CNN continues to report on the compromise of email addresses and names from Epsilon systems over the weekend and the potential impact it may have on net citizens. There is fear and uncertainty that comes with any compromise, but it is important to understand where this activity sits in the process of successfully obtaining money for the thieves.
Email addresses by themselves have value and can be sold. But that does not directly impact the owner of the email address. In order for the owner to be impacted financially, they must be convinced to give up some piece of their identity that can then be used to take money from them. These pieces of identity include credit card numbers, social security numbers, checking accounts, etc.
So, how does an evil-doer go from your email address to a credit card?
Ultimately, the bad guys must send emails either to your email address (or from your email address to your friends) with some tantalizing message that effectively requests you provide their credit card, social security number, or other (more valuable) piece of information. So, having your email address stolen is bad, but it is only the first step in stealing something of greater value from its owner.
If your address was one of those compromised in the recent hack of Epsilon, then you should have received a notification of the breach by now. It is important to be aware that if Epsilon and its customers are managing this matter correctly, you will receive an email notification of the compromise but will not be requested to provide any additional information (such as logging in or providing credit card information). Be aware of any email that indicates that you need to login or provide any information. Doing so is a common ruse (phishing attack) that allows the bad guys to go from first base to second and get more information from you that can be either further leveraged or directly used to steal money from you or your friends.
As we consider best practices for network security and protection, unified threat management systems (UTMs) can provide a level of computer network security that keeps users safe when emails are compromised. Remember, if you receive an email with a request for data, it very likely that the email contains a website or URL that will redirect you to a website that may look legitimate but will actually be a site that is well-known for propagating phishing attacks. Given that UTMs monitor all traffic to and from your network, they are able to filter SPAM in addition to blocking any attempt by you to access malicious websites thus keeping your from unintentionally giving up more than your email address. To extend the baseball analogy, UTMs keep bad guys from getting to second base.
The compromise of the Epsilon database is bad, and I believe it will not be the last compromise that occurs. Furthermore, end users cannot be expected to know every bad website out there. They also are unlikely to stay abreast of the activities in network security and compromises like those at Epsilon. However, IT administrators (especially those for small businesses) can implement defense-in-depth security controls, such as UTMs, to help keep them safe and keep the identity thieves from making a home run.