Excuse me, What is your private information doing in my Inbox?


The Real Truth About GMail Security.


How Safe Is Your Email?

Short excerpt: Below are three examples of why you should not use GMail for your personal or business sensitive emails. Apart from Google checking the content to place relevant ads, there might be more people reading your confidential emails. What are the real costs if the information most valuable to you falls into the wrong hands?

Do you remember the story of the bank that sued Google to get the account information of a Gmail user to whom the bank had sent sensitive client information?

A Wyoming bank sent an e-mail containing sensitive customer data to the wrong Gmail account, and now wants Google to reveal the identity of the account holder who received the data….

…The employee, however, inadvertently sent the e-mail to the wrong Gmail address. Additionally, the employee had attached a sensitive file to the e-mail that should not have been sent at all.

In the end, the two companies settled the case out of court, Google shut down the account, and the bank was happy. Lesson learned: Be careful using Gmail for your personal or business sensitive email! You don’t want to have your Gmail login and password information compromised by anybody with malicious intent.

I would state it even more aggressively: Do not use Gmail for ANY personal or business email! Reason being, your personal email is not secure. Apart from the fact Google is reading all of your email to determine the right ads to show, your email could end up in somebody else’s inbox without your knowledge. With the city of LA implementing Google Mail for its 30,000 employees, there is enough reason to be concerned about email security.

Over the years I have seen a number of instances where I received mail that was not meant for me. However, the last couple of weeks I’ve seen an influx of email delivered to my inbox that was meant for other people.

All emails I receive are replies to emails sent by somebody who has chosen a Gmail email address that is similar to mine. I have had my Gmail account since the launch of the service by Google. I’ve been blessed (or cursed) with a short, common first name email address. The addresses these emails were meant for are all variants of mine, using numbers proposed by the system when you sign up. If yourname@gmail.com is already taken, the system might come up with yourname1745@gmail.com, based on your address or your birth year.

Background

According to the Gmail help documents, there are a number of reasons why email can get delivered to your inbox when it should not have been. These include:

    1. Your address is similar but has more or fewer dots (.) or different capitalization. Sometimes you may receive a message sent to an address that looks like yours but has a different number or arrangement of periods. While we know it might be unnerving if you think someone else's mail is being routed to your account, don't worry: both of these addresses are yours.
    2. Your address isn't listed at all. If you don't see your email address in the To: or Cc: fields of the header, the sender has probably mailed you a 'blind carbon copy,' or Bcc:. The Bcc: field isn't displayed in the header of received messages. This means that you won't see your email address at the top of any message you receive as a blind carbon copy.
    3. You're receiving spam that's not addressed to you. The message you received was probably the result of a common practice among spammers called 'dictionary spamming.' Dictionary spammers often use a software application to randomly guess email addresses based on words in the dictionary.

Although most cases in the Help Forum can be explained by the situations listed above, I can only attest that there are a number of cases which do not match anything described in the above snippet of the Gmail help section.

A search for Gmail+"getting+someone+else's" returns more than 150,000 results. However, the majority of the talk is about the dot issue described above.
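The difference between the dot/capitalization case from the help text and the numbered variants described earlier can be checked before a message leaves the sender. The following is an added example, not code from the original post or from Google; the function names, the contact list and the rule that a trailing-digit variant counts as a near-miss are assumptions made for illustration.

```python
from __future__ import annotations
import re

GMAIL_DOMAINS = {"gmail.com"}  # dots and case are ignored only for these

def canonical(addr: str) -> str:
    """Lowercase the address; for Gmail, also drop dots in the local part."""
    addr = addr.strip().lower()
    if addr.count("@") != 1 or addr.startswith("@") or addr.endswith("@"):
        raise ValueError(f"not an email address: {addr!r}")
    local, domain = addr.split("@")
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "")
    return f"{local}@{domain}"

def base_name(addr: str) -> str:
    """Canonical form with trailing digits stripped from the local part,
    so yourname1745@gmail.com and yourname@gmail.com compare equal."""
    local, domain = canonical(addr).split("@")
    stripped = re.sub(r"[0-9]+$", "", local) or local  # keep all-digit names
    return f"{stripped}@{domain}"

def classify(recipient: str, contacts: list[str]) -> tuple[str, str | None]:
    """Return (verdict, matching contact) for one outgoing recipient."""
    for contact in contacts:
        if canonical(contact) == canonical(recipient):
            return "same-mailbox", contact   # dot/case variant: same inbox
    for contact in contacts:
        if base_name(contact) == base_name(recipient):
            return "near-miss", contact      # a different person's inbox
    return "unknown", None

def recipients_to_hold(recipients: list[str], contacts: list[str]) -> list[str]:
    """Recipients that should be confirmed by the sender before delivery."""
    return [r for r in recipients if classify(r, contacts)[0] == "near-miss"]

# Constructed sample data using the placeholder addresses from the post.
CONTACTS = ["yourname@gmail.com", "accounts@example.com"]
OUTGOING = ["Your.Name@gmail.com", "yourname1745@gmail.com", "acc.ounts@example.com"]

if __name__ == "__main__":
    for rcpt in OUTGOING:
        print(rcpt, classify(rcpt, CONTACTS))
    print("hold:", recipients_to_hold(OUTGOING, CONTACTS))
```

A mail gateway or client plug-in could run a check like this on messages with attachments and ask the sender to confirm any held recipient.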

Receiving Someone Else’s Email

There are two sorts of email intended for somebody else that can be bad:

  1. Sensitive email not meant for your eyes.
  2. Email that can impact your life negatively.

I have a number of examples of both. If I didn’t share these cases with the people involved, both the rightful recipient of the mail and my wife, I could have ended up in some weird and not so pleasant situations.

Some of the snippets of the emails below are changed to protect the innocent or to hide sensitive information. I don’t think posting these snippets is wrong, as I’m trying to make a point here on why you should not use Gmail for any personal, let alone business sensitive email.

The Bankruptcy


The first case of wrongly delivered email is quite a sensitive one. I have tried not to get involved and not to open sensitive documents, but then again, I can’t help it that I open an email which is addressed to me!

7 days ago it all started when I received a couple of emails a day. The first one is immediately pointing at sensitive information which should not fall in the wrong hands:

Can I get the code to the door on the warehouse? I am trying to hook up with the appraiser. He called this morning. I will let you know what I get scheduled.

Two or three emails later, the emails are getting even more sensitive. Here are some excerpts from it:

I wanted to update you on some more things since that was sent.
I sent a check to [name removed] for a past due attorney fees for $ 14,000
You and I discussed this and since I am still using [name removed] through this period of business closeout etc. I thought it was appropriate since the bill continues to get larger….

…I had to put $12,000 of my personal money into [company name] so that we could pay employees and payroll taxes and $2,700 of it went to pay [name removed] the company CPA for the 2008 tax return. I am working with him right now on a lot of things to get returns done for 2009 below are his charges for last year that are all paid in full. I want to pay for the 2009 returns so that I can get started on them because I will be busy later with other things. [name removed] and I feel that the returns will not costs this much because there is not as much accounting to do. I feel that about 70 % would be close to actual costs.
[company name] *$4,000* My son the other owner has no money nor does the company to put towards this as he will be filing bankruptcy also.

Heartbreaking emails of people who are in financial trouble, on the edge of bankruptcy and trying to save what is left to save. This could have meant closing the corporate email address account and switching over to a free email provider. But with free comes the risk of security.

I did not only receive the email exchanges between him and the lawyers, but much more. Among these:

  • Login and password information of a brand new web store just launched.
  • Personal correspondence between father and daughter, for which they used email
  • Hotel reservation confirmation, containing personal information, address and credit card information
  • Receipts for online shopping, with shipping address
  • Online banking alert of change of email address

I have already received so many emails with sensitive information on this guy that I could probably take on his identity pretty easily. As you can see, I might be receiving the online bank statements in my inbox soon, as this person has just changed his email account on his online bank.

More examples of confidential information: As mentioned above, the login and password information for their brand new sports outlet webshop was sent to me through email. I could have taken control of the whole website and made some changes.

This, of course, is not what I’m about to do. I would rather send the person an email and warn him about the situation. After that, I will delete all the confidential information from my inbox.

The Cheating Husband

What if you were happily married, all is fine, right? Then one day, emails start popping up in your inbox from a site called Ashley Madison. You pay no attention to these, as they probably are spam. Then one day, your wife is logging into your email inbox to check something for you while you are away. As the name Ashley Madison sounds like a woman’s name, she cannot contain her curiosity and opens the email. From that moment on, your life will not be the same anymore…

Ashley Madison is not a normal person, but rather a dating site for married or attached people who want to hook up. That’s right, those people that want to start an affair or have a casual encounter with somebody other than their significant other.

Now try to explain why you are signed up for this dating site for married people, and why you receive email from attached older women, and why you have direct access to a guest account on the Ashley Madison dating site? What is your explanation on this?

I’m receiving all the correspondence of a certain individual who has signed up for Ashley Madison. It is supposed to be a 59-year-old gentleman from Pennsylvania. I will not share any more personal data, so as not to reveal his real identity.

Through the emails and updates I’m getting, I have direct access to his profile and mailbox on the dating site. I could have some fun, but again, I won’t.

Mafia Baseball bets

I’m reluctant to post about my third example of wrong email delivery. This third one is also the longest-running. I’m reluctant because I’m a big fan of mafia movies, and the emails I’m receiving have the smell of New York mafia family all over them. I simply don’t enjoy waking up with the head of a dead horse in my bed.

The email address for which I’m receiving the mail does not even closely resemble mine. This is the strangest thing. I used to think somebody was playing a trick on me, especially as the mails were very mafia-like. However, I dropped that idea the more email from other people I began to receive. I just need to remember, this is not Mafia Wars where I can buy my health back…

All emails for this Dennis G are about Baseball, and in particular about the New York Yankees. These guys have all their gambling conversations over email, not knowing some small time punk in California is lending an ear to their betting strategies. Here is an excerpt:

I had 4 of the 6 teams going into sunday nite.  $5 to win $220.  i need the giants to win, and the yanks to win by more than 1 1/2 runs. you must know the results,  cost me $220.00

sammy sosa just hit 12, most over 400 ft, 1 was 495 ft.,488,508,509, and he had the top 10 distance homers of the night,compared to anyone else. griffey was in the finals with him and hit  2, sosa hit 9 more. a guy won a $250,000. home because of sosa. this is on mlb network. free with my cable. pretty cool. i wonder if STEROIDS had anything to do with all this!!!!!!!!!!!!!!
it sure effected alot of aspects of sports.where do you take the titles away ,or not recognize them. maybe the guy should give back his home he won because sosa won the contest.  and they complained about bonds.

How do you tell a Don you’ve been reading his personal email for months, without being put on a death list from one of the big New York Mafia Families?

Conclusion

Can you trust the security of Gmail? Would you risk identity theft just to save a couple of dollars on a yearly subscription for private secure email? What is the truth about Gmail Security?

Just recently, the city of Los Angeles announced the adoption of the Google email system for 30,000 city employees.

The Los Angeles City Council voted unanimously today to outsource its e-mail system to Google Inc….. Because Los Angeles will be among the earliest adopters of the Google system, council members expressed concern that the city might be signing on before Google's cloud system was fully proven.

Now that government agencies and organizations are adopting Google mail applications, it should be more than fair to question the security of your personal information. Although Google’s Cloud email offering is not the same as Gmail, I believe earlier problems with Google’s Cloud, the Gmail security issues described above and the Google Docs security breaches should be enough talking points for privacy watchdogs to start asking questions.

I would love to hear your thoughts or experience with security of Gmail. Please use the comments to let me know…