Friday 27 July 2012

Olympic Games Breach Disclosure Window Opens

The London 2012 Olympic Games have finally arrived, and will dominate media headlines around the world for the next couple of weeks. This is a great time for sports fans, but also a great time for firms to disclose data breaches. Yes, I know I'm being really cynical, but let's see what breach notifications occur during this festival of sport.
As I write this post Google have just announced they are in breach of a UK privacy agreement - http://www.bbc.co.uk/news/technology-19014206, admitting to not having deleted personal data gathered as part of their Street View surveys. This personal data should have been wiped over 18 months ago! But back to my main point with this post today: as with this awkward privacy announcement, the media coverage of it will be swiftly buried within the media's frenzy of Olympic headlines, which is why companies' PR teams choose specific dates to publicly announce their data breaches.

Saturday 7 July 2012

How to Protect Your Gmail Account from Hackers

Hackers target online Email accounts for a reason: they know that if they can 'own' a webmail account, they can access it from anywhere and at any time, use it as a tool, and harvest information of value. Fraudsters will often rifle through compromised Email accounts looking for information which will grant them access to more lucrative web accounts. A quick search of pretty much any Email inbox reveals information about the various online accounts used by its owner, many of which offer potential fraudulent revenue to a hacker. Typically Emails containing information about e-commerce websites and online banking accounts will light up a hacker's eyes. In this post I'm going to explain typical techniques employed by online fraudsters, to highlight the vital importance of protecting your main Email account.

No Account Username, No Problem
As a security feature, some website accounts don't use an Email address as a username, but invite account holders to create one instead. However, if the hacker has access to the Email account, more often than not there will be Emails containing the website account username. Furthermore, with most websites a username can be requested over Email, which goes straight into the compromised Email account.

Password Finding
With an active lucrative website account identified together with a username, which may well be the Email address of the victim, obtaining the password which goes with it is child's play when the hacker is in control of the victim's Email account. Some websites will Email existing account passwords in plain text to the user, so the password can be found within the account's Emails, or it can simply be a question of requesting the password to be re-sent from the website. It is even easier for the hacker if the victim has used the same password for all their different accounts, as knowing their Email address and online username together with a commonly used password is enough to steal their entire online life.

Password Resetting
Websites which don't Email passwords are still easy to beat if you control the victim's Email account. Nearly all websites provide a facility to reset a password; most ask basic personal knowledge questions and then send a confirmation link by Email to the compromised Email account, which then allows a new password to be created by the hacker. Those security questions aren't much of a problem, as the answers can be found within the reams of Emails and by accessing the victim's social networking accounts, and personal details can be obtained from other weakly protected online accounts. Upon accessing an account the hacker just reviews the account profile for the necessary personal information; sometimes website account profiles have the hacker bonus of listing the security questions with the victim's answers, and the same typical security questions are asked for and used on most websites time and again.

Your online Email account is essential to protect, as it holds the keys to your online identity.
Gmail's Added Security Protection
If you are a Gmail (GoogleMail) user, good news: there is something you can do to increase the security of your Gmail account. It is not common knowledge, but Google offers a free two-factor authentication service called 2-step verification for all Gmail users. 2-step verification significantly improves the security of your Gmail account and massively increases its protection from being accessed by hackers.

How to Set up Gmail 2-Step Verification with your Gmail Account
Visit https://support.google.com/accounts/bin/answer.py?answer=185839&topic=1056283

How Does 2-Step Work? Why is it more Secure?
2-step verification works by requiring that you have your mobile phone (registered with Google) in your possession each time you type in a password. When Gmail webmail is accessed for the first time on a PC, and every 30 days thereafter, Google 2-step forces password entry and also requests a unique one-time verification code; at this point you will instantly receive a text message on your registered mobile phone with a one-time code to type in.

This means you cannot log into your Gmail account without having possession of your mobile phone, hence two-factor authentication. So even if a hacker obtains your Gmail account password, the hacker cannot log into your Gmail account unless he or she has your phone as well, or is attempting access from your local PC, where the password alone is accepted within the 30-day window. These are not typical scenarios for the online criminal, who accesses webmail accounts from their own devices.

Great for Webmail, but what about Gmail through Outlook, or on my iPad and iPhone?
Devices such as PCs (Outlook), iPads, and smartphones which need to continuously access Gmail could be a problem with this system, but fear not, Google have thought of that. The 2-step system is able to create a unique and strong dedicated password for each device you have. Once each device's password has been entered for the first time, the system doesn't request mobile phone authentication every 30 days like webmail access does. You can fully manage these devices and their passwords online, changing them as often as you would like, and you can even revoke a password instantly should your device be stolen. The main security advantage is that even if one of these unique device passwords becomes compromised, it can't be used to access your online Gmail account, it can't be used to change your Google settings, nor can it be used to change any passwords.
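To make the two mechanisms described above concrete (the password-plus-text-message login with a 30-day trusted device, and the separate revocable per-device passwords that open the mailbox but nothing else), here is a small Python simulation. This is an added example written for this post, not Google's code and not a description of how Google implements 2-step verification internally; the class, method names, the 10-minute code lifetime and the sample password are all my own assumptions, and the "text message" is simply returned to the caller so the flow can be run offline.

```python
import hashlib
import hmac
import secrets

# Re-prompt interval for a trusted browser, as described in the post (30 days, in seconds).
TRUST_WINDOW = 30 * 24 * 3600
# Assumed lifetime of a one-time code once "sent"; not a value stated in the post.
CODE_LIFETIME = 600


class TwoStepAccount:
    """Hypothetical model of a webmail account with 2-step verification and device passwords."""

    def __init__(self, password: str):
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._hash(password)
        self._pending_codes = {}    # device_id -> (code, issued_at)
        self._trusted_devices = {}  # device_id -> time of last successful code entry
        self._device_passwords = {} # label -> hash of a dedicated mail-client password

    def _hash(self, secret: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), self._salt, 50_000)

    def _matches(self, stored: bytes, candidate: str) -> bool:
        return hmac.compare_digest(stored, self._hash(candidate))

    # ---- webmail login: password first, then a one-time code unless this device is trusted ----
    def begin_login(self, password: str, device_id: str, now: int):
        """Returns ('denied', None), ('ok', None) for a trusted device inside the window,
        or ('code_required', code) where code stands in for the SMS text message."""
        if not self._matches(self._pw_hash, password):
            return "denied", None
        last = self._trusted_devices.get(device_id)
        if last is not None and now - last < TRUST_WINDOW:
            return "ok", None
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending_codes[device_id] = (code, now)
        return "code_required", code  # in reality delivered to the phone, never to the browser

    def complete_login(self, device_id: str, code: str, now: int) -> bool:
        """Second step: the code is single-use, time-limited, and bound to the device that asked."""
        pending = self._pending_codes.pop(device_id, None)
        if pending is None:
            return False
        expected, issued = pending
        if now - issued > CODE_LIFETIME or not hmac.compare_digest(expected, code):
            return False
        self._trusted_devices[device_id] = now  # trusted for TRUST_WINDOW from here
        return True

    # ---- dedicated device passwords for Outlook, iPad, phone ----
    def create_device_password(self, label: str) -> str:
        pw = secrets.token_hex(8)
        self._device_passwords[label] = self._hash(pw)
        return pw

    def revoke_device_password(self, label: str) -> None:
        self._device_passwords.pop(label, None)

    def mail_client_login(self, password: str) -> bool:
        """A mail client is checked only against the device-password list, never the account password."""
        return any(self._matches(h, password) for h in self._device_passwords.values())

    def can_change_settings(self, password: str, device_id: str, now: int) -> bool:
        """Settings and password changes need the real account password on a device verified by code."""
        if not self._matches(self._pw_hash, password):
            return False
        last = self._trusted_devices.get(device_id)
        return last is not None and now - last < TRUST_WINDOW


def demo() -> dict:
    """Walks through the scenarios in the post and returns each outcome."""
    account_pw = "correct horse battery staple"  # constructed sample password
    acct = TwoStepAccount(account_pw)
    t0 = 1_700_000_000
    r = {}
    # Someone holding only the password, on their own device: stopped at the code step.
    r["password_only"] = acct.begin_login(account_pw, "other-laptop", t0)[0]
    r["wrong_password"] = acct.begin_login("guess", "other-laptop", t0)[0]
    # The owner on their own PC: password, then the texted code, then trusted for 30 days.
    status, code = acct.begin_login(account_pw, "home-pc", t0)
    r["owner_first"] = (status, acct.complete_login("home-pc", code, t0 + 5))
    r["owner_day_29"] = acct.begin_login(account_pw, "home-pc", t0 + 29 * 86400)[0]
    r["owner_day_31"] = acct.begin_login(account_pw, "home-pc", t0 + 31 * 86400)[0]
    # A device password: opens the mailbox, cannot touch settings, and can be revoked.
    dev_pw = acct.create_device_password("outlook")
    r["device_pw_mail"] = acct.mail_client_login(dev_pw)
    r["device_pw_settings"] = acct.can_change_settings(dev_pw, "other-laptop", t0)
    acct.revoke_device_password("outlook")
    r["device_pw_after_revoke"] = acct.mail_client_login(dev_pw)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the simulation makes is the separation of privilege: the account password alone never completes a webmail login from an unknown device, the code is bound to the device that requested it and expires, and a device password is a distinct credential that only the mailbox check accepts, so losing one device password costs you that mailbox session until it is revoked, not the account.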

So if you are a Gmail user and care about your online Email account security, consider their 2-step verification.