Apps More Secure Than Gmail ?

foggy

Valued Member
Hi,

As long as I've been flapping my gums recently asking questions, I thought I'd go ahead and ask another one or two. Pardon my long-windedness, but I thought since these questions are related, I'd ask them together. :)

1. Would it be correct to say that a Google Apps user is (perhaps) less likely than a Gmail user to find his/her account hacked because the domain used is something other than @gmail ? (I'm thinking that if hackers target users at the 'big 3' providers, they are trying to access accounts that have login credentials at those providers' domains, and that, therefore, someone with their own domain wouldn't necessarily be on the hacker's radar. Hackers would be looking for joe@gmail not joe@joesdomain hosted at GA.)

Or, to ask it from a different direction, is there any reason to believe that a domain hosted at FastMail, PolarisMail, Tuffmail, Runbox, etc. is any less likely to be hacked than someone hosting his/her domain at GA ? IOW, does the technology behind the service make Yahoo, Gmail, & Hotmail more 'hackable,' or does the domain popularity make it so ?

2. Re: Google Apps specifically: Let's say someone has a domain hosted with GA and only has 1 user account. So, the sole user is also the administrator. There would be two ways to set this up in an effort to maintain security and minimize or avoid hacking:
(a) Have two separate accounts -- one for administration which is never used for actual email correspondence, and one user account that is active for email activity. Or,

(b) Have one account (the admin account) with a very difficult, passcode-quality username, which would only be used for login purposes, and then use nicknames (also called 'aliases' -- available only in GA, not in Gmail) for actual email correspondence.

In both cases the username of the admin account is (presumably) unknown, because it is never used except for logins.

The first option has the advantage that anyone hacking the user account would not have access to the admin account, and the admin can (easily ?) regain control over the user account if hacked. (But what's to stop someone from somehow hacking the admin account directly ?)

OTOH, the second option has the advantage that the email address(es) used for emailing are only nicknames and not actual accounts, so, unlike the first option, there is no user account to be hacked into, even though the address may be known.

So I'm interested in any opinion on these matters.

My apologies again for a long-ish post. :eek:

Thanks !
 
Last edited:

EQ Admin

EQ Forum Admin
Staff member
Hi foggy,

I believe the three most important factors within a users control in protecting their email accounts are :
  1. The security of the platform that hosts their email
  2. The users ability to to secure their own computer and not get hacked/phished
  3. The quality and integrity of the network between the user and the platform that hosts their email
I do not believe the actual domain name that a user has on a platform matters that much if at all as far as increasing or decreasing their overall account security. Considering the three points above joe@large-generic-domain.com and joe@tiny-custom-domain.com hosted on the same servers still leaves most of the responsibility for protecting the account information up to the user. From personal experience hosting both larger generic ISP domain names and small unknown business custom domain names all of the users seem equally as likely to get their account hacked due to some form of phishing attack. It's not as if hacked accounts tend to be within one type of domain or the other.

I agree that the more you can do to separate admin and user roles in any accounts is a good thing. I use regular Gmail and not Google Apps. Are you aware that there are at least 2 ways a regular Gmail user can obfuscate their email address allowing them to give out different email addresses than their primary login address? The first is to use a + sign after their username. For example instead of giving out username@gmail.com you can give out username+test@gmail.com. The use of the plus sign is more handy when used as part of your Gmail filter/label configuration. The second option is to use dots within the username portion of your email address. If you have username@gmail.com Gmail also lets you receive email as user.name@gmail.com, us.er.name@gmail.com, and us.er.na.me@gmail.com etc. Most email providers would treat these as different email addresses but Gmail ignores the dots and delivers the incoming email as if the dots did not exist in the email address.

Keep the questions coming! They are great topics for discussion. :)
 
Last edited:

foggy

Valued Member
Hi,

Thanks for the informative reply !

Keep the questions coming! They are great topics for discussion.
Careful ! You may be opening a can of worms here ! ;)

And since you said that, may I start by responding to your comments below ?

I believe the three most important factors within a users control in protecting their email accounts are :

  1. The security of the platform that hosts their email
  2. The users ability to to secure their own computer and not get hacked/phished
  3. The quality and integrity of the network between the user and the platform that hosts their email
I do not believe the actual domain name that a user has on a platform matters that much if at all as far as increasing or decreasing their overall account security. Considering the three points above joe@large-generic-domain.com and joe@tiny-custom-domain.com hosted on the same servers still leaves most of the responsibility for protecting the account information up to the user. From personal experience hosting both larger generic ISP domain names and small unknown business custom domain names all of the users seem equally as likely to get their account hacked due to some form of phishing attack. It's not as if hacked accounts tend to be within one type of domain or the other.

Thanks for the information !

Then if platform security is a strong link in the chain of account safety, would it be fair to say that smaller services, ones that focus on email, would tend generally to have better security than the big 3 which have not only email to maintain, but also search, news, forums, shopping, weather, maps, etc. (a case of good (Google) and better (Fastmail, EuMX, Hushmail, etc.) ? IOW, how do we know which company has the best platform security (esp. if the big 3 are hacked so often).

Re: phishing: FWIW, I do recall reading some articles on email security, privacy, etc. and I would find in the comments section people sometimes complaining of having their (Yahoo, Gmail or Hotmail) accounts hacked. The web is loaded with these complaints ! Occasionally, the person commenting would be someone with lots of computer knowledge, who had a strong password, who was not duped by phishing attacks, etc.

It's that kind of situation -- a situation in which the account was as close to invulnerable as could be yet it was still hacked -- that concerns me. And it's worse when I see all the links to 'how to hack Yahoo/Gmail/Hotmail' videos at YouTube and elsewhere. Apparently, some hackers claim to have software (comparable to that Firesheep extention we talked about in another thread) that just "gets in" and steals a password. No phishing necessary. :eek:

And it's usually the 'big 3' that are the targets. How many times do we hear complaints of someone's EuMX or Fastmail or Hushmail account being hacked ?

I say all this as a complete ignoramus on the subject, but also to indicate that I've seen/read things which suggest that phishing is not necessarily always to be blamed for accounts being hacked, though it may account for it in a lot of cases. It's the other cases that interest me, where a strong and intelligent defense wasn't enough.

I agree that the more you can do to separate admin and user roles in any accounts is a good thing. I use regular Gmail and not Google Apps.
When I had a GA account hosting my domain I did have separate admin and user accounts until I thought (perhaps unwisely ?) that I should follow the second option -- 2 (b) in my original post -- since in that case 1) the admin username/account was still unknown & unused, and 2) the "used" email address was only a 'nickname' (alias) and not, in fact, a "user" account, and, therefore, could not be hacked into. I also wanted to simplify things by not having more than one account, and I figured, if a hacker could hack the admin account if it was the only account, he could also do so if it were a separate account. It's not as if a hacker needs to access the user account before being able to hack the admin account, right ? An admin account is either secure or not regardless of whether there are any user accounts, no ? Or is that incorrect ?

Are you aware that there are at least 2 ways a regular Gmail user can obfuscate their email address allowing them to give out different email addresses than their primary login address? The first is to use a + sign after their username. For example instead of giving out username@gmail.com you can give out username+test@gmail.com. The use of the plus sign is more handy when used as part of your Gmail filter/label configuration. The second option is to use dots within the username portion of your email address. If you have username@gmail.com Gmail also lets you receive email as user.name@gmail.com, us.er.name@gmail.com, and us.er.na.me@gmail.com etc. Most email providers would treat these as different email addresses but Gmail ignores the dots and delivers the incoming email as if the dots did not exist in the email address.
Yes, I do recall reading about this. And, since Gmail doesn't allow aliases as GApps does, it's probably the only way to go. Still, since "Gmail ignores the dots," it really doesn't have the same kind of protection, because the username is still right there, visible.

From my slightly paranoid perspective :D, though, I would prefer the Apps feature of allowing nicknames/aliases so that the username can be completely unknown/unused and the used email address could be a completely different username (all this being as long as I had a domain to be hosted, of course).

On a side note, I have read some people saying that they also like Apps better because of its not having a password recovery option (Gmail does). I don't know if that difference has changed, but some hackers apparently are able to get in to someone's account easily (?) by the password recovery feature (secret question/answer or alternate email address). Apps eliminates that option for the hacker. So, more responsibility is placed on admin control over users as a consequence -- and he/she better keep that password safe !

Whew ! Sorry for rambling on. :eek: Thanks again for your input !
 

EQ Admin

EQ Forum Admin
Staff member
I don't think the size of a company can be used to measure how likely they are to provide a secure email service. It's possible to have a large company that has been hit by the bad economy and has become under staffed, lost their talented & experienced employees, and is taking shortcuts to keep the mail services running as cheaply as possible, etc. At the same time other large companies could be doing quite well and providing secure services. Same answer for upstarts and small companies. The small companies could have a lot of talent and be providing a great service, or they could be learning as they go. This leaves us with the past performance and reputation of a company as a reasonable measure for the future. Has the company historically provided a secure service and been quick to fix problems as they were discovered? It's not perfect, but I think it's reasonable to consider it a good clue.

The fewer moving parts the better. It should be easier to maintain a secure email service if the service sticks to the required/core services they want to offer. For example email accounts don't need to provide the user with a local weather report. Stick to what's required to operate the service and most of the burden for keeping users secure will remain on those users and how good of a job the service does about educating those users about common threats.

Who are your Big 3? There is non-stop noise about hacked Yahoo and Hotmail accounts. I read far fewer complaints about hacked Gmail accounts. Maybe Gmail itself is more secure? Maybe Gmail's users are more technical with more secure computers? Maybe Gmail's users have been better educated about phishing and other threats? You'll notice I'm leaning again on most of the security being on the users habits and education.

Most of my focus is n the United States. Maybe we see more complaints about U.S. based email because we are in the United States. It's possible news and discussion forums in other geographical locations have more of the non-U.S. hosted services complaints. Here is an example Google search for Hushmail issues - Google

Yes, I agree you can't blame just phishing for hacked accounts. Your questions prompted me to put together a quick summary article this morning - http://www.emailquestions.com/email-articles/2569-top-5-tips-prevent-your-email-getting-hacked.html . Everyone needs understand there is no magic solution for security. Constant training/learning for systems & network administrators and continuous education for regular email users is a great start!

As a company I would not limit or eliminate the ability for users to self service account recovery unless I had an absolutely fantastic customer and technical support department that could be quickly and easily reached with a phone call. Email is too important for too many people. Losing access to your account for days/weeks/permanently could be a disaster.

Making it harder to change a password could be helpful. Alert users with a text message if someone tried to change their password and fails because they fail a series of questions & answers. Scottrade has an excellent system that hits you with a series of questions & answers and it only takes one wrong answer to cause you account to be immediately locked out. they also answer the phone quickly and have great support.

You can submit your Gmail feature suggestions here - Suggest a feature for Gmail - Gmail Help
 

foggy

Valued Member
Thanks for your continued input, Ray. (Is that how you prefer to be addressed here on the forums ? If not, my apologies.) Great information. I'll just respond briefly (briefly for me, that is :p):

1. To my understanding, the "big 3" are Gmail, Hotmail and Yahoo, though I realize some might want to put AOL in there somewhere.

2. Not being a 'techie,' I can only say that it appears that there is an obvious connection between the "non-stop noise about hacked Yahoo and Hotmail accounts" and the fact that they seem to be the two holdouts as far as implementing full-session SSL is concerned. (That, and the fact that they are companies with undoubtedly a lot of older people and/or less internet-aware people who want a 'simple' email service but who aren't careful about security. Too bad they don't read your articles !!)

A search for "gmail account hacked" showed a lot of results, not unexpectedly. Some of them were hackers offering 'how to's.' So there are a lot of accounts compromised. But you may be right about Yahoo and Hotmail being hacked much more mercilessly. It's too bad there aren't statistics out there (that I can find) that show who's hardest hit.

3. Nice article on the "5 Tips" ! :)

As a sub-set of number 5, the strong password, is the (new ?) feature some services have of "one-time" passwords. Great for those 'public computer' sessions people might have when at the library or something when you don't want prying eyes to see your master password. My preferred service, FastMail, has some very nice alternative login functionality (though I've never needed/used it). And Hotmail is supposed to be coming out with that, as well.... whenever.

Thanks again for all the great feedback ! :D

Scott
 

EQ Admin

EQ Forum Admin
Staff member
Hi Scott,

Yes, I go by Ray. You might see me sign -Raymond sometimes but that's just a full name in signatures habit.

I would not expect any email provider to publicly state what percentage of their email accounts are believed to have been compromised over some period of time. I could be wrong. I'll check with some contacts and see if anyone knows of that kind of data that is available OK to be reposted publicly.

With your interest in email and messaging security I think you might be interested in reviewing MAAWG's published documents - MAAWG Published Documents | Messaging Anti-Abuse Working Group

I can see where the FastmailFM alternative login options #2 and #3 could provide peace of mind for the security conscious. I am against writnig down and printing passwords so I believe I'm not a fan of their alternative login option #1 for that reason.
 
Top