EmailDiscussions.com  

Old 18 Jul 2016, 09:52 PM   #1
exactus
Senior Member
 
Join Date: Dec 2003
Location: Melbourne, Australia
Posts: 120
Home-made security

Is this a good security idea or is there a flaw in my logic:
.
I want to be able to access my email on my smart phone,
but don't want to risk 11 years of email spread over multiple folders
falling into the wrong hands if I lose my phone or leave it on the train...

So, I purchased a $20 a year FM subscription with a gig of storage.
(even a $10 lite account will do the trick).

I then created some rules on my main FM account choosing which emails are
forwarded to myname-mobile@fastmail.com (i.e. my FM mobile app).

Result: I get to read email from my main account with the assurance that my
main Fastmail account can't be compromised.

It's not rocket science, but it works really well...
.

Last edited by exactus : 21 Jul 2016 at 05:31 AM.

Old 18 Jul 2016, 11:04 PM   #2
janusz
The "e" in e-mail
 
Join Date: Feb 2006
Location: EU
Posts: 4,944
Quote:
Originally Posted by exactus View Post
with the assurance that my main Fastmail account can't be compromised.
It still can, e.g. by a weak or stolen password.
Old 19 Jul 2016, 01:38 AM   #3
BritTim
The "e" in e-mail
 
Join Date: May 2003
Location: mostly in Thailand
Posts: 3,095
Your idea is a reasonable low-tech solution, but it should be unnecessary if your phone has good security.
Old 19 Jul 2016, 12:49 PM   #4
kijinbear
Cornerstone of the Community
 
Join Date: Mar 2011
Location: ~$
Posts: 652
I've been doing exactly that for a couple of years.

The main account has 10 years of email history. I never log into it from untrusted computers. My smartphone counts as untrusted because of the ridiculous amount of permissions that every app seems to want these days, not to mention the risk of theft. (It's also an older model without a dedicated chip for encryption.)

Some email gets forwarded to the "proxy" account. I read it on my phone, reply if I need to, and delete both the original and the reply immediately. The main account is automatically copied on any email I send from the phone, so I get to keep all my records regardless of what happens to the phone.

If someone steals and unlocks my phone, they'll see at most a couple of recent emails, nothing more.

The phone doesn't even have the account password, only an alternative login that can be invalidated at a moment's notice.
Old 21 Jul 2016, 07:43 PM   #5
JamesHenderson
Cornerstone of the Community
 
Join Date: Jan 2003
Location: Oxfordshire, UK
Posts: 603
I use an alternative login for all my clients and webmail (so I basically never use my master password unless updating a setting etc).

Because of this, I am happy to have my (only) main email account on my phone as I can revoke access immediately if lost. I think the 2FA (that Fastmail will implement next week) effectively does the same thing (by requiring unique passwords for each client).
Old 22 Jul 2016, 09:17 AM   #6
kijinbear
Cornerstone of the Community
 
Join Date: Mar 2011
Location: ~$
Posts: 652
I use alternative logins in addition to the proxy account. I think the two techniques are complementary, not meant to replace each other's role. Most mail clients cache things aggressively, so even if you invalidated the login, a lot of old data could still be exposed to the thief.

As for 2FA, I would trust it more if the second factor were something other than an app on the very same phone. Yubikey would be fine.