Protecting your data in the cloud

Friday, October 15, 2010 9:38 AM



Like many people, you probably store a lot of important information in your Google Account. I personally check my Gmail account every day (sometimes several times a day) and rely on having access to my mail and contacts wherever I go. Aside from Gmail, my Google Account is tied to lots of other services that help me manage my life and interests: photos, documents, blogs, calendars, and more. That is to say, my Google Account is very valuable to me.

Unfortunately, a Google Account is also valuable in the eyes of spammers and other people looking to do harm. It’s not so much about your specific account, but rather the fact that your friends and family see your Google Account as trustworthy. A perfect example is the “Mugged in London” phishing scam that aims to trick your contacts into wiring money — ostensibly to help you out. If your account is compromised and used to send these messages, your well-meaning friends may find themselves out a chunk of change. If you have sensitive information in your account, it may also be at risk of improper access.

As part of National Cyber Security Awareness month, we want to let you know what you can do to better protect your Google Account.

Stay one step ahead of the bad guys

Account hijackers prey on the bad habits of the average Internet user. Understanding common hijacking techniques and using better security practices will help you stay one step ahead of them.

The most common ways hijackers can get access to your Google password are:
  • Password re-use: You sign up for an account on a third-party site with your Google username and password. If that site is hacked and your sign-in information is discovered, the hijacker has easy access to your Google Account.
  • Malware: You use a computer with infected software that is designed to steal your passwords as you type (“keylogging”) or grab them from your browser’s cache data.
  • Phishing: You respond to a website, email, or phone call that claims to come from a legitimate organization and asks for your username and password.
  • Brute force: You use a password that’s easy to guess, like your first or last name plus your birth date (“Laura1968”), or you provide an answer to a secret question that’s common and therefore easy to guess, like “pizza” for “What is your favorite food?”
As you can see, hijackers have many tactics for stealing your password, and it’s important to be aware of all of them.

Take control of your account security across the web

Online accounts that share passwords are like a line of dominoes: When one falls, it doesn’t take much for the others to fall, too. This is why you should choose unique passwords for important accounts like Gmail (your Google Account), your bank, commerce sites, and social networking sites. We’re also working on technology that adds another layer of protection beyond your password to make your Google Account significantly more secure.

Choosing a unique password is not enough to secure your Google Account against every possible threat. That’s why we’ve created an easy-to-use checklist to help you secure your computer, browser, Gmail, and Google Account. We encourage you to go through the entire checklist, but want to highlight these tips:
  • Never re-use passwords for your important accounts like online banking, email, social networking, and commerce.
  • Change your password periodically, and be sure to do so for important accounts whenever you suspect one of them may have been at risk. Don’t just change your password by a few letters or numbers (“Aquarius5” to “Aquarius6”); change the combination of letters and numbers to something unique each time.
  • Never respond to messages, non-Google websites, or phone calls asking for your Google username or password; a legitimate organization will not ask you for this type of information. Report these messages to us so we can take action. If you responded and can no longer access your account, visit our account recovery page.
We hope you’ll take action to ensure your security across the web, not just on Google. Run regular virus scans, don’t re-use your passwords, and keep your software and account recovery information up to date. These simple yet powerful steps can make a difference when it really counts.
The comments you read here belong only to the person who posted them. We do, however, reserve the right to remove off-topic comments.

29 comments:

Craig said...

Using different passwords can be pretty unmanageable when you have over 30 or so accounts. One thing that helps me is using a system. For example taking the 2nd and 3rd to last letters in the domain, picking some letter in the alphabet relative to them and mixing them with your password. So my facebook password would take "o" and "o" change them to "p" and "n" and mix them with my static password "euhif" making "eupnhif". The problem with this is that you shouldn't try more than one variation on a site in case that site is compromised, they may figure out your system. I heard a story of Mark Zuckerberg doing something like this, haha. Instead, just click, forgot password and make it consistent with your system. Then when you change passwords, you can just change the static password.

NSK, Inc. said...

What a lot of Google users don't realize is how much personal data is actually stored in their Google accounts.

Not only are emails stored in the cloud but so are:

Chats within Gmail
Credit Card Info from Checkout
Google Map Searches
Phone calls made using Voice
Web History

To limit your exposure of personal data from your Google account should it become compromised -
The first thing to do is to go to the Google Homepage and (while signed in) click on Settings then Account Settings.

You will see a link underneath your Personal Setting for the Dashboard that says “View Data” on this account.

You can then adjust your settings (and pause your Web History so that Google won't record your Internet Activity).

My account was compromised a couple of weeks ago, but luckily I had reviewed the data stored in my account and had made adjustments to reduce the leak of data from my account.

Michael Lupacchino
Marketing Associate
NSK Inc
http://www.nskinc.com

DarkUFO said...

I cannot recommend Lastpass enough.

It's simply a great way to work with your passwords on both desktops, laptops and mobile devices.

CukupKlikSaja said...

How to store it ?

Time Enthusiast said...

How about using two factor authentication for critical google functions such as account setttings, google checkout and google voice.

There are many ways to accomplish this without needing a hardware token.

Dan said...

It would be nice to be able to restrict access to my accounts based on country of connection origin. I don't ever need to sign in to my account from 99% of the countries in the world, so why not let me restrict that? Seems like that would help increase security and be quite easy for end-users to understand.

Meg Spencer said...

I read about a great way to come up with multiple passwords and actually remember them a while back. Take a poem or song that you know well and break it up into short chunks. Put a number at the beginning of each bit, and use - or * for the spaces between the words (so a gmail password would be 1Mary-had-a, facebook would be 2Little-lamb-its, yahoo would be 3Fleece-was-white and so on). Then all you have to remember is the number for each site.

htw said...

I agree with Dan's idea of restricting which countries can login to our account, since for most people 99% of the countries aren't visited. However, the account owner should be able to unrestrict as and when s/he sees fit.

For example, when I'm going abroad, I would still like to be able to access my accounts.

B said...

@meg I'm not an expert, but your suggestion seems like it would be vulnerable to a slightly modified dictionary attack. A variety of letters/numbers/characters/capitalization is definitely good, but having words in your passwords is a bad idea.

It would be great if Google was able to offer another layer of security for their site. I'm slightly surprised that they haven't moved to create some new standardized way of authentication. They could throw their weight around to get a smartcard enabled login for secured sites. In the not-so-distant future I see a standardized system with everyone with a smartcard with their certs.

tommye said...

Sorry Meg, thats a bad idea. Some of the easiest passwords to crack are those that contain words you can find in a dictionary, or "dictionary words". In this case, most of the password is made up of dictionary words, making it insecure.

Wolwali said...

Interesting:

"Never respond to ... non-Google websites .. asking for your Google username or password"
and
"a legitimate organization will not ask you for this type of information"

I guess you people are aware that Facebook asks you for your Gmail user&password, if you were invited there at your Gmail address...

Are Google saying something that is incorrect? Is Facebook a legitimate organization? Or are there "undocumented" exceptions to the claim brought up in this blog?

David said...

It would be great if we could password protect google docs.

john said...

As free as texting is too many, and as many as have cell phones, I'd like a 2nd layer of authentication for sensitive sites, like banks, to text me a unique string to enter on their site that expires in, say, 5 minutes. So unless my account phone # was compromised (and it shouldn't be stored online in the same database anyway) then I can have 2 factor authentication that also stays secure even if keylogged one time.

Scorcher said...

I do use all different passwords, but they have a theme. I also make them sentences that only I could easily remember. For example, one of my passwords could be "idontlikemakinguppasswords". Based on that one, I might make another password "passwordsarentfuntomakeup", and so on and so forth. I find its really hard to guess, and its easy to remember. Of course, you could go the extra mile and add some numbers, to create somewhat of a 1337 speak password. Another example: "th15p455w0rdh45numb3rs1n1t", which translates to "This password has numbers in it"

dongxu said...

The thing about the "Mugged in London" phishing scam is that it used the contacts in your email account, so what I do is just not add any contacts in and if they auto add just delete them.
Also use some logic, wouldn't your friend call you? Money problems? They'd probably ask a relative, always willing to help.
They're holidaying alone? They'd have to use an internet cafe which costs money and so does calling, but wouldn't calling cost less than paying to just send an email?

So this all just requires some common sense.

catie said...

Guys, I can't stress enough the risk we are all at. (Myself speaking on behalf of all Gmail and iGoogle users.) Anything you download onto your computer, (ESPECIALLY those chat websites that you must download such as SecondLife, IMVU,etc. Though they may or may not be fun/addictive/an enjoyable experience, they are very unsafe. When I was 8 years of age, (I am now around the age of 15 16 17 18 and 19 I won't say my real age.)I had found IMVU very bred one day, downloaded it, started playing on it, and was addicted. It was so much fun; like living the life you always wish you could; you could make a mistake, leave the room, and no one would know who it was! No way to track you down; no way to call you or contact you unless they were to somehow meet you in the same room, at the same time. It was an awesome world of chat, and it was all cheap. (online, I mean. It didn't cost in real-life unless you wanted to upgrade for a bigger house, but that's it.) I was literally addicted.Until one day, my dad found out about it, and turned off my computer until around 4 months later. When I could finally turn it on again, something happened... a red and green flashing light/sign popped up on my computer; I HAD A VIRUS. WHERE SOMEONE COULD FIND OUT ALL OF MY PASSWORDS, email addresses/usernames, everything. From then on, after we got it fixed, I never went on a chat website except for clubpenguin again. (lol) :) the point is, you have no idea what risk you're at; if you want to download something, make SURE that you absolutely know every link/branch/effect/risk/problem/EVERYTHING ABOUT IT!! just trying to let you know what can happen. Bye!

Naresh Kumar Saini said...

Having one's password stolen for any account is a bad situation, more so in case of a service like Google. The damage can be much or very much or very very much. Still, many people easily fall prey to phishing attacks. But still I feel more people forget their passwords on their own (it may be used less frequently or a bit too complex (=strong/secure) to remember) than people becoming victims of hackers (excluding phishing attacks, perhaps).

Φ said...

The login interface or the age old methods should change considering the times we live in. Instead of the usual alphanumeric combinations or few sites that even allow special char we need to move towards a more picturesque code. Such as tiles of Images, colors, miniature blocks of preferred websites and email address of the recipient last mailed during the last login or activity performed during the last login.

These are the behavioral aspects of the user that could be made in to a key plus habitual aspects such as finger print recognition (this is not new anyway) of those fingers used to type certain text/name (more on this below).

I am not a pro with typing, I use a standard set of three fingers from my right hand and two from my left. I am sure finger print experts know lot better about the kind of impression (index finger presses harder than my pinky) each finger makes and the fingerprint on each.

The sensors could be on the keyboard or on the mouse rather as a physical input unit.

So if someone else accessing my account will not closely match or type the way I do!

Coming up with such a piece of hardware is not costly come on we have ipad, iphone and iwhatnot and considering our identity and the kind of things we have stored in there is worth investing in such a sophisticated piece of authentication method.

Madars said...

Thanks for the checklist! This is why I like Google -- you always take the security of your users very seriously.

Just one comment on executing the checklist. For me the following problem occurs:

Recent activity log for my account says "However, there may be sessions that have not been signed out.", when I click "Sign out all other sessions" and reopen recent activity log the message is the same.

This troubles me, because it makes difficult to distinguish if there actually *are* some sessions that may have remained.

What can I do?

This started when I enabled synchronization with my Nokia S60 device, but turning of the sync doesn't help. I've tried changing my password/recovery options, but to no avail.

LnxWalt said...

Wolwali, you should read the terms of service. Many providers expressly forbid the sharing of your login credentials with anyone (including Facebook).

Even if Google doesn't, it isn't wise. How long does the other site store your login information? What happens if the other site is compromised?

Ron said...

Someone hacked my account and these were the IPs he was sorking form.... also after I got my account back he was still bouncing e-mail to a different address, ronald.miller311@yahoo.com.

Access Type [ ? ]
(Browser, mobile, POP3, etc.) Location (IP address) [ ? ]
Date/Time
(Displayed in your time zone)

Browser Nigeria (41.155.83.107) 9:13 am (7 hours ago)
Browser Nigeria (41.155.59.147) 4:22 am (12 hours ago)
Browser Nigeria (41.155.91.167) Oct 18 (1 day ago)
Browser Nigeria (41.155.44.74) Oct 18 (1 day ago)
Browser Nigeria (41.155.90.6) Oct 17 (2 days ago)
Browser Nigeria (41.155.27.22) Oct 15 (4 days ago)
Browser Nigeria (41.155.27.22) Oct 15 (4 days ago)
Browser Nigeria (41.155.27.22) Oct 15 (4 days ago)



Ronald.miller311@yahoo.com

Unyo said...

Start warning people about tabnapping as well, Google.

Eric said...

Google should make their accounts accessible via OpenID or a multifactor authentication method like Yubikey. For me, using Yubikey + OpenID has made my life so much easier because I don't have to remember different passwords for every account and the one-time-passwords make logging in uber secure! Plus it is a very cheap solution and open source!

Robert said...

Is it safe to use Gmail via a public unsecured wifi connection, e.g. in a cafe?

I am assuming it is, given that the gmail login page url has https which means that the login and password will be encrypted by the user's web browser, even though this is being sent over an unsecure network.

A hacker could intercept the packets of data sent over the unsecure wifi network BUT within the packet, the login and password will be encrypted, not by the wifi service itself but by the user's web browser, before it is sent.

Comments?

George Edwards said...

I use a the first letter of a site, then move diagonally up on the keyboard to the number row. Then back to the adjacent letter I first pressed. I alternate between number row and letters for 5 keystrokes. Then I invoke the Shift Key and keystroke the same combination ending with the first letter I started with. This gives me caps, lower case, numbers and special characters. For example,
If the website is Google, the password would be g4h5jJ%H$G. I feel this is a strong 10 digit password that is easy to remember because it is just directional keystrokes.

I guess it is good that October is Cyber Security Month, otherwise I probably never would have heard about these important hints before.
As a victim of the Mugged in London scam, well not a victim in that I sent off money, a victim in that my Google Account was taken from me, I appreciate these hints.
I only wish that Google had made it clear what one must do to get their account back. Further, if you do get your account back, it comes back without any of your contacts or your saved messages.
When I used Thunderbird I knew if my hard drive failed, I would lose all my messages and contacts. That was one of the reasons I migrated from Thunderbird to Google. Google let me believe I could always access my contacts and messages.
I wish Google told me when I first joined, if my account was stolen, I would have to supply Month, Day and Year I joined Google's Reader, Gmail, Calendar, Voice etc. If I knew that, I could have saved that information in a simple text file on my computer. As it was, it took about 6 tries to get back the account. But if I knew then that I would not get back my messages and contacts, I never would have bothered trying to get back the account.
Now I read that it is a good idea to have Thunderbird download your messages and contacts to your hard drive in case your Google account is compromised.
I am very disappointed with Google not telling me all the facts up front. If I knew I could have set up a back-up. I would have tried to use DropBox or Carbonite or Mozy to hang on to that information for me.
I still use Google's products, but now at least I know I must figure out a way to back up the "Cloud"

Betsy said...

My gmail account was just used to send out the stranded in London scam. I have my account back but no saved e-mail or contacts. Is it possible to get these back? Does it do any good to tell google/gmail about this? If so, how do I do it?

S & S said...

I am not sure if google reads this but there should be as another comment has said mobile security as banks do. You can also set a location like "I am in the NY, NY" if an IP address outside the range tries to login they have to verify via sms. Or indeed if you are planning an overseas trip you could have a setting to "at large". So before you go abroad for your trips you could have this setting.
A variation on this is if you have account "lockdown" where you can lockdown your account for the evening and if you are not to access it for say 72 hours you would need sms verification to unlock it.

Finally to CHANGE a password there needs to be the option for SMS verification. At least if they get in, they can't keep you out.

Do said...

What if they hack into your account and change the backup email and phone number you set to be able to retrieve your account??

Sapient said...

Since the majority of computers log in to their accounts in local or familiar locations, you could add the option to stop connection based on IP address, geolocation, and even ISP.

Some limitations would apply, like using a public bridge or proxy server, but for the majority of users, this wouldn't be a problem.

You could also limit entrance based on the computer's identification or a computer's specific (or regularly changed) hash key for a double layer of security or for multiple "familiar" computers, if the accounts are only accessed within family networks.

Other layers of protection could be a integrated fingerprint reader, facial recognition (with a camera), and integrated id card readers (for businesses)which would only add to the security of the system. Any of which would cost from as little as $30 (fingerprint) to $100 (camera) in hardware.

And a "forgot your password" option could easily be a text message or call (especially since the call could be recorded for later evidence if proved to be a hacking attempt).

-John