@Cats-4_Owners-2 &
@FreddyFreeloader ~
My comment about Gmail being safe was actually only semi-serious; it was in part also a social engineering ploy to have kram reveal which email provider he was with (just a bit of fun and banter of course). Although I will admit that the security features of Gmail are more advanced than other providers such as Yahoo and indeed Hotmail.
The main vulnerabilities with a Gmail account lie not just in having a weak password, but in the choices of security questions presented and in the password recovery options which offer recovery by mobile phone. These weaknesses are common across email providers such as Hotmail, Yahoo, Gmail etc.
Firstly, security questions can be guessed quite easily, either with social engineering, for example somebody posing as an old school friend shows up on Facebook and starts chatting to you about memories and "Just got my first ever car! About time as well. It's a lovely deep blue color because I think your first car should always be in your favourite color"... to which you innocently reply "Maybe, my first car was 'scarlet red' but my favourite color is green lol", forgetting in that moment, that the security question you created some five years ago and never saw since was actually "What color was my first car?"...
The safest way to combat this is to give a false answer that isn't easily guessable. If it's asking for a colour, give an answer such as "How the heck should I know, it was thirty years ago!"

And on a side note, in case you're wondering how this guy got your Facebook account, don't forget that Facebook, in its money-driven ways, tries to connect you up as much as possible, and by default, links your personal email address to your Facebook account. So a search for "hellokitty_lol019@gmail.com" will bring up your Facebook account unless you've disabled this in your Privacy Settings.
Then there is two-factor authentication, and the belief that your email account is safe because nobody can log into it without entering a unique code which is sent to your phone first by SMS. Believe it or not, with some trickery it's possible for an attacker to have your calls redirected to a different phone number. These unique codes, for accessibility reasons, can also be sent in the form of a phone call, and so it becomes possible for an attacker to obtain the code and defeat the two-factor authentication or password recovery process to gain access to your account.
There are other more novel attacks which rely mostly on social engineering. One attack I used personally on a Hotmail account involved customer support, and the ability for customer support agents to do a complete account reset (reset password, security questions etc) based almost entirely on matching personal information and naming IP addresses of previous logins. So if I know your IP address, which I can easily obtain, I can gain access to your email address with some social engineering.
If you are using Hotmail, then I would recommend adding a recovery email ASAP. This is a separate email address, ideally with a different email provider, using different information (preferably false) and a different password (this is very important). In the event that you cannot access your account, or it's been hacked, you have around 30 days from the date of the hack to recover your account, as this is the amount of time required before an attacker can delete or change your recovery email address.
The account recovery process for Gmail is more sophisticated than the other common providers. I won't go into specific details, but needless to say, whilst it can be tricked, it requires an attacker to possess much more information, and this additional work isn't usually worth the effort unless somebody is really determined to get access.
Some general email safety tips:
Never check "Always keep me signed in" or "Remember me" on your email account.
Never enter your email password into any applications, or on any websites which claim to link to your email account. If you absolutely must use your email address to sign in to a website, create a new email with fake details and a unique, random password for this purpose.
Always ensure that your email account has a unique and different password to all of your other accounts. Don't use your email password for anything else.
I hope that provides a brief overview for you both on at least some aspects of email security.