There is a raging battle across the net about which email provider is the best to use. This is usually based on accessibility, ease of use and security. Depending on what you need an email account for that really depends on the person. I personally like Gmail for all my legitimate day to day needs. There are just so many things you can do it; I like versatility and most importantly I like to know WHAT is going on with my account.
For those on HTS (or visitors reading), that have and use Gmail, I am going to comprehensively cover some security measures on protecting your account, and some red flags to look for if your account is compromised that if you catch quickly, you may be able to save yourself from some serious damages. There is no guaranteed way to prevent a hacker from getting to your account. But there are ways to make it much more difficult. Fortunately, most hackers strive for easy targets (all those skiddies) and will likely give up when they see some of the measures you have put into place to prevent them from getting in.
**I want to encourage that if you have a Gmail account to login and follow along with this article for the full hands on learning experience.**
This should be a no brainer. Unfortunately, this is the most blatantly ignored rule on the internet! Using simple passwords is easy on the brain for trying to remember, but it makes the hacker drool when they discover that your password is simple. It’s a dead giveaway that all of your other accounts are going to be easy to get into as well. I’ll tell you a true story; I was asked by friend of the family to test his network security in his home for him. His WPA2 password was “hockeydude”. Once I was in I directed myself straight to the router homepage and found his email listed as the account holder. As it turns out his email password was “HockeyDude1234” which I was able to figure out in a couple of guesses knowing the password requirements for that particular host. Once I was in his email I now had a list of emails that linked his account to Facebook, his Bank, Netflix, and a naughty chat site. The entirety of the attack took 14 minutes. 12 to crack the wireless (lucky dictionary selection) and 2 for everything else. When you are creating your Gmail account or need to update your password you are shown a Password Strength Meter that shows a reading of how strong the automated checking system feels your entered password is.
DO NOT let this fool you into thinking that you have a strong password if you get a strong reading. After playing with it a bit I was able to get a strong reading with “1234567qwert”. Gmail unfortunately does not restrict the number of failed attempts to access an account! After a few attempts you will be prompted by a CAPTCHA to prevent brute forcing. This won’t stop a persistent hacker that believes they can guess it with some time and luck. Don’t be lazy. Use good passwords.
Account Recovery Options
Follow me to your account settings and then into your Account Recovery Options, you will be prompted to enter your password again for security reasons. This is put into place just in case are you victim to either session hacking or accidentally forgot to log out on your or a public machine.
Let’s first look at the security question option at the bottom. Gmail allows you to choose between six different premade questions with an additional seventh option to write your own question. If you choose to rely on your security question if in the event you forget your password, it’s not so much the question you select (or write) it’s the answer. If you choose the question, “What was your first phone number?” and enter your current phone number, you are not being crafty. Hackers WILL figure that out if they already know your phone number. Think smart. If you have a super secret phrase or password that you have NEVER used for anything else, use it for your answer instead of the actual answer to the question. It can even be as simple as, “OMG I love muffins!”
Moving up the page now to the Additional Email and Alternate Email options; I’ll put it simply. NO! It just leaves a trail for hackers to follow. I really really do not recommend using these options. If you forget your password, utilize the question option or the phone option (covered here momentarily). Sometimes when you request your password to be sent via email it is not encrypted and in visible plain text. Just ripe to be intercepted. Gmail does not do this but there are other email services that do.
Cell Phone and 2-Step Verification
EVERYONE should configure this part if you have not done so already. This is the strongest method of security you can have setup to protect your account! Wait Limdis, what are you about to make me do? 2-step verification requires that you not only enter your password but also enter a code that is texted to you. You can opt to have a trusted location that will not require you to require a code but will require one for each login attempt from an unknown location. That means that if a hacker DOES get your password and tries to login you are going to get a text message!
Go on and head up to the top of the page now to enter in your cell phone number. To my knowledge, Google does not release your number. That’s not to say they won’t to authorities, remember this article is geared for 100% legit email accounts. You can change and remove this number at any time. So don’t worry it’s not permanent. Now, head back to the main account page and select to edit the 2-step verification settings.
From here you will see a nifty little step by step process on how to set this up, which even includes a video. At the end of the setup you will be sent a code for verification. I have tested the response times for these texts and in my experience they range from 18-37 seconds and look like this:
Once you finish with the set up steps the very first thing you want to do is to make a copy of your Printable Backup Codes. It should be the 4th option down on the page you are looking at. If you don’t see it go back to your account settings, Edit option for 2-step verification, now it should be the 4th option down. The Printable Backup Codes are specifically created for your phone if in the event your phone is dead, no signal, or stolen. Save these in a very safe place and make sure nobody EVER finds them.
There is also a mobile application barcode you can scan for a code as well if you desire to go that route. That is the 3rd option. Be sure that if you login to your account via your phone you will need to get this setup as well. The 5th option down labeled “Application-specific passwords” and is designed for external logins, such as phones, outlook, etc. This is also pretty straight forward. But can be a little confusing at first. Create a name in step 1, such as “phone” and it will create a password for you to use.
Applications and other services cannot realize that they need to wait for a verification code. Instead enter these specifically generated passwords for your login. Let me say that again. If you set this up and are using an app, enter your email for the username and then the generated password to login. NOT your actual password. You can monitor the dates used and all activity login from these apps in this section and can revoke access at anytime you feel uneasy about open connections.
I personally have no interest in setting this up myself. I’m a little too paranoid to login with my phone. However, I do realize that some of the readers may have jobs/lifestyles that require them to do so. If you seek to utilize this option just refer to the “Learn More” option just below the application-specific passwords link.
Has My Email Been Hacked?
You should be confident at this point that nobody has access to your account. But you should still be vigilant in checking and ensuring that nobody does. I want to go over now what I like to call “red flags.” Red flags are actions taken by hackers that are visible. If you are familiar with my lingo on HTS I also refer to “loud actions” a lot. The difference is that loud actions get your attention immediately. Red flags are visible footprints left the by hacker, but you have to look for them. To those black hats out there reading this you better pay attention to this part if you like to explore email accounts that don’t belong to you. Gmail has a mini logging system that you can view at any time. I say mini because it doesn’t keep a huge log, just recent logins. For those that are following along, go to main page to where you can view your emails. Now look to the very bottom right of the page.
Here you will see a list of all logins for your account. There will be an additional notification if there are multiple sessions active. You can kill other sessions with a click of button if you don’t recognize them. Some of you might have already noticed the option to disable unusual activity. It takes a week to disable this feature, for your own safety in case you don’t know it’s being turned off. Unusual activity alerts work like this: If you try logging in from a strange IP address it will prevent the user from gaining access without further information. You will also get a notice via email/text. I have tested this using TOR and had my IP spoofed to appear as if I was in Germany. I was blocked and asked from which town and state I usually log in from to verify my identity. If you have the 2-step verification enabled, you are going to get a text message anyway.
Something that not a lot of people are aware of is automatic email forwarding. This can be a very devastating hacker tool if it has been implemented without your knowledge! The hacker will get every email you receive the instant you receive a new email and never again will they need to log into your account leaving logs for you to find. There is NO indication this is happening either, UNLESS YOU CHECK! If any of those following along discover they are a victim to this IMMEDIATELY copy down and remove the email address listed and change your password!
Now click on the “Forwarding and POP/IMAP” tab. The option will be the very first listing under this tab. It should be blank and have a button to add a forwarding address. If you are interested in perhaps setting this up all that you need to do is enter an email and apply. A verification code will be sent to the other email address with a link to verify the forward. The email address doing the forwarding will then to go back into these options and enable the forward. To those worried about this and to the black hats, Gmail now puts an alert at the top of the screen for 7 days when auto forwarding has been enabled. As long as you don’t wait more than a week to check your email, you will see if someone is trying to do this to you.
Phishing should not be a new term for you. If it is then you need to do some research. But basically phishing is designed to trick you into giving up your password. This can come in the form of “legit” looking emails, to fake websites designed to look like Gmail (or other mail clients and websites). The first thing you should look for before you ever log into your account is if HTTPS is in the URL. For those that have been following you have noticed that several times throughout this article you were asked to provide a password when changing your settings; this is normal. It would NOT be normal if you were browsing facebook or another site and you were linked back to Gmail asking you to login again, sometimes randomly. That is when you need to look for the HTTPS. If you are in still in question, close all windows and go back to Gmail directly providing your login information. Which reminds me, I wasn’t going to cover this because it shouldn’t have to be covered. DO NOT EVER give facebook or other networking sites your email login information so they can find your friends. That’s stupid, and dangerous. Now back to phishing. I just so happen to have a phishing email for you to see! I’ll show you what a real email from Google looks like compared to a fake one.
Notice first the name and email address associated with the email. Google Team – firstname.lastname@example.org. There are no attachments, and nothing stating that I should do anything! Google will never ask you for your password or ask you to re-verify your session or anything of that nature – ever. So don’t fall for that. Now let’s look at a phishing email:
Here we notice this email is from Jen and her email address is email@example.com. My name is not “User” the last time I checked. The ONLY thing that looks like it’s related to Google is the attached image. Well, Google won’t send you an attachment. So I’m not opening it. Neither should you if get something like this. Report it immediately, like this:
Lastly, keep an eye on your sent message folder and an eye on your trash folder. If see things out of order it might be time for a password change. If you notice items that have been read that you know you never opened, it might be time for a password change. If it’s been awhile since a password change, it’s time for a password change. If you feel nervous about something and that your email might be at risk, it might be time for a password change. Keep your mailbox clean. Remember you can view emails and change them to appear to be unread, and if the hacker has half a brain they will ensure to remove all their red flags.
There are lots of items about Gmail that I did not cover. I hope that you not only learned a little bit about protecting yourself but also a little bit about how hackers can operate. If you do or do not use Gmail, try and break into your own email account. It’s a great learning experience and you will learn a lot about how the process works. You cannot get into trouble attempting to hack your own email account unless you brute force the site, don’t do that. If you have any questions feel free to PM me or leave them in the comments.
Cast your vote on this article 10 - Highest, 1 - Lowest
Comments: Published: 7 comments.
HackThisSite is is the collective work of the HackThisSite staff, licensed under a CC BY-NC license.
We ask that you inform us upon sharing or distributing.