Does it make sense to have separate emails for each individual financial account (banking, credit cards) or is that overkill? I’m just thinking that if a hacker got access to one email they’d have all account information?

  • rezifon@lemmy.world
    link
    fedilink
    arrow-up
    24
    ·
    6 months ago

    I do this for every website, not just financials. As long as you have a quick and easy way to create the email aliases and you’re using a password manager I think it can be an easy and effective boost to security.

    • Otter@lemmy.ca
      link
      fedilink
      English
      arrow-up
      8
      ·
      edit-2
      6 months ago

      I might actually recommend it for anything except financials. Financials are very important to have access to, and sometimes your email address is the only way to access your account.

      I want something very stable as my email address for such cases, because I don’t want to risk my email alias provider shutting down, or my self hosted setup to randomly die. Or even some weird “security measure” where the bank decides that any unknown domain is no longer ok.

      In such cases, I want my email address to be reliable. Email alias providers shut down from time to time, and I don’t trust my skills to set up a reliable self hosted option. If my setup breaks after an upgrade, I might be out of luck till I can change my email with the banks.

      Banks also have their own policies, and sometimes they make questionable decisions in the name of “security”. Companies already block certain alias domains, and there are stories out there of people being locked out of their online accounts after a domain was blocked. Banks are meant to be trustworthy so they may take an even harder stance on it. They may decide to restrict the common alias domains (ex. citing that spammers use them), or even restrict personal accounts to the big email providers (ex. Gmail).

      For example, some bank apps don’t work on phones with a custom OS (grapheneOS). Singapore went even further with:

      Local banks DBS and UOB are rolling out new anti-scam security measures that include restricting customers from accessing the banks’ digital services on their mobile phones if apps from unverified app stores – also known as sideloaded apps – are detected

      Ultimately it’s a lot of risk for a very small reward. If you use a different password for everything (you should), then someone knowing your email still won’t be able to do much. The bank itself would have way more information about you, so it’s not like you’re protecting yourself from the bank with a custom email.

      • rezifon@lemmy.world
        link
        fedilink
        arrow-up
        2
        ·
        6 months ago

        You’ve used some phrasing that I am not really following. What exactly do you mean by “stable” in regards to an email address? And what is an “unknown” domain?

        • Otter@lemmy.ca
          link
          fedilink
          English
          arrow-up
          1
          ·
          6 months ago

          Fair enough, I took some time to explain it better above :)

          (See edit)

    • hydration9806@lemmy.ml
      link
      fedilink
      arrow-up
      4
      ·
      6 months ago

      Although I agree with you, I don’t think that’s what OP was asking about based on this part:

      I’m just thinking that if a hacker got access to one email they’d have all account information?

      It seems they are asking if an separate email account for each service would be beneficial. My opinion is it would limit the attack if an email account was hacked, but definitely not worth the hassle. Email aliasing (like the comment above me says) gives you some of the benefits without needing to juggle multiple accounts.

  • panicnow@lemmy.world
    link
    fedilink
    arrow-up
    8
    ·
    6 months ago

    If you have an easy way to make emails on the fly like Apple’s hide my email feature then it really isn’t an issue to setup accounts with unique email addresses. Some sites don’t allow throw away emails from some providers, but I’ve never had that issue with Apples version since a ban on icloud.com emails would eliminate too many customers.

  • borZ0 the t1r3D b3aR@lemmy.world
    link
    fedilink
    arrow-up
    5
    arrow-down
    1
    ·
    6 months ago

    They’d only have all account info if the passwords were also the same and you didn’t avail yourself of 2fa/mfa. It’s better to have different strong passwords/long passphrases and use mfa. Separate email accounts become their own vectors for account hacking, not to mention that any personal security scheme you have that becomes too complicated with multiple accounts to juggle is it’s own security problem.

    • Schwim Dandy@lemm.ee
      link
      fedilink
      arrow-up
      5
      ·
      6 months ago

      Could you explain how separate emails would increase security risk? I ask because I’ve used separate emails for absolutely everything and it has only ever helped me with security( if I get a Microsoft security notice to anything other than Microsoft@mydoma.in, I know it’s not legitimate).

      I don’t mean in lieu of 2fa, strong pass, etc, I mean in conjunction. I don’t see how it could hurt.

      • borZ0 the t1r3D b3aR@lemmy.world
        link
        fedilink
        arrow-up
        3
        ·
        edit-2
        6 months ago

        Sure. It can be “less” secure from a procedural perspective because it increases the complexity of the user accessing their info. The more difficult/complicated it is for the user, the more likely of user mistakes exposing their accounts in one way or another. Obviously there are password apps that allow for seamless login (some of those can also be problematic), which alleviates the complexity, but then you have multiple email accounts to manage on some level for the various services and websites you use.

        End of day, if it works, it works, but it’s important to pay attention to your user experience while also taking in to account the various tools (strong pass, mfa, etc) when setting yourself up. If you get annoyed that you have too many emails to manage, you might be more likely to not log out, or not use mfa, etc.

        edit wasn’t trying to say it was WAY more insecure to use separate emails, just that it probably wasn’t necessary if you have different pass and use mfa. Sometimes ‘more, better’ isn’t ‘more-better’.

        • umami_wasabi@lemmy.ml
          link
          fedilink
          arrow-up
          2
          ·
          edit-2
          6 months ago

          multiple email account? Not really. It is typically implemented using some email proxy or alias like anonaddy or simplelogin. By the look of it is multiple accounts, but in fact you’re just receiving mail forwarded to you in one account. All you have to do is append any strings as the user with your domain.

          (anonaddy and simplelogin requires adhoc address generation using subdomain by them or a domain owned by you with MX records pointing to their servers)

          disclosure: I’m a current customer of anonaddy. Never used simplelogin though.

          • OnePhoenix@lemmy.worldOP
            link
            fedilink
            arrow-up
            1
            ·
            6 months ago

            Thanks for the info. You’ll have to forgive my ignorance as I’m not super well-versed but, I was of the impression that alias software like anon and simple login were more for avoiding spam and unwanted emails from sign ups. Is it also effective as a security tool?

            • umami_wasabi@lemmy.ml
              link
              fedilink
              arrow-up
              1
              ·
              6 months ago

              Security wise, maybe. You might be more protected against cred stuffing but reusing password on multiple services at the first place is already a big no no.

  • delirious_owl@discuss.online
    link
    fedilink
    arrow-up
    2
    ·
    edit-2
    6 months ago

    I do, but I host my own email to make it easier.

    When you start getting spam on an account, its a nice indicator that the company was hacked. And if you didn’t get a notice from the company about the breach, time to close the account.

  • pe1uca@lemmy.pe1uca.dev
    link
    fedilink
    arrow-up
    1
    ·
    6 months ago

    I’d say it depends on your threat model, it could be a valid option.
    Still, how are you going to manage them? A password manager? You’d still be posing the same question: should I keep my accounts in a single password manager?

    Maybe what you can do is use aliases, that way you don’t expose anywhere the actual account used see your inbox, only accounts to send you emails.
    But I tries this and some service providers don’t handle well custom email domains (specially government and banking which move slowly to adapt new technology)