A look at Gmail in 2010 and what Google could be doing to improve the security of Gmail to protect users’ accounts.

Something that really shocks me — is the ease with which Google Gmail accounts are being targeted by scammers and hackers. It’s a concerning trend and something really needs to be done about it from Google’s — and all free email providers’ — end in order to better protect email account holders. Most email attacks originate from hackers infiltrating one user’s email account and using the data within that account to infiltrate other accounts. For all Google’s might — it floors me that they don’t implement what would seemingly be easy-to-add security measures for Gmail accounts so that consumers are generally made ‘smarter’. This is part of the inherent problem — consumers, by their nature, are creatures of pattern and use the same password for multiple accounts — which makes them easy targets for hackers.

So what are some ways to solve this problem?

The primary issue with Gmail accounts — and in fact all free email accounts — is directly correlated to the sign-up process. Companies like Google, Yahoo and Microsoft are torn between getting a user quickly through the sign-up process and using their products — and ensuring that accounts are made secure. Most are seemingly opting for the former and ultimately disregarding the latter. Email sign-up needs to be rethought and refocused by incorporating a multi-stage sign-up process rather than a single-stage one.

For example, the process I have outlined below would be extremely beneficial to all Gmail users and would allow Google to easily require users to update their security information to ensure that accounts are not hacked.

More importantly, the information that Google requires as compulsory needs to change with the modern age. When an email account is hacked, the scammers are quick to change all information within the account to stop you regaining access to it — this is part of the fundamental flaw of the sign-up process and indeed the entire security process. Let’s look at some measures that could so easily change this.

1. Require Mobile Phone Number — Everyone has a mobile phone in this day and age — and if you don’t have one, then chances are you aren’t on email anyway. The simplest approach would be for Google to require you to add your mobile phone number as an added layer of security and automatically SMS you on password changes. Most email users rarely change their passwords unless they are forced to — so the volume of SMS messages flying in from Google would be low. The mobile security feature could then be activated for password resets, core account modifications and so forth.

2. Match Country to Mobile Prefix — This is another big one that Google currently doesn’t do. Google has a huge record, and consequently a pattern, of the most common places you access your email from, via IP address. I would go so far as to say that they even know the physical location through reverse geocoding. In light of this information, why doesn’t Google enforce a country mapping for mobile numbers? That is, you can’t change your mobile phone country unless you specifically enter a unique SMS code — which, of course, is SMS’d to your current phone, with a confirmation then sent to the new phone. Why is this important? Because as soon as a hacker gets into an account, they change the mobile number. Most hackers aren’t in your own country — so this makes it impossible for them to change your mobile number to one outside of your country.

3. Backup Address Termination or Confirmation — The whole “Security Question” is so flawed in email systems that if I had my way — I would just terminate it. The world of social media and privacy disclosure now means that everyone posts everything online. And if they don’t — they post it on Facebook and befriend everyone who requests an invite. So what, you say? Well, 90% of the time, the answer to your security question lies in the data that you have posted around the Internet or on Facebook. The “Security Question” just shouldn’t exist — there is really no need for it in our modern world — so let’s just terminate it.

Of course, if Google aren’t willing to do that — then they should require confirmation of the secondary or “backup” email account. Do they do this at the moment? No, and it’s clearly a fatal error, as the first thing hackers do is change the backup email, so if the account owner attempts to reset the password — the reset confirmation is shot straight back to the newly changed email. This should be linked back to your mobile — so if changes occur you receive an SMS notification with a confirmation code, OR confirmation is required from both the old email address and the newly changed one.

4. Confirmation for Contact Deletion — This is another common trick for scammers — hack your account, copy your contact list, then delete them all. Google could again implement SMS notification or secondary email confirmation, so that if more than X contacts are deleted in any one session — or in any one batch — you are required to confirm the action. Most people rarely purge a huge number of contacts in any one session, and if they do their “spring cleaning” — then a simple confirmation confirms that they really are changing their contact list in large numbers.

5. Data Security Plugin — This one is my personal favorite idea — Google need to implement a Labs plugin which allows you to customize account lockouts based on data changes or combinations of them. How would this work? Simple. You could set up rules — or Google could do this automatically for you — similar to the filtering rules you have for your email inbox as new mail arrives. e.g. if {forward email added AND 10 emails are sent in 10 minutes AND password change attempt} = lockAccount, send SMS with Unlock Combination. This would be such a cool plugin which would seriously beef up account security, because it would be difficult for scammers to ascertain which account customizations would trigger a lockout. In some respects, this could be called the “Last-Line-of-Defense” plugin — since any number of combinations could be set up to really stop scammers or hackers who have infiltrated your account.
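To show how the contact-deletion threshold (point 4) and the rule-based lockout (point 5) could be evaluated over a session's activity, here is a small rule engine as an added example; it is not code from the original post or from Google. The event names, the 10-minute window, the deletion limit and the sample sessions are all assumptions constructed for illustration.

```python
# Added example, not from the original post: a session-level rule engine in the
# spirit of the "Data Security Plugin". Event kinds, thresholds and sample data
# are assumptions chosen for illustration.
from collections import Counter
from dataclasses import dataclass

WINDOW_SECONDS = 10 * 60     # assumed window for "10 emails in 10 minutes"
CONTACT_DELETE_LIMIT = 25    # assumed value of X for ">X contacts deleted"


@dataclass(frozen=True)
class Event:
    ts: int     # seconds since the session started
    kind: str   # "forward_added", "mail_sent", "password_change_attempt", "contact_deleted"


def sent_in_window(events, window=WINDOW_SECONDS):
    """Largest number of mail_sent events falling inside any span of `window` seconds."""
    sends = sorted(e.ts for e in events if e.kind == "mail_sent")
    best, start = 0, 0
    for end in range(len(sends)):
        while sends[end] - sends[start] > window:   # slide the window forward
            start += 1
        best = max(best, end - start + 1)
    return best


def rule_lockout_combo(events):
    """Post's rule: forward added AND >=10 mails in 10 min AND password change attempt."""
    kinds = Counter(e.kind for e in events)
    return ("forward_added" in kinds
            and sent_in_window(events) >= 10
            and "password_change_attempt" in kinds)


def rule_mass_contact_delete(events, limit=CONTACT_DELETE_LIMIT):
    """Point 4: more than `limit` contacts deleted in one session needs confirmation."""
    return sum(1 for e in events if e.kind == "contact_deleted") > limit


def evaluate_session(events):
    """Return the defensive actions the rules trigger for one session, in rule order."""
    actions = []
    if rule_lockout_combo(events):
        actions.append("lock_account_and_sms_unlock_code")
    if rule_mass_contact_delete(events):
        actions.append("require_sms_or_backup_email_confirmation")
    return actions


# Constructed sample sessions: one matching the compromise pattern, one benign.
SUSPICIOUS = ([Event(0, "forward_added")]
              + [Event(30 + 40 * i, "mail_sent") for i in range(12)]   # 12 mails in ~7.5 min
              + [Event(520, "password_change_attempt")]
              + [Event(600 + i, "contact_deleted") for i in range(40)])
BENIGN = [Event(0, "mail_sent"), Event(900, "mail_sent"), Event(1000, "contact_deleted")]
```

Running `evaluate_session(SUSPICIOUS)` yields both actions, while the benign session triggers none; a real deployment would feed these rules from the account's audit log rather than from in-memory lists.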

The reality is — while some of the above suggestions may be going too far [although the Data Security Plugin would be insanely cool] — the mobile and secondary email confirmations are really just something Google should enforce in a multi-step process. Sure, users want to sign up and start using their account — but just give them 30 days to complete Step 2 before it’s forced on them. 99% of users will complete it within the first week anyway if they really want to use their email account, as it’s for their own protection.

Such simple additions would make email hacking considerably more difficult for scammers and create an ultimately safer environment for consumers. Google do a pretty good job as it is and Gmail is an awesome product — but this would make it, well, “awesomer”.