Are you an Outlook user? Have you received a message telling you that your account needs to be reconfigured, and requesting that you enter your username and password?
Here’s an email message that we have seen sent out to internet users:
Original Post from Sophos. Author – Graham Cluley
As has been widely reported, high profile users of Gmail – including US government officials, reporters and political activists – have had their email accounts hacked.
This wasn’t a sophisticated attack against Google’s systems, but rather a cleverly-crafted HTML email which pointed to a Gmail phishing page.
Victims would believe that they had been sent an attachment, click on the link, and be greeted by what appeared to be Gmail’s login screen. Before you knew it, your Gmail username and password could be in the hands of unauthorised parties.
So, what steps should you take to reduce the chances of your Gmail account being hacked?
1. Set up Two step verification
The hackers who broke into high profile Gmail accounts grabbed usernames and passwords. So, an obvious thing to do would be to make Gmail require an extra piece of information before allowing anybody to access your account.
Google provides a facility called “two step verification” to Gmail users, which provides that extra layer of security. It requires you to be able to access your mobile phone when you sign into your email account – as they will be sending you a magic “verification” number via SMS.
The advantage of this approach – which is similar to the one taken by many online banks – is that even if cybercriminals manage to steal your username and password, they won’t know what your magic number is because they don’t have your phone.
Google has made two step verification easy to set up.
Once you’re set up, the next time you try to log into Gmail you’ll be asked for your magic number after entering your username and password. Your mobile phone should receive an SMS text message from Google containing your verification number.
Let’s just hope the bad guys don’t have access to your mobile phone too.
Here’s a video from Google where they explain two step verification in greater detail:
You can also learn more about two step verification on Google’s website.
By the way, note that two step verification doesn’t mean that your Gmail can’t ever be snooped on by remote hackers. They could, for instance, install spyware onto your computer which could monitor everything that appears on your screen. But it’s certainly a good additional level of security for your Gmail account, and one which will make life much more difficult for any cybercriminal who might be targeting you.
2. Check if your Gmail messages are being forwarded without your permission
Gmail gives you the ability to forward your emails to another email address. There are situations where this might be handy, of course, but it can also be used by hackers to secretly read the messages you receive.
Go into your Gmail account settings, and select the “Forwarding and POP/IMAP” tab.
If your emails are being forwarded to another address, then you will see something like the following:
That’s fine if you authorised for your emails to be forwarded to that email address, but a bad thing if you didn’t.
If your messages are not being forwarded you will see a screen more like this:
Hackers want to break into your account not just to see what email you’ve received up until their break-in. Ideally, they would like to have ongoing access to your email, even if you change your password or enable two step verification. That’s why it’s so important to check that no-one has sneakily asked for all of your email to be forwarded to them.
3. Where is your Gmail account being accessed from?
At the bottom of each webpage on Gmail, you’ll see some small print which describes your last account activity. This is available to help you spot whether someone has been accessing your account at unusual times of day (for instance, when you haven’t been using your computer) or from a different location.
Clicking on the “Details” option will take you to a webpage describing the type of access and the IP address of the computer which logged into your email account. Although some of this data may appear nerdy, it can be a helpful heads-up – especially if you spot that a computer from another country has been accessing your email.
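The same check the section describes doing by eye, applied programmatically, as an added example that is not Google’s code: constructed activity records in the spirit of the “Details” page are parsed and any access from outside the owner’s home country or outside their usual hours is flagged. The IP-to-country table is a constructed stand-in for a geolocation lookup.

```python
from datetime import datetime

# Constructed sample modelled on the "Details" page: access type, IP, UTC time.
ACTIVITY_LOG = """\
Browser 203.0.113.7 2011-06-02T09:14:00
Browser 203.0.113.7 2011-06-02T13:40:00
Mobile 203.0.113.9 2011-06-02T18:05:00
POP3 198.51.100.23 2011-06-03T03:12:00
Browser 203.0.113.7 2011-06-03T02:30:00
Browser 203.0.113.7 2011-06-03T08:55:00
"""

# Constructed lookup standing in for a geolocation database ("XX" = some other country).
COUNTRY_OF = {"203.0.113.7": "GB", "203.0.113.9": "GB", "198.51.100.23": "XX"}


def parse_activity(text):
    """Turn the whitespace-separated records into (access_type, ip, datetime) tuples."""
    records = []
    for line in text.strip().splitlines():
        access_type, ip, ts = line.split()
        records.append((access_type, ip, datetime.fromisoformat(ts)))
    return records


def flag_unusual(records, home_country, active_hours=(7, 23)):
    """Return (ip, reason) for accesses from outside home_country, or from home
    but outside the hours in which the owner normally uses the account."""
    start, end = active_hours
    flagged = []
    for access_type, ip, when in records:
        country = COUNTRY_OF.get(ip, "unknown")
        if country != home_country:
            flagged.append((ip, f"{access_type} access from {country}"))
        elif not start <= when.hour < end:
            flagged.append((ip, f"{access_type} access at {when:%H:%M} UTC, outside usual hours"))
    return flagged


if __name__ == "__main__":
    for ip, reason in flag_unusual(parse_activity(ACTIVITY_LOG), "GB"):
        print(ip, "-", reason)
```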
4. Choose a unique, hard-to-crack password
As we’ve explained before, you should never use the same username and password on multiple websites. It’s like having a skeleton key which opens every door – if they grab your password in one place they can try it in many other places.
Also, you should ensure that your password is not a dictionary word, and is complex enough that it’s hard to break with a dictionary attack.
Here’s a video which explains how to choose a strong password, which is easy to remember but still hard to crack:
(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)
Don’t delay, be sensible and make your passwords more secure today
And once you’ve chosen a safer password – keep it safe! That means, don’t share it with anyone else and be very careful that you’re typing it into the real Gmail login screen, not a phishing site.
It should go without saying, but this list would be unfinished without it. You need to properly secure your computer with up-to-date anti-virus software, security patches and so forth. If you don’t, you’re risking hackers planting malicious code on your computer which could spy upon you and, of course, your email.
You always want to be certain that your computer is in a decent state of health before you log into a sensitive online account, such as your email or bank account. That’s one of the reasons why I would always be very nervous about using a computer in a cybercafe or hotel lobby. You simply don’t know what state the computer is in, and who might have been using it before.
6. Why are you using Gmail anyway?
Okay, I don’t really mean that. But I do mean, why are you storing sensitive information in your Gmail account?
The news headlines claim that senior US political and military officials were being targeted by the hackers. Surely if they had confidential or sensitive data they shouldn’t have that in their webmail account? Shouldn’t that be on secure government and military systems instead?
Always think about the data you might be putting on your web email account – because if it’s only protected by a username and password that may actually be less security than your regular work email system provides.
Last year, Google made HTTPS access to Gmail the default for all account holders, adding a security layer. Now, Google has introduced another security layer upgrade with an advanced opt-in feature dubbed 2-Step Verification. This 2-Step Verification feature requires a specific code to sign in to the Gmail account. Google either calls you (only if you are in U.S., I suppose) to give you that code, sends the code via SMS, or generates it via a mobile app for Android, BlackBerry or iPhone devices. Gmail finally gets a bank-account-like security feature for sign-in.
Gmail’s 2-Step Verification advanced sign-in feature is optional and will soon be visible to all Google account holders on the Manage Account page. This new security feature makes your Google account, and Gmail most of all, more secure.
2-Step Verification lives up to its name, since it requires two credentials: your Google account password and a six-digit passcode obtained via your phone. The user has to set up the opt-in 2-Step Verification feature from the Manage Account page. During set-up, you’ll be required to enter your phone number and also create some backup passcodes, just in case you lose your phone or it gets stolen. After completing the 2-Step Verification setup, you’ll land on an additional page once you log into your Google account using your login ID and password.
To prevent third-party sign-in or someone sneaking into your account, make the most of 2-Step Verification. Yes, it does involve an extra step, but it certainly secures your account. Google had been testing this feature with Google Apps users and it will become available to all Google account holders over time.
Interestingly, this feature is in tune with Facebook’s new security features.
Under fire for its recent disregard for user privacy, Facebook has made amends by tightening security and has now introduced two new features to help secure accounts – one-time passwords and remote logout.
The one-time password is meant for people who access Facebook from public places like cybercafes. This is significant in a country like India, where low PC penetration means a large share of users access the Internet from Internet cafes. Unfortunately, this feature is restricted to the U.S. only, but it may be extended to India as well. The feature is used by sending an SMS to receive a temporary password that expires after twenty minutes. Remote logout lets you, well, remotely sign off your Facebook session. It’s useful when you log in through a friend’s computer or phone, but forget to log off.
However, if experts from IT security firm Sophos are to be believed, Facebook’s one-time password still leaves users vulnerable to security risks. According to Graham Cluley, senior technology consultant at Sophos, “If you believe a computer might not be secure in the first place, why would you use it to access personal accounts such as Facebook? A temporary password may stop keylogging spyware, giving cybercriminals a permanent backdoor into your account, but it doesn’t stop malware from spying on your activities online, and seeing what’s happening on your screen.”
Makes perfect sense, because the first rule of security is to steer clear of any unnecessary scenario that compromises security. So there’s no real reason to log into Facebook from public computers. However, for those who have no choice – like the ones who don’t have a PC – it’s an added layer of security. Like they say, something’s better than nothing.
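The second-step flow described in section 1 and in the 2-Step Verification paragraphs above (password, then a six-digit code from your phone, with backup codes for a lost phone), together with the time-limited one-time password described for Facebook, modelled server-side as an added Python example that is neither Google’s nor Facebook’s code. The 20-minute lifetime comes from the Facebook description; the five-attempt limit and the 8-hex-character backup codes are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 20 * 60  # 20-minute lifetime, as described for Facebook's one-time password
MAX_ATTEMPTS = 5            # assumption: stop accepting guesses for a pending code after 5 misses


def _digest(code):
    # Store only hashes so a leaked database does not expose live codes.
    return hashlib.sha256(code.encode()).hexdigest()


class SecondFactor:
    """Server-side second step for one account: a short-lived six-digit code (sent by
    SMS in the real flow) plus single-use backup codes for when the phone is unavailable."""

    def __init__(self, now=time.time):
        self.now = now                 # injectable clock so expiry can be tested
        self.pending = None            # [digest, expiry, attempts_left] or None
        self.backup_digests = set()

    def issue_code(self):
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, leading zeros kept
        self.pending = [_digest(code), self.now() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code

    def issue_backup_codes(self, count=10):
        codes = [secrets.token_hex(4) for _ in range(count)]   # assumption: 8 hex chars each
        self.backup_digests = {_digest(c) for c in codes}
        return codes

    def verify(self, submitted):
        """True at most once per code; expired, reused or brute-forced codes all fail."""
        digest = _digest(submitted)
        if self.pending is not None:
            stored, expiry, attempts = self.pending
            if self.now() > expiry or attempts <= 0:
                self.pending = None                      # expired or locked out: discard
            elif hmac.compare_digest(stored, digest):    # constant-time compare
                self.pending = None                      # single use
                return True
            else:
                self.pending[2] -= 1
        if digest in self.backup_digests:
            self.backup_digests.discard(digest)          # each backup code works once
            return True
        return False
```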