Security review: top 5 best & popular email services for 2019

Falcongaze Analytical Center has already done some research on cybersecurity predictions for 2019 and is now ready to present a ranking of email services. It covers not just their technical details but their whole life cycle, including scandals and protective qualities.

Place 5 for Yahoo Mail

Yahoo launched its email service in 1997. At the beginning of 2000, Yahoo Mail had tens of millions of users, and by December 2011, 281 million people used the service, which placed it third in the world. In general, however, the business did not go smoothly. Yahoo stagnated for a long time, which led to sale negotiations with Verizon.

In 2016 Verizon got a reason to bargain and bring down the price: two huge data breaches happened at Yahoo Mail. The volume of leaked information amounted to 1.5 billion accounts. It would seem that the figure is not the most impressive in history. However, in October 2017 Yahoo updated its previous statement, naming 3.5 billion accounts as stolen.

Who stole all this data and how the intrusion happened remains secret. We just know that the incidents are not connected in any way. In the first case, when 500 million accounts were compromised, the company blamed hackers who “acted with support of a government”. In the second, with 3 billion leaked accounts, it blamed an “unknown third party”. To somewhat mitigate the consequences, Yahoo created a web page containing a guide for those affected. The joint work of PR and technical support helped to stop a significant outflow of customers.

Hackers stole users’ personal information, hashed passwords, and secret questions and answers. For several years, offenders could log into compromised accounts. In addition, the insecure Yahoo! Mail was blocked in the US Congress because the service filtered out fewer phishing messages than the filters of other email services.

The leaks brought down the price of the company. The initial price for the deal with Verizon was $4.8 billion. However, after the information about the leak spread, Yahoo depreciated to $350 million, although at the turn of the millennium the company had been valued at $100 billion.

In 2015, when the email service was most vulnerable, Yahoo Mail got two-step authentication. This protection requires an additional code to log into the account, which is generated in an application or sent to the user via SMS. Yahoo wanted to remain a successful company, and this pushed it to take part in a bug bounty program, where it paid a $14,000 reward for the discovery of a vulnerability in ImageMagick. That vulnerability made it possible to steal image files from email.

Yahoo Mail has some nice features. No other email service offers such immense storage for incoming messages: 1Tb. In December 2017 the service pleased users with an update that reduced the amount of ads. However, in April 2018 the company changed its security policy and now has the right to read and scan emails, personal messages, videos and photos and to use this data for marketing. We place Yahoo Mail in 5th position.

Place 4 for Aol.com

The Aol.com email service is one of the oldest. It appeared on March 21, 1993 and has experienced both ups and downs since then. Now Aol, like Yahoo, belongs to Verizon and is run by Oath. Aol, along with all its various services including email, was acquired in 2015 for 4.4 billion. Note that in 1999 it was valued at 222 billion.

Verizon had its own email service. However, after the AOL purchase it automatically became the owner of AOL Mail. So in March 2017 the company dropped its own email business, because it naturally did not need two services. Given that AOL Mail had the larger customer base, the choice was made in its favor.

It would seem that the golden age has passed. But the company does not give up, and its management board includes Tim Armstrong, an executive who left Google for Aol. Eventually AOL Mail developed new functionality, which makes the service competitive in a dynamic market.

To mention just some of the features: the service has unlimited inbox storage with a maximum attachment size of 25 MB; it is free but places ads on users’ pages; AOL has protection against viruses and spam; and it offers different domain names such as @aol.com, @love.com, @ygm.com (you've got mail), etc.

In April 2014, AOL Mail experienced a serious security incident. Hackers stole the personal data of about 500 thousand users, 2% of all the service's customers. AOL Mail soon coped with the leak and told users to change their passwords. In October 2018, due to some technical problems, the email service stopped working throughout the United States for a day.

More unpleasant, however, is the fact that Oath has changed the security policy for AOL and Yahoo, so users have become targets for ads. There are also rumors that one of the two webmail services, AOL or Yahoo, will be shut down, following the fate of Verizon's previous email service. However, both services have a significant customer base, so neither is likely to be dropped that easily. We put AOL Mail in 4th place.

Place 3 for Outlook.com

The Hotmail email service appeared in 1996. Microsoft simply purchased a successful and promising project in 1997 and made it a popular free email service. Being one of the first, Hotmail became the world's largest service by mid-2012.

A funny security incident happened in 1999, when hackers revealed a vulnerability in Hotmail: anyone could log into an account using the password “eh”. At the time it was called "the most widespread security incident in the history of the Internet".

In July 2012, another email service replaced Hotmail under the name Outlook.com. This was an attempt to distance it completely from the old brand, which for many users symbolized a sluggish and buggy email system. The company set a goal of competing on an equal footing with the new leader, Gmail. The changes led to 400 million active users at the beginning of 2018.

Let’s look at some interesting features. After registration, users get access not only to the email services (new and old) but also to OneDrive (SkyDrive) file storage and Xbox LIVE. One registration, so to speak, for all occasions. The service provides 5 GB of storage, which increases over time, and uses two-step authentication. For instant messages you can use Skype, whose icon is located in the upper right corner of the page.

In November 2018 Privacy Company stated that Microsoft covertly collects personal data about users of its services, including Outlook. The encrypted stream is sent directly to servers located in the United States. The news surfaced during pilot testing of Microsoft cloud services by the government of the Netherlands. This will probably lead to a revision of the decision to rely on the cloud. Microsoft promised to fix the software and solve the privacy issue. We'll see.

On August 8, 2017 Microsoft launched a new beta switch that let users test upcoming features: faster inbox updates, improved design, and search with emojis. Microsoft also implemented the Photos Hub, which became the fifth Outlook component.

Outlook users note the service's benefits: intuitive design; convenient built-in tools (a calendar at hand); a configurable reading pane for previewing messages; and integration with other Microsoft services. However, Outlook Mail has fewer features and no lab similar to Gmail Labs. On top of that, its data collection policy is improper. So we place Outlook Mail in 3rd position.

Place 2 for Protonmail

In 2013 several employees of the European Organization for Nuclear Research created the encrypted webmail service ProtonMail. They located the servers and headquarters in Switzerland to avoid American and European regulations.

ProtonMail was created in the wake of increased control over internet messaging by the US National Security Agency, so the service arose to protect privacy.

In September 2018, the news came that the email service had got its 5 millionth user. That is not as many as the famous giants have, but it is remarkable considering the service's security features and the powerful global trend toward data protection and privacy. However, ProtonMail's growth in popularity ran into a surprising obstacle: Google was hiding ProtonMail from search results for a long time.

ProtonMail stands out from many other email services in its ability to encrypt messages before they go to the server. Email between ProtonMail users is always automatically encrypted. Messages to users of other email services are encrypted optionally. For that encryption, ProtonMail uses an algorithm with a password that both the sender and the recipient must know.

The email service uses two passwords to log in. The first identifies the user (Password) and the second decrypts the data stored on the server (Mailbox Password). The whole procedure takes place directly in the browser, and ProtonMail servers keep only encrypted data. Only the user knows the Mailbox Password, so ProtonMail cannot restore or change it. Therefore, even a court cannot force the service to decrypt messages.
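A simplified model of the two-password design described above, added here as an example; it is not ProtonMail's code. It assumes Node.js `crypto`, scrypt for key derivation and AES-256-GCM for encryption, and the function names and sample values are hypothetical.

```javascript
const nodeCrypto = require('node:crypto');

// Key-derivation helper (scrypt is this example's assumption).
const kdf = (password, salt) => nodeCrypto.scryptSync(password, salt, 32);

// Runs on the client: only the returned record is uploaded to the server.
function register(loginPassword, mailboxPassword, mailboxPlaintext) {
  const loginSalt = nodeCrypto.randomBytes(16);
  const boxSalt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', kdf(mailboxPassword, boxSalt), iv);
  const ct = Buffer.concat([cipher.update(mailboxPlaintext, 'utf8'), cipher.final()]);
  return {
    loginSalt,
    loginVerifier: kdf(loginPassword, loginSalt), // identifies the user, decrypts nothing
    sealed: { boxSalt, iv, ct, tag: cipher.getAuthTag() }, // opaque to the server
  };
}

// Runs on the server: the first password only answers "is this the account owner?".
function serverLogin(record, loginPassword) {
  return nodeCrypto.timingSafeEqual(kdf(loginPassword, record.loginSalt), record.loginVerifier);
}

// Runs on the client after login: the Mailbox Password is never sent anywhere.
function openMailbox(record, mailboxPassword) {
  const { boxSalt, iv, ct, tag } = record.sealed;
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', kdf(mailboxPassword, boxSalt), iv);
  decipher.setAuthTag(tag);
  try {
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
  } catch {
    return null; // wrong Mailbox Password: GCM authentication fails
  }
}

// Constructed sample values.
const account = register('login-pw-example', 'mailbox-pw-example', 'Meet at 10:00');
console.log(serverLogin(account, 'login-pw-example'));   // login succeeds
console.log(openMailbox(account, 'mailbox-pw-example')); // mailbox opens
console.log(openMailbox(account, 'login-pw-example'));   // login password cannot decrypt
```

Because the stored record holds no key material for the mailbox, the server side has nothing with which to reset or recover a forgotten Mailbox Password.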

ProtonMail's creators admit to being inspired by Gmail's functionality, Lavabit's security level (a similar encrypted email service with a dramatic fate) and some additional capabilities of Snapchat. Currently only 10 people are involved in developing the project. To improve the service's functionality, the company does not hesitate to use crowdfunding and gets great results.

Since its inception, ProtonMail has suffered several DDoS attacks and even had to pay a ransom. There were some vulnerabilities too. Mike Cardwell discovered a flaw that allowed arbitrary JavaScript code to be run on PCs, giving access to the email accounts of unsuspecting users. This information was published once the flaw had been fixed.

We put ProtonMail in 2nd place. It is secure, and it grants protection from both hacker activity and government regulations that restrict internet freedom. The email service has paid plans with extended functionality, for example a mailbox size of up to 20 Gb and personal domain names. Moreover, the service's reputation is accompanied by blocking at the government level, as happened in March 2018 when Turkish authorities closed access to protonmail.com.

Our best for Gmail

In October 2018, Gmail stated that it had passed 1.5 billion active users. Scammers and hackers attack Google more than other resources. From 50% to 70% of delivered messages are spam. So Gmail is forced to keep up and develop new technologies.

Gmail users’ passwords appear in various databases from time to time. There were 5 million passwords compromised in September 2014. For protection, Gmail offers two-factor authentication, for which you can use a USB token.

There were some issues with phishing filtering. In 2016 a SecureState expert discovered that Gmail’s malware detection filters do not always work. To get a malicious macro in an Office document past the filter, it was enough just to divide the keywords into parts. In May 2017 Gmail warned users about phishing emails disguised as Google Docs. The mailing did not lead to a fake page but acted atypically, inside the service itself.

Such news spoils the reputation. Gmail is able to detect 999 out of 1000 malicious emails, but one still gets through. That is why, at the end of May 2017, Google launched a new phishing detection system. This is a machine-learning model that selectively delays 0.05% of messages for thorough analysis. The new model also uses reputation and similarity analysis on URLs.

The May update included a tool for data loss prevention. If a user writes a reply to an address outside the company domain, the system displays a warning. The warning does not appear for recipients from the user’s contact list or regular contacts.

Not only phishers but also government secret services are trying to get information about Gmail users. In March 2016 the company reported that almost 1 million email users were potential targets for cyber attacks by government hackers. Therefore, Gmail decided to send special security instructions to such users. For example, there were attempts to hack Pavel Durov's account, so he received a warning notification, which he posted on Twitter.

It is no secret that email services monitor users as well. They scan emails for viruses and spam. Google also scanned mail to personalize ads. This practice caused outrage, and so, in June 2017, Gmail stopped it.

Gmail is at the top of our rating for timely security updates, new filters, warnings when sending outside the company domain, and notifications for potential targets. Add to this the interface updated in April 2018, which continues to develop the concept of Material Design.

 
