Email Security



A few weeks ago the contact information for our club's new officers was posted on our region's web site. Shortly thereafter, our president's email was spoofed and a phony email was sent from the president to the treasurer, requesting help in withdrawing funds from the club's bank account.

This has raised concerns among the region board members, and we are trying to come up with a better way to provide contact information for the club without exposing private email addresses on the web site and in the newsletters.

How does your region protect its members from identity theft?


I have not had any problems that I know of, and the whole idea of trying to hide people's email addresses is a fool's errand. Email addresses get out. And email addresses are not the spawn of identity theft. Careless people are what cause ID theft.

The real answer is to get smart about your email, use a good spam filter, be super careful about clicking on links, and never transfer money in any fashion without verbal confirmation.

So, maybe you say on your site:

"We protect our members from ID theft by making sure people whose addresses appear on the site are aware of it, have the option to opt out of it, and by making sure they are well aware of safe email practices."

It was probably a coincidence that you posted the email addresses and shortly after your president's email was hacked.

Edited by Bob47

It is possible to obfuscate email addresses using JavaScript when posting on web sites. There are some cookie-cutter examples that are easy to find. I've "rolled my own" for a couple of reasons, one of which is I figure the email-harvesting people may have figured out an easy way to parse the cookie-cutter examples. Even though I've had my webmaster email posted on publicly available websites for over 10 years, I have no evidence that it has been harvested.

Either use a GPG plug-in on your email client or get a personal email certificate from a commercial supplier (there may be free ones available nowadays; I haven't checked because I run my own certificate authority). With either of those you can digitally sign your important email. No one can spoof that. If the party you are working with does the same as you, then you can encrypt the contents of the email from end to end. I would highly recommend that for any correspondence having to do with money. It boggles my mind that banks don't do and require this; the technology has been around for years now. Note: Email headers, including the subject line, cannot be encrypted, so be careful what you put in the subject.

Or, use an end-to-end encrypted messaging service when dealing with financial transactions. At this point in time, it appears that Signal by Open Whisper Systems is the best that a mere mortal can use.

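A "rolled your own" obfuscation of the kind the post above describes, as an added example (not the poster's own script): the address is reversed and Base64-encoded into a data attribute and rebuilt by script once the page loads, so a bot that only scans the static HTML for user@domain patterns finds nothing to collect. It assumes a browser with btoa/atob (also present in Node 16+); the DOM hook-up is skipped when run outside one.

```javascript
// Added example (not the forum poster's script): keep a published contact
// address out of the page source so a harvester scanning static HTML for
// user@domain patterns has nothing to collect. This is obfuscation, not
// encryption: it raises the cost of bulk harvesting and nothing more.
const toBase64 = typeof btoa === "function"
  ? btoa
  : (s) => Buffer.from(s, "latin1").toString("base64"); // older Node fallback
const fromBase64 = typeof atob === "function"
  ? atob
  : (s) => Buffer.from(s, "base64").toString("latin1");

function encodeAddress(address) {
  // Reverse first so the encoded text does not start with a recognisable prefix.
  // ASCII addresses only: btoa rejects characters above 0xFF.
  return toBase64(Array.from(address).reverse().join(""));
}

function decodeAddress(encoded) {
  return Array.from(fromBase64(encoded)).reverse().join("");
}

// The kind of pattern a simple harvesting bot runs over page source.
const HARVESTER_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/;

function isHarvestable(markup) {
  return HARVESTER_RE.test(markup);
}

// The markup actually published: a label plus the encoded address, with no
// readable address anywhere in the HTML (Base64 never contains '@').
function contactMarkup(label, address) {
  return `<a class="contact" href="#" data-enc="${encodeAddress(address)}">${label}</a>`;
}

// Browser only: turn the placeholders back into mailto: links after load.
if (typeof document !== "undefined") {
  document.addEventListener("DOMContentLoaded", () => {
    for (const link of document.querySelectorAll("a.contact[data-enc]")) {
      const address = decodeAddress(link.dataset.enc);
      link.href = "mailto:" + address;
      link.textContent = address;
    }
  });
}
```

Anyone who runs the page's scripts (a real browser, or a bot that executes JavaScript) still sees the address; the point is only to defeat the cheap regex sweep over raw HTML.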

6 minutes ago, R W Burgess said:

Gee Larry, multiple passwords. I have trouble remembering 2. ?

Get yourself a password manager! Now! Not later today! Not tomorrow! Get it now!

With a password manager you only have to remember one password (the one for the password manager). Then all your other passwords are saved in an encrypted file. It makes it possible to have a different password on every account/website/email service you have. Another thing it will do, at least it did for me, was make the number of accounts you have really visible. Between banking, brokerage, shopping, hotel, airline, utilities, you probably have more online accounts than you realize. And if you are on any social media sites (this AACA counts as one for me) the number will be even higher.

I have a friend who relied on having only a couple of passwords for everything. Turns out one of her accounts got hacked, and before she even knew about it she was locked out of her email and all her bank accounts, etc. Took a while and a lot of effort to deal with that. Not a good thing. And to this day she does not know which company's server was hacked.

If (or more likely when) some company's server is hacked and the password and ID for my account on that service is compromised, I have comfort in knowing that only that one service has been compromised for me; everything else is still safe. My typical password is something like URC4HlTz4a89Nm1ZH65ode6N9TrvdapR. That is not a real one, but like my real ones it was generated by a random process and is pretty much impossible for me to even type, much less remember. But I can easily copy and paste a password like that as needed. And every single account has a different password. I use the longest password string the site allows to make brute force attacks on decrypting it more difficult.

If the site used good storage techniques, a brute force should be the only way to crack the password. However, many sites don't use best practices, and if they are hacked then all accounts on it are compromised. You won't know about it until much later: in general companies have a very bad record about detecting hacks and an even worse record in letting their clients/customers/members know about it until long after the fact. You will probably find out, as my friend did, that a hack occurred when your email and bank accounts are not accessible.

Rule of thumb: If a site has a way to remind you of your password, then a bad guy can trivially get your password when they hack that site's servers. Never re-use a password on such a site or account.

A good site will not save your password but rather a salted cryptographic hash of your password. If they do that, then the site doesn't even know your password and a hacker will have to use a slow brute force method when they analyze information on the account database that they stole from the site.

I happen to use KeePass as it is available on all the different phones and computers I own. It is also open source, so I can look at the code myself. If you aren't confident in your ability to spot issues, others will. Open source allows everyone to audit the code, and from experience I can tell you that when a security issue occurs with open source two things happen very quickly: first, the word gets out quickly to everyone; second, the fix happens very quickly.


8 hours ago, R W Burgess said:

Gee Larry, multiple passwords. I have trouble remembering 2. ?

I keep all of the passwords on a flash drive in an Excel file, along with a copy in a safe place. There are lots of different ones.

Last time I checked, there were about 275 passwords on the list. Don't try to remember them anymore.


Hi Roger,

When I was managing our region's website we did the following (with one of the goals being to never expose members' personal information):

1. We purchased our own domain name (for example aaca_club.com).

2. We then used a low-cost hosting service (we used BlueHost at that time) which allowed us to not only host our website using our domain name but also to have 50 or so email addresses with our own domain (for example email@aaca_club.com).

3. We would then set up an email address for each officer/position within the club (for example president@aaca_club.com).

4. Then on the hosting service we would forward each one of these "club" email addresses to the personal email address of the person holding that position in the club (this way any mail sent to president@aaca_club.com was forwarded to the president's personal email address, saving them the need to log in to a separate email system).

5. When new club members took new positions we simply updated the email forwarding rules.

6. But on our website the only email addresses that were ever visible to the internet were the "club" created email addresses (personal email addresses were not on the website).

This won't necessarily stop any spam/scam email, but it at least isolated this email to the club's email addresses and not the club members' personal email addresses.

Bob

Edited by vwlfan

10 hours ago, ply33 said:

If (or more likely when) some company's server is hacked and the password and ID for my account on that service is compromised, I have comfort in knowing that only that one service has been compromised for me; everything else is still safe. My typical password is something like URC4HlTz4a89Nm1ZH65ode6N9TrvdapR. That is not a real one, but like my real ones it was generated by a random process and is pretty much impossible for me to even type, much less remember. But I can easily copy and paste a password like that as needed. And every single account has a different password. I use the longest password string the site allows to make brute force attacks on decrypting it more difficult.

I follow this same security thought process by using a password manager. Every site I use has its own unique randomly generated password. I have no idea what my actual password is for this forum, but my password manager simply fills in the password automatically when I open the login page for this site. And today's password managers automatically sync between all your devices, so as soon as I add/change a password on say my desktop it is automatically sync'd out to my laptop and my phone.


51 minutes ago, vwlfan said:

Hi Roger,

When I was managing our region's website we did the following (with one of the goals being to never expose members' personal information):

1. We purchased our own domain name (for example aaca_club.com).

2. We then used a low-cost hosting service (we used BlueHost at that time) which allowed us to not only host our website using our domain name but also to have 50 or so email addresses with our own domain (for example email@aaca_club.com).

3. We would then set up an email address for each officer/position within the club (for example president@aaca_club.com).

4. Then on the hosting service we would forward each one of these "club" email addresses to the personal email address of the person holding that position in the club (this way any mail sent to president@aaca_club.com was forwarded to the president's personal email address, saving them the need to log in to a separate email system).

5. When new club members took new positions we simply updated the email forwarding rules.

6. But on our website the only email addresses that were ever visible to the internet were the "club" created email addresses (personal email addresses were not on the website).

This won't necessarily stop any spam/scam email, but it at least isolated this email to the club's email addresses and not the club members' personal email addresses.

Bob

Good information, Bob, thanks.

Our region's web site is provided by the National AACA, via Higher Information Group. I recently contacted HIG about setting up an information email address. They struggled with the request for a while and never did come up with one that worked.

The AACA guidelines specify "club / officer contact information." Until the recent email-theft incident, we listed the email addresses for every officer and board member in the club, plus an "info" link for contacting the webmaster. Now, we only publish the info link.

I think an acceptable solution would be to provide an info link, plus the email address for the club president. That would limit the email exposure to two email addresses, rather than a half-dozen; but I'm not sure that would comply with the guidelines.


34 minutes ago, Roger Frazee said:

Our region's web site is provided by the National AACA, via Higher Information Group. I recently contacted HIG about setting up an information email address. They struggled with the request for a while and never did come up with one that worked.

National's ability to host region websites is a great service and deal for clubs. But I can certainly see and understand how supplying and managing email addresses for all the local regions would quickly get to be unmanageable for HIG.


I got a Gmail account for the club (this is the only one that appears on the web site). I have any emails forwarded to my personal email account. I then forward the email to the correct person. This isn't ideal but in 15 years I have never had a problem.


2 hours ago, 24T42 said:

I got a Gmail account for the club (this is the only one that appears on the web site). I have any emails forwarded to my personal email account. I then forward the email to the correct person. This isn't ideal but in 15 years I have never had a problem.

That's a good idea.  Simple and effective.  I like it!


My e-mail was listed on our website, as I was a club officer. Quickly, I began getting junk e-mails from unknown and unwanted sources. I immediately had our website manager remove the e-mail address.

For the newsletter itself, don't list e-mails if you post your newsletters on your website. Simply delete that page on the website version. If you produce, instead, a good printed newsletter and distribute it only via mail, you don't have that problem.


I've never had any problems even after years of having my phone number listed on our region's website. (Glad to report!)

Phone numbers on a website are extremely helpful to others. Numerous times I've used them from other websites when I wanted to confirm the date of an event, or reprint an article. So listing phone numbers is beneficial without any noted downside.

Edited by John_S_in_Penna

13 hours ago, John_S_in_Penna said:

I've never had any problems even after years of having my phone number listed on our region's website. (Glad to report!)

Phone numbers on a website are extremely helpful to others. Numerous times I've used them from other websites when I wanted to confirm the date of an event, or reprint an article. So listing phone numbers is beneficial without any noted downside.

Maybe I'm being overly cautious, but phone numbers get spoofed as much as, if not more than, email addresses. I get robo-calls every day from stolen cell phone numbers, offering me the chance to lower my credit card interest rates.

Also, once a phone number is hacked, it can also be used to send malicious texts.

While it may have been a good idea to publish phone numbers in the past, it seems like a dangerous practice today.


8 minutes ago, Roger Frazee said:

Maybe I'm being overly cautious...

While it may have been a good idea to publish phone numbers in the past, it seems like a dangerous practice today.

I'd say that, if a club gave no way to contact its officers--other than some impersonal blind message box--the scammers would have won. Potential members couldn't call to ask questions; people from other regions would remain distant.

Knowing other hobbyists, and making a lifetime of connections in the hobby near and far, is what really enhances the enjoyment of our cars.

Let's allow for interpersonal contact in some manner, and keep our ties strong. THIS is what strengthens the AACA or any club!

Edited by John_S_in_Penna

56 minutes ago, Roger Frazee said:

Maybe I'm being overly cautious, but phone numbers get spoofed as much as, if not more than, email addresses. I get robo-calls every day from stolen cell phone numbers, offering me the chance to lower my credit card interest rates.

Also, once a phone number is hacked, it can also be used to send malicious texts.

While it may have been a good idea to publish phone numbers in the past, it seems like a dangerous practice today.

Roger, on some other websites I work with, as a result of the security and spam issue you mention, I purchase a virtual phone number online (about $2/mo, much like the mentioned Gmail account to forward email) and then simply forward that phone number to one or more personal phone numbers. This virtual number is then used on the website, providing both an easy standard phone number for contact and the ability to isolate and protect personal user phone information. - Bob


These days you can't hide from spammers/scammers. My email and phone number are all over the web and I get my share. My 90-year-old mother has never touched a computer and has very little presence on the internet, and she gets more scam calls and paper spam than I do.

An old trick that used to work was to put information you didn't want harvested up as an image so it was harder to machine-read.


We had the email addresses published for all officers. Some of the officers complained of getting an excess of bogus email.

I removed all of their addresses and inserted a contact form next to the list of officers. If anyone wants to contact an officer they must use the contact form that is next to the listing of officers. They must give their email address and name and indicate in the body of the message area who they want to contact.

All email is directed to me (I am the webmaster). If I think it is something that our executives would like to consider I forward it to them. If it is bogus I delete it. If I know that it is something that we are not interested in (according to club policy ... for example we do not connect members with people wishing to hire a car) I respond to the sender and so inform them.

It works. Please see our page that lists executives and explains how to contact them.

We also list the email addresses of members but the area of the webpage where these are is password protected. It is for member use only.


On 2/3/2018 at 12:39 PM, Roadmaster71 said:

...according to [our] club policy ... for example we do not connect members with people wishing to hire a car...

Usually situations like that are for weddings. Our AACA region gets occasional requests like that and tries very much to find members who can fulfill them. What better way to introduce people to antique cars! They'll have pictures of themselves proudly posed with your antique, in their album for many decades!

One bride and groom actually designed their outfits around my car. My convertible was from 1961, so the bridesmaids' dresses were early-1960's style with pillbox hats. Even the colors of their outfits (yellow-cream with black accents) matched the color of the car! I had no idea of the lengths to which they were going until I showed up driving the convertible.

Since hobbyists can't usually take money, most of these favors are done free of charge. The brides and grooms are VERY appreciative.


18 hours ago, John_S_in_Penna said:

Usually situations like that are for weddings. Our AACA region gets occasional requests like that and tries very much to find members who can fulfill them. What better way to introduce people to antique cars! They'll have pictures of themselves proudly posed with your antique, in their album for many decades!

John, I agree that using our old cars in such an event can be very fulfilling. I recently did this for my son at his marriage this past summer (see http://www.idlenot.com ).

Unfortunately there are various legal and insurance entanglements that can result from such arrangements, for hire or not, and that is why we do not use the club to facilitate such arrangements. Of course our members are free to do as they please, just as I did for my own son.
