Join 3,415 readers in helping fund MetaFilter (Hide)


Is someone else using my GMail?
January 6, 2007 6:35 AM   Subscribe

Is there any way to check if someone else has been accessing your GMail account?

Generally, the fact that you can login to GMail from two different computers (or browsers) at the same time is useful, but it also makes it seemingly impossible to know if your password has been compromised and someone else is reading your mail.

A similar question was asked before, but the responses do not help me. I am particularly concerned about having my password acquired through the use of a keylogger on a public machine.

I do not regularly login to Google Talk, so keeping watch to see if someone else does with my account is not a good option. Ideally, I would like a list of IP addresses from which the account has been accessed, going back as long as possible.
posted by sindark to Computers & Internet (36 answers total) 1 user marked this as a favorite
 
If you already happen to have an HTML email with an image in it, and you can gain access to the server logs where that image resides... that's probably the only way to view the (partial) past history of your account. I doubt Google's going to give it up. A similar approach might work with an HTML anchor in an email. The server logs on the linked-to machine should tell you which clicks came from your email account.

Other than that, the image trick and the logging Jabber client are probably your best bets, IMO.

I assume there's a reason you haven't just changed the password?
posted by Leon at 6:51 AM on January 6, 2007


Leon,

I use public computers all the time (in libraries, in cafes, while traveling, etc) and I change my password fairly regularly. That said, it is impossible to change my password every time I access GMail from somewhere potentially insecure.

It would therefore be exceedingly useful to have some means whereby I could check whether anyone else is using the account.
posted by sindark at 6:55 AM on January 6, 2007


LifeHacker had a brief article in how to thwart keyloggers in public places. It does not address the past, or finding if some one has accessed your email previously.

Also, I read somewhere (do not have the cite) that you should type your password randomly somewhere in a word or text document that you keep on a flash drive or usb type drive. You open that doc and copy the password and then paste it into the password slot of the app ionto which you are accessing. THis also stops a logger from getting your password. I have not tried it. YMMV.
posted by JohnnyGunn at 7:13 AM on January 6, 2007


The method mentioned in that LifeHacker article will only be effective against the most rudimentary and primitive kind of keylogger, the hardware type that is physically inserted in-line with the keyboard connector (since it cannot know how you're moving the mouse.) Keyloggers that run as rootkits/software will keep track of where the current focus is, and some are even more sophisticated (such as querying the form contents directly rather than intercepting keystrokes.) So take that advice with a huge grain of salt, it is by no means foolproof if the machine has been compromised.

As to the question at hand, I would say possible solutions would be to run your own webmail (and thus you would have access to the full server logs) and/or make sure your gmail password is not used for anything else.
posted by Rhomboid at 7:28 AM on January 6, 2007


Rhomboid,

My GMail password is already unique and very strong. There are just an unusual number of important things stored in there, thus increasing my level of concern.

While encryption is an option, I would rather have some active way of checking whether the account is being accessed by anyone else. Lots of banks already let you do this for your web banking account. If it isn't possible at present with GMail, perhaps they could set it up.
posted by sindark at 8:00 AM on January 6, 2007


contact google and suggest it, i doubt you're the only one who feels this way.
posted by dflemingdotorg at 8:08 AM on January 6, 2007


dflemingdotorg,

I have been digging through their support section for an hour and can only find a link to a discussion forum. I posted it there, but I doubt anyone at Google is watching too closely.
posted by sindark at 8:14 AM on January 6, 2007


sindark, is it possible to download the important files you're storing in gmail to a password-protected drive? I realize the text of the emails might be important too, but perhaps you can minimize your liability by removing as many emails and attachments as possible. Use offline storage of important information instead of online.
posted by cahlers at 8:21 AM on January 6, 2007


cahlers,

You are right to suggest that there are alternatives that exist for protecting specific information.

That said, being able to track login information would have value to a great many GMail users: everyone from people who suspect that their partners are surreptitiously reading their mail to those working on confidential projects.

I suspect that Google already keeps track of this information. The only change would be making it available to those using the service. In the options somewhere, it could just say "You last logged in from..." and then "View previous login information."
posted by sindark at 8:26 AM on January 6, 2007


You are wrong. If you log into gmail from a second computer, the original one gets logged out. Seriously, try it.
posted by markesh at 8:30 AM on January 6, 2007


markesh,

It works for me. Right now, I am logged into GMail from both my G4 iBook (Firefox) and a Windows 2003 Server computer at the library (Internet Explorer).
posted by sindark at 8:33 AM on January 6, 2007


Why arent you encrypting your important items? Even basic Zip encryption (with a strong password) will stop 99.999999% of internet cafe attackers. XP can natively do this. I think putting the onus on google for unauthorized access is a little unfair. Thats like me complaining to Ford that my streets are in disrepair.

I doubt you'll find a good solution with this criteria. To be safe you're best using some form of encryption or moving sensitive stuff off that account. You should assume that anything you do on a public computer will be compromised.
posted by damn dirty ape at 8:38 AM on January 6, 2007


damn dirty ape,

Encryption does work for the 'small number of very confidential messages' scenario. It doesn't work for other scenarios: for instance, the possibility of someone reading your messages in the way described in the previous thread.

It is simply not practical to use encrypted communication with the vast majority of people in the world, who generally can't be bothered to deal with it.
posted by sindark at 9:21 AM on January 6, 2007


Rhomboid, Does the second method I mentioned work to thwart key loggers?
posted by JohnnyGunn at 10:11 AM on January 6, 2007


I suspect that Google already keeps track of this information. The only change would be making it available to those using the service.

Google apparently just doesn't consider it important for GMail. In contrast, they do show this when you login to Adsense. The same top right line as GMail, but it says "whatever@gmail.com - Last login: 23 hours ago - Log Out"
posted by smackfu at 10:31 AM on January 6, 2007


Speaking of encryption, flipping from http://gmail.google.com/ to https://gmail.google.com/ (note the extra S) will limit against one class of attacks. I know it's not going to help against keyloggers, but I mention it for completeness.

There's also the option to reboot the machine into a read-only OS, but that may get you unwanted attention..

I'm wondering if a specialist proxy might do the job. Something like

[untrusted machine] -----> [secure proxy] -----> [gmail]

Secure proxy stores your gmail password, and rewrites any requests you make by replacing "dummypassword" with "realpassword". It's the kind of hack someone, somewhere, may have put together.
posted by Leon at 10:39 AM on January 6, 2007 [1 favorite]


Some keyloggers, yes, but many are wise to this old trick and copy the contents of the clipboard and do screenshots every x seconds. Security through obscurity, etc, etc, but it sure beats nothing. Well, the real solution here is to buy a PDA with wifi/cell and access your email from there.
posted by damn dirty ape at 10:40 AM on January 6, 2007


Another alternative is to use ssh to a pine client hosted somewhere. Hell, gmail works in lynx according to this. SSH servers will tell your last login and IP. Just dont login as root or use su.
posted by damn dirty ape at 10:43 AM on January 6, 2007 [1 favorite]


I write policy and technical documents as part of my job, and something I just wrote into one policy is "email should not be regarded as a secure medium for the transmission of sensitive or confidential information." I think the practice of using email to store extremely private data is inherently flawed and you should find another way to do what you need to do. Also, just because you are using protective measures does not mean the networks you connect to or the people you correspond with do as well, so once it leaves your client it's just... out there.
posted by loiseau at 11:08 AM on January 6, 2007


Do you have access to a computer only you use? If so, you could forward the sensitive data you read at a public terminal to the private e-mail address and delete the mail from your public-access e-mail.

Mark some or all of your mail as unread. If a snooper isn't careful, they won't mark the mail as unread again. And if you randomly mark some, they might be too lazy to note which were read and unread.
posted by jmd82 at 11:09 AM on January 6, 2007


The secure proxy idea strikes me as quite a good one, though I have no idea how to actually implement it.
posted by sindark at 12:09 PM on January 6, 2007


There are some good suggestions here. However, none seem to answer your question. You want to know if there is a way to find out if someone is accessing your Gmail. Chances are, they would be accessing it and actually reading something of interest, right? Set up a simple test by turning off your HTML mail protection and sending your account an email with a picture, icon, even a spacer.gif file that you have hosted somewhere. Include an enticing subject line - and wait. You'll soon know the date and time someone opened your email (or not). There are also email tracking services that can do the same thing if you cannot host a file to be accessed when the email is opened.

Good luck!

---
posted by Gerard Sorme at 12:19 PM on January 6, 2007


You are wrong. If you log into gmail from a second computer, the original one gets logged out. Seriously, try it.

I did try it. I'm logged in at home, and at work 35 miles away (that computer now being accessed via logmein.com).

I'm logged on to gmail on both.
posted by vaportrail at 12:20 PM on January 6, 2007


Gerard Sorme,

I made a jpg file called ccinfo.jpg and put it into a message called 'credit card information.' The file is just a picture of an invented card number, expiry date, and security code. The message is marked as read, so nobody would avoid opening it for fear of changing the status.

Every once in a while, I will check my server logs to see if anyone has been looking at it. A less ad hoc solution would be preferable, but it's better than nothing.
posted by sindark at 12:35 PM on January 6, 2007


You could give sensitive emails in gmail a special tag and then write your own webmail interface that omits them. Use filters to auto-label ones that are almost always sensitive like mail from your web host, bank etc. This way, even if the password for your custom interface is compromised they can only see non-sensitive emails.

You can then write your own logging program to tell if your custom app pass has been compromised.
posted by sipher at 12:38 PM on January 6, 2007


sindark: "I suspect that Google already keeps track of this information. The only change would be making it available to those using the service. In the options somewhere, it could just say 'You last logged in from...' and then 'View previous login information.'"

"...Every once in a while, I will check my server logs to see if anyone has been looking at [fake credit info]. A less ad hoc solution would be preferable, but it's better than nothing."


I really don't believe that you have any other choice. Not only would it be utterly impractical for Google to offer to tell you the IP addresses your account has been logged in to-- that's way above and beyond the call of duty for a free web email service, even a fantastic one like Google Mail-- it's utterly insecure. See, if they start offering to hand out IP addresses like that to members and such, well, the chance for fraud increases exponentially, because, even if you are who you say you are, how do they know that? And how do they know you're not just trying to hack a public computer, or a server you had brief access to, or something like that? It's a huge hassle that I sincerely doubt Google would want to go to. You will not be able to get the IP addresses from which you've logged in to Google.

One alternate method is this: you could leave your messages unread for a while. GMail shows when messages have been read, so you'd at least be able to tell if someone besides you has read them.

But the real answer, which I guess nobody in this thread has given, is this: Google won't do what you want it to here. No email is absolutely impermeable, and especially no web email. I suspect, looking at the way you seem to be saying this (you say you have no reason to suspect you're being hacked, but you're just worried about sensitive info) that you're being paranoid; it's not likely, with a good password and no public-computer logins, that someone would go to the extreme hassle of getting into your GMail account, especially since they probably have no reason to know they'd want to. But if you really want your info to be safe, get it out of your email and onto a physical source like a burned disc, or at least get it out of webmail.
posted by koeselitz at 1:10 PM on January 6, 2007


Another alternative, if the encryption thing just seems too much, is camouflage. Send a very long email that says something like FW: Encyclopedia Entry for China. It looks like exactly what it is....except that you have inserted information in the middle of paragraph 23 in a format that is simple continued text.

Example:

(In this example, the camouflaged text - A Mastercard Credit Card - is in paragraph two after 21 previous paragraphs of Chinese history...which for space reasons are not shown.)
The first dynasty according to Chinese sources was the Xia Dynasty, but it was believed to be mythical until scientific excavations were made at early bronze-age sites at Erlitou in Henan Province.[citation needed] Since then, archaeologists have uncovered urban sites, bronze implements, and tombs that point to the possible existence of the Xia dynasty at the same locations cited in ancient Chinese historical texts, but without written records, it is impossible to verify that these remains are of the Xia.

The first reliable historical dynasty is the Shang (Yin), which settled along the Yellow River in eastern China from the 18th to the 12th century BCE. MC 2345 3654 8788 3212. 12/07. 243. The loosely feudal Shang were invaded from the west by the Zhou who ruled from the 12th to the 5th century BCE. The centralized authority of the Zhou was slowly eroded by warlords. In the Spring and Autumn period there were many strong, independent states continually warring with each other, who only occasionally formally deferred to the Zhou king.

The first unified Chinese state was established by the Qin Dynasty in 221 BCE, when the office of the Emperor was set up and the Chinese language was standardized. This state did not last long, as its legalist approach to control soon led to widespread rebellion.

--
posted by Gerard Sorme at 1:30 PM on January 6, 2007


koeselitz,

I have doubts about some of what you said:

And how do they know you're not just trying to hack a public computer, or a server you had brief access to, or something like that?

Learning the IP address of a machine from which you are able to log into GMail doesn't seem to pose much of a threat to that system. Moreover, anyone with a free blog and a free visitor tracking system like Sitemeter could do the same thing, just by visiting an innocent looking page.

It's a huge hassle that I sincerely doubt Google would want to go to.

Someone above said that they already do this for AdSense. The webmail for my school does this also (though my school's webmail is only a couple of MB and lacks other nice GMail features). I don't think it would be an enormously difficult feature to implement, if people wanted it.

No email is absolutely impermeable, and especially no web email.

This is certainly true, but the fact that GMail stores every message in a way that can be searched so easily makes it an especially attractive target, whether the attacker in question is a jilted ex, an identity thief, or the operator of a dishonest internet cafe.

To say that email will never be perfectly secure is not to argue that cost and time efficient means to make a system more secure are unjustified.
posted by sindark at 1:49 PM on January 6, 2007


This may not be the only way, and it may not be perfectly secure from all attacks, but:

I have a shell account that allows one-time password login. Before I start travelling, I forward all my mail to that, or set it up to fetch without asking me for the password (hard code it in the preferences). Then I print out a list of the next N passphrases and use those. That way the keylogger, if any, gets a password that won't work anymore.

It's important to print the list ahead of time on a secure computer, rather than generating your password on the keylogger-infected one, or you defeat the whole purpose.

I've used Panix for many years. Their webmail isn't exactly gmail, but it's tolerable for the duration of the trip. Usually I just log in the shell and use mutt on the command line.
posted by ctmf at 2:05 PM on January 6, 2007 [1 favorite]


After reading your new messages, simply click Mark AS Unread.

As koeselitz notes, "GMail shows when messages have been read, so you'd at least be able to tell if someone besides you has read them."
posted by artdrectr at 6:30 PM on January 6, 2007


There's no good (to my mind) technical reason why google or some other webmail service shouldn't allow you to check the ip address of all log-ins. LiveJournal blogs allow you to do this: not only of current log-ins (they can be multiple) but of past log-ins too, and not only ip but also browser used.
posted by londongeezer at 6:55 PM on January 6, 2007


Thinking about it, simpler than messing around with roll-your-own proxies is to run your own mail client, on your own server, which accesses gmail via POP3. Use your interface for insecure access (maybe with something cool like one-time passwords), and go directly to gmail when you're secure.

This is basically what damn dirty ape offered, but with a web interface instead of an SSH one.

I've always liked mailman
posted by Leon at 8:47 PM on January 6, 2007


Except I had no idea they were selling it for $250 now! There are a whole bunch of free webmail scripts out there. I'm sure you can find something.
posted by Leon at 8:50 PM on January 6, 2007


Very interesting fodder this question has raised, indeed.

Strangely the most trusted security seems to be physical. The VPN solution at a previous IT firm happened to be a keychain-type fob that indicated six digit random codes every 30 seconds or so which were to be entered along w/a password. Of all the systems I've been around, this seemed the safest.

All obfuscation methods can and will and probably are being 'exception handled.' They make point/click generators for games like Asheron's Call and Warcraft. I assume they can extract passwords no matter what you do.

email will be marked unread by hackers.

If you've a brand new computer why not encrypt the drive(s), etc. I've studied computer security from the white hat end and it takes some study to make a system fairly safe. I can't claim that I ever made a system completely secure but I did my darndest...

Finally getting to the point - some people make honeypot systems to attract hackers and learn from them.

/rant
posted by prodevel at 2:10 AM on January 7, 2007


Just in case anybody might see this page again:

What leon suggested, these people implemented. They provide a proxy that accepts one-time passwords that are un-hashed to the actual password for your email account.
posted by philomathoholic at 10:48 PM on June 1, 2007


To avoid checking mail from public machines, you could use a cell phone or other wireless device that will run the mobile version of Gmail. That's what I do.
posted by Artifice_Eternity at 11:23 PM on December 25, 2007


« Older I live in an apartment and whe...   |  How can I force new Windows ap... Newer »
This thread is closed to new comments.