber extortionists sometimes include a compromised password in an email threat to prove they gotcha. If you have a unique portion in your passwords, then it is a lot easier to assess the real damage.
    If you need to keep a log to remember all the passwords, don’t write down common strings, just enough of the user name and the unique portion of the password to jog your memory.
    The biggest hacking threat is usually people in your inner circle and your complacency. Passwords are not to be shared. Give out as little real data online as is possible. Using gift cards to pay online is an option on some sites. Trust no one online.
    Email breaches are especially dangerous. Try and set your email up so your email account user name and your email aliases are different. Your admin account should be yet a different name and password. Only use the email aliases publicly. Memorize your acount and admin user names, and don’t record them electronically. All this prevents a data breach by a third party escalating to a hijacking of your email account.
    Last, never keep sensitive personal data or passwords in stored emails. If you have any reason to suspect a data breach, be sure to check your computer for management console breaches and scan for key loggers. Many of the antivirus scanners don’t scan for key loggers, and none can see a management console breach. Check your new acquistions in the BIOS utilities to make sure the computer isn’t already set up for remote management. If it is, get help immediately and don’t access anything requiring a password, including email.

  4. It doesn’t necessarily have to be a hacker. A gentleman I worked with had his ide toy stolen..because he bought something. He had great credit a good job and the loan officer seen his chance.
    Set off in his own direction co.pletely opposite of the direction my friend had planned.
    My wife moved out of a place she rented and the people that moved in simply called the utility companies and said they were her. They didn’t need any information.. and we ended up being liable for the bills..even when it went to court.. after two court dates the judge tossed it out..several months later they served her with garnishment papers..seemed when the judge ruled that she wasn’t liable for the debt. The company had other thoughts. Penned her name at the bottom of the sheet for the actual people that was liable sent the letter certified to an address totally alien to where she had ever lived. The post office of course sent it back. Them sending it back was like saying she refused to get her mail and she was the one they garnished.
    If someone really wants to take you they are..
    There was one individual that would get irritated with someone and file a lien against the property.. because of a lien there isn’t any notification that one has been filed well no one would find out till they died or tried to get a loan or sell it. The end results was it was them that had to prove they didn’t owe that debt.
    One gentleman discovered that individual had put a hefty lien on his farm..in order for him to sell that bit of land it cost him thousands of dollars to get the old lien corrected.
    My ex wife and her new husband went to the doctor in another city. Since my employer owned that clinic they figured since I worked for them it would be easier for them to just get the money from me.. I got it taken off but it would have been cheaper for me to just pay the bill.

  5. the point I was trying to make is.. sure there are individuals that will go through elaborate methods to take advantage of you.. but you can walk into any courthouse any where and go back to the tax room.. there your life is laid out and I am betting you will see a group of people all just going through peoples lives looking for the next big buck….everything is in those open files.. the cars the homes everything including your banking and work information. a few years ago it was the posh thing to take classes on how to find abandoned property buy them for back taxes.. and flip them. https://finance.zacks.com/buy-foreclosed-property-paying-back-taxes-11181.html . there are still tv shows on that they do just that..
    Take google earth.. they drive around the USA and up and down streets.. realtors list properties and do a virtual walk through.. this information is stored and you can literally go up and down any street in the usa.. if there was a sale then do the walk through of the properties on the streets.. for someone with evil intents it is fairly easy to check the streets out and know the layout of any property. do you pay any of your bills automatically.. same thing you just gave someone access to your bank account..no passwords needed

    there are many things that have been passed that are suppose to make your life easier.. take a pawn shop or a tow truck company for an example.. by someone unscrupulous these very laws can be turned to someone elses benefits laws meant for companies to be able to recoup their losses on debts… like the liens.. the person that was doing that around here.. made a comment to me.. I own you.. I laughed about it and told the owner of the gas station that and he said you better run down to the court house.. because this individual was quick to do that.. drop a huge lien on the property then walk away.. only to turn the persons life upside down later on.

  6. Hi y’all. Just a bit of info here. I used to have Comcast and they came to my home to do some repairs one day. The technician had a question about the work and showed me the work order form on his tablet. As he was scrolling through the form I saw my user name AND password displayed.

    I was shocked. Comcast said that technicians did not have access to my account but they sure as hell had access to my password. Which means they could have had access to my account at any given time.

    While I use strong passwords, I was just reminded that, for every account I have, my passwords are more accessible to a lot more folks than I realized, and not because I’m sloppy, or lazy, or ignorant.

Comments are closed.