Google Mail Security

Just how secure is a Gmail account? And what lengths does one have to go to in order to regain access to an account if it is hacked?

Every year, hackers gather at the DefCon convention in Las Vegas to show off their latest tools. At the last DefCon event, one of the attendees, 'Hamster', showed how the cookies sent by your computer when signing into a Google account can be copied, allowing the hacker to clone the account, with all the implications that carries.

I'm pretty sure this happened to me whilst travelling through London's Heathrow Airport recently. All was well when I boarded the flight home, but on landing I had lost access to my Gmail account, the principal email account I use. A new password was in place, the secondary email (for password recovery) had been altered, and my security questions wiped.

Google carries more of my online services than any other company. It carries my email, and I rely on the auto-complete for many addresses; Google Docs hosts a number of shared documents for myself and the projects I'm involved in; and Google Calendar gives me access to the timetable of the community radio station I help run. In short, not only could I not get access to my day-to-day life, or three years of archives... someone else had.

Luckily I've never committed any passwords or financial information to Gmail, so beyond a failed attempt to get into eBay and PayPal, I didn't suffer any financial damage. Google returned access to me within 48 hours of reporting the account as 'compromised', but it is a lengthy process that, given the number of people using Google for business-critical tasks, you can't take for granted will work in your favour. So what should you be doing?


Gather information

If your account is compromised, Google's Help Centre will be looking for information to prove that you are the owner. Glance at this form now and, if you can't answer all the questions (without looking at your Google account), find the answers out, write them down and keep them somewhere safe (and not in a Google-based repository).

My major concern, if I had to start from scratch again, was my contacts and email addresses. Gmail allows you to export these as a vCard or CSV file: click on Contacts on the left-hand side of the web interface to get this option. There's no reason not to get this file onto your hard drive today.

Be careful when browsing

While Google signs you in via a secure web page, the online applications themselves use regular http, which the RABBITT hack (as detailed by Hamster from DefCon) exploits. The simple workaround is to always type the Gmail address beginning with https (note the s after http) when logging in, and similarly to force https with the other services. This keeps the entire session on a secure http connection, not just the login. It's always important to log out as well, to end the session and effectively 'expire' your connection.

The exploit requires you to be browsing over Wi-Fi, so crowded and popular hotspots (such as Heathrow...) should be avoided. If you have to check your mail, consider using Google's Java client for a smartphone, or a POP3/IMAP mail client rather than the web browser interface. If wireless connectivity is essential, consider investing in a 3G data modem for use in your country of origin. In the UK, monthly subscriptions start at 10 for 3G data services, including the hardware needed to connect.
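The point of the https advice above is that a session cookie is only as private as the connection it travels over. The following is an added example, not code from the original article or from Google: it uses Python's standard cookie jar to show which cookies a browser-style policy attaches to a plain-http request versus an https one. The hostname, cookie names and values are constructed for the demonstration. Only cookies carrying the Secure attribute are withheld from http, which is why forcing https on every page of the session matters: a single later http request to the same host sends every non-Secure cookie in cleartext, which is exactly what a sniffer on a shared Wi-Fi hotspot collects.

```python
# Added example (not from the original article): which cookies a browser-style
# cookie jar would attach to a plain-http request versus an https one.
# Only cookies carrying the Secure attribute are withheld from http, so any
# http request in an otherwise-https session exposes the non-Secure ones.
# Hostname, cookie names and values below are constructed for the demo.
import http.cookiejar
import urllib.parse
import urllib.request

DOMAIN = "mail.example.test"  # constructed hostname, not a real service


def make_cookie(name, value, domain, secure):
    """Build a Netscape-style (version 0) session cookie for the jar."""
    return http.cookiejar.Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=domain, domain_specified=False, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def build_jar():
    """A jar holding one cookie without the Secure flag and one with it."""
    jar = http.cookiejar.CookieJar()
    jar.set_cookie(make_cookie("session", "tok-plain-001", DOMAIN, secure=False))
    jar.set_cookie(make_cookie("session_secure", "tok-sec-002", DOMAIN, secure=True))
    return jar


def cookies_sent_to(url, jar):
    """Names of the cookies the jar's policy would attach to a request for url."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)  # applies the same scheme/domain/path checks a browser does
    header = req.get_header("Cookie")
    if header is None:
        return []
    return sorted(part.split("=", 1)[0] for part in header.split("; "))


def force_https(url):
    """The article's workaround: rewrite a plain-http address to https."""
    parts = urllib.parse.urlsplit(url)
    if parts.scheme == "http":
        parts = parts._replace(scheme="https")
    return urllib.parse.urlunsplit(parts)


def exposed_over_http(url, jar):
    """Cookies that would travel in cleartext if the session ever fell back to http."""
    plain = urllib.parse.urlunsplit(urllib.parse.urlsplit(url)._replace(scheme="http"))
    return cookies_sent_to(plain, jar)


if __name__ == "__main__":
    jar = build_jar()
    plain_url = "http://" + DOMAIN + "/mail/"
    print("http  sends:", cookies_sent_to(plain_url, jar))
    print("https sends:", cookies_sent_to(force_https(plain_url), jar))
    print("leaked on any http hop:", exposed_over_http(force_https(plain_url), jar))
```

Running it shows the http request carrying only the non-Secure `session` cookie and the https request carrying both; `exposed_over_http` names what a mixed session would leak. The defender's lesson matches the article's: typing https is necessary, but the real protection is a service that marks its session cookies Secure so that no http hop can carry them at all.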


Trapdoors for when it goes awry

And what should you do if it happens to you? The first step is to report it to Google as soon as possible, and keep a note of what you send via the forms. But to keep everything running in the meantime, there are two 'trapdoors' you might want to consider putting in place.

The first is to not give out your Gmail address, but rather an email address you control (perhaps on a private domain) that simply forwards everything it receives into your Gmail account. If you lose access to the account, you can point your forwarding address somewhere that is accessible, ensuring that new incoming email is not interrupted while you recover access to Gmail.

The second is to have Gmail forward every mail it receives to another mailbox. Of course, this can be switched off by whoever compromises your account, but if you are simply locked out for 24 hours, you'll still be able to carry on receiving mail.

It's worth pointing out that Gmail, like many Web 2.0 sites, is still in beta, and is therefore still 'use at your own risk'. Google makes no promises on data integrity at all, and reserves the right to delete your account with no notice or reason. While it may be one of the better online email services, relying on it for business purposes is not wise.