Adding a phone number to your Google account can make it less secure (vijayp.ca)
593 points by vijayp on Oct 20, 2016 | hide | past | favorite | 292 comments


> I'm curious [...] why Google doesn’t temporarily disable accounts so impacted until a human reviews activity.

Because Google doesn't have humans reviewing anything unless there's a direct link to marginal revenue/cost avoidance attached to that interaction that can be priced in. Their business model is to achieve scale through automation and machine learning, which means not doing things that would require manual intervention unless absolutely required.

Explicitly, this means that for free services like Gmail, humans aren't involved. Ever. Try getting support for a Google product and you'll see what I mean -- there's not even a phone number to call or an e-mail address unless it's a paid product (and even then, they've got a less-than-stellar reputation for support of paying customers).


So I've heard that it's difficult to get a human involved if you have a problem with Google's free products. The article says "Eventually, with the help of Google’s customer support and some ex-colleagues who still work at Google, Bob was able to get his account back." For the average person who doesn't have ex-colleagues who still work at Google, or whose name isn't Linus Torvalds, it will be far more difficult.


I keep hearing this, but here's my anecdote.

I signed up for AdWords a long time ago and created a test campaign just to see what it looks like, but never completed the process, so I didn't have a payment method entered.

Fast forward till start of this year, I created an AdMob account to put ads in one iOS game I have, and apparently as soon as I entered my credit card info, the old AdWords campaign started running and was taking $200/day. I noticed after two days and immediately stopped it and contacted support. They quickly got back to me, a person called me and explained that the issue was an error from their side, and they refunded me the amount. It took three weeks for the refund to occur, and during that time the guy called me at least once per week to keep me in the loop. I was surprised with this after all I've heard about Google's support. But I guess that's just one data point in the pool.


AdWords is "different" because if your account has an issue, they aren't getting lots of your money. So their support is actually pretty good with AdWords. The rest of their services, the support is pretty bad (such as Google Apps), and their free services may as well have zero support.


My anecdote: I was brought in to help with an AdWords campaign for an ecommerce site. I did some keyword research, ran some small campaigns to get some CTR and conversion metrics, then kicked off a bigger campaign, pruning keywords as needed to ensure CTR stayed up and we didn't get a low CTR slap on the account which results in CPC skyrocketing. It was chugging along at a pretty good ROI. At that point I turned it over to the person who is named as the contact on the account with instructions on how to keep it running. A couple days later they got a call from someone at AdWords offering to "help", and they recommended turning on display ads. A few days of that and the CTR had plummeted, CPC prices had skyrocketed, ROI tanked and the account was ruined - couldn't get a decent CPC due to the CTR hole that had been dug.

Thanks Adwords support.


CTR = click-through rate, CPC = cost per click


Adwords is the only Google product to have dedicated support staff… and they're working on commission. Of course they're going to haunt you until the end of the world.


Yea, I've had a Google Voice number that I have used sporadically for my business for a few years and suddenly my account was just banned without any obvious reason. It was obvious to me that it was some bot gone wild on their end and was clearly a mistake. I tried contacting Google about it for months with no response. It was a number I actually needed for something important but was never able to recover it. I would have happily paid a monthly fee for the service if it meant I could at least get a response from a support email (ironically there's no number for Google Voice support). I even tried pleading with my AdWords manager where I was spending a ton of money every month and she said she didn't know how to help.


This is why I won't rely on Google Voice for anything important - if they won't make it a paid service with some additional features, that means it's a cost center that could go away at any time.

Heck, I'd happily pay for Google Voice with the addition of fax capabilities (even if it was receive-only), particularly since my online faxing service was bought out by eFax (feh) and at the next renewal will jack up from $15/year to $85/year (bye!). I'd happily pay multiples of how much I was previously paying to be an actual /customer/ who gets that kind of services.


> if they won't make it a paid service with some additional features, that means it's a cost center that could go away at any time

Project Fi is a paid version of Google Voice with additional features. I doubt Voice will go away before Fi does.


Ug, that pretty much terrifies me. I have a google voice number that I've used (for free) since it was Grand Central, and rely on it pretty heavily.

Anybody else seeing GV random revokes? I wonder what would happen if I tried a port-out for this number.


This right here is the quicksand you stand on with Google's free products. Starts out pretty innocuous. Hey, check out this cool new free phone product called Google Voice. You check it out, it's cool, don't really know how it might be useful but you play around with it and maybe use it for a side project or as a toy. Eventually, maybe years later, you find it may be very useful to your business. Great! You roll it out, slowly more and more things depend on it as you incorporate it more deeply into your services. Then suddenly, like a turkey on Thanksgiving Day, you're permanently cut off from your account without warning and without recourse. Now you're in a state worse off than had you never signed up for the service to begin with.


Google Voice numbers can be ported to Project Fi. Porting to another carrier would almost certainly be more successful from that service.


> So I've heard, that it's difficult to get a human involved if you have a problem with Google's free products.

Nobody claims it's difficult; it's impossible via official channels. You have to make a scene on Twitter, so obviously if you value your time and reputation you just switch providers instead of being "one of those people".


This is my #1 biggest gripe with Google as a company. If you have a serious problem that needs immediate attention... oh well! Too bad. You have to personally know someone that works at Google, or post a really long article on HN to get whatever it is fixed.


You're a product, not the customer. How well do we treat most livestock?

I recently realized Windows 10 is going the same way and unfortunately it's much harder to not use your OS than Google or FB, and impacts your ability to use other purchased software.


> it's much harder to not use your OS than Google or FB

I think the exact opposite. Using Linux instead of Windows 10 is easy. But not using any Google service can be pretty difficult. Good news, there are some initiatives to "ungoogle" the internet, such as Framasoft.


What particular google services do you rely on that can't be replaced? I'm using fastmail for mail & calendar services, duckduckgo for search, firefox instead of chrome, sync rather than google drive.


I've had terrible experiences with duckduckgo. I really want to switch, but I've never been able to justify the costs. Every now and then I give it a shot but the results from DuckDuckGo just aren't there. Sometimes they aren't even in the ballpark of what I'm looking for, while Google nails it - what I want specifically is in the top 3, and the whole rest of the first page is related.

I don't know if this is because Google and DuckDuckGo require different phrasing of terms to do well and I'm just highly adapted to Google, or if it's something I can't help.


Just use !g, it's not perfect but it's fast.


Doesn't that just redirect you to Google's search results (encrypted.google.com), and thus makes the point of using DuckDuckGo in the first place unnecessary?


Try startpage.com, it searches Google anonymously so Google can't build a profile about you and place you in a search bubble.


I'd suggest trying Qwant as well. Just remember, the way Google can give such good results is that they mine your life.


I have a domain and a paid-for email hosting service that I use for my personal email. When I tell people this I often get looks of incredulity: Pay money?! Why not just use google? I must be mad!

My response is that I do not want an advertising company to handle my most personal correspondence. In my mind it really is that simple.


>they've got a less-than-stellar reputation for support of paying customers

I've actually had surprisingly good support from the $150/month plan for their cloud products. They get back to me quickly and give good advice (with custom code samples when needed).


Yep, I've had an email account with Google Apps in the past, which costs $5/month, and their customer support was amazingly and surprisingly good.

I just wish I could pay $5/month for my regular GMail account and be guaranteed the same level of support.


+1

Have had multiple issues with Google Apps and GCloud over the years and very promptly received phone calls from support (that I didn't expect). I live in Fiji, and have a tiny small business account (~$30/m)


Out of curiosity, what are the residential and biz Internet connections like in Fiji? Low or limited/capped bandwidth?


Very badly capped. E.g.: http://www.unwired.com.fj/plans.jsp

Divide FJD prices by 2 for the approximate USD values. There are 3 ISPs (Vodafone, Digicel/Unwired, and TFL Connect).


Same here; support on google cloud was stellar indeed.


Like how I have more than enough information to get one of my old accounts back but their Automated Response Forms reject everything. Even the moderators on the gmail support forums rejected my claims as well and pretty much said "deal with it".


Yeah, I can't get into two of my Gmail accounts even though I have all the information it asks for. It simply doesn't work. I just want to delete them too (not even sure if that is possible), because I refuse to use Google for anything nowadays.


Same happens to me. I have the original creation email, my email is (was?) the backup email originally created. I know the date and time of creation of the account, and they still reject it.


If you don't have a recovery email address actively assigned, then you should be locked out.

That's what adding a recovery email is for: to deliberately weaken your account's security, in exchange for convenience.

If you disable recovery, then -- no surprise -- you won't be able to access your account if you lose access.

This post may seem unkind, but keep in mind that some people deliberately do not add recovery methods, in order to prevent secondary-takeover access; and that the above poster's request would fundamentally and drastically weaken the security of those users.


> Because Google doesn't have humans reviewing anything unless there's a direct link to marginal revenue/cost avoidance attached to that interaction that can be priced in.

Google would obviously start losing money though if people perceived Gmail as easy to hack.


Right; so instead they've built their security model around assumptions that other companies' (namely telcos) account processes are secure. That way Google can say "it's not our fault; we can't do anything about it!"

It's called externalizing your costs, and Google is exceptionally good at it.


No one is perfect, but IMO when it comes to security, Google goes to great lengths to make stuff on the web secure, probably the most of all the bigcorps out there.

They are very aggressive about fixing TLS/SSL-related issues (finding and fixing vulnerabilities, deprecating old ciphers, promoting new stuff like cert pinning and HSTS, lowering SERPs in Google for non-https websites; they've also put in place means to detect and report fraudulent HTTPS certs, and many more).

Many of the top security researchers work for Google, and many of them even not on things directly related to Google's daily business.

If I had to say about some bigcorp that they don't care about security, Google would be the last on this list.

Google customer support is totally another pair of shoes though.


> Google customer support is totally another pair of shoes

Pair of shoes! Nice. I tend to say "why the face" a lot in our internal chat at work. Now I have another one (POS)


Just realized "another pair of shoes" is an idiom in my native tongue (in fact, it's "another pair of boots" to be precise).


Also try "what the hat". Heard it from my 5 y.o. son.


> Right; so instead they've built their security model around assumptions that other companies' (namely telcos) account processes are secure. That way Google can say "it's not our fault; we can't do anything about it!"

No, they've built their model on the fact that for the vast majority of their users this will never be an issue. Maybe a celebrity, maybe an important target but the average user, never going to matter.


> No, they've built their model on the fact that for the vast majority of their users this will never be an issue. Maybe a celebrity, maybe an important target but the average user, never going to be an issue.

Email is the gateway to almost everything else. It's used for account recovery as well as (wrongly) passwords and other sensitive information. Google Drive and docs would also be compromised.

It's actually a bigger issue that you would think.


I am not doubting that. I am just saying that the vast majority of people that use Gmail will never have a case where someone wants what they have so much to go to the effort to social engineer their wireless company. Not to mention that there is a bigger risk of getting your house broken into or a host of other things or identity theft. Plus this requires certain bad behavior and failure as well on the part of the phone company. [1] It's not clear how easy this would be for a normally determined hacker to pull it off.

[1] So we have two probabilities at work.


The alternative being ?


This is why last weekend I moved to FastMail. I've filed two support tickets since, and both were responded to in an hour or two. For the trivial cost of half a Netflix subscription, the most vital thing I have on the Internet is supported by real people.

It's hard to justify Gmail these days other than the frustration of migrating off of it.

As a side perk, Australia has no equivalent to a National Security Letter, and FastMail is hence able to notify me of any government requests for access to my data.


> As a side perk, Australia has no equivalent to a National Security Letter, and FastMail is hence able to notify me of any government requests for access to my data.

Unfortunately we've got something pretty close: ASIO can designate any of its activities to be part of a Special Intelligence Operation at will, which makes any disclosure of the operation or its components into a crime (10 years jail if it 'endangers' the operation).

http://www.abc.net.au/news/2014-10-14/journalists-face-jail-...


Interesting. Can other countries invoke it? Because I know the US can ask the Australian government for assistance, but I wonder if that assistance can qualify for being an SIO.


By all indications, use of this provision is extremely rare, nothing like the number of NSLs issued in the US. So it would be a big ask, but it could happen if the consequences of wide disclosure were 'extremely grave'.

For context, one of the motivating leaks was when there was a planned 5am counter terror raid, and someone in the state police leaked the who/what/where to a major newspaper, who had papers coming off the presses at 3am about people who hadn't been raided yet.


> This is why last weekend I moved to FastMail. I've filed two support tickets since, and both were responded to in an hour or two.

Can absolutely confirm that.

However, there's place for both Gmail and FastMail. Just know what you pay and what you're entitled to get for that price.


For me the issue is transitioning from something like gmail to my own email. I've had the account for 12 years at this point.


Yeah, I procrastinated on this for years. What I did was:

- Created an email address at my own domain and forwarded it to Gmail.

- For the last year or so, started using it as my email address and changing accounts to use it as it came up.

- Signed up with FastMail and set up my domain's MX records to point to it.

- Still checking Gmail for stragglers to change over to my new address.

- Eventually will set Gmail addresses to forward, but didn't want to rush that so I remember to just make stuff not go to Gmail.

The hardest thing is getting used to folders again vs. labels. But FastMail has everything like filters and aliases and two-factor auth to an extent that... honestly makes Gmail look kinda basic.

The advanced features of Gmail were the most compelling reason to switch to it, but FastMail takes them a lot further.


> Eventually will set Gmail addresses to forward, but didn't want to rush that so I remember to just make stuff not go to Gmail.

When I did this (from @gmail to @mydomain on Google Apps), I set up a filter to star/label anything forwarded from the old address, so I'd see an update was needed at the sending service/person. Perhaps the same could be done with FastMail.


It definitely can, but I feel that if I make it easy to automatically handle email on my old address at my new address, I'll get lazy about actually changing it. So I'll wait a bit to do that until most of my email is properly changed over.


I'm in a similar boat. I've used Gmail since its first year in operation. I started transitioning off it earlier this year, keeping it running as I've slowly migrated the vast number of web accounts that use my Gmail address as an ID, to use the new email address. With the benefit of hindsight I see that I should have registered my own domain and used that for all web registrations. Oh well. The final step will be to migrate my archive. I hope to be done by Christmas at which point I will strip all details from my account and then delete it.


For some people, email is not a big part of their lives, and it's probably fine to have a free service. But I'd argue almost anyone for whom email is a daily necessity, you should be paying for a certain quality of service. I mean, your email is the core of your online identity, and if it vanishes, such as the dozens of stories we've heard of Google terminating people's account without warning, it can be devastating to put everything back together.


> For some people, email is not a big part of their lives

Email is a big part of everyone's lives, who made an online account somewhere. Not to mention if they paired real identity and/or money to those accounts.


How is search in FastMail? And mobile clients?


I pair fastmail with postbox on mac, and search is terrific (because of postbox). Quite expensive though.

Also nothing as good on mobile. But fastmail search has been okay, I'm not too handicapped.


Search seems adequate for my needs. And it works great with any IMAP email client.

Actually the strangest thing I find amazing, is FastMail's endless scrolling being basically magical. I can scroll through over 2500 messages in a folder of mine, top to bottom, instantly. It's not paginating, it's not locking up at the bottom of the first 100 to stop and load more. It :just works: in their UI.


Hopefully NSLs will be eventually ruled unconstitutional in the U.S. also.


Not if we can't get past the he-said-she-said politics. People are voting for personalities over issues more than ever, and I don't see that trend reversing.

Dwayne Elizondo Mountain Dew Herbert Camacho 2020.


I get responses to my Google Apps support questions pretty quickly and I'm just using this for my personal family accounts, so I'm not paying them tons of money. I don't think it's really fair to say they should provide support for their free tier which hosts mail for a billion people and compare it to a service that hosts, what, maybe a million?


The problem is that the burden of responsibility Google carries for those accounts is huge. The amount of money, private information, treasured photos go over their systems... with no support?


You know, you can see articles where people report social engineering attacks on Amazon customer service and extract a great deal of information from them.

Having a human involved is not necessarily a solution, can be another attack vector.


Nice binary logic there. It's an attack vector therefore it can't be a solution to customer problems. The issues here are orthogonal.


Just saying that, in this article telcos are the weakest link. In some other cases customer support has been the weakest link.


It's a great counterpoint because with a large staff you can never solve the human element. It's also a corollary to the hacking approaches we see regularly employed: send an exploit payload via email to everyone in the company and somebody is bound to open it. In fact in the security space they've moved away from even saying you can protect the front door and are more focused on detection and correction once an intrusion occurs.


Isn't customer service the weakest link in both of those cases?


Yeah, maybe human review is not the most scalable solution; if data analysis shows that certain patterns of behaviour are highly predictive of an account takeover, there are almost certainly product solutions for them.

I guess the real question is what the data actually show


How about "we'll review your request for $20". For recovery of email accounts and such Google could absolutely make a profit from that I feel and enable people to recover their accounts; they can surely scale a support system on that sort of funding.

Sure I can see problems with that. My initial feeling is people will think that such support is a scam, but that at least shifts the position of Google from "we can do such support" to "we don't want people bad mouthing us so we're going to refuse to do that support even if it were prima facie profitable".


Interestingly, one of the features announced for the new Google Pixel phone is some kind of free live support, though they didn't say which Google products are covered. It is an expensive phone but if the support includes help with other consumer cloud products it might be worth the price of admission.


Facebook is the same way - support, even when you do pay for something like ads - is nonexistent.


If I permanently lost access to my facebook account I'd probably be mildly relieved that I'm finally done with it. My google account though, I'd be in panic mode.


Recently my wife, without any identification, went to Tmobile and was able to have my account automatically canceled and added to a new joint family account.

She went with my knowledge, but TMobile never called to confirm.

After which my phone no longer had service, and I had to install a new SIM card prior.

While she did this with my knowledge, I no longer have access to make changes to the account, until she adds me to the list of authorized people, and I lost all my voice mail.

It's very disturbing that she could do this, without any sort of checks and authorization.

Also, FWIW, my wife and I do not share a last name, and she did not provide anything other than my phone number to TMobile. She was a new Tmobile customer, and I was an existing customer, albeit on a very cheap pre-paid plan.


Similar thing I experienced with Rogers Wireless in Canada recently.

My wife and I had separate accounts. I logged in with her account to the Rogers account site and added my phone number to her account with a few basic details that are on every statement sent in the mail....

I had a joint account with my wife as an owner.

Then my work had a corp plan with Rogers, so I wanted to switch to that, but since I am the employee, I had to be the account owner.

This isn't actually so simple.

They had to create a net new account with me as owner, and re-assign the phone numbers to the new account.

When I called in to their account support line, they asked for my 4 digit PIN. I said I have no idea what it is, the guy in the store just punched some numbers in when he set up the account and never told me.

They were okay with that and proceeded to ask me some details that are on my mailed statements....

Then they said they needed the account holder's permission. --I was at work, my wife was out of town, I didn't feel like bothering her.

I said "hold on one minute, just let me get her". I put the phone on mute for 30 seconds, unmuted and changed my voice slightly: "Hello? Yes I am fine with my husband taking ownership and transferring the numbers."

"She" then passed the phone back to me and the rep proceeded with the transfer.


I used to work in telco (in another country) and it's a difficult line to tread. 95% of customers have no idea what their 4 digit PIN was so you have to identify them other ways, and not being able to access their account is the kind of thing that pisses even legitimate customers off (which is why it's so easy to take advantage of).

Our company's policy was "if they don't know the PIN you have to connect them to the call centre and have them verify for you" but customers are rarely impressed to be handed a phone to the overseas call centre.

I know I got it wrong at least once.


My mum had something similar happen with Verizon albeit as an act of fraud against her account. Her phone was working one day then mysteriously stopped working the next. She didn't think much of it, but as a matter of happenstance had picked up her bill a couple of days later to find that someone had managed to attach a new phone to her account (under a new contract no less!). According to the fraud rep, the switch took place in a Target nearby and was likely done without any identification other than the phone number. Eerily similar.


Yeah, a couple of years back, I went to a t-mobile store (I think it was on Broadway and Park Pl) to get a new SIM card; I'd lost it in Europe when I was on holiday. They gave me a new SIM card and let me pay cash without even checking my ID…


It's frightening how easy this is. Here's another example:

http://www.businessinsider.com/hacker-social-engineer-2016-2


Out of curiosity, if this is done with the consent of the person whose account you're hacking (as in this example), is it illegal (considering that the corporation is also a party here)? More generally, in what circumstances can you lie on the phone about your identity without committing a crime?


I recently had to regain account access to an employee's company provided phone on T-mobile after misplacing the password and PIN. If you know the phone number and can guess one of the numbers they recently called, you're in.


Was there a documented and confirmed link through your banking details, like did she have the credit card that you paid for the sim with, or was she named on a joint bank account associated with your phone account?

I don't doubt that a telecom would do such a thing as you describe but have some hope that you're just not seeing the back end confirmation?


Nope.

I paid for my t-mobile through my personal account.

I would have hoped they would have at least called the number and get confirmation first, prior to switching things over.


Is anyone aware of reports on the comparative level of security of the various cell providers? I'd be interested to know how providers in various tiers of scale like US Cellular compare to T-Mobile and Sprint compare to Verizon and AT&T.


>Eventually, with the help of Google’s customer support and some ex-colleagues who still work at Google, Bob was able to get his account back.

I bet I know which one of these resources was more important.


I bet I know which one of those resources actually exists.


Google's Project Fi has great customer support. You can get someone via IM almost instantly and they also offer phone/email support. As a Fi customer, that would be my first stop if I was locked out.

Good luck if you aren't a paying customer though...


I pay for Google Drive, in part because it seemed like the closest I could get to paying for GMail, I don't suppose that counts...


>You can get someone via IM almost instantly and they also offer phone/email support. As a Fi customer, that would be my first stop if I was locked out.

if you were locked out of your phone (plan) & email, would you be able to contact them?


My wife is also a subscriber so I would still have access to support behind a login. Support staff are also quite active on the reddit site for Fi.


People give Google a lot of shit, but how about paying for service you want? If you do, you get http://imgur.com/a/Udvn6.


Okay, how do I pay for Google's search? 'cause Google keeps locking entire offices out of it because of "bot-like too high search volume". We're switching to Bing for months at a time.


I don't think it's possible to make a Google account without a phone number anymore. It's really unfortunate, especially because I deliberately don't set up fallback contacts for my "alternate" gmail accounts, and Google keeps locking them as suspicious when I log in from a second location, and I need to "verify" with a phone number any time that happens (at which point I abandon the account).

I understand that they want to fight spam, but I'd be willing to spend 5 minutes doing captcha type activities in exchange for not requiring a phone number, and that should pretty severely rate limit account creation.


I've several children, and can no longer make Google accounts for their Chromebooks. All the phone numbers I have and control can no longer be used to register further accounts.

What happens to users that buy a new Android cell phone whose number has been burned by Google?


You should be aware that Google has minimum age requirements. I was not aware of this and my son disclosed his age to Google as part of setting up another Google service, which then locked out his account.

https://support.google.com/accounts/answer/1350409?hl=en

I switched to Fastmail after that.


Google's subject to U.S. law, they can't knowingly maintain a child's personal data without parental consent (which is a manual process). There are also further restrictions on the types of marketing they can do to children. It is fine if the product, like gmail, doesn't target children and they don't collect age info, but once they do know age they've got to either get consent (costly) or shut down the account.


That's okay with me and I wasn't criticizing Google, just stating what happened. My recollection was that I was able to get the account re-activated by providing a CC #, but once I was aware it was in violation of the ToS, I switched to a different provider.


Ironically you could create Google Voice numbers as a workaround.


IIRC Google doesn't allow using Google Voice numbers for account verification (or other known VOIP number blocks).


One workaround is to use a number and then port it to Google Voice.


This is the time to get to know https://mail.yandex.com

Seriously, the interface is so much better than today's Gmail, it's astonishing. There is no spam either, and no ads.


The email account is not the issue; I run my own email server with all the fun that brings.

It's that the Chromebooks really need separate Google accounts; otherwise, settings and notifications end up replicated to all of them.

And yes, I have a greater than average number of children. I feel as if the only way forward is to purchase a google for business account, and add them all there :-/


Install a different Linux distro on them?


Anyone have any experiences with their support?


I think the main issue is that Google doesn't accept certain senders anymore. A generic thread about running a mailserver/mail service pops up here often.

That means users are shoveled into one of about 4 "acceptable" providers which have control of the entire market. They demand full name and usually gender, mobile, alternative email and more.

So you get pushed into their information pipeline to stop "spam".


Yep, I wrote one not too long ago:

http://penguindreams.org/blog/how-google-and-microsoft-made-...

I've been meaning to write a follow up after I met some MailChip devs at a conference. They told me at MailChip they have to slowly spin up new servers, sending e-mail through them slowly so Google registers their new SMTP IPs.

The other thing they told me: MailChip owns a /A, and can therefore separate out their servers from even being remotely related to any spammy subnets (common problem on 'cloud' hosting).

I'm wondering if I heard/remember that correctly. I mean, a class A is huge and would be crazy expensive. I've been looking through websites on ASNs and am trying to figure out how to verify that info.


(Assuming you mean MailChimp)

I don't know anything about how MailChimp operates, but a quick search turns up this blog post about how to set up SPF records [1].

From there, you can get a list of which IPs MailChimp authorizes as a sender; following the SPF include directive, you can see they specify two IPv4 ranges, both of which are in class C space, so it seems unlikely that MailChimp has their own class A for SMTP senders.

[1]: https://blog.mailchimp.com/senderid-authentication-for-your-...
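The check described in the comment above (walk the SPF include chain and see how large the authorized ranges are), as an added example that is not code from the thread and does not use MailChimp's real records: the fake DNS zone below is constructed from documentation address ranges, and a real checker would replace the dict lookup with a DNS TXT query.

```python
"""Evaluate an SPF record for a sender IP (ip4/ip6/include/all mechanisms).

Added example, not code from the thread and not MailChimp's records: the
zone below is a constructed stand-in for DNS TXT lookups, using
documentation address ranges as placeholders.
"""
import ipaddress

# Constructed fake DNS zone (placeholders, not any real provider's SPF data).
FAKE_TXT = {
    "example.com": "v=spf1 include:_spf.bulk-mailer.example -all",
    "_spf.bulk-mailer.example": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.128/25 ~all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, zone=FAKE_TXT):
    """Return the SPF TXT record for `domain`, or None if it has none.
    A real checker would query DNS here instead of a dict."""
    rec = zone.get(domain)
    return rec if rec and rec.startswith("v=spf1") else None


def check_spf(ip, domain, zone=FAKE_TXT, depth=0, max_depth=10):
    """Return 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'
    for a message from `ip` whose envelope sender is in `domain`."""
    if depth > max_depth:           # guard against include: loops (RFC 7208 limits lookups)
        return "permerror"
    rec = lookup_spf(domain, zone)
    if rec is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in rec.split()[1:]:    # skip the 'v=spf1' version tag
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            matched = addr.version == net.version and addr in net
        elif term.startswith("include:"):
            # include: matches only when the referenced domain yields 'pass'
            matched = check_spf(ip, term[8:], zone, depth + 1, max_depth) == "pass"
        elif term == "all":
            matched = True
        else:
            continue                # a, mx, exists, redirect= are not handled here
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                # no mechanism matched and no 'all' present


def authorized_ranges(domain, zone=FAKE_TXT, depth=0, max_depth=10):
    """Collect every ip4/ip6 network reachable through include: chains, i.e.
    the address space the domain claims for its senders."""
    rec = lookup_spf(domain, zone)
    if rec is None or depth > max_depth:
        return []
    nets = []
    for term in rec.split()[1:]:
        term = term.lstrip("+-~?")
        if term.startswith(("ip4:", "ip6:")):
            nets.append(ipaddress.ip_network(term[4:], strict=False))
        elif term.startswith("include:"):
            nets.extend(authorized_ranges(term[8:], zone, depth + 1, max_depth))
    return nets


def largest_block_prefix(domain, zone=FAKE_TXT):
    """Shortest prefix length among the authorized ranges (8 would mean a /8)."""
    nets = authorized_ranges(domain, zone)
    return min(n.prefixlen for n in nets) if nets else None


if __name__ == "__main__":
    for sender in ("203.0.113.45", "198.51.100.5", "2001:db8::1"):
        print(sender, check_spf(sender, "example.com"))
    print("largest block: /%d" % largest_block_prefix("example.com"))
```

The `largest_block_prefix` result is the quick answer to the "/A" question: if the shortest prefix in the include chain is a /24 or /25, the SPF record is not delegating anything close to a /8 to the mail senders.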


Yeah, we do something similar, although we send a much smaller amount of email than MailChimp.

Our admin runs about 10% of the outgoing mail through our DR site to keep google et al trained to accept emails from those IPs.


It accepts my personal mail server just fine. You need to support encryption, spf, and dkim but mail will flow no problem to gmail users in my experience.


Not mine, FWIW. Ten out of ten score on mail-tester.com, a clean IP that I acquired 15 years ago ... and further, gmail watches people daily remove my one-to-one correspondence from their spam folders.

And yet, most (but not all) new gmail recipients will not see my emails until they remove them from their spam folder.

Google does not want people to self-provide email and there is no incentive for them to do so.


dnsbl.info reports that 69.43.165.11, MX for mail.rsync.net, is blacklisted by ips.backscatterer.org:

http://www.backscatterer.org/?ip=69.43.165.11

I suggest fixing your SMTP server configuration [1][2] and maybe listing your IP on dnswl.org. (edit: I see you did the latter.)

[1]: http://www.backscatterer.org/index.php?target=bounces

[2]: https://web.archive.org/web/20140215064312/http://spamlinks....


That's the rsync.net mailserver and that's interesting, thank you.

However I was speaking of my own, personal mailserver, which is not listed.

Also - do we really think "big email" (like Google) are using either of these (blacklist or whitelist) services?


I can't tell you what goes on behind the scenes at Google, but I have resolved email issues to gmail by getting removed from blacklists.


It certainly could be an issue, but honestly even if it were possible to set up my own mail server, that's even worse for pseudonymity than a google account because ICANN records are public and I'd be the only one using my domains. It would make it much easier for some random person to uniquely identify me, which is a worse threat than Google identifying me by my phone number. This is one of those situations where anonymity loves company.

Also, the problem is not limited to e-mail. There are some non-email services from Google. I'd be perfectly happy to sign up for a Google account where you can't send e-mails, or where you can only send e-mails to people who have sent you e-mails.


> ICANN records are public and I'd be the only one using my domains

Several domain registration services and hosting providers offer to mask your whois information by making themselves the point of contact. Some include this as part of your package; Tiger Technologies does this as a free opt-in. Namecheap offers it as a paid add-on via WhoisGuard.


When is the last time you tried? I created a Gmail account a couple of weeks back without providing a phone number or recovery email.


I did it. Then they banned it.

Having my phone number or any other hard identifier is none of Google's business.


I have a google account without a phone number, but it's always been that way so they probably aren't going to ban me... I hope at least until I finish migrating


They do that if:

1. You don't log in from a first world IP (the terminology from their user operations team), but previous logins were from them.

2. You registered from an IP in a country where they don't have access to sending SMS, but you then go to a country where they do.

3. Bot detection algo flagged you, and bot detection algos are one of their crown jewels that they don't tell support people about.


They could lock you out of your account and require your number before letting you log in again. Any day.

Happened to me.


They didn't ban your account for not having a phone number.


What else? I was creating this for Youtube videos for my son. When we were about to upload a video, it was already banned.


I dunno, but you weren't banned for not having a phone number attached to your account, because I and many others have accounts without phone numbers and are not banned.


It may depend on the time frame and geolocation. I tried to do this about 6 months ago.

I also have an old account that does not have a phone number and it is functional.

What I was describing was a creation of a new account.


I'm not Google customer support, but I'll repeat for a third time; you were not suspended because you didn't provide a phone number.


I think you've made your opinion clear. Why continue to try pushing it as fact? There are a thousand factors at play in spam/fraud/whatever detection, how can you possibly say with a straight face that you're certain the phone number is not a leading reason?


It may be that this person knows something more that we do not (does not seem to be the case) or has very different experience.

I do not mind this. It is indeed possible that the cause of the ban originated from some other source than the entered personal details and sequence of actions.

It actually motivates me to create another experiment.

While this statement will be really buried, it reminds me that we still should be thankful that we can somewhat conceal our identity, as a private enterprise can be much more unforgiving than the state.


From what I can tell from a few days ago, you can't create a new account without a phone number.


From just now, I went to gmail.com and created a new account without entering a phone number or email address.

I then went to Youtube and uploaded a video.

I signed out, then in again. Google asked for a number and recovery email, but let me press "Done" without providing one.

I'll sign in later from a different IP, and see what happens.

Edit: I've come across [1], which says a phone number is required to upload videos longer than 15 minutes to YouTube, or in some cases to upload anything.

[1] https://support.google.com/youtube/answer/171664


It's not my opinion, it is fact. There was a reason he was suspended, and it is not his phone number not being attached to his account.

Also, I didn't say anything about leading reason.


> it is fact

No, it's a hasty generalization[1] where personal experience is assumed to match other cases.

Of course Google could have simply stated the reason for the suspension clearly, if they weren't so reliably opaque in support and service management issues.

[1] https://en.wikipedia.org/wiki/Hasty_generalization


So perhaps you will care to elaborate this a bit more?


So who are you then? :)

But I am willing to create another more controlled experiment.


I'm concerned about your ability to control the necessary variables. For example, any one of your anti-tracking measures (you're big into Internet privacy, yes?) may be triggering the suspension.


My only concern at that point in time was giving out the phone number, as it will give Google a unique identifier without ISP and state cooperation. As such I did not use any additional measures.

I am grateful for your comments as it will motivate me to give it another try.

Btw, in fact I do not regularly use any anti-tracking measures. I am only protecting the local businesses against their own stupidity.

I really would like to keep visiting my favorite supermarket regardless of their decision to include their video ads in the YouTube videos I happen to watch from time to time. Some careless fools already lost me as a client; I would not like to let this happen again.


Do you disagree with their right to specify the terms of use as to include a phone number, or do you just not like the rule?


I think that giving such agencies the power to identify unique individuals is not beneficial for humankind.


I did it recently, and burned myself, because I forgot my password and had no way of recovering the account. As far as I know, my account isn't banned, though.


I moved country, and had to wait to visit the country I registered in to get the account back.


It probably depends on your IP address, country and maybe something else. Some time ago I was unable to register on YouTube without providing a phone number, and earlier I had registered a Google Account from an Android emulator that was instantly blocked. Maybe it is because of spam, or maybe because a lot of people are using the same IP address.


I never put in my number into my Google account. Ironically, the only US number I have is via Google voice/hangouts. So they have it. It's just not associated. I'm not even sure if it would be allowed, as there'd be no way to use it as a 2-factor auth without actually being logged in.


I recently tried doing exactly that, and got back something like "This is not an acceptable verification number" with no further explanation.


I created one on Monday, without a phone number. I did provide a (@outlook.com) recovery email. I did not try to create a Google Voice number for it though and I think that does require a phone number.


> This pattern seems like something security software should be able to detect: a password reset with incomplete information, followed immediately by a change in recovery email, name, and two-factor-auth settings, coupled with a “my account has been compromised” help request is highly suspicious.

This series of events could easily occur in legitimate cases. Say you lose or destroy your cellphone. Since you only ever logged in via your phone you don't know the password. Your recovery email was attached to a service you don't use because you normally use gmail. I'm not saying this scenario is a good idea just that it's probably quite common.

As a software developer I often hear from well-meaning users who are appalled that software didn't do the right thing in some complex scenario that appears to have an obvious solution because the desired outcome is obvious. In reality, handling the corner cases is complex. Adding these obvious solutions to the code easily leads to even worse situations.


At the very least, any change to the email address should send out an email to the old address stating "If you didn't make this change, click on this link to have your account frozen until you do a password reset."

It's silly to depend on an email for authentication, then allow the hacker to just delete the email address before they change the password. Giving the old address the right of first refusal defeats that kind of attack and should be dead simple to implement since the framework was already laid down for the "verify your email" step during setup.


Not sure but I think I have seen hotmail/live do this?


> This series of events could easily occur in legitimate cases.

I don't think so. Why, in your scenario, would they file a help request saying the account had been compromised? They might file a request with some other content, but not that.

Your general point is valid, but I think the OP has probably figured out a set of features from which one could pretty reliably tell that something was amiss. And all he's suggesting is that such cases get bounced up to a human.


If you lock the account because someone filed a help request claiming the account was compromised, then hackers could use this as a DOS.


..received a help request, along with all the other events (changed password, changed recovery email, changed phone number). Not just the help request.
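The detection idea quoted from the article (weak password reset, then recovery-email/name/2FA changes, then a "compromised" help request, bounced to a human) together with the objection that a help request alone must not be enough to lock an account, as an added example that is not code from the article or from Google: the event names, the log format and the sample log lines are all constructed for illustration.

```python
"""Score the account-takeover sequence quoted above over account event logs.

Added example; the event vocabulary, log format and sample lines are
constructed for illustration and are not anyone's real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <account> <event> [key=value ...]".
SAMPLE_LOG = """
2016-10-18T09:00:00 alice password_reset proof=partial channel=sms
2016-10-18T09:01:30 alice recovery_email_changed
2016-10-18T09:02:10 alice name_changed
2016-10-18T09:02:45 alice 2fa_changed
2016-10-18T09:05:00 alice help_request reason=compromised
2016-10-18T10:00:00 bob password_reset proof=partial channel=sms
2016-10-18T10:30:00 bob recovery_email_changed
2016-10-18T11:00:00 carol help_request reason=compromised
2016-10-18T12:00:00 dave password_reset proof=full channel=recovery_email
2016-10-18T12:01:00 dave recovery_email_changed
2016-10-18T12:02:00 dave 2fa_changed
2016-10-18T12:03:00 dave help_request reason=compromised
"""

# Settings an attacker rewrites right after a weak reset to lock the owner out.
LOCKOUT_CHANGES = {"recovery_email_changed", "name_changed", "2fa_changed"}


def parse_events(text):
    """Turn the log text into dicts with a parsed timestamp and key=value attrs."""
    events = []
    for line in text.strip().splitlines():
        ts, account, name, *attrs = line.split()
        ev = {"ts": datetime.fromisoformat(ts), "account": account, "event": name}
        for attr in attrs:
            key, _, value = attr.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def review_needed(events, window=timedelta(hours=24), min_changes=2):
    """Accounts whose history shows, within `window` after a password reset
    that used only partial proof of ownership, both:
       - at least `min_changes` distinct lockout settings changes, and
       - a help request claiming the account was compromised.
    No single event triggers this on its own, so a forged help request
    (the DoS concern raised above) does not freeze an account by itself."""
    by_account = defaultdict(list)
    for ev in events:
        by_account[ev["account"]].append(ev)
    flagged = set()
    for account, history in by_account.items():
        history.sort(key=lambda e: e["ts"])
        weak_resets = [e for e in history
                       if e["event"] == "password_reset" and e.get("proof") == "partial"]
        for reset in weak_resets:
            later = [e for e in history if reset["ts"] < e["ts"] <= reset["ts"] + window]
            changed = {e["event"] for e in later if e["event"] in LOCKOUT_CHANGES}
            reported = any(e["event"] == "help_request" and e.get("reason") == "compromised"
                           for e in later)
            if len(changed) >= min_changes and reported:
                flagged.add(account)
                break
    return flagged


if __name__ == "__main__":
    print(sorted(review_needed(parse_events(SAMPLE_LOG))))   # ['alice']
```

In the constructed log only alice matches: bob has a weak reset and one change but no report, carol files only a help request, and dave's reset used full proof of ownership. The output is a review queue for a human, not an automatic lock, which is all the original suggestion asked for.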


Yeah, I could believe that it would create too many false positives and in retrospect things do often seem easy.

Google and other service providers do have data to evaluate the benefit and cost of making decisions based on patterns, and they probably do.


But the benefits are to them and the costs are to us =P

That said, I have no idea how to do account recovery if you cannot trust the phone number.


What I recall reading over the last year is that:

- phonelines can be hijacked (this article)

- DNS can be hijacked in a similar manner

- SMS can be hijacked (for 2FA via text message)

I guess 2FA using an authenticator app is the way to go for now. Do you guys agree with the removal of backup phone numbers recommended here? Seems reasonable to me but scary; I've lost my phone(s :( ) before. I do have backup codes generated though.


The problem with the backup codes is that I have so many now. Pretty much a list of codes for every account I have 2FA enabled on (about a dozen). If I actually printed them out and kept them in my wallet, my wallet would be overflowing by now.

Authy has been a great improvement over Google Authenticator for me. I primarily used it when I migrated phones for the umpteenth time, but were I to lose my phone, I could also restore the database on my tablet in the meantime and use that instead. The prospect of doing so does leave me a little concerned, however, because my phone has full-disk encryption enabled while my tablet does not.


I recently turned on 2FA on a bunch of accounts (nine total) and ran into the same problem. My solution was to save the initialization QR codes and print them on a piece of paper (actually three copies, stored in separate locations). This involved a bunch of screenshotting and messing around in gimp and was in general a big pain. But if my phone dies, restoring my 2FA setup will be much simpler than using backup codes: I just have to scan codes; the account providers aren't involved at all.

(I do also keep a few backup codes for the most important accounts in my wallet.)

I know Authy can back up 2FA state to their own cloud, but it's unclear how secure this is: they let you restore codes onto a new phone with the same number, and apparently even to a brand new phone (https://www.authy.com/phones/change/). So it seems like stealing a phone number would allow an attacker to steal 2FA codes stored in Authy.

(What I'd really like is a TOTP app that let me back up its state into a single giant QR code or a small file that I could print out in hex and scan+ocr later.)


>So it seems like stealing a phone number would allow an attacker to steal 2FA codes stored in Authy.

You're required to set a password on your Authy database before you can start adding tokens to it. So when I transferred my Authy database to a new phone (had to send in the old one for a replacement), I had to confirm the password before it would sync to the new device. Authy also bugs you about once a month to confirm your password phrase to make sure you don't forget it.

Additionally, you can set a PIN that Authy will prompt you for any time you try to open the app. I have that set, as well, so that even if someone should get past my lockscreen, they can't reach my 2FA tokens without another PIN.


> You're required to set a password on your Authy database before you can start adding tokens to it.

That's not true. Passwords in Authy are for backup, which is optional. Backup synchronizes offline TOTP secrets between paired devices. Only the offline TOTP secret is encrypted; the token name is not.

"Authy Account" secrets, the ones created by the Authy API, used by Coinbase, Cloudflare, et cetera, are always stored remotely, and can be restored without a password to anyone with possession of your phone number and email account.

I wrote about this a little over here:

https://news.ycombinator.com/item?id=12603380


I did a similar thing except I converted the QR codes to unicode-art and saved them in a GPG encrypted file. It's probably not as safe as hardcopies in a safe, but it's more convenient (and it was fun reading QR codes out of a terminal window).

Authy makes me a little nervous (since it's closed source and I can't be sure exactly what they are doing), but at least they claim to encrypt the keys on the phone before they put them on their servers. They state on their site repeatedly that if you forget your encryption password the keys are gone and they can't do anything about it.
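What the QR-code and GPG-file backups in the comments above actually preserve is the TOTP seed: with the seed and a clock, any device regenerates the same codes without the account provider being involved. As an added example, not code from Google Authenticator, Authy or the thread, the block below parses an enrolment URI, computes RFC 6238 codes, and round-trips the seeds through a plain-text backup. The URI is constructed from the RFC 6238 reference key, and the "second device" is just a second call with the restored seed.

```python
"""RFC 6238 TOTP from an otpauth:// URI, plus a plain-text seed backup.

Added example, not code from Google Authenticator or Authy. EXAMPLE_URI is
constructed from the RFC 6238 reference key; the "second device" is just a
second call with the same restored seed.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, quote, unquote, urlparse

# Constructed enrolment URI (what the QR code encodes); the secret is the
# base32 form of the RFC 6238 test key "12345678901234567890".
EXAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
               "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30")


def parse_otpauth(uri):
    """Pull label, base32 secret, digit count and period out of an otpauth URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("only otpauth://totp URIs are handled")
    q = parse_qs(u.query)
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": q["secret"][0],
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }


def totp(secret_b32, unix_time, digits=6, period=30):
    """HMAC-SHA1 TOTP: the code depends only on the seed and the clock."""
    secret_b32 = secret_b32.upper()
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    counter = int(unix_time) // period
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation, RFC 4226
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def code_for(uri, unix_time=None):
    """Current (or given-time) code for one enrolled account."""
    p = parse_otpauth(uri)
    return totp(p["secret"], time.time() if unix_time is None else unix_time,
                p["digits"], p["period"])


def export_seeds(uris):
    """One 'label<TAB>secret' line per account. This text IS the complete 2FA
    state: whoever holds it can mint your codes, so encrypt it (e.g. with GPG)
    before printing or storing it."""
    return "\n".join("%s\t%s" % (parse_otpauth(u)["label"], parse_otpauth(u)["secret"])
                     for u in uris)


def import_seeds(text):
    """Rebuild otpauth URIs from an export_seeds() backup (a re-enrolment that
    never involves the account provider)."""
    uris = []
    for line in text.splitlines():
        label, secret = line.split("\t")
        uris.append("otpauth://totp/%s?secret=%s" % (quote(label, safe=""), secret))
    return uris


if __name__ == "__main__":
    backup = export_seeds([EXAMPLE_URI])
    restored = import_seeds(backup)[0]
    now = time.time()
    print(code_for(EXAMPLE_URI, now) == code_for(restored, now))   # True
```

The backup text is a few dozen characters per account, which is why it fits in a single QR code or a hex printout; it also shows why the encryption password on a cloud backup matters, since the seeds are the only secret in the whole scheme.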


> If I actually printed them out and kept them in my wallet, my wallet would be overflowing by now.

It seems unnecessary (and easy to lose) to carry them around in your wallet. I print them out, and leave them in an envelope at my parents' house.


Put your recovery codes on an offline SD card somewhere safe in your house. I keep mine in a literal safe.


SD cards don't last forever. I've had 3 different cards seemingly randomly corrupt in different devices on me. I don't trust them to hold anything important for long.


Print them out on paper then. Paper stored properly will outlive you and any services you need recovery codes for.


I keep them in LastPass, along with the passwords themselves. That does make LastPass a single point of failure for me, but I know myself and know that I'm not gonna remember where I put all of my one time recovery codes.


Yeah, I'm also scared of LastPass being a SPOF. While LastPass does do a good job, no one is perfect, and the cost of having my account compromised is really high.

I'm now leaning towards encrypting backup codes with a passphrase and putting the encrypted blobs in LastPass. I haven't actually done this but as long as I don't forget the second passphrase, that might work…


I find it far simpler to make a secure backup of the authenticator QR code than it is to save all of the one-time backup codes.


I wish it were possible to print a sheet of QR codes for all your 2FA accounts in Authy. The in-app backup seems to work well, but an easy offline backup would make me a lot more comfortable.


2FA requires a phone number (for google accounts)


It does not. I had TOTP 2FA only on my last work account and it was company policy not to add phone numbers for security reasons.


https://i.imgur.com/SCxAk0V.png is what I get if I try to add two fac to my account, doesn't seem to be any way around it


This is what I see on my personal GApps account: http://i.imgur.com/YHAOFlZ.png

TOTP 2FA with no recovery options.

Maybe they changed their policies since 2014 :/


It's not the first time that Verizon transfers an account like this...

Have a look at this other story from last month, "On Phone Numbers and Identity":

- https://medium.com/the-coinbase-blog/on-phone-numbers-and-id...

- https://news.ycombinator.com/item?id=12597609

"It turns out the attacker was able to impersonate the employee on a call with Verizon"


Once I had my SIM card stuck in my phone. So when I wanted to use a different phone, I bought a new SIM card kit online and brought it to a T-mobile store. I told the clerk my SIM card is stuck in this phone so I want to transfer my number to the new SIM card. He asked for my phone number then scanned the new SIM card and transferred the number. I didn't have to provide any identity or proof that I actually own the number. It's scary how easy stealing someone's phone number can be.


Kind of related, but any Googlers here? Can you please make Google send notifications whenever someone tries to log in to an account and is required to do anything other than typing in their username/password? I REALLY should know when someone is trying to respond to a 2FA prompt or answer my security questions or use SMS or email to reset my password... it's ridiculous that these don't all result in emails right now.


I work at Google (I don't work on this stuff though, so I'm basically just another random commenter.)

We do send an email when you log in from a new device. What would you do if you got an email about failed attempts to login / reset password?


I get notifications about that from Facebook sometimes. It is a bit unnerving to hear that someone is attempting to repeatedly log in with my email address, but it certainly prompts me to make sure my accounts are locked down well.


Do you have an email address that may be similar to others?

My work recently implemented a login process for customers and it was surprising how many user errors we had related to names/emails that were similar (so bob@gmail.com vs nob@gmail.com etc - these were not the actual addresses but you get the idea).


> login

> emails

There's your problem. If autocomplete didn't exist I'd go nuts having to type my email address, and clearly those people don't have autocomplete or they wouldn't be making mistakes. Just use usernames.


Then nobody remembers their user name, I don't remember any of mine. If I didn't have LastPass I'd be password resetting on every financial account I have.


Unfortunately that was a management decision rather than technical decision!


> We do send an email when you log in from a new device.

Which is a non-optional pain in the butt if you don't store cookies. Every login is a new device. Twitter does the same, I got so tired of cleaning up my inbox that I rarely log in anymore without a good reason. (I already didn't log into Google without good reason so that didn't change.)


Why wouldn't you store cookies?


From the biggest ad network in the world? The real question is: why do you?!


So that I get ads for microcontrollers, FPGAs, and PLL synthesizer chips, and not fishing supplies, groceries, or feminine hygiene products.


> We do send an email when you log in from a new device.

AFTER login? or before? I need to know when someone is trying to attack me, not when they've already succeeded. Otherwise what's the point? At least if I know beforehand that someone knows my password but failed OTP check then I can change my password, right? Why does Google not tell me when this happens? It's like common sense...


On the Internet? You'll get alerts that people are trying to hack you every single day. There are whole botnets that go around just trying to authenticate to everything everywhere using usernames sniffed from other hacks and every password under the sun.


I doubt they attack every single account every single day. At that point Google should just ban the IPs doing that. Or at least turn off notifications for those IPs.

Anyway excessive notifications are a solved problem. You can limit the notifications to one every month, and you can allow the user to disable them. But I would certainly like to know if someone tried to login to my account, and I think it would make regular users more security conscious.


+1 same. Responses like the one you just replied to completely drive me nuts. If you don't think it'll be useful for me then let me disable it. Don't use it as an excuse.


In the last week my host has blocked 173 different IPs for attempting to guess passwords on SSH. And I don't even have password authentication enabled on SSH.

And this is on a nothing host. Almost completely anonymous and yet under constant attack.


Did you even read my comment? The most important scenario I just referred to was AFTER the password is typed correctly. Not before. I'm pretty damn sure botnets aren't going around entering my password correctly.


> We do send an email when you log in from a new device.

Which is useless, because whoever got access can just delete it or change your password.


They send emails to the alternate account.


Which is very nice as a family member who is the recovery contact for many other family members. Wish this shit could be turned off, I've never heard it help anyone (though I'm sure we can find a stranger on the internet who can testify how useful it was for them).


Use rules and labels to bypass your inbox. I use it in the same manner as you and it has come in useful to recover their passwords.


Another issue with sending Google verification reset codes over SMS is that a lot of "Google Phones" allow for viewing text messages/headers while the phone is "locked." Therefore if you leave your phone (even for just a few seconds), someone could quickly gain access to the reset vectors. Looking at the DNC leaks for example, if an attacker had the phone number of a high-profile target, located them in person, and then executed a reset "event", they're now in very serious jeopardy, assuming the attacker gets physical access to the target's phone for just a few seconds. (Edit: The attacker might also have the ability to view their phone through a high-resolution camera as the target pulls up the text message, thus allowing the attacker access to codes without physical access to the device.)


If you are ever required to give a phone number but don't want to then you can use an official fictional one. This means no-one else will have access to it (or be annoyed by it). Same with email addresses.

If you need access then you could use https://smsprivacy.org or https://dtmf.io. I've not tried these though. Or of course you could build something yourself with https://www.twilio.com or https://www.nexmo.com.

I wrote a bit about this here: https://unop.uk/phone-numbers-for-examples-and-user-identifi...


Google seems to think phones are very secure:

https://support.google.com/accounts/answer/183723

Why mobile phones are more secure

Your mobile phone is a more secure identification method than your recovery email address or a security question because, unlike the other two, you have physical possession of your mobile phone.


...until the moment where you don't anymore.


Being more secure than a security question is a very low bar.


>Eventually, with the help of Google’s customer support

That he was able to contact someone at customer support for his Gmail account was the most amazing thing in this article!

> and some ex-colleagues who still work at Google,

:( That's why


Using a phone as a login credential is risky from a reliability point of view. At least with passwords and security questions you can (in theory) have 100% dependable access to them anywhere in the world if you memorize them, back them up, or put them on an encrypted USB flash drive or in an encrypted cloud location.

You can't do that with a phone. You can't duplicate your SIM card. If your phone is lost, broken, stolen, or your service is cut off or unavailable for whatever reason, you're screwed. At least with passwords, security questions, or hardware tokens (of which you can have several), you maintain reliable access no matter what if you've made backups.


You can't duplicate your SIM, but your phone carrier can. In some countries, this involves them checking your government-issued ID in person, which is handy for Google as a way to outsource the ID-checking requirements.

The issue is that they don't discriminate between carriers that perform good identity checking and those that don't.

(Reliability is actually well-addressed by Google - they offer this as a supplement to the other forms of verification they provide.)


I think with centralization comes control, arbitrary rules, surveillance, potential for abuse of power and loss of end user control.

The fact that it keeps on becoming more and more difficult for individuals to run mailservers cannot be a coincidence.

The solution is decentralization at least for things like reddit, mail, search, social and other similar services. Multiple discrete 'old style' forums, search services, email providers and individual servers with dispersed control cannot be easily silenced, surveilled or subject to arbitrary rules.

I think the usual response is people don't care but I think that's because they don't know and may not have stopped to consider the consequences. And perhaps more important, before they didn't have to care. Now increasing creepiness from centralized providers means sooner or later users will wise up.

If parents for instance become concerned about privacy issues they will go out of their way to protect their children and this can lead to new more privacy aware services, rules, and distributed applications. It also makes centralized unicorns based out of SV less of a desirable thing.


This doesn't even take into account how inherently insecure actual mobile networks are. Human factor notwithstanding.

Using GSM? Your recovery code is sent essentially plaintext over the air.

Think you're not using GSM? I'll just follow you around until you are (say, if you go out of town).

Since I'm already following you around, maybe I'll just jam your 3G/4G for a minute. Save us the waiting around.

Disabling 2G on your phone is a shitty solution. I want to be able to receive calls/SMS even if it's insecure.

TL;DR:

My account -> Sign-in and security -> Signing in to google -> Account recovery options -> Recovery phone -> Remove number


By the time I have you (or anyone else) following me around to hack me, I've got way bigger problems than losing my Gmail account.


I don't know.

I can imagine you saying the same thing about the case in OP's article.

The attack was targeted. The attacker knew your name, phone number and email address. The attacker went through some real effort to hack you (SEing reps, buying SIMs, burner iPhone, taking some risk).

How much further do you think they were willing to go? Not enough for a $200 plane ticket?

You have a problem the moment someone capable has targeted you. For the attacker, it is just a matter of choosing the easiest attack vector. Today it was Verizon reps. Tomorrow it may get a bit more difficult.


Phone diversion can also be used to confirm large bank transfers; this happened to a friend of mine in 2012 http://williamedwardscoder.tumblr.com/post/24949768311/i-kno...


Huh. I wonder if the author had seen this video https://m.youtube.com/watch?v=Q00OZ_Xk24w which describes a similar story and recommends a solution based on the same factors (2FA on a number no one knows under a fake name).

But anyway I don't understand why he thinks it's some kind of shocker that this makes it less secure. It's another access method. Recovery options are obviously attack vectors.


One thing that I don't see mentioned: The attacker doesn't need to know the victim's email address or even name, if they have a compromised phone number.

If you go to mail.google.com and say "Find My Account," you can enter a phone number directly, and then proceed with SMS-based recovery, if it's enabled.

This means that any time an attacker gains access to a phone number, they can plug it into gmail and fish to see if they can break into an account.


Adding a phone number that people KNOW about can make it LESS secure. A workaround is to get a phone number that is only used for identity verification and not given out to anyone.


That sounds like a good fix, but a tall order for most people.


One way to accomplish this would be with, ironically, a Google Voice-type service (but associated with a completely independent email provider)


This can actually be problematic. I've found many 2FA services use text services with shortcodes which sometimes do and sometimes don't work with services like Google Voice. Back when I used Voice, my actual cell number was only used for identity verification.


Not really, there are phones out there that have two SIM-card slots.


This works as long as they don't insist on verifying you through that secondary phone number (this is the case for now for Google I think - if something suspicious is going on, they ask you if you want an sms with a verification code, or an email to a secondary address; but maybe not all services with 2FA make this optional).

It's not fun to have 2 phones always with you. But maybe the 2-SIM devices will become more mainstream soon, which can solve this problem.


You don't have to have a second phone (or even just a SIM card) with you, you can keep it at home.


The reason why they use the phone in the first place is that you will always have it with you. The reason why you have your phone with you is because you use it to make phone calls. Unless you are suggesting buying a phone that supports dual SIM cards, I think this idea is not very practical. Why not have a physical TFA device instead (they are usually much cheaper and lighter than a phone)?


That's a good point. Though I think it would be challenging to have a phone number that no one knows which you also carry around with you.

It's possible if you use something like Google Voice for most of your regular calls, but you still need to make sure that the telco can't tie your name to your number…


A solution would be to not add a phone number, and store the password in a password database instead.


In Turkey, if you apply for a new SIM card (let's say you have micro and you want nano) then you cannot access your bank account (for example Garanti Bank, probably other big banks too). Doesn't matter whether you try to access the bank via your PC or phone or via your home telephone, a message appears saying that your SIM card has been changed and thus you need to re-validate yourself. So, this means that the banks and mobile operators share data.

Plus, if you apply for a new SIM card and you have changed information in your ID, such as your father having changed his name or you having corrected your birth place, then your ID is sent to the government and only when the government gives permission can they give you a new SIM.

If you are not the owner of the SIM card no one talks to you.

If you want a new phone number then you must register with your ID.


Off topic, but I am really curious. What would be a reason for your father to change his name in Turkey? Is men changing their name common in Turkey?


For example when you apply for Turkish citizenship your father's name is let's say Philipos, and you have a father with that name until he also becomes a Turkish citizen with a new name let's say Filip. Now you have to update your ID.

I've heard that some police or military people change their name because they killed many terrorists.

But the most common problem is with birth dates. Some of my friends had such birth dates in their IDs: 0.0.1984 or 5.12.1885 (should be 1985). Why? Actually they have a birth certificate in Bulgaria, even with hours. But when they became citizens of Turkey an idiot public service officer wrote it wrongly on a paper, and now you need to prove that you were born on that date with a diplomatically certified and translated birth certificate that you have obtained from your home country, which is a possible but long and boring process. Instead they auto-correct to the middle of the year: 1.7.1984.

Especially in some eastern places before the 90s they didn't write birth dates because, you know, it's "boring paper work" for them.

Or a parent says that their daughter's name is Gizem but the public servant writes İzem.

This is why this country is called a developing country. They can't write something properly.


Not sure I like the idea of the state being so heavily involved in this process.

Then again as a UK citizen they probably have access to my phone any way.


Yes, I don't like it either. Some of these are to prevent terrorism, which is a big issue in Turkey, and some are because there is no proper philosophy (only daily changing idiotic religious thoughts). And as if this is not enough, they cannot process it properly. They leaked the Turkish citizen database (yeah, address, full name, citizenship ID), they leaked Turkish mobile phone numbers, they leaked the president's private (yeah!) phone conversations.

And worst, laws mostly stay for a life time.


Two years ago, I added a friend on to my phone plan so that he could call his sick mother. I made it clear to Telus (my carrier) that he should not be able to modify the account or discuss account details with them, and they assured me that he wouldn't without both my PIN and express permission to add him to the account administrators list. Three months later he walked into a Telus store and got a new iPhone with a 2 year contract on my plan. When he stopped paying what he owed, guess who got stuck with the early termination fee?


Can Americans explain to me how you can just do things like that by calling customer support? Wouldn't it make more sense to go and show your ID if you want to make changes like that?


Where would you go to show ID? In many places in America, the closest telco customer service office may be a 2 hour drive away. Everyone saves time/money by being able to do it over the phone; but unfortunately the customer service reps are usually poorly trained.


Training shouldn't really be a factor here. The software systems shouldn't let social engineering hacks work. Why is the customer service rep allowed to override whatever prompt ask for a PIN number? If this override is really needed it should be a higher ranking support member or manager who can do this.


for practicality, you should be able to set your customer service security preferences to tighten or loosen this.


In your call with customer support, questions are asked to verify your identity.

They aren't as accurate as physically showing your ID, however. Not that I'd want my ID digitized though.


>Not that I'd want my ID digitized though.

Not that it isn't already. Every state's DMV has it, and there must be some kind of database/API that allows law enforcement to access it.


Does anyone know anything about the security with regard to using other providers (e.g. twilio or google voice) as a recovery number?

Let's say my recovery number is actually a google voice number that's connected to a separate google account, but not forwarded to my actual cellphone (i.e., I'd have to login to my other google account to view the recovery code). Thoughts?


The specific flaw exposed in this story is not exploitable with providers like Twilio and Google Voice, because they don't assign phone numbers to devices with SIM cards.

Verizon is the bad guy here, since they agreed to re-route SMS traffic from the account holder's device to a new device without properly confirming that the request was coming from the account holder.

Technically there's nothing stopping a motivated attacker from attempting the same social engineering attack against a Twilio or Google Voice number, but getting those providers to re-route SMS isn't as simple as just calling and saying "my iPhone broke, I need you to assign my number to my new phone" like you can with Verizon.

The attacker would need to know some particulars of the SMS routing protocols of Twilio and Google Voice to achieve a similar result.


These are recovery options. By definition they make your account less secure by adding additional entry points for both you and a potential attacker.

I have 2 factor enabled and did some testing.

Security options:
Account Recovery: email (phone # disabled)
2 factor: Recovery phone #, backup codes

All of these require you to provide them. Phone number is given as XXX-XXX-XX12. Email is userna*@domain.com.

Failing all of those options, Google asks you to provide an associated email to help with recovery. It then provides a freeform text field for you to explain the situation and expect a response in 3-5 business days. If you have a secondary less-secured email address this could be a viable vector.

tl;dr two factor seems to add an additional layer of security / accounts that an attacker would have to compromise if appropriately configured. Recovery options weaken your security and you should be cautious when configuring.


I have this weird thing in my google account.

When I set up my 2 way authentication, I noticed my account has a phone number added, which I don't recognize at all. The phone number has a Florida area code. I have never been to Florida. I emailed google about this, asking how the number was added? I didn't get any reply.


Honestly, did you expect a reply from Google? Have you ever had one?

Even people I was friendly with on forums or social networks that were employees for Google (or Microsoft for that matter, or both in one occasion) stopped responding when I mentioned anything from "heads up (since there is no contact listed for product x): there's a bug here, you might wanna forward that" to "do you know why this is that way?" It's a really weird experience. I've stopped trying to contact tech giants that are too big to care about an individual.


I think that for a lot of people, the added access is worth the security risk: they're more likely to forget their own password than to be hacked.

One of my mom's friends had gone through the Gmail password reset process a few times, but she called me one day kind of frantic because she could no longer reset her password (or remember the old one).

It seems that previously Google had allowed either a phone call or an SMS to the phone number on her account, but had recently taken away the call option. Her phone was a landline that couldn't receive SMS messages.

She didn't have (or couldn't access) a backup account and couldn't remember the answers to any of her security questions, or at least not enough of them.

I think she just gave up and switched to Yahoo.


I bought a Yubikey for $40 and now use that as my second factor for my Google Accounts. It's quite durable and fits on my keychain. Love it!


I always thought Google was trying to tie your gmail account back to a cell phone number so they could help end anonymity on the Internet. Or else give the information to the NSA or something. I'm trusting Google less and less these days.

At the very least, Google should not have come out in favor of a particular Presidential candidate. Corporations have become incredibly powerful entities, able to affect the lives of all their employees and many others. If they can't wield this power ethically, they need to be shut down or we risk suffering under fascism.


Don't understand the downvotes. Thought this was widely acknowledged.


It's widely acknowledged by the paranoid. The reason why so many services started requiring a phone number at signup is that it's an extremely effective anti-spam technique. Of course, the paranoid people aren't necessarily wrong either.


I imagine adding a phone number to your Google account is more about Google having a particular phone number explicitly linked to an account for their information graph rather than for security reasons.


Two factor auth using SMS is increasingly becoming a risky option. For now I have it on my personal accounts, but I'm considering changing over to Google Authenticator.


This is how Russians hacked social media accounts and public emails of British MPs last year.

It is assumed that they procured IMSI IDs of MPs from open sources (databases of gaming companies (this is why Google lets apps read your IMSI) or advertising cookie brokers).

Then, they used Russian cell phone networks to announce a "Roaming transfer" of their phone numbers from BT to them and then used an "SMS login" and password recovery on their Snapchats/Twitters/WhatsApps. Once they logged into them, it is believed that they downloaded past conversations and other data through synchronisation APIs.

Back then, Google only confirmed that they did send a recovery SMS to one account, but the hackers didn't manage to answer a security question. This probably deterred them from attempting to try the same trick on the Google accounts of other MPs whose numbers they pwned, or maybe Googlers simply made that up to cover their asses.

Amazingly, many cell operators don’t check the digital signature on roaming requests, nor require the roaming counter-parties to pass them through.


Google fills my droid with bloatware. Even worse: all of Google's apps will not work without Google Play Services, which is a super abusive app: among other things, it logs ALL MY ACTIVITY 24-7. So, if Google already runs apps with such privileges, why not add a small app that mimics WhatsApp's SMS verification? After verifying that a given SIM is installed on the phone where my Google account has been authenticated, it can establish a secure tunnel to send me 2FA codes. If a hacker were to clone my SIM and even have my Google password, they could be prevented from logging in until I grant permission from the first install/verification. Should I lose/change my phone, Google would not allow a second verification unless a PIN is entered (which I created on the first SIM verification). Another approach that avoids the PIN would be a delay before authenticating the second install. If I get 24 hrs and a notification that I have logged in on a second device, I certainly have enough time to fix any possible hack.
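As an added example (not code from the thread, and not anything Google ships), here is a small Python model of the enrollment policy sketched in the comment above: 2FA delivery is bound to one verified (SIM, device) pair, and moving it to a second install needs either the PIN chosen at first enrollment or a 24-hour cooling-off period during which the currently bound device is notified and can cancel. The identifier names, the PBKDF2 choice for the PIN and the 24-hour window are assumptions made for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional

DELAY = 24 * 3600  # cooling-off period in seconds before a second device is trusted (assumed)


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # PBKDF2 so a leaked binding record does not expose the short PIN directly
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass(frozen=True)
class Binding:
    sim_id: str      # identifier of the SIM the app verified (hypothetical)
    device_id: str   # per-install identifier of the handset (hypothetical)


@dataclass
class PendingRebind:
    binding: Binding
    ready_at: float  # unix time after which the new device becomes trusted


@dataclass
class Account:
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    pin_hash: Optional[bytes] = None
    binding: Optional[Binding] = None
    pending: Optional[PendingRebind] = None
    notices: List[str] = field(default_factory=list)  # what the bound device would be shown

    def first_enroll(self, sim_id: str, device_id: str, pin: str) -> None:
        """Initial SIM/device verification; the PIN chosen here guards later re-binding."""
        if self.binding is not None:
            raise ValueError("already enrolled; use rebind()")
        self.pin_hash = _hash_pin(pin, self.salt)
        self.binding = Binding(sim_id, device_id)

    def rebind(self, sim_id: str, device_id: str, now: float, pin: Optional[str] = None) -> str:
        """A second install asks to receive codes. Returns 'bound' (PIN correct),
        'pending' (no PIN given: cooling-off period started) or 'rejected' (wrong PIN)."""
        if self.binding is None or self.pin_hash is None:
            raise ValueError("not enrolled")
        new = Binding(sim_id, device_id)
        if pin is not None:
            if hmac.compare_digest(_hash_pin(pin, self.salt), self.pin_hash):
                self.binding, self.pending = new, None
                return "bound"
            self.notices.append(f"wrong PIN from device {device_id}")
            return "rejected"
        # No PIN: start the delay and tell the bound device so its owner can cancel.
        self.pending = PendingRebind(new, now + DELAY)
        self.notices.append(f"device {device_id} requested access; trusted in {DELAY}s unless cancelled")
        return "pending"

    def cancel_pending(self, device_id: str) -> bool:
        """Only the currently bound device may cancel a pending rebind."""
        if self.binding is None or device_id != self.binding.device_id:
            return False
        self.pending = None
        return True

    def can_deliver_code(self, sim_id: str, device_id: str, now: float) -> bool:
        """Should a 2FA code be pushed to this (SIM, device)? A pending rebind whose
        delay has elapsed without cancellation is promoted first."""
        if self.pending is not None and now >= self.pending.ready_at:
            self.binding, self.pending = self.pending.binding, None
        return self.binding == Binding(sim_id, device_id)


def demo():
    """Walk through the cloned-SIM attacker and the legitimate new-phone cases."""
    acct = Account()
    acct.first_enroll("sim-A", "phone-1", pin="4921")
    t0 = 1_500_000_000.0
    attacker = acct.rebind("sim-A", "burner", now=t0)                    # cloned SIM, no PIN -> 'pending'
    blocked = acct.can_deliver_code("sim-A", "burner", now=t0 + 60)      # False: still cooling off
    cancelled = acct.cancel_pending("phone-1")                            # owner saw the notice -> True
    later = acct.can_deliver_code("sim-A", "burner", now=t0 + DELAY + 1)  # False: request was cancelled
    legit = acct.rebind("sim-A", "phone-2", now=t0, pin="4921")           # new handset with PIN -> 'bound'
    ok = acct.can_deliver_code("sim-A", "phone-2", now=t0)                # True
    return attacker, blocked, cancelled, later, legit, ok


if __name__ == "__main__":
    print(demo())
```

The two cases worth noting are that a wrong PIN does not start the clock (otherwise an attacker could guess freely and fall back to waiting), and that an uncancelled request is promoted only when a code is actually about to be delivered, so the bound device keeps the full window to object.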


SIM swap fraud has been common in South Africa for years, and bank accounts were being cleaned out before the cell networks tightened their procedures. Yet I've started to see reports of similar scams in the developed world.

I'm surprised that anyone is surprised by this. Perhaps the time has come for a more global approach to security.


Would using a dedicated phone number (sim) that is not shared with any other service protect you from this? Basically nobody besides Google and you would know of this number. In India dual sim phones are very common and I've been thinking of getting a second sim (phone number) for this purpose.


Well of course it makes your account less secure. It's another attack vector. As shown in the post, Google doesn't say add a phone number "to make your account more secure", it says "so you don't get locked out". Intuitively, making it more difficult to get locked out of your own account would likely make it easier for someone else "not to be locked out" of your account.


Google does another stupid thing (or at least it used to do two years ago, but I think it's still doing it): when you pick Google Auth for 2FA, and for some reason you can't use it, you can still login to your account with an SMS code...

Like WTF Google? Any attacker could just as easily do that, too, anytime they want. As long as this remains true, Google Authenticator (or any other Google security measure that could easily be bypassed this way with SMS) has literally zero advantages over SMS, while retaining the disadvantages of being less convenient to use, etc.


SS7, phone numbers and telco stuff are built on trust, with a 1970s/1980s business model when the only people messing with the system was the ILEC.

It's trivially easy to fake scanned documents proving that you're authorized to port a phone number from one service to another. In this case there was probably no SS7 messing about at all, just somebody falsifying the info or socially engineering his cellular carrier to transfer the number to a new phone. Mitnick's "Art of Deception" book is an authoritative resource on this problem.


"there's not even a phone number to call or an e-mail address unless it's a paid product"

Well duh. What kind of support should Google offer to almost a billion users that pay nothing for the service?

"(and even then, they've got a less-than-stellar reputation for support of paying customers)."

Not from my experience. Have had to call them a handful of times on behalf of clients. A human always picked up quickly, and resolved my issue or answered my question. Also followed up.


@vijayp Please retitle your post to add "In North America, anyone can take anyone's phone number". BTW aren't any of the Hacker News readers worried?


What are the security implications of using my Google Voice number as a backup phone number for my Google account (the same account)? I've been doing this for a few years, and it's been very convenient. Basically, any time I need to log in with a new browser or device, using the number for two factor SMS gives me codes on all other logged in Gmail windows, and on my phone.


I do this too, but it's circular. So there is a pretty significant risk of getting locked out entirely if your authentication tokens for your Google account expire on all devices at the same time.

Yes, that's unlikely. But if it happens, we're screwed.

A better option would probably be to set up two Google accounts with two Google Voice numbers and use them to cross-validate each other. I think I'll go do that now.
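As an added example (not from the thread), the circularity above can be checked mechanically: treat every account and recovery credential as a node in a directed graph with an edge to whatever you would use to get back in, then look for cycles and for nodes from which nothing held independently of an online session (a carrier SIM, printed backup codes, a hardware key) is reachable. The sample graph is constructed for the example and includes both layouts discussed in this sub-thread.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed sample, not real accounts: each key is an account or credential and the
# value lists what it relies on when you are locked out of it. A node with no
# dependencies is a "root": something you hold independently of any online session.
SAMPLE: Dict[str, List[str]] = {
    "gmail:alice": ["gvoice:alice"],      # recovery SMS goes to a Google Voice number...
    "gvoice:alice": ["gmail:alice"],      # ...that lives inside the same account
    "gmail:bob1": ["gvoice:bob2"],        # two accounts cross-validating each other
    "gvoice:bob2": ["gmail:bob2"],
    "gmail:bob2": ["gvoice:bob1"],
    "gvoice:bob1": ["gmail:bob1"],
    "gmail:carol": ["carrier-sim:carol", "backup-codes:carol"],
    "bank:carol": ["carrier-sim:carol"],
    "carrier-sim:carol": [],
    "backup-codes:carol": [],
}


def _nodes(deps):
    return set(deps) | {m for ds in deps.values() for m in ds}


def find_cycles(deps):
    """Depth-first search with grey/black marking; each cycle is returned as the
    list of nodes from its first node back to itself."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = defaultdict(int)
    path, cycles = [], []

    def visit(n):
        colour[n] = GREY
        path.append(n)
        for m in deps.get(n, ()):
            if colour[m] == GREY:                 # back edge: m is on the current path
                cycles.append(path[path.index(m):] + [m])
            elif colour[m] == WHITE:
                visit(m)
        path.pop()
        colour[n] = BLACK

    for n in list(deps):
        if colour[n] == WHITE:
            visit(n)
    return cycles


def unrecoverable(deps):
    """Nodes from which no root is reachable: if every live session for them
    expires at once, no recovery path remains."""
    roots = {n for n in _nodes(deps) if not deps.get(n)}

    def reaches_root(n, seen):
        if n in roots:
            return True
        if n in seen:
            return False
        seen.add(n)
        return any(reaches_root(m, seen) for m in deps.get(n, ()))

    return sorted(n for n in deps if n not in roots and not reaches_root(n, set()))


def shared_channels(deps):
    """Credentials that several accounts fall back on; one ported number or one
    compromised mailbox reaches all of them at once."""
    users = defaultdict(set)
    for acct, chans in deps.items():
        for c in chans:
            users[c].add(acct)
    return {c: sorted(a) for c, a in users.items() if len(a) > 1}


if __name__ == "__main__":
    for cyc in find_cycles(SAMPLE):
        print("cycle:", " -> ".join(cyc))
    print("no independent recovery root:", unrecoverable(SAMPLE))
    print("shared fallbacks:", shared_channels(SAMPLE))
```

Running it on the sample reports the single-account loop as a two-node cycle and the two-account arrangement as a four-node cycle; only the accounts anchored to a carrier SIM or printed codes have a recovery root, and the SIM shows up as the fallback shared by two of them, which is exactly the node a number-porting attack targets.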


>Bob didn’t have multi-factor authentication enabled

even if enabled, if it was set to send the code as sms it would go to ... the phone :-\


If you read all the way through, the article states this. Recommendation is "use something like Google Authenticator, etc..."


I wonder if a landline is more secure from transfer?

Anyone know if the procedure for transferring landlines is more painful for fraudsters?


Landline is easier to hijack though. I mean physically.


AFAICT, and this is supported by the Google screenshot shown promoting the feature, Google doesn't say the phone makes the account more secure, it says that it makes the account more usable, since it provides a way to recover from lockouts. This is one of many cases where usability and security aren't aligned.


I always failed to see why adding a phone number would be somehow more secure. However, I also knew this kind of attack was somewhat common for German online banking accounts using SMS TAN because service providers were easily convinced to send a new (second) SIM card to a new address they had never heard of before.


Another case of an attacker using phone porting to attempt to compromise accounts: https://medium.com/the-coinbase-blog/on-phone-numbers-and-id...


Ha! My telco in UK(giffgaff) does not have any phone customer support, so the only way anyone could ask for an account transfer would be through a webform....after logging in to my account. Doing which would also send a notification to my email address. Feels slightly safer now.


I wonder if having a really shitty prepaid carrier for this purpose or a commercial account is a viable strategy?

A lousy MVNO is impossible to contact in any situation. Usually with business accounts the carrier refuses to talk to anyone except the designated account manager.


TLDR: Telcos really are the weakest link, and you should not rely on your mobile phone number for 2FA.

Background: I have worked in IT Security at an Australian bank, and had close ties to the Internet Fraud department to help them understand fraudster's tactics.

Many banks use SMS for 2FA. Australia has a law regarding how long it should take customers to switch telco providers (called 'porting' because you retain your phone number), and the timeframe in which this must be completed (90% within 3 hours, 99% within 2 business days). If the Telco doesn't complete in this time period, you can raise a complaint to the Telecommunications Industry Ombudsman.

Example: If you are currently with Telco A, to port your number to another company, you call Telco B and provide your details. They take care of the porting process, and you can have your service running on a new phone and SIM within 3 hours.

"All you need to have with you is your mobile number, the name of your old mobile provider, your account type (pre- or post-paid) and your account number. We'll handle the porting process from there. It can take from three hours to three days, but we try to do it as fast as we can." Source: https://www.cnet.com/au/news/switching-telcos-easier-than-yo..., 2012

To make matters worse, the fraudsters would then change the details at the new Telco B (i.e. my address is now 123 Rainbow Road, and my mother's maiden name is Smith, not Jones). When the victim called Telco B, after Telco A told them a porting request had been completed, they'd say "Sorry, we have no idea who you are and the details you're providing don't match our records". It can take days to sort the whole thing out, by which time your Internet Banking has been compromised and funds transferred out.

This was a major problem for Australian banks, because they cover the losses for customers if you lose funds as a result of Internet Banking, as long as you weren't negligent (e.g. you left your Internet Banking logged in on a public computer in a library, or something).

If you are relying on your telephone number as a security mechanism, I would change to something else. Something you have, ideally (Google Authenticator, a physical hard token, etc.).

Sources: ACMA Porting Rules for Telcos: http://www.acma.gov.au/Industry/Telco/Numbering/Portability/... Example A: http://lifestrategies.net.au/wp-content/uploads/2015/03/Marc... Example B: http://www.itnews.com.au/news/45k-stolen-in-phone-porting-sc... Example C: http://www.news.com.au/finance/business/banking/customer-sca...
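As an added example (not code from the thread, from Google or from any bank), here is the scheme behind the "something you have" recommendation above: RFC 4226 HOTP and RFC 6238 TOTP, which Google Authenticator-type apps implement. The shared secret is provisioned once (usually via a QR code) and lives only on the handset and the server; the code is derived locally, so a ported number or redirected SMS gives an attacker nothing. Standard library only; the secret and timestamps in demo() are the RFC test vectors, and the skew window, step size and replay tracking are the usual choices rather than anything a specific service mandates.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the big-endian 8-byte counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter = floor(unix_time / step)."""
    return hotp(secret, int(at) // step, digits, algo)


def verify_totp(secret: bytes, code: str, at: float, window: int = 1, step: int = 30,
                digits: int = 6, last_used: Optional[int] = None) -> Optional[int]:
    """Server-side check. Accepts the current step and +/- `window` neighbours to
    absorb clock skew, refuses any counter at or below `last_used` so a code that
    was already accepted cannot be replayed, and compares in constant time.
    Returns the accepted counter (store it as the new last_used) or None."""
    counter = int(at) // step
    for delta in range(-window, window + 1):
        c = counter + delta
        if last_used is not None and c <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c
    return None


def provisioning_uri(issuer: str, account: str, secret: bytes) -> str:
    """The otpauth:// form that authenticator apps read from an enrollment QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
            f"&algorithm=SHA1&digits=6&period=30")


def demo():
    """RFC 4226 / RFC 6238 test-vector secret; the timestamp is from RFC 6238 Appendix B."""
    secret = b"12345678901234567890"
    first = hotp(secret, 0)                         # "755224"
    at59 = totp(secret, 59)                         # "287082" (the RFC lists 94287082 for 8 digits)
    accepted = verify_totp(secret, at59, at=59)     # counter 1
    replay = verify_totp(secret, at59, at=59, last_used=accepted)  # None: already used
    skewed = verify_totp(secret, hotp(secret, 0), at=59)           # 0: previous step, within window
    return first, at59, accepted, replay, skewed


if __name__ == "__main__":
    print(demo())
    print(provisioning_uri("example.org", "alice", b"12345678901234567890"))
    print("current code:", totp(b"12345678901234567890", time.time()))
```

The replay check matters as much as the HMAC: a six-digit code is valid for a whole step, so without remembering the last accepted counter an attacker who shoulder-surfs or phishes one code can reuse it within the window.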


The phone companies have horribly bad security practice. I once had a phone number taken over by someone. When asked, the phone company just said, oh, someone called in and wanted to take over the billing of the account, so we let him. WTF.


This is a serious problem. In some banks having access to a phone allows the attacker to log in to a web client and transfer money from the account. And many web services rely on SMS as a method to restore the password.


If telco providers are not taken to court for the damages caused by changing plans without any verification, why should they change their practices?

Complaining on the internet won't help in this case.


Doesn't google voice or a static number from Twilio solve the problem if one cannot get the service that is required from Google free accounts?


Is it possible to sue Verizon, TMo, ATT for their failure to adhere to their own security practices for damages subsequent to a hack?

I think someone should try.


Someone is trying

https://krebsonsecurity.com/2016/08/a-life-or-death-case-of-...

Basically husband had a heart attack and when wife went to call for help her phone had been shut off by ID thieves. Husband died. Kids are suing Verizon for not preventing ID thieves. This story doesn't seem to make sense though because I thought a phone without service could still call 911.


Are there any startup email services that provide time-synchronized one-time-use passcode dongles with each account?


And Google uses dark patterns to incite you to add a phone number and a credit card number to your account...


they only respond to charge backs from credit cards


You sure those are not computers?


As a Project FI user, not an option unfortunately.


Yet one would suspect that Google, being both your telecom provider AND your email provider, would be less vulnerable to social engineering targeting one of their two services by means of the other.


>While Bob didn’t have multi-factor authentication enabled, he had also heeded Google’s suggestions to add a backup phone number to bolster security.

Ah, there it is. No two factor turned on.


If he was using SMS for 2FA, he still would have been compromised.


The article states that if 2FA is enabled, then answering a security question or access to the recovery email is also required.


"He used a very strong password (which was never used elsewhere)"

Am wondering .. how was the attacker able to compromise the account ?


I stopped reading here: "While Bob didn’t have multi-factor authentication enabled"


You shouldn’t have. Google trusted the phone too much, using it instead of the user-supplied secrets to determine who was allowed to access the account. Whether or not the account used multi-factor authentication seems quite perfectly irrelevant?


And this is a surprise because ... ?


How did Verizon move his services to an iPhone 4? Does it mean the attacker had physical access to his phone?


No, they just change in their system the IMEI or ESN that phone number is registered to so all incoming calls and texts start going to the phone the attacker owns. It's just social engineering where you pretend to be the customer and tell them you need to transfer your number to a new phone.


call them up and say you bought a new phone. Give them unique serial number of the phone and tell them to transfer service to it.


I've also noticed that there's something very surprising about how Google has implemented their 2FA. When I log into Gmail from a new computer, it does not text me an authentication code and then lock me out of the account until I enter the code. Instead it lets me into my account immediately with only a password, and then sends my phone a notification that someone has logged in from a new computer. Ignoring this notification has no consequence for the logged-in computer. Convenient indeed, but this is really not how I expect 2FA to work, and does nothing to prevent an attacker from reading the contents of your emails or sending fraudulent emails with nothing but a password.


That's not how Google 2FA works; you seem to have misconfigured something. When you actually have 2FA on (like I do), you must enter your one-time code after entering the correct password.


If I've misconfigured something, then it's news to me as to how. I've received 2FA texts from Google before, so I know that it used to work as expected, and I haven't been in my account settings for over a year. If something on my account has changed, then it's been out from under my feet without my understanding as to how.


Uhh, are you sure? I've never seen it behave this way and that doesn't make sense. Can anyone else corroborate this?

Normally after you enter your password it immediately asks for the 2FA authentication code. There's only one button and that's to verify the code. If you try to go to gmail.com before entering that code it will make you start the entire authentication process over again.


I can confirm that that's what happens to your account when you don't have 2FA enabled. Can you double check your settings?


I'm on mobile right now, and I don't see a way to check 2FA status from within the Gmail app. I can confirm that I've had it set up correctly before, as I've received an authentication code from Google as recently as September 28.


You should be able to visit https://myaccount.google.com in a mobile browser to check your 2FA setting.


Aha, thanks, that does indeed say that 2FA is disabled. But I'm seriously baffled as to how it became disabled, as I absolutely enabled it previously and have been receiving 2FA verification codes via text since at least May 2015. Is there some way of accidentally disabling 2FA for Google accounts? I haven't gotten a new phone for years, and I've made no other changes to my Google account for as long.



