Is Your Email Address Worth More Than Your Credit Card Number?

By Rich

It used to be that we didn’t care too much if someone stole a pile of email addresses. At worst we’d end up on yet another spam list, and these days most folks have pretty decent spam filters. Sure, it’s annoying, but it was pretty low on the scale of security risks.

But I’m starting to think that email addresses – depending on context – are now worth far more to certain attackers than credit card numbers.

As annoying as credit card fraud is, it’s generally a manageable problem. For us as consumers it’s mostly a nuisance, because we are protected from financial loss. It’s a bigger problem for merchants and banks, but fraud detection systems and law enforcement together manage to keep losses to an acceptable level – otherwise we would see Chip and PIN or other technologies, as opposed to PCI, as the security focus.

In terms of economics, we have seen bad guys shift to lower-level persistent fraud rather than big breaches. They’re stealing a lot, but the big lesson from the Verizon Data Breach Investigations Report is that they are stealing smaller batches, and are much more likely to get caught than in the past.

Your email, on the other hand, may be far more valuable. Not necessarily to random online street criminals (although it’s still valuable to them, too), but to more sophisticated attackers. At least if they get your email address with ‘interesting’ context.

Let’s look at the main method of attacks these days. From APT to botnets, we see one consistent trend – reliance on phishing to get past user defenses and gain a beachhead on the target. Get the user to click a link or open a file, and you own their system. “Spear phishing” (highly targeted phishing) has been identified as the primary attack technique currently being used by the APT – they will shift once it stops working so well.

Now think about last week’s breach of Sega, or back to the Epsilon breach. In these cases emails, first names, and context were obtained. Not just an email, but an email with a real name and a site you registered to receive email from.

We like to hammer users on how stupid they are for clicking any link in a storm, but what are the odds of even the most seasoned security professionals defending themselves from every single one of these attacks with, in effect, detailed dossiers on the targets? When you get a correctly formatted email with your name from a site you registered with, there’s a reasonable chance you will click – and they can easily afford to send more fishing messages than real mail (spam has been up as high as 90% of email on the Internet, and these are much better at looking legitimate and getting past spam filters).

Don’t play coy and claim you’ll check the From: address every time – these all come from services you don’t know personally, and often from a third party domain as part of the service.

Considering everything an attacker can do with those resources, I suspect email addresses + context might be the new bad guy hotness. Hit every TiVo subscriber with a personally addressed phishing message, perhaps modeled from the last email blast TiVo actually sent out? Gold.

No Related Posts

Rich - I’m putting my email address into your blogsite!!!  How are you securing that.  Obviously email w/o context may not be that useful.  So now maybe I’ll stop using my vanity email address and go back to my obtuse one.  Though I suspect with enough searchable stuff in the ether, someone can put these together and map them back to me.  And how would JMPC, Target, etc tokenized email addresses been useful for Epsilon.  Of course Epsilon could have tokenized the addresses, the names or the company affiliations, but then the token server would need to be protected—and why would that have been any better protected than the original text?

By SteveA

@Rich - I agree! – consumers are slowly starting to realize that identity theft is even more severe that payment card fraud these days so my advice to our clients at Protegrity is to treat all PII as if it were payment data including things like email. Then just be sure to know where your data goes and audit regularly. Of course we also recommend the use of modern data protection methods like Tokenization which, as you know, can be the most cost effective method of protecting PII!

By Ulf Mattsson

PII is a poor term to describe information which should have “some” sense of privacy/protection.  NPI, non-public information is better.  So when people refer to PII what do they really mean?  Is this akin to an SSN?  Not sure how we can put SSN and email address into the same classification level - when was the last time you saw someone hand out a business card with their SSN on it (ignoring the guy from lifelock).  Gee 35 years ago I probably should have kept my CB handle to myself!

By SteveA

Spot on Rich.

NIST already defines Email address as PII under 800-122. It seems everyone’s turning a bind eye to the contextual aspect today - conveniently.

“One of the most widely used terms to describe personal information is PII.  Examples of PII range from an individual‘s name or email address to an individual‘s financial and medical records or criminal history.”

In my opinion, what’s often worse is that an email address is also now a primary index to social networking sites (facebook, LinkedIn etc) which immediately presents more gold to mine for a spearphishing attack to present a APT payload - even if the attacker doesn’t have complete access, its all too easy these days to build a personal profile from one data element.

TIme to turn that gold into straw again where its stored - including email addresses ? I think so.

By Mark Bower

If you like to leave comments, and aren’t a spammer, register for the site and email us at and we’ll turn off moderation for your account.