by Reb Akiva @ Mystical Paths
Part 3 of on online security after having my Google accounts stolen by a hacker…and I’m a computer expert!
Now it’s time to get serious. Parts 1 and 2 will protect you from your neighborhood hacker, the teen next store and my 13 year old son (who keeps telling me he “almost” got into his friend’s Facebook or Gmail account). But I was hacked with a secure connection, good password, virus and spyware protection. That level of attack requires a more serious level of protection. Unfortunately that means this article will be more technical than the past ones (though I’ll do my best to keep it understandable to the average person – no guarantees though).
Right before writing this article I was contacted by someone else in my neighborhood who was hacked the same way by the same hacker!
So here we go…
When you log in to Google or Facebook, Google or Facebook injects a marker into your browser noting that you’re authorized. (This is called a browser cookie.) Each one of these markers or cookies has an expiration date and time. Many web sites set an expiration time of 5 or 10 minutes. Meaning, if you don’t do something on the site every 5 or 10 minutes, your authorization expires and you have to log in again.
Having to log in again and again is a pain, so Google and Facebook set your authorization time to days or weeks. This is why you can disconnect from the Internet while leaving Facebook or Gmail up in your browser and have it still work after you reconnect. Great for your convenience but bad for security (which is why your bank or stock trading account never does this).
If I can steal that cookie from your browser I can access your Google or Facebook and change your passwords to take control. Part 1 of these articles described a main way to do this is by “listening in” to your computer’s conversation with Google or Facebook and described how to turn on a secure (encrypted – SSL) connection to prevent this (and turn on security for your home network to prevent a local listener). That’s the attack method of your neighborhood hacker. The professional hacker has other ways to grab the same marker/cookie.
If you’re in Gmail in one browser tab and open another browser tab for another Google product (like Reader or Plus or Documents), you don’t have to log in again. This is because any tab that identifies itself as Google is allowed to check the marker/cookie to see if you’re logged in.
So a hacker can steal your logged-in marker/cookie IF you go to a web site that has a hidden program (a ‘script’) that; pretends to be Google OR breaks through the browser security to steal information from another tab. These things aren’t supposed to be possible…except sometimes they are. This is called a Cross Site Attack (cross site scripting attack, cross site reference attack, and more, also called XSS).
There’s a second method a professional hacker can use that doesn’t defeat security, it tricks you into doing it for him. Web sites are allowed to pop-up windows and open new tabs in your browser. This is normal behavior if you click a link on many sites. A hack attack site may open a tab or pop up a window that looks like Google or Facebook without you doing anything or just passing over part of the page, asking for your login information. Since you’ve got Google or Facebook open in another tab, you figure it simply timed-out and needs you to re-login. So you enter your info, the pop-up or tab disappears and everything seems normal…except you just gave away your login information to the hacker. This is called ClickJacking.
Here’s three ways to prevent this type of attack:
1. Do NOT open additional tabs and go to ANY OTHER web site while logged into Google or Facebook. Only go to Google or Facebook sites (NOT Facebook apps).
2. Use the Firefox browser with the NoScripts add-on. This add-on specifically protects against Cross Site and ClickJacking attacks.
3. Use one browser (like Chrome) for Google and Facebook, and another browser of a different type (like Firefox) for all other web browsing.
You can combine 2 and 3 for additional security. Plus, crank up your Google and Facebook by adding these settings… First for Google…
Turn OFF multiple-sign-on. Prevents someone logging in to your account from somewhere else (in theory) while you are logged in.
Check what other applications are allowed to access your account. This is another door to your account. It’s normally used if you go to a site that allows you to “Sign On with Google”. DON’T DO IT (convenient but insecure).
As you can see from below, I allow the site called Plaxo to use my Google login information. No others (and I’ll be removing that one).
Now for Facebook…
Login Notifications – sends you an email if someone logs in to your account from another computer. Lets you know your being hacked! Activate it!
Login Approvals – that’s the 2-level authorization that sends a code to your phone if it gets a login from a computer that hasn’t logged into your account before. Activate it!
Recognized Devices – these are the computers that Facebook recognizes as allowed to access your account. Add your home computer, office computer and anywhere else you log in from frequently.
Active Sessions – this says where you are logged in from right now. As I said above, a login authorization can last weeks or a month, so you may see places you were in the recent past. IF YOU SEE SOMEWHERE that you weren’t or that’s not you, close the session.
FINAL SUGGESTIONS -
Your online information and accounts ARE NOT SECURE. Even with all of this, there is the possibility that you WILL BE HACKED at some point. Here’s easy measures you should take for that eventuality:
Export your contacts -
Then Export Contacts on the More drop-down.
Backing up your email archive is harder. Here’s a site that has instructions on how to do it…which is basically start up another email account and use the IMAP feature to get your emails.
If you use Google Docs or Blogger, set up a backup account that you don’t normally use and give it administrative access (for Blogger) and Share/Edit rights (for Google Docs).
For the real technie, a good options to guarantee control of your accounts is to buy a domain, use domain-lock transfer protection, set up either forwarding emails or get low price hosting and make your email accounts, and then use Gmail (assuming it’s your favorite email client) to POP3 pull the emails from there. Since your domain is locked and hosting operates by personal info, even if it’s briefly hacked a phone call will get it back.
GETTING BACK YOUR GOOGLE / GMAIL ACCOUNT…
Getting back your stolen Google account is HARD. Google has a recovery form that requires you to be logged into another Google account and then provide a LONG LIST of detailed information about your Google account. This information includes…
What Google products you use (Gmail, Youtube, Blogger, etc). WHEN you started to use each one (month, year). In Gmail, what your Labels are, who are the top 5 email-addresses you email, did you create your account by invite, who invited you, when did you create your account (day, month, year). What was the recovery email address, what were the recovery phone numbers (if using 2-step verification).
IF you get all of those correct, you will get a quick automated response. IF NOT, you’re up for human review which may take anywhere from 1 day to 1 MONTH. There is no help desk, no help email, no help phone number. There is not even any way to PAY to get a human involved.
If you can’t get enough information correct, you’re only choice is to keep trying until you get more correct or to beg the help-volunteers on the Google help forums (help.google.com). The assistance of about 50 readers posting on my help request in the help forum was what got Google’s attention to help me.
Be prepared. Secure everything you can. Backup everything you can. Prepare backup access. And gather all the info necessary in case you’re hacked.
Don’t make my mistake. It can and does happen, even to those (like me) who think they know better.