
Pixels in emails

I recently had an email from my bank.
In it, they said that they send pixels which allow them to find details about email accounts.

What technology allows them to do this?

And can a hacker use it to compromise email accounts?
If so, how can you protect your account?


Comments

  • Neil_Jones
    Neil_Jones Posts: 9,540 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    Turn off the "load images in email" or similar option.
  • [Deleted User]
    [Deleted User] Posts: 0 Newbie
    Fifth Anniversary 1,000 Posts Name Dropper Photogenic
    edited 9 April 2022 at 8:25AM
    They are called tracking pixels or web beacons and are generally harmless and used to determine who has opened an email, when they opened it and what device they used.

    The sender embeds an 'invisible' 1 pixel image into the email but each email recipient has a different link to the 1 pixel image on the web server providing the images.

    Because the code that links to the 1 pixel image is unique to the recipient, the sender can track when the email was opened by the recipient, unlike all the other images in the email which will either be embedded or use a common shared link that all recipients use.

    Because the image is essentially being opened by a web browser (either the email client or actual web browser) then certain information is provided by that browser about the type of device the email is being viewed on. Typically the browser version and operating system along with screen resolution are shared. The IP address will also be visible and therefore they can use that to determine an approximate location of the recipient.

    Hackers can't use them directly to compromise your email account, but could use the information collectively to determine whether email addresses are valid and what devices and locations are being used and then target them with further phishing emails specific to that user. So for example they could use the tracking pixel data to craft a phishing email related to your local town or your type of mobile phone which may lead you into thinking it is something genuine.
     
    If you practice good internet and email hygiene you have no greater risk from these tracking pixels.

    And always make sure all your email accounts have a complex password AND 2 factor authentication enabled - I cannot stress this one enough - your email account is your gateway to password resets and other personal information. Don't just look into it - do it now.

  • k_man
    k_man Posts: 1,636 Forumite
    1,000 Posts Second Anniversary Name Dropper
    Just to add to the above

    ... always make sure all your email accounts have a unique complex password AND 2 factor authentication enabled
  • goodValue
    goodValue Posts: 477 Forumite
    Tenth Anniversary 100 Posts Combo Breaker
    And always make sure all your email accounts have a complex password AND 2 factor authentication enabled - I cannot stress this one enough - your email account is your gateway to password resets and other personal information. Don't just look into it - do it now.

    Thanks for such a detailed response.
    There is one thing that I don't understand. I thought that, on a web page, you needed to click on a button or a link, to send information back to the originator. Is there a message sent back when the email is opened?

    I use Yahoo mail, and AFAIK,  there is no two factor authorisation. Are there other precautions that could be used with Yahoo mail?
  • Neil_Jones
    Neil_Jones Posts: 9,540 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    goodValue said:
    And always make sure all your email accounts have a complex password AND 2 factor authentication enabled - I cannot stress this one enough - your email account is your gateway to password resets and other personal information. Don't just look into it - do it now.

    Thanks for such a detailed response.
    There is one thing that I don't understand. I thought that, on a web page, you needed to click on a button or a link, to send information back to the originator. Is there a message sent back when the email is opened?

    I use Yahoo mail, and AFAIK,  there is no two factor authorisation. Are there other precautions that could be used with Yahoo mail?

    https://help.yahoo.com/kb/SLN5013.html for Yahoo two factor authentication.  You add it to your Yahoo account, not your mail account.
  • goodValue said:
    And always make sure all your email accounts have a complex password AND 2 factor authentication enabled - I cannot stress this one enough - your email account is your gateway to password resets and other personal information. Don't just look into it - do it now.

    Thanks for such a detailed response.
    There is one thing that I don't understand. I thought that, on a web page, you needed to click on a button or a link, to send information back to the originator. Is there a message sent back when the email is opened?


    There is no message sent back, your email reader just makes a request to read the tracking pixel from the server so it can "display" it in the email - even though you won't actually be able to see it.

    So if I wanted to track an email sent to two people, I would put a tracking pixel in email 1 to person 1 at the following link:

    www.myserver.com/trackingpixel001.jpg

    And in email 2 to person 2 I put the tracking pixel at:

    www.myserver.com/trackingpixel002.jpg

    All I need to do is check if a request is made to view the tracking pixels. When that request is made, I know which person has read the email.

    This is done on a much bigger scale and there will be millions of possible addresses for these tracking pixels, each one tied to just one email sent to one person.

    As for revealing more information, just viewing a web page (or indeed a tracking pixel) sends information to the originator of the web page about you and your device. It works something like this for both a web page and a tracking pixel:

    1. You type moneysavingexpert.com in to your browser address bar (your browser may send this to the browser provider to check the safety of the site). 

    2. Your browser asks your computer for your default DNS provider and then asks your DNS provider for the IP address of moneysavingexpert.com and the DNS provider gives out 104.17.46.83 - This reveals what websites you are visiting to your DNS provider (usually your ISP)

    3. Your browser then sends a request to connect to 104.17.46.83. For the server at 104.17.46.83 to accept the request, it needs to know your public IP address. This reveals your location and your internet service provider / mobile phone carrier.

    4. Next your browser will ask the remote server for the web page, in doing so it will identify itself with data such as the following (there is even more data available - I'm just showing key things to make the point)





    5. So in terms of the tracking pixel, none of the above is really needed to know you have read the email, but all of the above helps enrich the tracking data. The tracking pixel will reveal that you read your email on your mobile phone at 3:06 pm in Bolton and again at 5:17 pm from your home in Stockport on your laptop.

    6. From the above the web server can build a "fingerprint" of your device. This can be used to track you across different websites without using cookies - when a website sees the same combination of IP address, browser and hardware information then it knows it is probably the same person accessing the website.

    7. If you log in to one of those websites, eg Facebook, then a lot more information can be linked to that fingerprint and all of that data can be aggregated into some sophisticated tracking that can build a picture of what you search for, what websites you use etc.

    8. That data can be extrapolated to make assumptions about your demographics, political views, gender, economic status etc.
    Not trying to scare you because that information is mostly only used to target you with relevant adverts, but the ease of getting that data is something that people don't actually realise.
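
An added example, not part of any poster's reply: a small Python check that lists the images in an HTML email which would make the mail client contact a remote server and which look like tracking pixels as described above (invisible size or hidden by CSS). The sample message is constructed; the 1x1 URL is the illustrative one from the thread, and `images.example.com` and the function names are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class RemoteImageFinder(HTMLParser):
    """Collect <img> tags whose src makes the mail client contact a server."""
    def __init__(self):
        super().__init__()
        self.images = []  # list of (src, attribute dict)

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "").strip()
        # cid: and data: images travel inside the message, so no request is made.
        if src.startswith("//") or urlparse(src).scheme in ("http", "https"):
            self.images.append((src, a))

def _tiny(value):
    # "0", "1" or "1px": an image too small to see
    return re.fullmatch(r"\s*[01]\s*(px)?\s*", value) is not None

def find_tracking_pixels(html):
    """Return [(src, reasons)] for remote images that look like beacons."""
    finder = RemoteImageFinder()
    finder.feed(html)
    findings = []
    for src, a in finder.images:
        reasons = []
        if _tiny(a.get("width", "")) and _tiny(a.get("height", "")):
            reasons.append("invisible size")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        if reasons:
            findings.append((src, reasons))
    return findings

# Constructed sample message; the 1x1 URL is the illustrative one from the thread.
SAMPLE_EMAIL = """<html><body>
<img src="cid:logo" width="200" height="60">
<img src="https://images.example.com/banner.png" width="600" height="120">
<img src="http://www.myserver.com/trackingpixel001.jpg" width="1" height="1">
<img src="https://images.example.com/o.gif?r=constructed-id" style="display: none">
</body></html>"""

if __name__ == "__main__":
    print(find_tracking_pixels(SAMPLE_EMAIL))
```

A normal-sized remote image with a per-recipient URL tracks opens just as well and would not be flagged by these heuristics, which is why turning off remote image loading altogether is the more reliable setting.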
  • k_man
    k_man Posts: 1,636 Forumite
    1,000 Posts Second Anniversary Name Dropper
    I don't use Yahoo mail, but this may help
  • goodValue
    goodValue Posts: 477 Forumite
    Tenth Anniversary 100 Posts Combo Breaker
    Turn off the "load images in email" or similar option.
    I've now found out where this is in Yahoo Mail.
    There is a note saying that Dynamic Messages will also be disabled. Do you have a link that describes what these are?

  • goodValue
    goodValue Posts: 477 Forumite
    Tenth Anniversary 100 Posts Combo Breaker
    There is no message sent back, your email reader just makes a request to read the tracking pixel from the server so it can "display" it in the email - even though you won't actually be able to see it.
    I can't say that I fully understand this, but I do find it fascinating.
    If I read it a number of times I think I'll get a better understanding.

    From what you said, I get the feeling that the server withholds information about the pixel, so the email reader has to send another request to the server to get the details about the pixel. And it is this request that supplies all the information about my email account and hardware to the server.
    Is that correct?

  • goodValue
    goodValue Posts: 477 Forumite
    Tenth Anniversary 100 Posts Combo Breaker
    Turn off the "load images in email" or similar option.
    Would this also stop me getting ads based on my location?