Thursday, June 09, 2011

My Email Canary

Despite the fact that I use really long passwords and two-factor authentication wherever it's available I still worry that someone might break into my online accounts. And, my greatest worry is my Google Mail account.

In fact, everyone should be worrying about their online email accounts because they are the Achilles' Heel of your online identity. So much information passes through your personal email that it's a gold-mine for a hacker. Just imagine what could be done with the information on your online email account. Think of all the password reminders and password reset messages: access to your email means that an attacker could likely access many other accounts you own.

So, for my email I built in a canary: a tempting-looking email sitting in my inbox that's entirely fake and designed to tempt an attacker into clicking on it. Here's a shot of my inbox:

That starred email from "Barclays Private Banking" is entirely fake. If you click it you'll see the following:

And in clicking on it you've activated the canary. The company logo at the bottom is being loaded externally from a private server that I own. On that server a script logs the complete information about the machine that loaded the picture and sends a text message to my phone:

What I wonder is if there's a commercial monitoring service that could be made out of this idea. For example, a service could insert canary images into online services and monitor when the canary is activated looking for odd behaviour. Clearly, it would require the cooperation of the vendors of online services to make it work, but perhaps that can be worked out with some sort of revenue share.
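To make the mechanism in the post concrete, here is an added example (my own code, not the script from the post) of the server-side half: a tiny HTTP endpoint that serves the "company logo", records who fetched it, and hands the record to an alert hook standing in for the text message. The path `/logo.png`, the alert hook and the sample addresses are assumptions for illustration; the 1x1 GIF is a constructed placeholder for the real logo.

```python
"""Canary-image endpoint: serve a tiny image, log the fetch, raise an alert.
Added example, not the script from the post. Assumed names: CANARY_PATH,
CanaryHandler.alert (stand-in for the SMS gateway)."""
import base64
import datetime
import json
import logging
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical path the fake email's <img> points at; anything else is a 404.
CANARY_PATH = "/logo.png"
# Smallest valid transparent GIF (constructed placeholder for the real logo).
CANARY_GIF = base64.b64decode(
    "R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7")


def build_alert_record(path, remote_addr, headers, now=None):
    """Return a dict describing the fetch, or None if the path is not the canary.

    `headers` is any mapping with .get(); the handler passes self.headers.
    """
    if path.split("?", 1)[0] != CANARY_PATH:
        return None
    now = now or datetime.datetime.now(datetime.timezone.utc)
    # Only trust X-Forwarded-For when a proxy you control sits in front of this.
    forwarded = headers.get("X-Forwarded-For", "")
    client_ip = forwarded.split(",")[0].strip() if forwarded else remote_addr
    return {
        "event": "canary_activation",
        "time": now.isoformat(),
        "client_ip": client_ip,
        "user_agent": headers.get("User-Agent", ""),
        "referer": headers.get("Referer", ""),
        "accept_language": headers.get("Accept-Language", ""),
    }


def format_sms(record):
    """Short message for the phone; trimmed so it fits one SMS segment."""
    return "Canary activation from %s (%s) at %s" % (
        record["client_ip"], record["user_agent"][:60], record["time"])


class CanaryHandler(BaseHTTPRequestHandler):
    # Replace with a call to your SMS provider; here it just logs a warning.
    alert = staticmethod(lambda record: logging.warning("ALERT %s", format_sms(record)))

    def do_GET(self):
        record = build_alert_record(self.path, self.client_address[0], self.headers)
        if record is None:
            self.send_error(404)
            return
        logging.info(json.dumps(record))   # full record for later forensics
        self.alert(record)                 # the "text message to my phone"
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(CANARY_GIF)))
        # no-store: a cached copy would never hit the server on the next open.
        self.send_header("Cache-Control", "no-store")
        self.end_headers()
        self.wfile.write(CANARY_GIF)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    HTTPServer(("0.0.0.0", 8080), CanaryHandler).serve_forever()
```

Two design points worth noting: the `Cache-Control: no-store` header keeps the browser from answering the second open from its cache, and the full request record goes to the log while only a trimmed summary goes to the phone. Anything that fetches images automatically (a mail client that prefetches, or a proxy that scans links) will also trigger the alert, so treat the log, not the text message, as the record to investigate.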



Kaos said...

Nice idea. I might try something similar, since I'm also pretty concerned about the safety of my webmail-account.

buhrmi said...

I think you should create a service around this :>

Sign up -> Get an email sent to your inbox -> You star it -> done

Tom said...

This is a great system, but the problem with commercializing it is that hackers would become aware of the practice and learn to identify and ignore canary emails. Or simpler still, just not open attachments.

valerio said...

Good idea, but it somehow assumes that sooner or later your account will be hacked!

Michael said...

Really clever idea!

*cue critical side*

First thing that comes to mind - how annoying is it going to be to see that email there day in and day out?

Tobias Boehm said...

That's a beautiful idea.

John Graham-Cumming said...

@Michael: it's like anything that you see every day; you don't see it after a while.

@buhrmi: so how much would you pay per year for that?

@Tom: if it was commercial I'd work with Google to make it not an email by a 1x1 image inserted somewhere in the GMail interface of a registered user.

Piers said...

This is pretty much how systems such as Mailchimp work out if your email has been opened, but putting a small image in it.

Eric Landry said...

Google could add a feature that sends you an SMS (or better yet, push notification to their mobile phone apps) when you login from a new device. It could use cookies or browser fingerprint to determine if this is a regular browser. They already have the Latest Account Activity thing. They'd just need to enhance the alert mechanism.

thirdleg said...

(BTW, you spelled 'Activation' wrong in the text to your phone.)

thirdleg said...

Cool idea!

Thought I would mention that "Activation" is spelled wrong in the text sent to your phone. =-)

b2solutions said...

Clever, really clever. Nice job.

Patrick Farrell said...

@valerio: Failure to prepare is preparing to fail.

b2solutions said...

Clever man, really clever. Like a reverse phishing technique aimed at people who shouldn't be in your account. You need some geek in you to get it setup, and the wherewithal to not set off your own booby traps.

If you can figure out how to wrap some warm fuzzy around this you may have a viable product. I'll keep an eye on the news hoping to see you got hired/bought by google.

Andy said...

You could create a Gmail gadget.

I guess that wouldn't work if they were smart enough to start Gmail in "basic HTML" mode. Do you think they're smart enough for that?

Anonymous said...

Why not just host all your email on your own server? It makes the canary setup much simpler.

martijn said...

I think it is a really nice idea. A few things though:

1. how easy would it be for the bad guys to circumvent this by browsing with images turned off? So I guess you could solve that by having something built inside Gmail, though people could still import their Gmail into some local MUA and read emails without viewing images.

2. how many false positives is this going to give? I'd expect people would regularly click on this email by accident (I certainly would, e.g. by misclicking or by going to previous one email too far) but in that case you'd expect most people would know why they got the text message. But what if you imported your Gmail messages into some other service that did unexpected things such as pre-fetching images?

My gut feeling is that this would generate a relatively large FP/TP ratio.

Anonymous said...

Facebook security has an option:

Login Notifications
When an unrecognized computer or device tries to access my account:

Send me an email
Send me a text message

I think it would be trivial for Google to add this feature to GMail.

CH said...

Great place to start.

Many of the criticisms are accurate but they shouldn't stop you from giving it a whack.

What would it grow into over time?

ewalk153 said...

My friend once used this type of approach with an image in an email which triggered an alert to catch a criminal who was exposing himself to women in the area. It worked remarkable well and we caught the guy.

Anonymous said...

You can get around this by first activating IMAP or POP3. Then you're really fucked because the hacker will just dump out all emails and then load the plain text version or strip out all links from the emails.

I would do IMAP activation + create a folder for passwords, do a search for "password" or "reset" and dump all emails into that folder, then download all messages from the IMAP folder.

How would you work around that? :|

cpuguru07 said...

Gmail already has 2-step verification, where they send you a text with a code that you have to type in when you try to log in, making this completely pointless (even if it were guaranteed to work every time, which it isn't).

rickster said...

That's a great idea. It's sorta like the 'lose your laptop and it clicks a picture' apps.

Steve said...

Gmail has 2-factor authentication right now. I strongly recommend everybody turn it on.

To get to it, click on your email addr in the top right of gmail, then go to Account Settings. Then turn on "2-factor login" I believe they call it.

Pretty much anything can be the 2nd factor: iPhone app, android app, SMS, a phone call, one-time passwords.

Eric Frenkiel said...

Great article - I built a project called InboxAlarm a couple years ago that does exactly this. It will send out a SMS message the instant the image is loaded. I removed the paywall and will remain free moving forward.

Eric Frenkiel said...

Great article! I built a project called InboxAlarm that does exactly this a couple years ago. It's a free service that sends out an SMS message as soon as the image is triggered.

Phil said...

"activiation", huh. My god, that text message looks like the dozens of misspelt spam emails which I block every day.

That txt is clearly a clumsy phishing attempt :-P

Gavan Woolery said...

Great idea, but isn't the hacker term for this a "honeypot"?

Micah said...

Very nice idea. I am going to set this up myself. You might be interested in a mobile and desktop password app I created.

ach444 said...

I wrote something similar, I'll send it to you in an email.

I have a server I consider pretty secure. This script logs into Gmail every 5 minutes from that server and looks at the "Recent Activity" for IP Addresses it's never seen before.

I get a few false positives when I login from a new computer, but it's nice to know it's still tracking.

Tek said...

Just a thought - have you considered making a 'Google Gadget' with an innocuous button you have to click after logging in to suppress a notification?

'Add Gadget by URL' is in Google Labs and would allow you to do just that... *shrug*

VVK said...

Let us assume I am an attacker who has managed to gain access to your mailbox:

1) I am not going to bother using the web interface to plunder through your mailbox. I will setup IMAP/POP3 and suck down your entire mailbox and then use some scripts/search filters to dig in for interesting data.

2) Your solution is relying on the fact that I will notice your canary and fall for it.

3) I can simply modify your mail settings to forward all future emails to an account controlled by me. This canary won't do anything about that.

4) if I am trying to break into your mailbox, chances are I am not trying it through a web interface, rather an IMAP or POP3 call in some script. Which means, I am not going to notice your starred message.

Those are just some scenarios I could think of quickly. I think if your account is compromised despite using a strong password and two-factor auth, you might have bigger problems.

It is a cute idea, but I am not sure if it will be very effective.


Francis Turner said...

The problem I see is that I (and I guess many others) have disabled image display in our emails. Hence the image won't load when the email is clicked.

Possibly better to have a 'notes' email or something that is easy to find which contains a link to the '' file on some server. That also works if the thief uses IMAP/POP to d/l the inbox

K. Wang said...

The problem is that you would have to send that everyday or it would disappear from the top of your queue.

Von said...

Since GMAIL already lists all the IP's that accessed your account - what's the point of your canary?

Anonymous said...

I'm pretty sure it's not your real canary :D.

Nice stuff.

Jason Amster said...

Rarely do I comment, but this is just not plausible. A) you have to click to show images in gmail and B) scrapers/bots don't pull external links. Sorry but this myth is busted!!!

Michiel said...

One other thing: suppose it all works as planned and you get the text message, what would you do? Quickly log into every service you have an account with and change your email address?

For this to have any chance to work at all, you would have to have this script update all your accounts on the fly, to make sure the access to your account renders useless. To make it deal with errors by accidentally setting it off yourself, you need a way to reset it. But that would, in turn, need its own protection (dedicated certificate?).

Zach Cutlip said...

If it goes off, you log into your gmail and "Sign out all sessions" and change your password.

Firas said...

I love the idea John.
But when a hacker opens that email, this means that he already gained access to my email!
I got an idea to work this thing out. Block the hacker from continuing his journey in my mailbox. For example, Gmail will immediately logout that user/hacker, deactivate the email address, and send an SMS to the owner with an activation code, s/t like a second authentication which will be a must in order to reactivate the email. In this case, the true owner will be able to reset his password and all other security aspects.

Thanks for sharing the idea.

kang said...

two things in fact:
1 - a bank with a tar.gz file? that would be a big fat "this is fake" alert to me. The wrong URL when you pass your mouse over as well.

2 - most people fear "password compromise". I don't know why, everyone thinks that's how they're going to be compromised.
The truth is that unless your password is dumb it's not SO common. There's most CSRF and XSS attacks yes, but still.

"real men" systems are compromised using software flaws and accessed at the *system level*.
People query your email through the database, they don't care about the web front-end and they don't need to click links. They see links and have to copy paste them anyway. And a link not going to your bank with a tar.gz, well, these people are very far from stupid and this level no one would copy paste that one link.

So in the end it's a protection against small attacks; leaving your pass in clear around, this kind of stuff - what we used to call script kiddies before that term got over used for any attack that was detected at some point.

I think it's important to know the "kind" of protection something like this provide when you set it up.
