How many cases have you done that involved possible unauthorized access to a webmail account? Probably quite a few, if your client base and caseload are at all similar to ours. Remember, this isn’t just about the average home user whose Hotmail account got hacked by guessing the secret question; there are numerous examples of people who (for a variety of reasons) use their personal webmail occasionally or on a regular basis for receiving and sending work-related e-mail.
These cases are often hard to solve: there are of course some tricks with using ‘digital traps’ to catch the person who is viewing the inbox, but such mechanisms don’t always work in the current world of spam-protection. And if you are doing bad things, you might be looking out for traps. The webmail providers are often very reluctant to provide any information on when and from where an account was accessed, even when the requester is the owner of the account.
Google has introduced a small new feature that might help in signaling and maybe even preventing these types of mailbox abuse: remote sign-out and IP information. At the bottom of your Gmail inbox, just below the line that states what percentage of your mailbox’s capacity you are using, there is now a line that says: ‘last account activity x minutes ago on this computer’.
With that line comes a ‘details’ link that shows an overview of the last sessions on this Gmail account. The overview lists the IP address, date/time information and also the type of access (for example browser, meaning the regular web interface, but also POP3 or IMAP).
If someone suspects that their Gmail account is being accessed without their consent, it might be good to keep checking that link once in a while. There might be a line stating ‘last activity from [IP-address]’, which could be an indication that something has indeed been going on (provided you check your Gmail from only one computer; otherwise it could also be a notification of yourself accessing Gmail from, for example, your work). Or you might see a date/time or IP address in the list of sessions that you can’t match to your own activity.
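The check described above can be made repeatable once the rows from the ‘details’ view have been written down. The following Python sketch is an added example, not part of the original post or any Google tool: the row layout, the sample sessions (documentation-range addresses) and the owner's known networks and access types are all constructed assumptions.

```python
import ipaddress
from datetime import datetime

# Constructed sample: rows transcribed by hand from the 'details' view as
# (access type, IP address, date/time). Addresses are RFC 5737 documentation ranges.
SESSIONS = [
    ("Browser", "192.0.2.10", "2008-07-10 08:15"),
    ("IMAP", "198.51.100.7", "2008-07-10 09:02"),
    ("POP3", "203.0.113.45", "2008-07-10 03:41"),
    ("Browser", "203.0.113.45", "2008-07-09 23:30"),
]

# Assumptions supplied by the account owner: where and how they read their mail.
KNOWN_NETWORKS = {"home": "192.0.2.0/24", "work": "198.51.100.0/28"}
KNOWN_ACCESS_TYPES = {"browser", "imap"}

def triage(sessions, known_networks, known_access_types):
    """Return the sessions the owner cannot match to their own activity, oldest first."""
    nets = [ipaddress.ip_network(cidr) for cidr in known_networks.values()]
    findings = []
    for access_type, ip_text, when_text in sessions:
        ip = ipaddress.ip_address(ip_text)
        when = datetime.strptime(when_text, "%Y-%m-%d %H:%M")
        reasons = []
        if not any(ip in net for net in nets):
            reasons.append("IP not in any known network")
        if access_type.lower() not in known_access_types:
            reasons.append("access type never used by owner")
        if reasons:
            findings.append({"time": when, "ip": ip_text,
                             "access_type": access_type, "reasons": reasons})
    return sorted(findings, key=lambda f: f["time"])

if __name__ == "__main__":
    for f in triage(SESSIONS, KNOWN_NETWORKS, KNOWN_ACCESS_TYPES):
        print(f["time"], f["ip"], f["access_type"], "; ".join(f["reasons"]))
```

Listing the work network next to the home network covers the caveat above: a session from your own office is then not reported as unknown.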
Google’s suggestions on what to do when you suspect your account has been compromised are quite straightforward and sufficient for the average user: change your password and change your secret question. That should keep the ‘good guessers’ out, provided there is no keylogging software or other malware on your PC.
However, when there might be valuable personal or company data at stake, there is always the choice between keeping the bad guys out versus keeping them under surveillance for some time. In such a case, it is probably good to talk to a qualified forensic investigator to discuss the options.
Anyhow, this seems like a useful feature that will hopefully help people to determine whether something is going on with their account. It is a very good decision to disclose this information (which is available to Google anyway) to the user, who can be considered the ‘owner’ of this information (for his own account only, of course). Hopefully people will be able to interpret this information in the right way, and it will help them make a good decision on what to do to protect their e-mail.