For most people, webmail is their main personal account – used for everything from keeping in touch with friends and relatives to dealing with banks, government, shopping sites and other online services.
The ‘Big 3’ are Google’s Gmail, Yahoo! Mail and Microsoft’s Outlook.com (formerly Hotmail), and even two years ago they were estimated to have over a billion users between them.
Webmail is a prime target for cybercrooks so it’s vital we all keep our accounts as safe and secure as possible. Here are some of the most important steps to keep unwanted people out of your account.
1. Secure your password
The password is still the baseline form of authentication, and by now we should all understand the importance of picking a good one: long, hard to guess, hard to crack, and not reused anywhere else. Reuse matters more for webmail than for almost any other account, because a leaked password from some other site will be tried against your mailbox, and the mailbox is where password resets for everything else arrive.
Password managers can help with this, but your primary webmail account may well be one of the few you keep in your own memory instead. It’s OK to write your password down, as long as you keep the written copy somewhere safe. Whatever you do, avoid the old favourite of the post-it note on the side of your screen.
Don’t share it with social media sites. The likes of LinkedIn love to offer you “simple” ways of uploading your contact lists and other data to their systems, often for their own benefit as much as yours, and will ask for your webmail password to do it. Handing over the password gives them (and anyone who breaks into them) the run of your whole mailbox, not just your address book. Just say no to such kind offers.
Learn to spot and avoid phishing attempts, and when entering your password in a browser make sure you’re at the right site, with HTTPS enabled and the address exactly as you expect. Password managers can help here too: they match the stored site address before filling anything in, so they will refuse to enter your password on a lookalike domain.
Finally, make sure your password recovery and reset options are safe, because an attacker who can reset your password has no need to guess it. Your secondary email address and phone number need to be at least as secure as the account itself. A work email account can serve, as long as you trust the security awareness of the IT admins at your place of work and remember that you will lose access to it if you change jobs. Use a personal mobile number that only you have access to, and bear in mind that a determined attacker may try to talk your phone company into moving your number to a SIM they control.
Another common reset option is a “security question”. Make sure the answer you choose is not something that can be easily found out. Your mother’s maiden name and your first school are not secrets, and even the name of your first pet or your favourite type of pie may be easy to discover by digging through your social postings. Ideally, treat the answer as a second password: make it a random, nonsense passphrase that bears no relation to the question and could never be guessed, and store it in a secure form such as a note in a password manager if you can’t easily remember it.
2. Toughen up your login with 2-factor authentication
Any decent provider offers two-factor authentication (2FA), sometimes under the name “2-step verification” or, in the case of Yahoo! Mail, “second sign-in verification”.
Adding a second factor to the login process puts a much bigger hurdle in the way of hackers. If they somehow get hold of your password they still can’t get in unless they also obtain the second factor, typically a code that only your phone or a device in your possession can produce.
You can have your mail provider send a one-time code as a text message or voice call every time you log in to your account. If you don’t have a mobile phone that can receive SMS, some systems let you use a landline and receive the code as an automated voice message. Codes sent by phone are the weakest form of second factor, since they depend on the security of your phone number, but they are a great deal better than no second factor at all.
Some providers also offer the option of a code-generating device or app. Google’s Authenticator app is supported by both Gmail and Outlook.com because it implements the open TOTP standard (RFC 6238), which means any other app that implements the same standard will work just as well. The app is available for most mobile platforms and can hold codes for other services too, including Dropbox, Evernote, Facebook, Tumblr, WordPress and several password managers.
The main advantage of an authenticator app or a standalone code-generating dongle is that the codes are computed from a secret shared with the provider and the current time, so you can get them even when you don’t have access to a phone network, or want to avoid phone charges. Google’s app has had some wobbles in the past, but is generally reliable and simple to operate.
To avoid the hassle of always needing a code, you can usually tell your webmail provider to trust a given computer once the initial code has been entered, so future logins on that machine will only require your usual password. Only do this on devices you own and control, never on a shared or public machine.
Two related features are easy to confuse. For devices and programs that can’t prompt for a second code, such as the mail app on a phone or a mail client like Outlook or Thunderbird, providers let you generate an “app password”: a separate long random password used in place of your normal one by that application alone, which you can revoke individually from your account settings. Separately, you should be able to generate a list of one-off backup codes, each usable exactly once, for when you lose your phone or can’t receive codes. Print them off and store them in a safe place, or paste them into a file and encrypt it strongly.
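To make the code-generating app and the backup codes concrete, here is an added example that is not code from the original article or from any mail provider. It implements the TOTP scheme that Google Authenticator and compatible apps use (RFC 6238 on top of RFC 4226), shows the provider-side check with tolerance for clock drift, and handles one-off backup codes the way a provider should: stored only as hashes and deleted on use. The secret is the published RFC test key, not a real account key, and the `BackupCodeStore` class is an illustration of the idea rather than any provider’s actual implementation.

```python
"""Added example for this article (not code from the original page or any
provider): how an authenticator app such as Google Authenticator derives its
codes, how a provider verifies them, and how one-off backup codes are
handled. Standard library only. The secret below is the RFC 4226/6238 test
key, Base32-encoded the way providers display it for manual entry; it is a
published test value, not a real account key."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Optional

DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # ASCII "12345678901234567890"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically
    truncated to a 31-bit integer, then reduced to the requested digits."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[float] = None, step: int = 30) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step). Only the shared
    secret and the clock are needed, which is why the app works with no
    phone signal."""
    now = time.time() if at is None else at
    return hotp(secret_b32, int(now // step))


def verify_totp(secret_b32: str, candidate: str, at: Optional[float] = None,
                step: int = 30, window: int = 1) -> bool:
    """Provider-side check. Accepts the current code or one step either side
    to tolerate clock drift, comparing in constant time so the check does not
    leak how many digits matched. A real server must also rate-limit
    attempts and refuse to accept the same code twice within its window."""
    if len(candidate) != 6 or not candidate.isdigit():
        return False  # reject malformed input before any comparison
    now = time.time() if at is None else at
    counter = int(now // step)
    return any(
        hmac.compare_digest(hotp(secret_b32, counter + delta), candidate)
        for delta in range(-window, window + 1)
    )


def generate_backup_codes(count: int = 10) -> List[str]:
    """One-off codes of the kind a provider prints for use when the phone is
    lost: 40 bits from the OS randomness source, shown as 10 hex characters."""
    return [secrets.token_hex(5) for _ in range(count)]


class BackupCodeStore:
    """Illustrative provider-side handling of backup codes: keep only a hash
    of each, and drop the hash when a code is redeemed so it can never be
    reused. (Assumed design, not any provider's actual implementation.)"""

    def __init__(self, codes: List[str]) -> None:
        self._hashes = {self._hash(c) for c in codes}

    @staticmethod
    def _hash(code: str) -> str:
        return hashlib.sha256(code.strip().lower().encode()).hexdigest()

    def redeem(self, candidate: str) -> bool:
        digest = self._hash(candidate)
        if digest not in self._hashes:
            return False
        self._hashes.discard(digest)  # single use: gone once redeemed
        return True

    def remaining(self) -> int:
        return len(self._hashes)


if __name__ == "__main__":
    print("Current code:", totp(DEMO_SECRET_B32))
    print("Code at T=59 (RFC 6238 test vector):", totp(DEMO_SECRET_B32, at=59))
    codes = generate_backup_codes()
    store = BackupCodeStore(codes)
    print("Backup codes (print and keep safe):", " ".join(codes))
    print("First redeem:", store.redeem(codes[0]), "second redeem:", store.redeem(codes[0]))
```

Two points worth noticing: the phone and the server never talk to each other, they simply agree on the secret at setup time and both know the time, so the codes keep working with no signal; and an attacker who steals the provider’s backup-code table only gets hashes, while a code printed on paper is worthless once it has been used.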
3. Secure the devices you use to access webmail
You need to make sure your “trusted” devices are worth that trust. A trusted computer with malware on it hands over your password, your session and any codes you type, so keep your computers and mobiles well protected against malware, with quality security software that is properly configured and kept up to date.
Keep your operating system and all other software fully patched and up to date too; you never know which unpatched hole will become the route the bad guys use to get past your defences.
Also make sure you have a screen lock, and that it engages whenever you leave your computer for more than a few moments and whenever your phone goes to sleep. Use the strongest passwords you can handle for both your computer login and your mobile screen lock, and keep those codes safe too.
Avoid using public machines to access your mail wherever possible. If you have to log in from a cybercafe or hotel, be very cautious: make sure 2FA is enabled first, never tick the “trust this computer” option, log out when you finish, and change your password once you’re back on safe ground.
If you’re using a trusted machine but an unknown connection, such as public wifi in an airport or coffee shop, consider using a VPN to connect to the net through an encrypted tunnel. A range of online services are available, or you can run your own VPN server at home and tunnel back through it from wherever you find yourself.
4. Check your settings and alerts
Check through all the settings every few months, and have a good look at the security and privacy sections. Look out for any changes that might have been made by malicious intruders or by the service provider in the course of an update or policy tweak.
It’s worth noting that for some services like Google or Outlook settings may be split between the email-centered options and wider account options, so you may need to look in both places.
If you’re worried someone may have intruded into your account, a good place to start is the recent sign-in activity. Keep an eye on the details of recent logins, and make sure there are none from unexpected places, at unexpected times or from unfamiliar devices and mail clients.
Also check the automatic forwarding of emails to another account. If someone has accessed your settings they may well have set this up, and a forwarding rule keeps working after you change your password, so check it for addresses you don’t know.
In some services such as Gmail, you can also grant full access to your account, including contacts as well as mail, to “delegate” accounts, and separately authorise websites and apps to read your data. This can be even more powerful than forwarding, and the lists shouldn’t contain anything you don’t both want and need in there.
Get to know the full range of options offered by your provider, and consider how they could be abused. Watch for any unexpected changes.
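The checks above can be written down, which makes them easier to repeat every few months. The following is an added example, not code from the original article or from any provider: it runs the section’s checks over a constructed sign-in history and settings snapshot of the kind a provider shows on its “recent activity” and “forwarding” pages. Every record, country code and address in it is made up for illustration, and the “impossible travel” rule (two logins from different countries only minutes apart) is an extra check beyond what the text describes.

```python
"""Added example for this article, not code from the original page or from
any mail provider: the checks in section 4 applied to a constructed sign-in
history and settings snapshot of the kind shown on a provider's "recent
activity" and "forwarding" pages. Every record, country and address below
is made up for illustration."""
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sign-in history: (ISO timestamp, country code, client).
SIGNIN_HISTORY: List[Tuple[str, str, str]] = [
    ("2014-09-01T08:12:00", "GB", "Chrome on Windows"),
    ("2014-09-01T19:40:00", "GB", "Mail app on Android"),
    ("2014-09-02T07:55:00", "GB", "Chrome on Windows"),
    ("2014-09-02T08:03:00", "NG", "IMAP client"),
    ("2014-09-03T21:30:00", "GB", "Mail app on Android"),
]

# Constructed settings snapshot: the three things the article says to check.
SETTINGS: Dict[str, List[str]] = {
    "forwarding": ["me@example.org", "archive-copy@example.net"],
    "delegates": ["assistant@example.com"],
    "connected_apps": ["Calendar sync", "Unknown mail reader"],
}

# What the account owner recognises; anything else deserves a question.
HOME_COUNTRIES: Set[str] = {"GB"}
KNOWN_FORWARDING: Set[str] = {"me@example.org"}
KNOWN_DELEGATES: Set[str] = set()
KNOWN_APPS: Set[str] = {"Calendar sync"}


def unexpected_signins(history, home_countries, travel_window_hours=2):
    """Flag logins from outside the owner's usual countries, and 'impossible
    travel': consecutive logins from different countries closer together
    than anyone could plausibly travel."""
    findings = []
    previous = None  # (datetime, country) of the last login seen
    for ts, country, client in history:
        when = datetime.fromisoformat(ts)
        if country not in home_countries:
            findings.append(f"{ts}: login from {country} via {client}")
        if previous is not None:
            prev_when, prev_country = previous
            gap = when - prev_when
            if prev_country != country and gap < timedelta(hours=travel_window_hours):
                minutes = int(gap.total_seconds() // 60)
                findings.append(f"{ts}: {prev_country} then {country} only {minutes} min apart")
        previous = (when, country)
    return findings


def unexpected_settings(settings, known_forwarding, known_delegates, known_apps):
    """Flag forwarding targets, delegates and connected apps the owner does
    not recognise. None of these are undone by a password change, so an
    intruder who set them up keeps reading mail until they are removed."""
    findings = []
    for addr in settings.get("forwarding", []):
        if addr not in known_forwarding:
            findings.append(f"mail is being forwarded to unrecognised address {addr}")
    for who in settings.get("delegates", []):
        if who not in known_delegates:
            findings.append(f"{who} has delegated (full) access to the mailbox")
    for app in settings.get("connected_apps", []):
        if app not in known_apps:
            findings.append(f"unrecognised app has been granted access: {app}")
    return findings


if __name__ == "__main__":
    for line in unexpected_signins(SIGNIN_HISTORY, HOME_COUNTRIES):
        print("SIGN-IN:", line)
    for line in unexpected_settings(SETTINGS, KNOWN_FORWARDING, KNOWN_DELEGATES, KNOWN_APPS):
        print("SETTINGS:", line)
```

Run against the constructed data it reports the Nigerian IMAP login (both as a foreign login and as impossible travel eight minutes after a British one), the extra forwarding address, the delegate and the unknown app. The allow-lists are the part worth maintaining: the value of the check comes from comparing what the provider shows against what you know you set up.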
5. Secure your content
One last thing to consider, especially relevant in the wake of the recent spate of celebrity photo thefts: email accounts hang on to all sorts of information, buried in countless streams of conversation, and it all becomes readable the moment the account is breached.
With large amounts of free storage, they also make a handy repository for things we don’t want to lose or forget.
Think about what goes into your emails. If you have anything especially sensitive that you wouldn’t want leaking to the world at large, sending it by email (even just to yourself) is probably not the safest thing to do, since a copy then sits in the mailbox indefinitely.
If you really have to send or store highly sensitive material, encrypt it well before it goes anywhere near your mailbox, and keep the key somewhere other than the mailbox itself.
Images of email security, phone and phone courtesy of Shutterstock.
Gmail does not support 2FA when you select Nigeria as your country. Reported that to support but they don’t seem to care.
This seems to have been the case for at least two years, but I can find no explanation of why it might be, other than a rather vague comment on a blog post, apparently left by a Google spokesperson, claiming it would be re-enabled shortly (again, that was in 2012).
There are potential workarounds – for example, there are phone apps which will give you a free US number you can receive SMS on via the internet, which could be used for setup before switching to the Authenticator app if you don’t want to keep using the SMS app.
Nigeria? I just got an email from your expatriated Prince the other day! I’ll ask him about this issue when I email him back with my mother’s maiden name and high school mascot.
Let’s get real for a second here. Even if you do all of the above, the providers themselves can’t be trusted, and they can break into your account and read your mail anytime they want. Google and Microsoft have terrible histories with respect to respecting their users and those users’ privacy.
Because a web mail account is hosted on public-facing servers, perhaps you shouldn’t be using web mail at all for anything important. If you use a traditional email client, the mail is sitting on *your* computer, not Google’s. Since Google will read your email to tailor ads as well as to rat you out to the NSA, you can’t trust them any farther than you can throw them, and I suspect the same is true of the others as well. If you use a regular old email client, the only privacy intrusion you have to worry about is the NSA tracing your mail across the network. Once it’s received by you, someone has to break into *your* computer to get it. You can keep it backed up on a detachable hard drive in case of equipment failure, and at least this way your info isn’t sitting out on a server on the net waiting to get hacked. Just a thought…
This really comes down to the trade-off between privacy and convenience – webmail is much easier to use in a more flexible way. Plus of course, unless you go to the trouble and expense of running your own mail server (not recommended unless you really know what you’re doing), your mail is still going through the servers of your provider, who will have all the access people like Google or MS have, and may well keep backups which will be just as accessible to law enforcement etc.
That said, the EFF does recommend that journalists and others at risk of surveillance from repressive regimes avoid using webmail, or at least set it up to download mails to a client using POP, deleting mail from the server as it’s downloaded – see https://ssd.eff.org/3rdparties/protect/email-webmail
If you really need privacy, however you access your mail you should consider encrypting everything using PKI such as GPG, but that requires your contacts to use the same approach, which seriously impacts convenience.
Just because you ‘pull and delete’ your mail using POP to a client does not guarantee your mail is not still on a server as a backup somewhere. Best assumption is *all* email is forever and ever; there is no ultimate security.
Apple email does not accept 2 step verification with Gmail…
“…or you can even run your own VPN and connect safely via your own home from wherever you find yourself”
How can I do that? Not really a “techie” when it comes to things like this.