Webmail: the ugly truth
Although it would appear to happen relatively rarely if my mailbag is anything to go by, I do have another anecdote that illustrates how you can have your webmail account hacked. This isn’t the obvious problem of someone accessing your mail archive and contacts list (and, if you’re stupid enough to send passwords and credit card details in plain text via email, your finances, too), but rather the less often considered problem of getting the account firmly back under your control afterwards.
My friend has no idea how his Gmail account came to be compromised – how someone could have gotten hold of his login password and changed it to something else, so locking him out of what had pretty much become his life online. This imposter also changed the security questions and the alternative email address option, both of which are neat tricks to help them keep hold of your account for longer: more of that in a moment.
Of course, most people in this situation have as little idea of how it happened as my friend does and, while it usually stems from some deeper compromise of their network security (we’re typically talking Trojans here), there are numerous cases where I’ve been asked to check by friends and family but discovered that no such malware installation was involved. This means either they’ve been deliberately targeted by hackers, which is hugely unlikely for an average Joe, or else they simply haven’t been as careful with their passwords as they thought. In the case of this particular anecdote, I managed to deduce via some beer-induced questioning that my friend had spent the previous week in Amsterdam and had naturally made rather frequent use of the internet access on offer in various hash bars to check his mail. Attempting to retrieve your email via webmail while stoned off your tits should be regarded as some way below “best practice” when it comes to mobile security…
Anyway, back to the point: if you do suffer this kind of compromise, you’ll have to jump through a number of security hoops (and quite rightly so) to prove that you are who you say you are, and that the mail account actually belongs to you and not the hairy hacker who’s currently using it. Which is where things can become very sticky indeed if, like this chap – and, truth be told, in common with most other people I’ve asked – you never bothered to make a mental note of the minutiae of your Gmail account-creation process data. You’ll discover soon enough, within a few hours of submitting the “I can’t access my account” form (www.pcpro.co.uk/links/165secure), that you should have done so.
Submitting the form kicks off a chain of support events that require you to answer some detailed questions about your account, like when it was created, how it was created, when and how you’ve been using it, and more. Although you won’t be required to know every last detail, Google support will obviously need you to know enough to convince them you are indeed John Smith and not Theo van der Hackerhoff. By all accounts, the Google Help Center lives up to its name and is very helpful – my friend reported the account hijacking as soon as he discovered it, within 24 hours of it happening, and with a little help from myself in collecting the required information the account was back under his control inside another 48 hours. It would probably have been quicker still had he known what questions he was going to be asked, rather than assuming that just giving his name, address and date of birth would be enough. If you think about it, when you signed up for your Gmail account (or any other webmail service for that matter) did they ask you for address, date of birth or national security number? Of course they didn’t, so why would that information be of any use to identify you as the rightful owner of the account?