How to check who's been reading your Gmail
Posted on 25 Jan 2013 at 09:53
Davey Winder reveals how to check for Gmail snoopers and to protect your account
With 350 million users, Microsoft’s Hotmail remains one of the big three players in webmail, along with Yahoo and Gmail. Unlike the last two, though, Microsoft doesn’t make it easy to see whether and when your email accounts have been accessed by unauthorised third parties, nor does it give any indication of who that third-party might be.
Now given that webmail is, understandably, under constant hacker scrutiny, you might be forgiven for thinking that this is an oversight. I certainly find it difficult to believe that Microsoft hasn’t seen fit to add this most basic of snoop-alerting mechanisms to the service.
To make your Gmail account even more secure, I heartily recommend that you implement the two-step authentication system
This baffling inability to see the bigger security and privacy picture is one of the main reasons that I’m nothing but a casual observer of Hotmail, rather than a regular user. Regular readers of PC Pro online may recall that our esteemed editor, Barry Collins, himself learned about Hotmail security woes when he made a brief switch from Gmail. Not that either Yahoo or Google is without fault, and both have had their share of media insecurity headlines lately, but both do at least give their users a quick-and-dirty method of checking account access patterns.
With Gmail, just click on a link at the bottom right of the inbox screen – the link itself tells you when the account was last accessed as a quick visual check, and clicking it pops up a window with far more detailed information about times of access, the device used and the IP address that access was from. According to Sophos technology consultant Graham Cluley, his law-enforcement contacts confirm that Hotmail does actually log this access data and can extract it and make it available to investigators if a warrant so demands. In which case, you have to wonder why it can’t make the same information available to end users.
This type of activity report should be viewed regularly by anyone who takes their security seriously – maybe I’m a little too paranoid, but I check it at the start and end of every day. It’s an easy way to get a heads-up, not only about obvious risks such as jealous partners, stalking strangers or curious hackers, but also about any rogue third-party apps that you may have granted permission to access your email stream.
There’s also a neat feature whereby Google will show you whether your account is being accessed from another location at the same time as you’re reading it; this is listed in the "concurrent session information" table. Most often it just means you’ve left another browser window open somewhere, but there’s no harm clicking the "sign out all other sessions" button just to be on the safe side.
You don’t even have to rely on checking the report yourself, since you can ask Google to monitor for unusual activity and alert you automatically, but it doesn’t hurt to take a proactive approach for good measure. The Gmail last account activity report shows, for example, access by web browser, POP client, mobile devices and third-party applications: if any of these doesn’t make sense – say, your account has been accessed by a mobile device but you use only a web browser, or maybe the time stamp suggests it was accessed while you slept, or even a different IP address from the others in the list was used – chances are that your account security has been compromised. In which case I’d recommend you change your password as a matter of course – along with those for any other service where the password is reused – and change it to something more complex.
Another thing that Gmail has going for it compared with Hotmail is that it allows password strings of more than 100 characters, as opposed to Hotmail’s maximum of 16. This may not seem like a big deal, but as someone who uses character password strings of more than 20 as a matter of course, it’s yet another reason I steer clear of the Microsoft webmail service.
In addition to changing your password, if you think someone has been accessing your account without permission, I’d also suggest that you check one more thing. It’s just possible, if your snooper is technically adept and being a little bit sneaky, that they’ll have second-guessed your intention to change passwords and taken measures to enable them to continue reading your email. They may have gone into your account settings – where the majority of users fear to tread for some reason – and set up an automatic forwarding filter that forwards a copy of everything you receive to another address.
This isn’t as simple for a snooper to achieve as it sounds, because it requires them to enter a confirmation code into your account settings page – but given that this code is sent to the address that the mail would be forwarded to, which belongs to the snooper, this isn’t beyond the realm of possibility. A person who has access to your account could enter the code and activate forwarding without your knowledge. Accessing your settings and hitting the forwarding tab will reveal the presence of any such filter and allow you to disable it.
To make your Gmail account even more secure, I heartily recommend that you implement the two-step authentication system that Google has now rolled out to all users. You can read more details on the benefits of two-step authentication here, and I’ve also written a step-by-step tutorial on how to set it up in Gmail here.
Davey is a contributing editor to PC Pro, having covered the internet as a topic since the magazine started in 1994. Since that time he's won numerous awards for his journalism, but remains a small-business consultant specialising in privacy, security and usability issues.
- Headings vs headers: how to use both in Word
- Windows Server 2012 R2: how the Datacenter edition could change SMBs
- Invoices and VAT: how to set up your documents correctly
- Nexus 5 vs Samsung Galaxy S4 Active: the best phone for avoiding screen burn
- How much is a social user worth?
- The key to choosing a secure password
- Thunderbolt Bridge: a fast Mac migration tool
- Should you advertise on Twitter?
- How to track a lost smartphone
- Self-publishing success: the best way to sell your book
- Move over Delia: IBM Watson is cooking tonight
- Eric Schmidt on the double-edged smartphone: friend and foe
- Getty joins the race to the bottom
- Hour of Code: five steps to learn how to code
- Sony Xperia Z2 Tablet review: first look
- Sony Xperia Z2 review: first look
- Samsung Galaxy Gear 2 review: first look
- Nokia XL review: first look
- Samsung Galaxy S5 review: first look
- Nokia X review: first look
- IDC: iPad intertia opens door for Windows tablets
- Office 365 goes social with "Oslo" news feed
- Windows XP: upgrading 30,000 PCs in 30 days
- LibreOffice: ignore Microsoft's "nonsense" on government's open source plans
- Intel Xeon E7 v2 servers support 6TB of RAM
- Microsoft promises video calls between Skype and Lync
- Office for iPad due before July
- Windows 7 on business PCs gets an extension
- Windows apps land on Chromebooks with VMware
- Office 365 gets two-factor authentication