Gmail account protection

How many cases have you done that involved possible unauthorized access to a webmail account? Probably quite a bit, if your client base and caseload is a bit similar to ours. Remember, this isn’t just about the average home user whose Hotmail account got hacked by guessing the secret question; there are numerous examples of people who (for a variety of reasons) use their personal webmail occassionaly or on a regular basis for receiving and sending workrelated e-mail.

These cases are often hard to solve: there are of course some tricks with using ‘digital traps’ to catch the person who is viewing the inbox, but such mechanisms don’t always work in the current world of spam-protection. And if you are doing bad things, you might be looking out for traps :) The webmail providers are often very reluctant to provide any information on when and from where an account was accessed, even when the requester is the owner of the account.

Google has introduced a little new feature that might help in signaling and maybe even preventing these types of mailbox abuse: remote sign-out and IP information. At the bottom of your Gmail inbox, just below the line that states what percentage of your mailbox’ capacity you are using, is now a line that says: last account activity x minutes ago on this computer.

With that line comes a ‘details’ link, that will show you an overview of the last sessions on this Gmail account. This is listing IP-address, date/time information and also the type of access (for example browser – the regular web-interface, but also POP3 or IMAP).

If someone suspects that someone is accessing their Gmail account without their consent, it might be good to keep checking that link once in a while. There might be a line stating ‘last activity from [IP-address]‘‘ which could be an indication that something has indeed been going on (provided you check you Gmail only from one computer, otherwise it could also be that you see a notification of yourself accessing Gmail from – for example – your work). Or you might see a date/time or IP-address in the list of sessions that you can’t match to your own activity.

Google’s suggestions on what to when you suspect your account has been compromised are quite straightforward and sufficient for the average user: change your password and change your secret question. That should keep the ‘good guessers’ out, provided there is no keylogging software or other malware on your PC.

However, when there might be valuable personal or company data at stake, there is always the choice between keeping the bad guys out versus keeping them under surveillance for some time. In such a case, it is probably good to talk to a qualified forensic investigator to discuss the options.

Anyhow, this seems like a useful feature that will hopefully help people to determine whether something is going on with their account. A very good decision to disclose this information (that is available to Google anyway) to the user, who can be considered as the ‘owner’ of this information (for his account only of course). Hopefully people will be able to interpret this information in the right way and will it help them in making a good decision on what to do to protect their e-mail.

July 14, 2008 | By: Jelle | Filed Under internet 

Comments

4 Responses to “Gmail account protection”

  1. Code on July 16th, 2008 11:14

    Very nice feature… but it doesn’t work with IE6 (and maybe with other browsers).
    You can use the direct url of the page!
    Follow these steps:
    1) change your browser’s user agent string (eg use “Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)”), close the browser and reopen it in order the change to take effect. From now your browser will be identified as IE7
    2) Log in to Gmail with your account, et voilĂ , “Last account activity” is available on the bottom of the page. You click it and the popup opens. Save the url of this page, which will work on all browsers, then undo the changes you made to the user agent string of IE6 and restart the browser.
    When you are logged onto Gmail and you need the “Last account activity” page, simply use the url you previously saved.

  2. aliblock on July 31st, 2008 19:37

    I clicked on “Details” and it only showed me the six most recent activities. How do I go back further to see the last few weeks or months?

  3. Jelle on July 31st, 2008 20:59

    Hey ‘aliblock’, I don’t think there is a way to look further back. It’s an overview of the ‘last account activity’. Might be a feature request to Google ;)

  4. Bookmarks about Gmail on January 23rd, 2009 10:30

    [...] – bookmarked by 6 members originally found by numimarks on 2008-12-30 Gmail account protection http://www.forensicsblog.net/?p=13 – bookmarked by 2 members originally found by FalsePositives on [...]

Leave a Reply