January 9, 2012

How NOT To Get Hacked

Every day e-mail accounts get compromised. This is not unique to any one e-mail provider; it happens to them all. When an account is compromised, it tends to be used for any one of a number of common reasons:
  • To send out spam advertising to all the contacts stored in the account.
  • To send out scams to all the contacts stored in the account attempting to steal money from them.
  • To gain access to other accounts from information stored in messages. This could be other e-mail accounts (to send spam) or bank and financial accounts.
  • To gain access to private information or to destroy information stored in the account.
Besides the obvious embarrassment and potential financial loss to you or your contacts, other results can include:
  • Loss of all your contacts (deleted so you can't warn them of the scam).
  • Loss of all your e-mail history (deleted for various reasons).
  • Loss of your entire e-mail account (deleted when the hacker is done with it).
While Gmail* has ways to recover lost or deleted accounts, contacts, and sometimes e-mail, it's best if the account compromise never happened in the first place. To that end one needs to be aware of how e-mail accounts can be compromised and what steps to take to prevent it.

Below is a partial list of ways accounts can be compromised. It's not an exhaustive list, but it includes the most common methods and a few of the less common ways.  The first two are the most important ones to be aware of and guard against.

Common Password Usage

This is the practice of using the same password for multiple web-sites.  It can be hard to remember a lot of different passwords, so many people take the short-cut of repeating password usage or, in the most extreme case, only using a single password for every account they have.  While Google's e-mail servers are extremely secure, that can't be said of every web-site in the world.  Hackers will compromise less secure web-sites and steal the account registration database.  That typically includes an e-mail address and password for each account.  For people who use the same password everywhere, the hacker just got the e-mail address and password and can directly log into the account.

So the single best, and most important thing you can do to keep your e-mail account secure is to use a unique password that you don't use anywhere else.  This is more important than the password length or complexity neither of which help if they harvest the password from another site.


At its core, phishing is the process of someone asking for your password and you giving it to them.  Of course it's not that simple.  The request may be buried in a long e-mail about policy changes, or account verification.  It may tell you to sign in to your account, but the link provided doesn't actually go to google.com (even though it may perfectly mimic the Gmail sign-in page).  Often it includes threats of account loss or deletion to encourage (that is scare) you to provide the information.

Whatever form it takes, the bottom line is the same:  they have the account name and password and can log in any time they want to.  And of course the best phishing scams are the ones where the user never realizes they were phished.  They just suddenly lose access to their account with no idea why or what happened.

No reputable web-site (Gmail or any other) will ask you for your password in an e-mail.  Never ever reply to a message with your account password.  Never!  And even if the e-mail looks totally legitimate, always verify that the link you follow really ends up at the correct site before you enter any information.  Always!

Keyloggers and other Malware

A keylogger is a utility installed on a computer that captures every keystroke as people use the computer.  It's not too hard to search through the resulting information to find e-mail address and passwords entered by people logging into accounts.  As with other methods, someone now has direct access to the account.

This problem is usually found on public computers, like at a school, library or workplace.  Anyplace where a computer is not physically secure and anyone can use it and potentially install programs on it.  It can also be a risk in a home or work environment if anyone else has access to the computer.  And since keyloggers are a different class of problem, they may not be identified by the anti-virus software running on the computer.

The best defense from this class of attack is to never use a computer that you are not 100% sure is safe.  Also, never leave a computer you own logged in (or without a locking screen-saver) when you are not physically present.

Logging Out

This is related to the physical security of the computer(s) used.  If anyone has access to the computer, you must always log out of any accounts when leaving the computer unattended.  Otherwise anyone who walks up has full access to all accounts (including e-mail) that may be active.

Browser Auto-Fill

This is similar to the above in that it relies on a secure computer.  If you have your account login information saved in your browser (so it automatically fills it in for you) then anyone else using the computer can also log into the accounts.  If the computer is not physically secure, then it's important to not have account information saved in the browser (or in any files saved on the computer).

Password Guessing

This is a brute-force process of guessing the password to an account.  It's made easier if the hacker knows you and can make guesses using family/pet names, locations, etc.

There are basically three levels of brute-force attacks.
  • Someone with personal knowledge of you (often a spouse or ex-spouse, girl/boy-friend, etc) who can figure out your password. These are people who know your kids/pets/parents/etc names or what you're probably use as a password. They might even know your actual password.
  • Using trivial or common passwords. This includes using trivially guessed (and unfortunately all too common) passwords like: "Password", "123456", "qwerty", etc. If your password is on the following list you're at-risk: http://mashable.com/2011/11/17/worst-internet-passwords/
  • Use of a program that tries dictionary words/combinations just trying to figure out the password. This is what is typically thought of as a "brute-force" attack.

In reality, most modern password systems have protections in place to prevent this.  After some number of incorrect guesses the system will do something to prevent further guesses.  It may lock the account for a while, or require the manual solving of a Captcha (the squiggly letters), or something else. Gmail has this sort of protection.

The best defense against any sort of brute-force attack is to follow standard password generation safeguards:  no common words or proper names, no patterns (123456 or qwerty), use mixed case and include numbers or punctuation, etc. And of course, make sure no one else knows your password.

Network Packet Capture

This is the process of using hardware or software utilities to monitor the raw traffic on a network to try and capture account login information.  The risk here is typically when using unsecured wireless networks, like the type provided free at various businesses.

While this is a real threat, it requires someone with the right tools and a good knowledge of network protocol.  The odds of such a person sitting next to you at that coffee shop are pretty small.

The best defense against this risk is to never use an insecure wireless network.  If the network doesn't require an encryption key to use, then you probably don't want to connect to it.

Server Attack

As discussed above with common password usage, this is the process of hacking a provider's e-mail servers to gain direct access to the login database or e-mail accounts.  As an end-user there is nothing you can do to guard against this sort of problem other than using only reputable companies for on-line services.

Again, Google's e-mail servers are extremely secure (both from network and physical access) so the risk of this is infinitesimal.

Extra Protection

Google offers an extra layer of protection for accounts beyond a password. This extra layer is called 2-Step Verification (2SV). It further restricts account access based on both something you know (your password) and something you have (a physical device). Typically the device is a pre-registered mobile phone where you can receive the 2-step verification codes. When signing into your account you need to provide both the password and this code to gain access. That means that if someone were to obtain your password (through a phishing scam for example) they still could not access your account because they would have no way to get the 2-step verification code.

Recently Google added another type of physical device you can use that eliminates the hassle of obtaining and entering codes: Universal 2nd Factor verification (U2F). This uses a small USB security key as the something you have part of 2-step verification.

Closing Thoughts

Protecting your e-mail account is sort of like keeping yourself healthy. You pay attention to the most common threats (heart disease, effects of smoking, accidents) and typically ignore the ones with a very low probability (getting hit by a meteor, getting struck by lightening, being bitten by a snake). They're all bad, but they're not all equally probable.

For account security, put a lot of effort into the first two methods listed above.  Use unique passwords.  Be very suspicious of any request for private account information.  And be aware the security of any computer you use (which one could argue includes always logging out and not storing account information on the computer).

Finally, always keep your account recovery settings up-to-date so if anything does happen to your account one day, you are in a better position to recover it.  This is critical because if you don't have a secret question or if your recovery e-mail is no longer valid, it can be very difficult to recover an account.

How about this idea:  do it NOW.

Settings -> Accounts and Import -> Change Account Settings -> Change password recovery options

Additional Reading

Choosing a smart password: https://support.google.com/accounts/answer/32040
Google account security info: http://www.google.com/help/security/
How to recover a lost or compromised account: http://gmailaccountrecovery.blogspot.com/

* Gmail is a trademark of Google, Inc. This page is not sponsored by or affiliated with Google.