Google Security

How Much Is Your Gmail Account Worth To Crooks?

Posted by Soulskill
from the single-point-of-failure dept.
tsu doh nimh writes "If you use Gmail and have ever wondered how much your account might be worth to cyber thieves, have a look at Cloudsweeper, a new OAuth service launching this week that tries to price the value of your Gmail address based on the number of retail accounts you have tied to it and the current resale value of those accounts in the underground. From KrebsOnSecurity: 'The brainchild of researchers at the University of Illinois at Chicago, Cloudsweeper's account theft audit tool scans your inbox and presents a breakdown of how many accounts connected to that address an attacker could seize if he gained access to your Gmail. Cloudsweeper then tries to put an aggregate price tag on your inbox, a figure that's computed by totaling the resale value of other account credentials that crooks can steal if they hijack your email.'" A recent report from Kaspersky (PDF) also highlighted the trend toward phishing attempts targeting Facebook, Google, and Yahoo accounts alongside bank accounts.
This discussion has been archived. No new comments can be posted.

  • Wait just a second (Score:5, Insightful)

    by Russ1642 (1087959) on Wednesday June 26, 2013 @05:06PM (#44117013)
    "You're at risk!!! Download this scanning tool now to determine your chances of getting pwned." Where have I seen this kind of language before?
    • by Dunbal (464142) *
      Yeah surprise surprise, scaremongering from a company that sells alleged "security".
      • by maliqua (1316471) on Wednesday June 26, 2013 @05:35PM (#44117297)

        the university of Illinois computer science department...?

        • by Anonymous Coward on Wednesday June 26, 2013 @06:17PM (#44117699)

          the university of Illinois computer science department...?

          Well known scammers:

          Dear Friend I am Professor Joseph Otumba of the university of Illinois computer science department and I wish to speak to you on the most urgent matter of your gmail account....

        • Jokes aside, UIC has a pretty good computer graphics department. Dr DeFanti [uic.edu] helped design the computer graphics model for Star Wars. The Death Star graphics? Yeah, that was him. He also helped develop the CAVE, one of the first immersive virtual reality environments.

      • Use Pop3 and keep the server's inbox bare.

        Granted, it's not a 100% solution. But odds are, if thieves scan your inbox and find nothing there, they won't be back.

        Screw this IMAP stuff. It doesn't do anything I need and it leaves you vulnerable to this kind of attack.
    • by houghi (78078) on Wednesday June 26, 2013 @05:46PM (#44117411)

      And not just downloading. You need to give them temporary access. I will do that right after securing my Visa Card.
      On their site they call it "Temporary Limited Access" and that is exactly what I tell the ladies. Nothing can happen, although one is slightly pregnant right now, but that is also just temporary.

    • Re: (Score:2, Interesting)

      by Technician (215283)

      I have an account set up just to troll scammers. I reply for all my Lottery Winnings, Inheritance, Money Transfer, etc. It's linked to all my fake bank accounts. I'm tempted to let them have temporary access to see what happens.. LOL. It has no connection to any RL account, but lots of links to security company accounts where they are holding several sets of Metal Trunk Boxes..

    • Pfff... Yeah, I know. Like I'd fall for that.

      Besides, if I really wanted to get a thorough analysis of my gmail account, I'd just post my username and password to Ask Slashdot. At least then, I know my personal information would be abused by professionals.

  • Great Idea!! (Score:5, Insightful)

    by canadiannomad (1745008) on Wednesday June 26, 2013 @05:06PM (#44117017) Homepage

    Now just let me hand over the keys to all my private mail to someone who will quickly be able to deduce how much it is worth.... /sarcasm>

  • Got locked out of that account and they basically want everything related to my identity to get it back (identity theft in order to return my identity) and now what, that's all my personal stuff that Google has access to, and I don't.

    • by SpeZek (970136)

      That's why you make use of Google's relatively good tools to download all of your data regularly and make backups.

      It's your data. You're the one responsible for it.

      • by RCL (891376)
        Does Google have a tool to backup Gmail data? Asking seriously, would like to use one. (I am aware that there are third-party tools and you can also download everything to your mail client yourself).
        • by hedwards (940851)

          They provide access to the data, what more do you expect them to do? Now, if there were no 3rd party tools available, then I would be worried.

  • Sorry it's 5pm on the east coast and time to go home so I didn't RTFA - anyone care to just give me the bottom line?
  • ...will they be storing to mine?
  • by Anonymous Coward on Wednesday June 26, 2013 @05:08PM (#44117055)

    People who bought "$5,000 offshore banking money transfer" also bought:

    1. Krugerrands
    2. The Complete Book of Money-Laundering
    3. $1,000 Amazon Gift Cards
    4. $4,600 Donation to 2012 Obama for America Campaign
  • Zero (Score:2, Insightful)

    My Gmail account is not worth anything. Mainly because I never tied it to anything else, and I forgot the password years ago. Whoops. I don't like the Gmail interface, let alone the tied to Google aspect.

    But if you could get a hold of my main email account... Actually, I still have no (or very few) other accounts tied to it. That's 'cause I give every service and website a different email address (slashdot.org.2013.06.26@example.org). So far I haven't discovered anyone specifically having sold or lost my em

    • by Shados (741919)

      Do you manage all your accounts individually, or are they forwards? If the latter, someone would only need the master account to reset passwords all over the place. Of course, a lot of more critical sites won't let you reset passwords that easily, but many do, and unless you're living in a vacuum, you probably have accounts on those too.

      • Yeah, they all forward to my main account. But my main account is on a different domain, and so is not immediately obvious (one reason to having throw away accounts, and not solved by all the fanbois going, "but you just go isuckgooglescock+slashdot.org@gmail.com", which easily gets isuckgooglescock@gmail.com).

        And, in reality, I suspect there are a maximum of five (a quick count gives three, I may have missed one or two) 'accounts' that have been given a disposable address that would matter (i.e. I might lo

        • What about when you need to send a message, do you create a real email account for the organization then, or use a real account? I tend to use a real existing account when working with real people.
          • SMTP is amazing, you can send an email from any email address. So, if my main email address is magic@maverick.com, and I'm having commercial mail sent to the domain manic.com, I just use the feature of my email client to make the send from address slashdot.org@manic.com (or whatever). And the way it's set up, all the fancy anti-spam measures (DomainKeys or whatever) still work!

            Real people (who aren't working for an org) get my main email address (magic@maverick.com). On forms I write stuff like blahblah@man

    • I do the same thing, but more like company@mypersonaldomain.com. I don't think that most companies sell or give away my email addresses, but they give lists to their MARKETING PARTNERS, which certainly do pass them on, or get hacked. I found this out by checking the to lines in spam and seeing united (airlines) and a CMS vendor. I also saw something from a company mailed to the email address associated with one of its competitors; from talking to people I found that a marketing person left the second and ap
      • Another issue is that setting up a catchall/default increases spam. I get spam at addresses on my domain that I certainly never used; spammers seem to guess/make them up.
        • And another benefit - when you find an email address being used for spam, you can disable it, or worse.
  • by CanHasDIY (1672858) on Wednesday June 26, 2013 @05:10PM (#44117075) Homepage Journal

    Hi! We just noticed the word, "SUCKER," printed on your forehead in big bold text, and thought you would be interested in our exciting new offer...

    • That's on Soulskill's forehead right about now. Seriously, doing something like this is terrible security advice.

  • by rvw (755107)

    So I'm moving away from Google and Gmail. Can I sell my own account? And what kind of money can I get for it? Will it buy me a new Macbook at least? Then I might consider it! ;-)

  • by Anonymous Coward

    10 million "theoretical dollars". Not to mention once the "cyber thieves" are able to "seize" all of my accounts, they could likely use my accounts as a spring board to bigger things. Perhaps even seize control of the nations power grid or the launch codes for our nuclear arsenal. Thank god I didn't click on that email about the package from FedEx I never ordered.

  • $28.50
  • Darn. I was hoping my gmail account would make me the next .com billionaire.

  • by Russ1642 (1087959) on Wednesday June 26, 2013 @05:21PM (#44117177)
    About tree fiddy
  • by Deflagro (187160)

    I ain't afraid but apparently it's not worth much anyway. If someone tried to steal my identity they'd end up worse off at this point :P

  • by ackthpt (218170) on Wednesday June 26, 2013 @05:24PM (#44117211) Homepage Journal

    I have two gmail accounts and both of them are used for registering for websites which may have dubious practices, such as ... um ... /.

    All anyone would gain from them is the ability to steal my password on review or nattering accounts, Comrade!

    For limited time special offer to receive big quantity Order of Putin medals from Glorious People's Republic of Russia! Just you send 100 dollars USA or 3,000 Roubles to:

    PO Box 786990

    Chelyabinsk 211

    Chelyabinsk Ob, Russia

  • Given that I'm sure if you tried enough, you could convince some moron working the phone at any of various financial establishments I have alerts sent from to let you draw money out of my accounts there, even though they shouldn't.

    Other than that, I doubt it'd be worth very much, unless the crook *really* liked Kingdom of Loathing.

  • by Marrow (195242) on Wednesday June 26, 2013 @05:55PM (#44117483)

    Why does Amazon (a serious competitor for Google Play) take it upon themselves to send an email showing the complete details of your transaction? Which Google can then scan and learn about Amazon's customers and attempt to drive them to Google Play. It seems like all the web vendors want to give all their customer information to Google. I'm sure Google appreciates the efforts on their behalf.
    There should be very little detail in these transaction confirmations. And they should be optional. Or maybe SMS should be an option. But to give your competitor the names of your competition and what they like to purchase is just plain crazy to me.

    • Maybe because their search history engine sucks, and I need to be able to research and search through my Amazon transactions using Google, or Outlook. If they disabled it I would go back to Newegg for a lot of my Amazon transactions because I like having a textual email receipt for all of my vendor transactions.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Nobody's forcing you to use gmail. Get a domain and an email only account with any web host and for about $15/month you can have mailboxes that are very private, and especially ad-free.

    • +1

      3 years ago, I registered for a prestigious international conference.
      I didn't notice it at first, but their password field was broken, and pwdhash didn't convert my master password before sending it.
      5 minutes later, I receive a confirmation email from the organisers.
      The password was in clear text in the second line....

    • by sirwired (27582) on Thursday June 27, 2013 @09:10AM (#44121157)

      So, what exactly is Amazon supposed to do? Most people LIKE getting their transaction details sent to them; it's called a "receipt", and it serves as proof you bought whatever it is you think you bought, should this ever be up for dispute. Most people expect to receive a receipt for every electronic transaction, even if it isn't strictly necessary.

      And the same thing could be said about any commercial e-mail service... nothing stops Mom-n-Pop ISP from mining your e-mail for data (or selling mining access to somebody who can.)

      In any case, Amazon doesn't seem to be too bothered by the prospect...

      If you don't trust GMail e-mail scanning, get your address elsewhere.

      • by Marrow (195242)

        And yet, that receipt could be in the form of a protected URL to the information. Follow this link if you would like to see/print your receipt. It does not need to include the full text of the transaction.

        • I want a "real" copy in my own e-mail account, and I expect most other people do too. I don't want to have to go through all the hassle to obtain and save my own copy. What happens if your Amazon account is suspended? You'd never see those receipts again if you hadn't already saved a copy.

  • by shadowrat (1069614) on Wednesday June 26, 2013 @05:57PM (#44117501)
    Right now nobody knows how much my account is worth. If I allow this "tool" to scan my account, they create a metric of value where none existed before. I don't know what they do with that information. They probably sell it.
  • I just asked a crook what my GMail account is worth, he appraised it at at least 5 million US dollars. He charged 40$ for the estimation. It's good to know, now I have a reason to take extra steps to secure my account.
  • Don't use the same password for any two accounts. Second most important: don't use the same email address for any two accounts.
  • Result: my account is worth a staggering $ 0.60 to potential thieves ;-)
  • by Anubis IV (1279820) on Wednesday June 26, 2013 @06:29PM (#44117789)

    http://www.ismytwitterpasswordsecure.com/ [ismytwitte...secure.com]

    I know it was made to check Twitter passwords, but it turns out that it works surprisingly well here too. In fact, it's smart enough to tell you how secure your passwords and accounts are, even if you enter fake credentials. I kid you not, it is that smart. Try it out.

  • by Anonymous Coward

    If you're not using this for Gmail you're an idiot, especially if this stuff is tied to your bank.

  • They're already in there, anyway.
  • most banks, broker's websites, and battle.net. These accounts worth $hitload more than paypal and amazon.
