Because Google doesn't have humans reviewing anything unless there's a direct link to marginal revenue/cost avoidance attached to that interaction that can be priced in. Their business model is to achieve scale through automation and machine learning; which means not doing things that would require manual intervention unless absolutely required.
Explicitly, this means that for free services like Gmail, humans aren't involved. Ever. Try getting support for a Google product and you'll see what I mean -- there's not even a phone number to call or an e-mail address unless it's a paid product (and even then, they've got a less-than-stellar reputation for support of paying customers).
I signed up for AdWords a long time ago and created a test campaign just to see what it looks like, but never completed the process, so I didn't have a payment method entered.
Fast forward to the start of this year: I created an AdMob account to put ads in one iOS game I have, and apparently as soon as I entered my credit card info, the old AdWords campaign started running and was taking $200/day. I noticed after two days and immediately stopped it and contacted support. They quickly got back to me, a person called me and explained that the issue was an error from their side, and they refunded me the amount. It took three weeks for the refund to occur, and during that time the guy called me at least once per week to keep me in the loop. I was surprised by this after all I've heard about Google's support. But I guess that's just one data point in the pool.
Nobody claims it's difficult; it's impossible via official channels. You have to make a scene on Twitter, so obviously if you value your time and reputation you just switch providers instead of being "one of those people".
I recently realized Windows 10 is going the same way and unfortunately it's much harder to not use your OS than Google or FB, and impacts your ability to use other purchased software.
I've actually had surprisingly good support from the $150/month plan for their cloud products. They get back to me quickly and give good advice (with custom code samples when needed).
I just wish I could pay $5/month for my regular GMail account and be guaranteed the same level of support.
Have had multiple issues with Google Apps and GCloud over the years and very promptly received phone calls from support (that I didn't expect). I live in Fiji, and have a tiny small business account (~$30/m).
Google would obviously start losing money though if people perceived Gmail as easy to hack.
It's called externalizing your costs, and Google is exceptionally good at it.
It's hard to justify Gmail these days other than the frustration of migrating off of it.
As a side perk, Australia has no equivalent to a National Security Letter, and FastMail is able to hence notify me of any government requests for access to my data.
Unfortunately we've got something pretty close: ASIO can designate any of its activities to be part of a Special Intelligence Operation at will, which makes any disclosure of the operation or its components into a crime (10 years jail if it 'endangers' the operation).
http://www.abc.net.au/news/2014-10-14/journalists-face-jail-...
Can absolutely confirm that.
However, there's a place for both Gmail and FastMail. Just know what you pay and what you're entitled to get for that price.
Having a human involved is not necessarily a solution; it can be another attack vector.
I guess the real question is what the data actually show.
Sure, I can see problems with that. My initial feeling is people will think that such support is a scam, but that at least shifts the position of Google from "we can do such support" to "we don't want people bad mouthing us so we're going to refuse to do that support even if it were prima facie profitable".
She went with my knowledge, but TMobile never called to confirm.
After which my phone no longer had service, and I had to install a new sim card prior.
While she did this with my knowledge, I no longer have access to make changes to the account, until she adds me to the list of authorized people, and I lost all my voice mail.
It's very disturbing that she could do this, without any sort of checks and authorization.
Also, FWIW, my wife and I do not share a last name, and she did not provide anything other than my phone number to TMobile. She was a new Tmobile customer, and I was an existing customer, albeit on a very cheap pre-paid plan.
My wife and I had separate accounts. I logged in with her account to the Rogers account site and added my phone number to her account with a few basic details that are on every statement sent in the mail....
I had a joint account with my wife as an owner.
Then my work had a corp plan with Rogers, so I wanted to switch to that, but since I am the employee, I had to be the account owner.
This isn't actually so simple.
They had to create a net new account with me as owner, and re-assign the phone numbers to the new account.
When I called in to their account support line, they asked for my 4 digit PIN. I said I have no idea what it is, the guy in the store just punched some numbers in when he set up the account and never told me.
They were okay with that and proceeded to ask me some details that are on my mailed statements....
Then they said they needed the account holder's permission. -- I was at work, my wife was out of town, I didn't feel like bothering her.
I said "hold on one minute, just let me get her". I put the phone on mute for 30 seconds, unmuted and changed my voice slightly: "Hello? Yes I am fine with my husband taking ownership and transferring the numbers"
"she" then passed the phone back to me and the rep proceeded with the transfer.
Our company's policy was "if they don't know the PIN you have to connect them to the call centre and have them verify for you" but customers are rarely impressed to be handed a phone to the overseas call centre.
I know I got it wrong at least once.
http://www.businessinsider.com/hacker-social-engineer-2016-2
I don't doubt that a telecom would do such a thing as you describe but have some hope that you're just not seeing the back end confirmation?
I paid for my t-mobile through my personal account.
I would have hoped they would have at least called the number and get confirmation first, prior to switching things over.
I bet I know which one of these resources was more important.
Good luck if you aren't a paying customer though...
I understand that they want to fight spam, but I'd be willing to spend 5 minutes doing captcha type activities in exchange for not requiring a phone number, and that should pretty severely rate limit account creation.
What happens to users that buy a new Android cell phone whose number has been burned by Google?
https://support.google.com/accounts/answer/1350409?hl=en
I switched to Fastmail after that.
Seriously, the interface is so much better than today's Gmail, it's astonishing. There is no spam either, and no ads.
That means users are shoveled into about one of 4 "acceptable" providers which have control of the entire market. They demand full name and usually gender, mobile, alternative email and more.
So you get pushed into their information pipeline to stop "spam".
http://penguindreams.org/blog/how-google-and-microsoft-made-...
I've been meaning to write a follow up after I met some Mailchimp devs at a conference. They told me at Mailchimp they have to slowly spin up new servers, sending e-mail through them slowly so Google registers their new SMTP IPs.
The other thing they told me: Mailchimp owns a /A, and can therefore separate out their servers from even being remotely related to any spammy subnets (common problem on 'cloud' hosting).
I'm wondering if I heard/remember that correctly. I mean, a class A is huge and would be crazy expensive. I've been looking through websites on ASNs and am trying to figure out how to verify that info.
Also, the problem is not limited to e-mail. There are some non-email services from Google. I'd be perfectly happy to sign up for a Google account where you can't send e-mails, or where you can only send e-mails to people who have sent you e-mails.
Having my phone number or any other hard identifier is none of Google's business.
This series of events could easily occur in legitimate cases. Say you lose or destroy your cellphone. Since you only ever logged in via your phone you don't know the password. Your recovery email was attached to a service you don't use because you normally use gmail. I'm not saying this scenario is a good idea just that it's probably quite common.
As a software developer I often hear from well-meaning users that are appalled that software didn't do-the-right-thing in some complex scenario that appears to have an obvious solution because the desired outcome is obvious. In reality, handling the corner cases is complex. Adding these obvious solutions to the code easily leads to even worse situations.
It's silly to depend on an email for authentication, then allow the hacker to just delete the email address before they change the password. Giving the old address the right of first refusal defeats that kind of attack and should be dead simple to implement since the framework was already laid down for the "verify your email" step during setup.
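One way to give the old address that right of first refusal, as an added example that is not code from the thread or from any provider: a recovery-email change only settles after the new address confirms and a grace period passes without the old address vetoing, and password-reset codes keep going to the settled address until then. The grace period, field names and outbox are assumptions for illustration.

```python
# Added example: recovery-email change where the OLD address keeps a veto.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

GRACE_SECONDS = 7 * 24 * 3600   # assumed policy: old address may object for 7 days


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def _token_matches(token: str, digest: Optional[str]) -> bool:
    return digest is not None and hmac.compare_digest(_digest(token), digest)


@dataclass
class Account:
    recovery_email: str                      # the settled, trusted address
    pending_email: Optional[str] = None
    pending_since: Optional[float] = None
    new_confirmed: bool = False
    veto_digest: Optional[str] = None        # only token hashes are stored
    confirm_digest: Optional[str] = None
    outbox: List[tuple] = field(default_factory=list)  # constructed stand-in for mail


def request_change(acct: Account, new_email: str, now: float) -> Tuple[str, str]:
    """Start a change. Nothing takes effect until the new address confirms AND
    the grace period passes without the old address using its veto token."""
    veto, confirm = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    acct.pending_email, acct.pending_since, acct.new_confirmed = new_email, now, False
    acct.veto_digest, acct.confirm_digest = _digest(veto), _digest(confirm)
    acct.outbox.append((acct.recovery_email, "veto", veto))     # old address told first
    acct.outbox.append((new_email, "confirm", confirm))
    return veto, confirm


def confirm_change(acct: Account, token: str) -> bool:
    """New address proves it exists; still subordinate to the old address's veto."""
    if not _token_matches(token, acct.confirm_digest):
        return False
    acct.new_confirmed = True
    return True


def _clear_pending(acct: Account) -> None:
    acct.pending_email = acct.pending_since = None
    acct.veto_digest = acct.confirm_digest = None
    acct.new_confirmed = False


def veto_change(acct: Account, token: str) -> bool:
    """Old address says no: the pending change is discarded. Token is one-time."""
    if not _token_matches(token, acct.veto_digest):
        return False
    _clear_pending(acct)
    return True


def settle(acct: Account, now: float) -> None:
    """Promote the pending address only once confirmed and the grace period is over."""
    if (acct.pending_email is not None and acct.new_confirmed
            and now - acct.pending_since >= GRACE_SECONDS):
        acct.recovery_email = acct.pending_email
        _clear_pending(acct)


def password_reset_target(acct: Account, now: float) -> str:
    """Where a reset code goes right now. During the grace period this is still the
    old address, so swapping the recovery email first gains an attacker nothing."""
    settle(acct, now)
    return acct.recovery_email
```

The reset code is the one step the attacker in the comment above wants to skip; here it cannot reach the new address until the old owner has had a week to say no.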
I don't think so. Why, in your scenario, would they file a help request saying the account had been compromised? They might file a request with some other content, but not that.
Your general point is valid, but I think the OP has probably figured out a set of features from which one could pretty reliably tell that something was amiss. And all he's suggesting is that such cases get bounced up to a human.
Google and other service providers do have data to evaluate the benefit and cost of making decisions based on patterns, and they probably do.
That said, I have no idea how to do account recovery if you cannot trust the phone number.
- phonelines can be hijacked (this article)
- DNS can be hijacked in a similar manner
- SMS can be hijacked (for 2FA via text message)
I guess 2FA using an authenticator app is the way to go for now. Do you guys agree with the removal of backup phone numbers recommended here? Seems reasonable to me but scary; I've lost my phone(s :( ) before. I do have backup codes generated though.
Authy has been a great improvement over Google Authenticator for me. I primarily used it when I migrated phones for the umpteenth time, but were I to lose my phone, I could also restore the database on my tablet in the meantime and use that instead. The prospect of doing so does leave me a little concerned, however, because my phone has full-disk encryption enabled while my tablet does not.
(I do also keep a few backup codes for the most important accounts in my wallet.)
I know Authy can back up 2FA state to their own cloud, but it's unclear how secure this is: they let you restore codes onto a new phone with the same number, and apparently even to a brand new phone (https://www.authy.com/phones/change/). So it seems like stealing a phone number would allow an attacker to steal 2FA codes stored in Authy.
(What I'd really like is a TOTP app that let me back up its state into a single giant QR code or a small file that I could print out in hex and scan+ocr later.)
It seems unnecessary (and easy to lose) to carry them around in your wallet. I print them out, and leave them in an envelope at my parents' house.
Have a look at this other story from last month, "On Phone Numbers and Identity":
- https://medium.com/the-coinbase-blog/on-phone-numbers-and-id...
- https://news.ycombinator.com/item?id=12597609
"It turns out the attacker was able to impersonate the employee on a call with Verizon"
We do send an email when you log in from a new device. What would you do if you got an email about failed attempts to log in / reset password?
Which is a non-optional pain in the butt if you don't store cookies. Every login is a new device. Twitter does the same, I got so tired of cleaning up my inbox that I rarely log in anymore without a good reason. (I already didn't log into Google without good reason so that didn't change.)
AFTER login? or before? I need to know when someone is trying to attack me, not when they've already succeeded. Otherwise what's the point? At least if I know beforehand that someone knows my password but failed OTP check then I can change my password, right? Why does Google not tell me when this happens? It's like common sense...
Which is useless, because whoever got access can just delete it or change your password.
If you need access then you could use https://smsprivacy.org or https://dtmf.io. I've not tried these though. Or of course you could build something yourself with https://www.twilio.com or https://www.nexmo.com.
I wrote a bit about this here: https://unop.uk/phone-numbers-for-examples-and-user-identifi...
https://support.google.com/accounts/answer/183723
Why mobile phones are more secure
Your mobile phone is a more secure identification method than your recovery email address or a security question because, unlike the other two, you have physical possession of your mobile phone.
That he was able to contact someone at customer support for his Gmail account was the most amazing thing in this article!
> and some ex-colleagues who still work at Google,
:( That's why
You can't do that with a phone. You can't duplicate your SIM card. If your phone is lost, broken, stolen, or your service is cut off or unavailable for whatever reason, you're screwed. At least with passwords, security questions, or hardware tokens (of which you can have several), you maintain reliable access no matter what if you've made backups.
The issue is that they don't discriminate between carriers that perform good identity checking and those that don't.
(Reliability is actually well-addressed by Google - they offer this as a supplement to the other forms of verification they provide.)
The fact that it keeps on becoming more and more difficult for individuals to run mailservers cannot be a coincidence.
The solution is decentralization, at least for things like reddit, mail, search, social and other similar services. Multiple discrete 'old style' forums, search services, email providers and individual servers with dispersed control cannot be easily silenced, surveilled or subject to arbitrary rules.
I think the usual response is people don't care but I think that's because they don't know and may not have stopped to consider the consequences. And perhaps more important before they didn't have to care. Now increasing creepiness from centralized providers means sooner or later users will wisen up.
If parents for instance become concerned about privacy issues they will go out of their way to protect their children and this can lead to new more privacy aware services, rules, and distributed applications. It also makes centralized unicorns based out of SV less of a desirable thing.
Using GSM? Your recovery code is sent essentially plaintext over the air.
Think you're not using GSM? I'll just follow you around until you are (say, if you go out of town).
Since I'm already following you around, maybe I'll just jam your 3G/4G for a minute. Save us the waiting around.
Disabling 2G on your phone is a shitty solution. I want to be able to receive calls/SMS even if it's insecure.
TL;DR:
My account -> Sign-in and security -> Signing in to google -> Account recovery options -> Recovery phone -> Remove number
I can imagine you saying the same thing about the case in OPs article.
The attack was targeted. The attacker knew your name, phone number and email address. The attacker went through some real effort to hack you (SEing reps, buying SIMs, burner iPhone, taking some risk).
How much further do you think they were willing to go? Not enough for a $200 plane ticket?
You have a problem the moment someone capable has targeted you. For the attacker, it's just a matter of choosing the easiest attack vector. Today it was Verizon reps. Tomorrow it may get a bit more difficult.
But anyway I don't understand why he thinks it's some kind of shocker that this makes it less secure. It's another access method. Recovery options are obviously attack vectors.
If you go to mail.google.com and say "Find My Account," you can enter a phone number directly, and then proceed with SMS-based recovery, if it's enabled.
This means that any time an attacker gains access to a phone number, they can plug it into gmail and fish to see if they can break in to an account.
It's not fun to have 2 phones always with you. But maybe the 2-SIM devices will become more mainstream soon, which can solve this problem.
It's possible if you use something like Google Voice for most of your regular calls, but you still need to make sure that the telco can't tie your name to your number…
Plus, if you apply for a new SIM card and you have changed information on your ID, such as your father having changed his name or you having corrected your birth place, then your ID is sent to the government and only when the government gives permission can they give you a new SIM.
If you are not the owner of the SIM card no one talks to you.
If you want a new phone number then you must register with your ID.
I've heard that some police or military people change their name because they killed many terrorists.
But the most common problem is with birth dates. Some of my friends had such birth dates in their IDs: 0.0.1984 or 5.12.1885 (should be 1985). Why? Actually they have a birth certificate in Bulgaria, even with the hour. But when they became citizens of Turkey an idiot public service officer wrote it wrongly on a paper, and now you need to prove that you were born on that date with a diplomatically certified and translated birth certificate that you have obtained from your home country, which is possible but a long and boring process. Instead they auto-correct to the middle of the year: 1.7.1984.
Especially some eastern places before the 90s didn't write their birth dates because, you know, it's "boring paper work" for them.
Or a parent says that their daughter's name is Gizem but the public servant writes İzem.
This is why this country is called a developing country. They can't write something properly.
Then again as a UK citizen they probably have access to my phone anyway.
And worst, laws mostly stay for a life time.
They aren't as accurate as physically showing your ID, however. Not that I'd want my ID digitized though.
Not that it isn't already. Every state's DMV has it, and there must be some kind of database/API that allows law enforcement to access it.
Let's say my recovery number is actually a google voice number that's connected to a separate google account, but not forwarded to my actual cellphone (i.e., I'd have to login to my other google account to view the recovery code). Thoughts?
Verizon is the bad guy here, since they agreed to re-route SMS traffic from the account holder's device to a new device without properly confirming that the request was coming from the account holder.
Technically there's nothing stopping a motivated attacker from attempting the same social engineering attack against a Twilio or Google Voice number, but getting those providers to re-route SMS isn't as simple as just calling and saying "my iPhone broke, I need you to assign my number to my new phone" like you can with Verizon.
The attacker would need to know some particulars of the SMS routing protocols of Twilio and Google Voice to achieve a similar result.
I have 2 factor enabled and did some testing.
Security options:
- Account recovery: email (phone # disabled)
- 2 factor: recovery phone #, backup codes
All of these require you to provide them. Phone number is given as XXX-XXX-XX12. Email is userna*@domain.com.
Failing all of those options, Google asks you to provide an associated email to help with recovery. It then provides a freeform text field for you to explain the situation and expect a response in 3-5 business days. If you have a secondary less-secured email address this could be a viable vector.
tl;dr two factor seems to add an additional layer of security / accounts that an attacker would have to compromise if appropriately configured. Recovery options weaken your security and you should be cautious when configuring.
When I set up my 2 way authentication, I noticed my account has a phone number added, which I don't recognize at all. The phone number has a Florida area code. I have never been to Florida. I emailed Google about this, asking how the number was added. I didn't get any reply.
Even people I was friendly with on forums or social networks that were employees for Google (or Microsoft for that matter, or both in one occasion) stopped responding when I mentioned anything from "heads up (since there is no contact listed for product x): there's a bug here, you might wanna forward that" to "do you know why this is that way?" It's a really weird experience. I've stopped trying to contact tech giants that are too big to care about an individual.
One of my mom's friends had gone through the Gmail password reset process a few times, but she called me one day kind of frantic because she could no longer reset her password (or remember the old one).
It seems that previously Google had allowed either a phone call or an SMS to the phone number on her account, but had recently taken away the call option. Her phone was a landline that couldn't receive SMS messages.
She didn't have (or couldn't access) a backup account and couldn't remember the answers to any of her security questions, or at least not enough of them.
I think she just gave up and switched to Yahoo.
At the very least, Google should not have come out in favor of a particular Presidential candidate. Corporations have become incredibly powerful entities, able to affect the lives of all their employees and many others. If they can't wield this power ethically, they need to be shut down or we risk suffering under fascism.
It is assumed that they procured IMSI IDs of MPs from open sources (databases of gaming companies (this is why Google lets apps read your IMSI) or advertising cookie brokers).
Then, they used Russian cell phone networks to announce a "Roaming transfer" of their phone numbers from BT to them and then used an "SMS login" and password recovery from their Snapchats/Twitters/WhatsApps. Once they logged into them, it is believed that they downloaded past conversations and other data through synchronisation APIs.
Back then, Google only confirmed that they did send a recovery SMS to one account, but hackers didn't manage to answer a security question. This probably deterred them from attempting to try the same trick on Google accounts of other MPs whose numbers they pwned, or maybe Googlers simply made that up to cover their asses.
Amazingly, many cell operators don’t check the digital signature on roaming requests, nor require the roaming counter-parties to pass them through.
I'm surprised that anyone is surprised by this. Perhaps the time has come for a more global approach to security.
Like WTF Google? Any attacker could just as easily do that, too, anytime they want. As long as this remains true, Google Authenticator (or any other Google security measure that could easily be bypassed this way with SMS) has literally zero advantages over SMS, while retaining the disadvantages of being less convenient to use, etc.
It's trivially easy to fake scanned documents proving that you're authorized to port a phone number from one service to another. In this case there was probably no SS7 messing about at all, just somebody falsifying the info or socially engineering his cellular carrier to transfer the number to a new phone. Mitnick's "Art of Deception" book is an authoritative resource on this problem.
Well duh. What kind of support should Google offer to almost a billion users that pay nothing for the service?
"(and even then, they've got a less-than-stellar reputation for support of paying customers)."
Not from my experience. Have had to call them a handful of times on behalf of clients. A human always picked up quickly, and resolved my issue or answered my question. Also followed up.
Yes, that's unlikely. But if it happens, we're screwed.
A better option would probably be to set up two Google accounts with two Google Voice numbers and use them to cross-validate each other. I think I'll go do that now.
even if enabled, if it was set to send the code as sms it would go to ... the phone :-\
Anyone know if the procedure for transferring landlines is more painful for fraudsters?
A lousy MVNO is impossible to contact in any situation. Usually with business accounts the carrier refuses to talk to anyone except the designated account manager.
Background: I have worked in IT Security at an Australian bank, and had close ties to the Internet Fraud department to help them understand fraudsters' tactics.
Many banks use SMS for 2FA. Australia has a law regarding how long it should take customers to switch telco providers (called 'Porting' because you retain your phone number), and the timeframe in which this must be completed (90% within 3 hours, 99% within 2 business days). If the Telco doesn't complete in this time period, you can raise a complaint to the Telecommunications Industry Ombudsman.
Example: If you are currently with Telco A, to port your number to another company, you call Telco B and provide your details. They take care of the porting process, and you can have your service running on a new phone and SIM within 3 hours.
"All you need to have with you is your mobile number, the name of your old mobile provider, your account type (pre- or post-paid) and your account number. We'll handle the porting process from there. It can take from three hours to three days, but we try to do it as fast as we can." Source: https://www.cnet.com/au/news/switching-telcos-easier-than-yo..., 2012
To make matters worse, the fraudsters would then change the details at the new Telco B (i.e. my address is now 123 Rainbow Road, and my mother's maiden name is Smith, not Jones). When the victim called Telco B, when Telco A told them a porting request had been completed, they'd say "Sorry, we have no idea who you are and the details you're providing don't match our records". It can take days to sort the whole thing out, by which time, your Internet Banking has been compromised and funds transferred out.
This was a major problem for Australian banks, because they cover the losses for customers if you lose funds as a result of Internet Banking, as long as you weren't negligent (e.g. you left your Internet Banking logged in on a public computer in a library, or something).
If you are relying on your telephone number as a security mechanism, I would change to something else. Something you have, ideally (Google Authenticator, a physical hard token, etc.).
Sources:
- ACMA Porting Rules for Telcos: http://www.acma.gov.au/Industry/Telco/Numbering/Portability/...
- Example A: http://lifestrategies.net.au/wp-content/uploads/2015/03/Marc...
- Example B: http://www.itnews.com.au/news/45k-stolen-in-phone-porting-sc...
- Example C: http://www.news.com.au/finance/business/banking/customer-sca...
Complaining on the internet won't help in this case.
I think someone should try.
https://krebsonsecurity.com/2016/08/a-life-or-death-case-of-...
Basically husband had a heart attack and when wife went to call for help her phone had been shut off by ID thieves. Husband died. Kids are suing Verizon for not preventing ID thieves. This story doesn't seem to make sense though because I thought a phone without service could still call 911.
Ah, there it is. No two factor turned on.
Am wondering... how was the attacker able to compromise the account?
Normally after you enter your password it immediately asks for the 2FA authentication code. There's only one button and that's to verify the code. If you try to go to gmail.com before entering that code it will make you start the entire authentication process over again.