Dropmyemail not a secure way to back up your email? (Dropmyemail responds)
September 27, 2012 by laurenceputra
Note: Scroll down to see Dropmyemail’s response to the article.
A couple of weeks ago, the internet was abuzz with news about how Whatsapp was insecure and users should not be using it.
I did a bit of checking and found that a couple of local startups may have potential security problems as well. In the field of computer security, one of the biggest no-nos is to store a user’s password in a way that could be regenerated easily, either by the system administrator, or by rogue hackers on the internet.
And as it turns out, a local startup, Dropmyemail, is a gold mine for such attacks. Users are required to give Dropmyemail their username and passwords to store. Dropmyemail will use them to log in to their email accounts and grab all their emails over to its servers.
With over half a million users, Dropmyemail’s database is sure to be a treasure trove for hackers and the like. In any case, even if Dropmyemail does encrypt the passwords, they still have the key to decrypt the passwords somewhere on their server. And their developers will be able to see your passwords.
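The distinction drawn above, as an added example (not part of the original article and not Dropmyemail's code): a one-way hash can only confirm a password, whereas a service that must log in to your mailbox has to keep a form it can decrypt, and whoever holds that key can read every password back. The record layout, function names and sample passwords are constructed, and an HMAC-SHA256 keystream stands in for AES so the block runs on the standard library alone.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value for this example)

def hash_password(password: str) -> dict:
    """One-way record: enough to check a login, useless for logging in elsewhere."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}

def verify_password(record: dict, attempt: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["digest"])

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode, a standard-library stand-in for AES.
    # Illustration only: a real service would use a vetted AEAD.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def encrypt_password(key: bytes, password: str) -> dict:
    """Reversible record: what a service keeps so it can replay the password to a mail server."""
    nonce, data = os.urandom(16), password.encode()
    stream = _keystream(key, nonce, len(data))
    return {"nonce": nonce, "ct": bytes(a ^ b for a, b in zip(data, stream))}

def decrypt_password(key: bytes, record: dict) -> str:
    stream = _keystream(key, record["nonce"], len(record["ct"]))
    return bytes(a ^ b for a, b in zip(record["ct"], stream)).decode()

def recoverable_from_dump(dump: list, key=None) -> list:
    """Passwords readable by someone holding the database and, optionally, the key."""
    if key is None:
        return []  # without the key the ciphertext is not directly readable
    return [decrypt_password(key, rec) for rec in dump]

# Constructed sample data: two users of a hypothetical backup service.
SERVER_KEY = os.urandom(32)  # in the scenario above, kept on the same servers as the database
MAILBOX_PASSWORDS = ["correct horse battery", "hunter2-but-longer"]
ENCRYPTED_DUMP = [encrypt_password(SERVER_KEY, p) for p in MAILBOX_PASSWORDS]
HASHED_DUMP = [hash_password(p) for p in MAILBOX_PASSWORDS]
```

The hashed records contain only a salt and a digest, so there is nothing to hand to a mail server; the encrypted records give back every password to anyone who holds `SERVER_KEY`.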
To add on, despite holding on to your sensitive data, in their terms of service, there’s this line:
Dropmyemail cannot be held responsible for any breach of security and the possible compromise of your data as no means of virtual data storage is 100% safe. By use of the Service you expressly accept that Dropmyemail (its employees, affiliates agents, sub contractors) has no liability in the event of a security breach or compromise or loss of your data
Just to recap, storing passwords of users is something that is a complete no-no in the tech world. And despite doing so, they are saying that they are not liable if your passwords ever do get hacked out of their system. So, what can you do if you still want to back up your email securely?
For one, most email providers have an autoforwarding function for every email that comes in. What you can do is to autoforward it to another email address by another provider, for example, Gmail.com, Outlook.com, Hotmail.com. If you really want to let the other provider grab email for you on a regular basis, Gmail and Outlook do this for free too.
And in all honesty, I’d rather trust Microsoft and Google with my password than some startup that tells me that it’s not liable if my password is ever released to the public.
Dropmyemail publicist Peter Yu responds:
1) On how storing user passwords is discouraged and that it is disingenuous for Dropmyemail’s terms of service to say that the company cannot be held responsible for breach of security despite going against recommended practice.
In truth, there is nothing different from what Dropmyemail does and when Amazon stores credit card information along with the CSC. Amazon’s patented one click shopping is the pinnacle of storing personal information and it is what most people in the tech world aspire to achieve – convenience and ease for the consumer.
13.1 We shall not be liable to you for any breach, hindrance or delay in the performance of a Contract attributable to any cause beyond our reasonable control, including without limitation any natural disaster and unavoidable incident, actions of third parties (including without limitation hackers, suppliers, governments, quasi-governmental, supra-national or local authorities), insurrection, riot, civil commotion, war, hostilities, warlike operations, national emergencies, terrorism, piracy, arrests, restraints or detainments of any competent authority, strikes or combinations or lock-out of workmen, epidemic, fire, explosion, storm, flood, drought, weather conditions, earthquake, natural disaster, accident, mechanical breakdown, third party software, failure or problems with public utility supplies (including electrical, telecoms or Internet failure), shortage of or inability to obtain supplies, materials, equipment or transportation (“Event of Force Majeure”), regardless of whether the circumstances in question could have been foreseen.
2) On the fact that even if Dropmyemail encrypts the passwords, it still has the key to decrypt them somewhere on the server. Its developers will be able to see the passwords.
Dropmyemail partners with Amazon Web Services to back emails on their servers. Amazon S3 Server Side Encryption employs strong multi-factor encryption. Amazon S3 encrypts each object with a unique key. As an additional safeguard, it encrypts the key itself with a master key that it regularly rotates. Amazon S3 Server Side Encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt all data.
When given the opportunity to not store email passwords, we take full advantage of it, as in the case of Gmail, for which we use the OAuth authorization process (no password stored). However, this is not always the case, and at times when we have to store the password, we store it securely and in a proprietary manner.
3) Users interested in backing up email can simply autoforward all email they receive to another email provider. “I’d rather trust Microsoft and Google with my password than some startup that tells me that it’s not liable if my password is ever released to the public.”
The main purpose of Dropmyemail’s email backup service is not just keeping a copy somewhere else in the cloud.
First, autoforwarding emails to another email provider does not prevent hacking (According to CommTouch’s State of Hacked Accounts, 1 in 5 emails and 540 million accounts yearly are hacked while 62% of those are unaware).
Second, autoforwarding emails also does not prevent email outages where many email inboxes were not only unavailable, some were even emptied (In April ’12, an estimated 33.2 million Gmail users suffered email outage).
Third, Dropmyemail even protects emails from accidental deletes and backs up the drafts/sent folders as well.
Fourth, if our users suffer any setback to their emails, with one click we can restore their email inboxes.
Fifth, Dropmyemail also allows users to migrate their emails between their accounts with one click.
These are just basic functions (besides our File & Attachment manager/Automated Virus Scan) that we provide that greatly improve users’ email experience than autoforwarding emails. Dropmyemail may be a startup, just like all those working hard in BLK71, but we maintain ethical practices no different from the big companies.
Just because startups are smaller companies, does not mean we do not strive towards and succeed in keeping our users’ personal information safe.
In extreme situations, even trustworthy and established multi-national corporations like Microsoft/Google are susceptible to mistakes. Sometimes major leaks in confidential information are due to their own fault/s and other times they fall prey to malicious attacks. The usual remedy after their faux pas is often an apology and a renewed promise to do better but there is no fool-proof way to keep all information safe, all the time. Here are high profile examples of these companies losing personal information:
Update: Laurence has published a response to Dropmyemail’s response on his blog.
About The Author
Laurence is a hacker who simply wants to make the world a better place. He is currently studying in NUS School of Computing, and is particularly passionate in the fields of Distributed Systems and Computer Security. In his free time, he hacks out tools to solve his personal pain points, including Instasyncer. More about him over at Geeksphere.net.