Watch your Gmail accounts

[kongli]

A couple of days ago I tried to log into my gmail account and it then warned me that it had detected suspicious acticity on my account and took me to a page which prompted me to put in my cell phone number in order to recieve a text and then enter it back in for verification.

I tried this a couple of times, but each time it said the code didn't match. Today, I just got a message to my other email account that gmail has disabled my account permanently due to 'violating terms of service'.

Not sure why they would disable my account but it is definetly a pain because I was subscribed to at least one pay site through that email. ugh.

Anyone know of other good email servers to use? or should I just make a new gmail account?

[roddy]

Sounds like someone got access to your account details and has been using them to send spam. I'd just register another gmail account, but I'd also want to know how they got the details.

[kongli]

So how do I figure out those details?

Thanks.

[ansileran]

Unless you really know your way around networking (or you're a hacker yourself), I don't think you're ever going to find out... This is the same as asking the question : "What are all the ways that a dedicated hacker could have to hack your computer ?"

Things like this happen all the time, no matter which country you're in. I was lucky to have been warned by some friends last time my hotmail account got hacked.

Just to be sure, run a complete scan of your harddrives, you may have a spyware installed somewhere. The rest is basic internet safety rules :

1- Don't let your webbrowser remember your passwords, nor any website

2- Change passwords OFTEN

3- Set complicated passwords

4- On your email account : do not open emails from unknown senders or with unspecified topics

5- Check sent emails, spams and deleted elements on a regular basis, and empty folders

...

These are a pain, I know, but it remains the best way to protect you accounts... Of course, if a skillfull hacker decides to get into your computer, there isn't much you can do...

Good luck anyway !

[skylee]

Hi ansileran, I am getting old and I find memorising new things increasingly difficult. Could you advise me of an effective way to remember the password if I carry out items 1 to 3 in your post #24?

[ansileran]

Well, everyone has it's own way to remember things... And just to edit on what I wrote, a complicated password (for a computer) simply means that it has numbers and upper case / lower case letters in it. It doesn't have to be like Hk2346lzfKJ ! ^^

And, if you have trouble remembering them, you can still have them written on a piece of paper with you. Not the safest thing to do, but hackers don't usually attack you physically or rob you before breaking into your computer. Keep a copy at home and, if you loose the sheet, change all your passwords immediatly...

[morpheus]

1- Don't let your webbrowser remember your passwords, nor any website

2- Change passwords OFTEN

3- Set complicated passwords

Well, I have good news for you guys. A recent study has shown that changing passwords is practically a waste of effort. (See Please Do Not Change Your Password ) The catch is that most passwords are stolen through certain direct means like the one in this thread (DNS spoofing to fake servers) rather than obtained by "guessing" it. (Brute-force "guessing" attacks are the major reason it is advised to change passwords in the first place.) It is also becoming common practice to limit the number of login attempts, so a brute-force attack like that is impractical if the password is fairly long and complex. (Long and complex passwords always had some power to repel this kind of attack, but the new practices make things much safer.) This fact lessens the risk associated with keeping the same password for a long time.

I do recommend setting different passwords for banking vs. everything else, however. It is theoretically possible for someone running a small website to figure out your password and then use THAT to snoop on you at other websites. If one website has faulty security, all your accounts could be compromised. This risk is also small, and you can prevent it completely anyway. If you don't change your passwords often it is possible for you to remember at least 5 or so. It's like learning phone numbers.

Hi ansileran, I am getting old and I find memorising new things increasingly difficult.

Instead of keeping passwords on a sheet of paper, I like index cards with a binder clip. Use one card for each account. If you add new accounts you can write on more of them. Some websites are requiring security questions in addition to passwords to log in, so index cards are nice for that too. It's a flexible system. I've been thinking of writing my passwords in a book but I never had the motivation to do it in several years because the index cards are doing their job well.

[pancake]

Skylee: Use a password manager.

[ansileran]

Passwords managers are a bit more secured as just letting your webbrowser store your passwords, but they still are listed in a file on your computer. Every time you unlock this file, all your passwords become accessible and there are spywares designed to look for this... Of course, being paranoid about computer security is annoying, so I guess it just depends on what your passwords protect : I would never use such a thing to store the passwords for my bank accounts but it might be fine for other things...

[pancake]

Ansileran: What kind of Internet banking is only protected by a password though? Challenge/response authentication (by means of e.g. RSA SecurID) is the way to go for real security.

[skylee]

What kind of Internet banking is only protected by a password though?

From what I know many banks' internet banking seems to require no more than a username and a password (e.g. Bank of China HK, Standard Chartered HK, Citibank, etc).

HSBC (HK) provides each user with a security device that generates a security code that you input when you access its internet banking. I find it very troublesome as it requires me to carry that device (although it is small). Some other banks text a second access code for input to their webpages, and this I think is more user-friendly.

[pancake]

From what I know many banks' internet banking seems to require no more than a username and a password (e.g. Bank of China HK, Standard Chartered HK, Citibank, etc).

Wow, that's just making things too easy for the criminally-minded. I can't believe that anyone is willing to bank with them.

HSBC (HK) provides each user with a security device that generates a security code that you input when you access its internet banking. I find it very troublesome as it requires me to carry that device (although it is small). Some other banks text a second access code for input to their webpages, and this I think is more user-friendly.

Personally, in a security vs. convenience tradeoff, I would prefer to have banks err on the side of security. Though the GSM network is hardly invulnerable to snooping, at least they are way ahead (security-wise) of the cowboys relying on static authentication credentials.

[ansileran]

I have accounts in three different banks in France (other than HSBC) and the only thing require before tranferring funds is to enter your password again, so if someone steals it, then this person won't have any trouble emptying the account... Of course, the way you enter your password is more secured than simply typing it and it can't be registered by your webbrowser.

[skylee]

But then there are other security measures other than passwords and codes, e.g. you need to pre-register at the bank in person, showing your ID, if you plan to transfer funds to other banks or to accounts other than your own using internet banking.

[ansileran]

Not for me... I do it all online, just enter the account number I wish to transfer funds to...

[valikor]

I dealt with the same issues described earlier in this thread (a month or two ago), and just today Gmail warned me that it had detected a possible unauthorized access of my account.

Unknown China (unitedlayer.com:207.7.138.117) Sep 6 (1 day ago)

I'm not entirely clear on this, since it says that it came from China, and used an "unknown access type", but the IP address appears to be in San Francisco.

[roddy]

That's a Witopia IP address - not only has it tried to access your Gmail account, it's made numerous posts on these forums. Nothing to worry about, assuming you're a Witopia user (or of some other VPN, there could be reselling going on).

[valikor]

I don't have a VPN but I must have used a friend. I guess it's a false alarm then. I wonder why it waited a whole day before warning me... otherwise I probably would have figured it out.

[roddy]

I've started getting the account access warnings from Gmail also - all associated with VPN use, guess it does look a bit dodgy if you're logging in from China one minute and Washington DC the next. I'm actually a bit surprised my online banking hasn't spotted this as some kind of issue.

[Matty]

I've had a look, I couldn't find anything unusual when trying to log into my GMail account.

There's a few potential solutions I could think of to make your account safer:

1) Method 1

Having 2x GMail accounts, one as your main and another as a proxy account.

The proxy account which downloads email from the main account via POP, and setting up the proxy account to send emails on behalf of your main account.

I may write a paper on this later with more specific instructions.

2) Method 2

Or get a "free" * google apps email account. You'd have to have your own domain name (.com) for this which costs about $10 per year.

Your sign in address would then be http://www.google.com/a/yourdomain.com and your email could be anythingyouwant@yourdomain.com

This would skip the need for accessing http://www.gmail.com

You could also set this us to get messages from your old gmail account on it's own.

NOTE: yourdomain.com can be anything you choose that isn't taken.

IMPORTANT NOTE: Once you have a for your own email it's hard to get rid of as you'll lose it when/if it expires. So if you do this be prepared to pay $10 per year forever.

If you're interested in this, I can help, I've done it a hundred times (ok maybe about 10 really)

3） Method 3

You could use a client such as Thunderbird to download messages via POP and essentially skipping using the website - I can't guarantee they can't exploit this...

NOTE: ========> Make sure the client leaves a copy all messages on server before the first download

========================

I can't guarantee any of these but they're just some ideas.