Your credit card company calls you when unusual transactions get posted to your account, and now Google does the same in Gmail. A new security feature alerts you when it detects "suspicious activity" in your Gmail account based on the IP addresses accessing it.
For example, if you've usually got a few Gmail sessions open from IP addresses in the U.S.—one from your mobile device, one from your computer at home, and one from your computer at work—and someone in Poland logs in, you'll see this alert:
A few Gmail users have already gotten this warning when logging into their computer remotely, or after traveling. In the alert, if you click on Show details and preferences link you can remotely sign out Gmail sessions you didn't initiate—and then promptly change your password—or you can just click on Ignore to dismiss the message.
Since summer of 2008, Gmail has offered an Account Activity monitoring tool which shows what IP addresses are accessing what Gmail services (POP, browser, mobile, etc.) and lets you end any session remotely. (At the very bottom of your Gmail page, click on the details link to see a list of all the active Gmail sessions that are open.) Now Google's algorithm detects unexpected variations in that IP data to detect unusual activity. To keep you from worrying that they're tracking your every move, they say the location information is for a general area:
While we don't have the capability to determine the specific location from which an account is accessed, a login appearing to come from one country and occurring a few hours after a login from another country may trigger an alert.
While the suspicious account activity alert is helpful, it only kicks in AFTER a potential intruder has accessed your account. Rather than wait for the scary red alert, lock down your Web mail now. Whether or not you use Gmail, here's how:
- Choose a strong password. Your webmail password should be hard for others to guess, involve numbers, letters, AND symbols, and should be different from the passwords you use for any other service. Change it up every few months, especially after you log on at a public computer or on an open network, and don't use you or your spouse's birthday or your kid's name. That'll be the first password an account cracker will try.
- Always use https. Most webmail services offer an https connection, but not all of them default to it like Gmail. Add that s after the http to encrypt your webmail session, especially on an open network like at the airport or coffee shop.
- Double-check your alternate email address. Most email services let you associate a secondary email address with your account so you can recover your password if need be. Make sure that secondary email address is set and that it's a valid, active account. A Twitter employee's Gmail account got hacked because the secondary email account had been closed, so the intruder registered it, triggered a password recovery email, and got in. To make sure you don't get locked out of your Google account, you can associate your phone number with the account to verify your identity via SMS or voice call. Here's how to set your recovery email address and/or phone number on your Google account.
Suspicious activity alerts is the latest in a string of security-related Gmail features Google's added over the last couple of years. In addition to remote logoff and session monitoring, they recently made https the default connection setting.
Of course, the focus on security is self-serving: Google must prove the cloud is a secure place to store your information to convince enterprise users to ditch Microsoft Office for Google Apps, and all it takes is a few stories of account break-ins like Twitter's to make those customers gun shy.
But when you think about it, Google knowing when someone's logged into your account from an "unusual" location might make you feel more uncomfortable than safe. At least it's a small way users know everything Google knows about our comings and goings.