How to SECURE against e-mail HACKING (Google Mail)

This is a truly appalling story from inside the Apple universe. A hacker managed to get into the account holder's iCloud, wipe their iPhone and iPad, even cancel their Gmail account and…

Tech reporter Mat Honan's iCloud account was compromised on Friday, wreaking havoc on both his personal machines as well as Gizmodo's Twitter feed, and it was discovered on Sunday that Apple tech support was partly to blame for the breach.

The hack was first thought to be a simple brute force attack on Honan's seven-digit alphanumeric iCloud password, which he has used for "years and years," though in the process of reconfiguring accounts it was confirmed that the issue wasn't a password, but the "social engineering" of an Apple tech support employee.

Amazon and Apple clearly need to institute security policy changes to better protect their users.
And Honan made mistakes of his own, most notably not backing up his Mac regularly. But the hackers’ initial entry point into Honan’s digital life was through, of all things, the “forgot password” functionality offered by Gmail. When they first plunked Honan’s email address into that form, Gmail displayed a redacted version of Honan’s MobileMe account: m•••• (which left little to the hackers’ imagination).

So friends, this was all simple social engineering plus a loophole in account reset policies. But it could happen to me, you or anybody, even after those policies change, so we need to secure ourselves before we so much as touch our email clients.

Honan has plenty of “if onlys” on his mind, but one biggie, to quote Honan’s story for Wired, is this: If he “had used two-factor authentication for Gmail, everything would have stopped here.”

Understand 2-Step Verification

First, let’s clarify what 2-step verification actually means. In Google’s case, it works this way: If you enable 2-step verification, when you next log in to your Gmail account, you’ll first proceed as you always do—by providing your username and password. But before you get to your inbox, Google will next demand a separate code.

Of course, you won’t know what the code is offhand. Thus, for the second factor of authenticating that you really are who you’re claiming to be, Google will send a text message to your phone containing the six-digit code to use. (As we’ll discuss later, there are numerous other options for getting a six-digit code.)

Only after you’ve provided that code do you gain access to your inbox.

On the whole, the process sounds simple. And for simply logging in to your webmail account, it is. But added complexities can crop up, since some apps don’t yet support two-factor authentication, like, say, Mail on the Mac or iOS (instead, you create a separate application-specific password for each such app). That makes configuring Google’s two-factor authentication a bit more complicated.

Set up Google’s 2-Step Verification

Step 1. Go to the Google homepage and log in.

Click on your name or photo at the upper right corner of the main Google homepage, and choose Account.

Step 2. Then choose Security from the navigation options at left.

Step 3. Now you can see the option you’re looking for: click the Edit button alongside 2-Step Verification.

At this point, Google will most likely ask you to log in again. That’s for additional security. Enter your password, and click Sign In.

Step 4. Google now starts a four-step setup wizard for 2-Step Verification.

It will ask you to provide the phone number of the device you’d like to use. It’s understandable if you’re hesitant to give out your phone number, but note that Google promises it “will only use this number for account security.” You can provide a landline or a cell phone number, and you can choose whether Google should send codes to that number as text messages or via a voice call.

After you click to proceed, you should receive the text message (or phone call) within a few seconds. Type that code into the webpage and click to continue.

At this stage, you’re nearly done with the initial setup. Google will want to confirm whether it should “trust this computer.” That setting is a bit misnamed; essentially, if you leave it enabled, logging in to Google on that Mac/PC with that browser won’t add the second step for the next 30 days—unless you delete your browser’s cookies.

Google now asks you to confirm "Turn on 2-Step Verification". Confirm, and you are done.

Note: You really shouldn’t use your Google Voice number, since you could get stuck in a Catch-22 situation where you can’t access your Google Voice account to get the code you need to log in to your Google Voice account.

Getting 2-Step Verification code for Apps

Now, just when you feel like you’re finished, Google throws up a gotcha: Some apps can’t support verification codes. If you use a third-party email app to check your Gmail account via POP or IMAP, for example, that app won’t be configured to prompt you for the second step code.

Thus, for email apps—and Google Reader-using apps, and Calendar or iCal, and so on—you’ll need to configure special, one-off passwords instead. You can generate as many of these so-called application-specific passwords as you’d like.

Step 1. Follow the same steps as above until you reach the Security tab.

Step 2. In the Security tab, click the Edit button next to "Authorizing applications and sites". As usual, Google asks for your password to authenticate you.

Step 3. You will see a complete listing of the apps and sites you have already given access to your account. Below this you will find "Step 1 of 2: Generate new application-specific password".

You provide a label (for your own records), like, iPhone Mail, and then Google presents you with a 16-character password. You can never retrieve that password again, but it doesn’t matter. Don’t bother jotting it down. Copy and paste it (or painstakingly retype it) wherever it needs to go, and then click the Done button.

If you use more than one Mac, consider going specific with your application-specific password names, like Adium (MBPro) and Adium (MBAir). Because Google lets you revoke any application-specific password at any time, you can log in and revoke access to the apps on your MacBook Air should that get stolen, without giving yourself extra work on your MacBook Pro.

Don’t worry that you might be forgetting about an app or its password. You’ll know that you need to generate a unique application-specific password for it as soon as that app starts prompting you to re-enter your password.

Ensure You Can Always Access Your Account

Once you’ve configured all the necessary application-specific passwords, there are a few additional important steps to take.

Step 1. Go back to your Google profile, click again on Security, and then click to Edit your Two-step Verification settings. (Surprise! You’ll get prompted to confirm your password again.)

Step 2. Near the top of the screen, look for the Backup Phones setting and click on Add a Phone Number. There, you can set other phones—your home phone, another cell—as backup numbers. That way, if you lose your phone for any reason, you’re not locked out of your Google accounts; you can receive your codes on the backup phones instead. (Presumably, once you did log in, you’d immediately go to your settings and change your two-step verification number.)

Step 3. Once you’ve set up some backup numbers, find the Printable Backup Codes option and click Show Backup Codes.

Doing so generates a list of ten eight-digit verification codes that you can use in situations where you don’t have access to your phone, or where your phone has no service (for example, when traveling abroad).

Each of these codes can be used only once. Google suggests printing out the list and keeping it in your wallet. You might—might!—consider saving the list in Dropbox or somewhere else in the cloud, so that you can always get to it even if you’re without your phone or access to your Google account. Obviously, if someone then figures out your Google password and also breaks into your separate cloud account, they could then break all the way into your Google account, too. You can generate a list of ten new backup verification codes whenever you’d like, but doing so invalidates all of your old ones.

Google Authenticator
Instead of relying on text messages or phone calls, you can instead install the free Google Authenticator App. With the app installed, you can generate verification codes even when you have no active network connection. That is, the app can generate codes even when there’s no Wi-Fi or cellular signal available for your phone.

First-time setup of the app is a bit confusing. Ignore the login form, and instead tap the Scan Barcode button at the bottom of the screen. (If it’s not there, tap the Plus (+) button first.)

Over in your Google Two-Step settings, find the Mobile Application section, and click on iPhone. (There are also apps, and thus links, for Android and BlackBerry phones.) Point your phone at the QR code that Google presents on screen, and the app will configure itself for your Google account.

Now, when you need a verification code, launch the app, and it will present you with a new one to use.

Two-step verification is annoying, a bit tedious to set up, and makes more work out of the seemingly simple act of logging in. Here Google's own walkthrough takes you through the whole process with ease (it shows an older interface, so this guide is more up to date on that front).

Of course, locking your doors or buckling your seatbelt takes a little extra energy, too. We make tradeoffs to ensure our safety, and digital safety is increasingly becoming just as important as physical security. If you rely on Google’s services, two-step authentication is probably worth the hassle.

That is all for Google Mail; tomorrow we will talk about securing Hotmail & Yahoo! Mail.
Let us know how these tips worked out for you, and if you have any questions, ask them in the comments below!

My next post, which continues from this one, can be found here: "How to secure Hotmail & Yahoo!".