Wednesday, June 28, 2017

Getting the best protection from Two-Step Verification


With a new hack in the news every day and so many online accounts to manage, have you ever wondered just how safe you are when using Two-Step Verification? At Pobox, the security of your email is a top concern to us because your email account is the key that unlocks nearly all of your online accounts. Security recommendations change all the time, but we can help you stay up-to-date and make sure your email account is as secure as possible.

The National Institute of Standards and Technology (NIST) recently released a new draft of the Digital Authentication Guidelines to change their two-step verification recommendations. SMS-based two-step verification is no longer recommended. What is SMS? You may better know SMS as text messaging. NIST no longer considers SMS a secure method for Two-Step Verification. SMS-based Two-Step Verification is a popular choice for many online services because a large majority of online users have readily accessible smartphones or devices with SMS capabilities. Unfortunately, because of its widespread adoption, attackers have been adapting their methods to steal users' information.

Determined attackers have used social engineering (i.e. lying) to get mobile phone providers to transfer their target's telephone number to a new device. If this happens, the attacker can then access your messages to receive the one-time password and log in to your account. By the time you realize what is going on, the attacker will have already received the password needed to access your online account.

There are also insecurities in Signaling System Seven (SS7), the protocol used to route your calls and messages. Hackers can exploit these insecurities to hijack incoming phone calls and intercept your text messages. This is another way that an attacker can gain access to your online accounts that use SMS-based Two-Step Verification.

Pobox does offer SMS-based Two-Step Verification for lockout codes. Why? In the event an SMS lockout code is used, Pobox will send you a message informing you that one of these codes has been used to access your account. An attacker cannot silently use SMS to bypass your security — you will always be informed. We also provide and recommend printable lockout codes, but based on the number of users who were locked out when that was our only option, we added SMS in this one limited case. Users can choose to delete their SMS lockout device, but make sure your printable codes are someplace secure!

So, what is the alternative? Pobox supports two primary methods — TOTP and hardware Yubikey tokens. The authenticator app produces time-based, one-time passwords (TOTP) that are only available for 30 seconds, which you can use to log in to your Pobox account. You use an authentication app like Google Authenticator to show the code on your phone, but it can't be transferred to another device. Yubikeys are little USB gadgets that produce codes. When you register your Yubikey with us, we know to accept future codes from that device.

Your online security should be a top concern, and this information can help you take the right steps in making sure your online information is safe and secure. If you’re reading this and are considering enabling Two-Step Verification on your Pobox account, please visit these setup instructions.

If you would like more information about why SMS-based Two-Step Verification is no longer recommended, feel free to view these great articles from Fortune, and or send us a message at

Monday, July 25, 2016

Security Matters! Update Yours.

Are you keeping your email secure?  At Pobox, we know your account is more than just a place to receive messages — it’s your identity in the online world. It's your username. It's how you identify that you are you electronically.

You don't share that online identity, and you definitely don't want to share it with a malicious user. A criminal taking over your accounts can break into your other online services like your bank, pretend to be you, and trick friends and relatives into handing over passwords or even money.

The recommendations on how to protect yourself online can be overwhelming, but don't despair! As part of FastMail's #securitymatters rollout, we're here with our top two suggestions.

1. Install a dead bolt

Passwords are like locks, and some doors are more important than others. Your email is the front door and master key to most of your online identities. If a malicious user controls your email, they can reset your passwords everywhere else (like your bank account).

The best protection? Just like in your home, it’s two sets of locks — two-step verification. (As time has passed, more services now refer to 2-factor authentication (2FA) as "two-step verification". They're exactly the same, but you'll see the new language throughout the site.)

It combines something you know (your password) and something you have (your phone or a security key.) 

Everyone on staff has heard or dealt with a horror story of a stolen email account, so when we added two-step verification in 2014, we all turned it on immediately. A growing number of users add this extra protection step every month. Join them in protecting your account now!

Recently, two-step verification was in the news because hackers had convinced a target's mobile phone provider to transfer the target's phone number to them. As a result, NIST now recommends security codes not be provided over the network. At Pobox, SMS is only a backup lockout method. We email you every time a lockout code is used, whether it's sent via SMS or it's a printed code.

2. Protect your keys

The most common way for an attacker to get your password is password reuse. One hacked service can lead to a multitude with reused passwords. You can protect against these attacks with one simple tool: a password manager. A password manager makes it easy to use a distinct password for every service. Good password managers will even generate random passwords for you, making it impossible for someone to guess. Double your protection by using AllMail at a personal domain to use a distinct email address for every site, too.

Many browsers have a basic password manager built in. We prefer stand-alone tools like 1Password or LastPass — their syncing tools let you access your passwords on both your computer and your phone.

Since password reuse is one of the easiest ways to hack an account, app passwords are now generated for you. (Existing app passwords will still work, though you may want to update them if you know you used one of your "favorite" passwords.)

Get your ounce of prevention.

Online security is like getting vaccinated. Be proactive before you ever have a problem. If you haven't checked your security settings recently, head over to the Profile and Security section. We'll highlight what you should turn on to get standard or restricted security.

As part of this rollout, we're also simplifying authentication between Pobox and FastMail for Mailstore users. Starting today, a single login will log you in to both your settings at Pobox and your webmail at FastMail. We hope this will make your account smoother and faster for you!

Thursday, March 24, 2016

Upgraded webmail is here!

As you may know, Pobox was acquired by FastMail last November. Since then, we've been working hard to add their best-in-class services to Mailstore. FastMail webmail is a massive leap forward in terms of speed, device accessibility, and features. Today, we're pleased to announce access to FastMail webmail, calendars and contacts for all Mailstore accounts!

You can log in using your normal Pobox credentials at If you use two-factor authentication, please click "More" to enter your 2FA credentials at the same time.

What's different about FastMail

FastMail supports both Archive and Delete. 

Archive moves mail in the current folder into the Archive folder. Archived messages are kept for search or viewing in conversations. 

Delete moves mail to the trash, and should be for mail destined for permanent removal. Deleted messages will not appear in searches or conversations.

All your Pobox addresses have been set up as sending identities. You can edit or remove unwanted ones from the "Send Mail As" in your Mail Accounts settings.

What's new with FastMail

FastMail was designed from the ground up for speed, so you should notice improved performance across the board
FastMail has a full suite of access options -- webmail that's optimized for a range of device sizes, plus native apps for both iOS and Android

It has speedy full text cross-folder search, and keyboard shortcuts for power users. 

The calendars and contacts include invitations, improved support for use on other devices, and drag-and-drop editing.

App support (both FastMail's webmail apps, and within your own calendar and contact apps) is available today for users with standard passwords. App support for 2FA users is coming soon.

Delete for conversations can act on all folders. To match Pobox's behavior, it is currently set to act on the current folder only. Please be aware, if you switch to the "all folders" option, Sent and Mailstore Archive folders are included in "all".

When should you make the switch?

You can switch to using FastMail's webmail today -- there is no reason to continue using Roundcube (the webmail currently at

Please note: Both FastMail and Pobox Webmail access the same mail storage, so changes (deleting messages, replying, marking a message read) appear in both interfaces. For calendars and contacts, however, they are copies. Updates made to your calendars and contacts on FastMail will not be updated on Pobox, or vice versa. If you are a calendar/contact user, we recommend switching to FastMail at once, to reduce the likelihood of edits made on both platforms. However, if you notice any missing calendar or contact data in FastMail when you first log in, don't make any changes there -- tell us, so we can copy your information over to FM again first.

Roundcube will continue to be available for the next 30 days; after that, we will point to FastMail. If you spot any issues or problems with the migration to FastMail, please let us know right away!

Tuesday, November 3, 2015

Exciting News about Pobox and FastMail

Dear Customers,
It is with great excitement that I am writing to tell you about a new era at Pobox. After 20 years, I am incredibly pleased to announce that Pobox is joining the FastMail family to bring you the very best in independent email service.

As the email gurus among you know, when people discuss great places to get email, the company virtually always mentioned in the same breath with Pobox is FastMail. Quite a few of you are already both our customers! They are experts in IMAP, have an incredible webmail interface, and a full complement of smartphone apps, supporting push notifications, robust calendars and contacts, and other features you’ve told us are important to you. 

We’ll be adding our expertise in email forwarding and personal domains. Together, we'll be pooling our knowledge on deliverability, security and the robust and speedy email delivery we’re both known for. 

What changes are coming?

While it all sounds great from a big-picture perspective, I know you are all most interested in how your services may change. 

For Pobox Basic and Plus customers, you shouldn’t see any changes — our plans for the foreseeable future are to continue running all Pobox services as they stand today.

For Mailstore customers, there will be changes, and I hope you’ll agree that they are a significant upgrade in features! Over the next few months, we’ll be migrating your mailboxes to the FastMail platform — adding their great webmail interface, access to their smartphone apps, improved calendars and more. 

Current accounts will continue to have access to today's prices through 2017 (or your current expiration date, whichever is later.)

Why now?

Any acquisition always prompts questions. I will start by saying Pobox is doing great. Interest in independent email is high and growing each year, as the many of you who have joined in the last several years know. 

That said, we are a small company, and our tagline from the start has been “lifetime email”. To me, securing a future where accounts could truly last a lifetime meant joining forces with a larger entity — especially one who had our same values at their heart. Two years ago, FastMail bought themselves back from Opera, after Opera had a change of direction. That signaled to me the commitment of their management team and staff to the kind of email you expect. A chance encounter by our technical leads at a conference indicated a shared philosophy (and programming language!) After several months of regular communication with their team, I feel very confident that this move will mean Pobox will be here to provide your email service for many, many years to come.

The staff will be staying on, and we are happy to answer any questions or concerns you may have that I haven’t already addressed. While I know there is always concern going into any change of control, I hope all of you will end up agreeing that FastMail is a great steward for the service you already love!

Still in love with email since 1995,
Helen Horstmann-Allen
IC Group

Tuesday, August 18, 2015

All About Security: Level up your protection with AllMail!

I love to talk about the importance of strong, unique passwords, and how password managers (our favorite is 1Password) are your best friend. Why are unique passwords important? The way lots of accounts get hacked is:

1) Company A gets breached. Oh no! Hackers got username/password pairs.
2) Profit! They sell those username/password pairs to tons of Bad Guys.
3) Bad Guys try those username/password pairs at tons of companies.

If you reused the same username and password at Company B (or C, or ....), they now have access to your account. A password is only as secure as the most vulnerable company you gave it to.

With Pobox AllMail, you can go one step further than unique passwords. If a unique password is good, a unique username and password is even better. AllMail is a feature for Pobox accounts using personal domains. It lets you send mail for all the addresses at the domain to the same place. You get to check mail all in one place, but every website you use has their own unique address for you. You could use for one place, for another.

You don't have to tell us each address once you've set up AllMail. You can just 'make up' new addresses as you need them, and they'll work. You can be shopping at a store and when asked for an email address during checkout, give them one you make up on the spot. Warning: cashiers will often ask if you're an employee, or say, "Wow, you must really like our store!"

AllMail doesn't have to be every address at your domain. If you want to forward mail to your mom at, her mail wouldn't be included in AllMail. If one of the companies you gave an address to turned out to be spammers, you can also tell us to ban mail from that address in the future. (You can also remove that ban if you need that mail after all.)
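One way to use per-site addresses to spot which address has ended up with a third party, as an added example that is not Pobox's code. The domain `example.com`, the `ISSUED` record, the sample messages and the function names are all constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

MY_DOMAIN = "example.com"  # constructed personal domain with a catch-all

# Constructed record: local part given to each site -> domain that site mails from.
ISSUED = {"shoestore": "shoestore.example", "bank": "bank.example"}


def _addr(header_value):
    """Return (local_part, domain) of the first address in a header value."""
    local, _, domain = parseaddr(header_value or "")[1].lower().rpartition("@")
    return local, domain


def classify(raw_message: str):
    """Label one message: ok, unexpected-sender, unknown-address, or ignore."""
    msg = message_from_string(raw_message)
    local, domain = _addr(msg.get("To"))
    if domain != MY_DOMAIN:
        return ("ignore", local)
    expected = ISSUED.get(local)
    if expected is None:
        return ("unknown-address", local)  # made up on the spot, never recorded
    # From is unauthenticated, so "ok" means only "not obviously third-party".
    _, sender = _addr(msg.get("From"))
    if sender == expected or sender.endswith("." + expected):
        return ("ok", local)
    return ("unexpected-sender", local)  # someone other than the site has it


def ban_candidates(raw_messages):
    """Per-site addresses that received mail from an unexpected sender."""
    return sorted({who for verdict, who in map(classify, raw_messages)
                   if verdict == "unexpected-sender"})


# Constructed sample messages; only the headers matter here.
SAMPLES = [
    "From: Shoe Store <news@mail.shoestore.example>\nTo: shoestore@example.com\n"
    "Subject: Your receipt\n\nThanks for shopping.\n",
    "From: deals@bulk-offers.example\nTo: shoestore@example.com\n"
    "Subject: You won\n\nClick here.\n",
    "From: alerts@bank.example\nTo: bank@example.com\nSubject: Statement\n\nReady.\n",
]
```

An address that shows up in `ban_candidates(SAMPLES)` is one to ban and replace at that site, along with that site's password.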

Adding a domain is easy -- register a domain with us, or bring one you've registered elsewhere. Once your domain is created, adding AllMail is as easy as telling us where we should forward the mail! Right now, AllMail is only available for personal domains, but if you would be interested in using it at one of our subdomains (like, drop us a line.

AllMail is included free for up to 2 domains with a Mailstore account, and $10/year for a domain with a Pobox Plus or Basic account.