
Adding a phone number to your Google account can make it less secure

593 points| vijayp | 9 years ago |tech.vijayp.ca

292 comments


exelius|9 years ago

> I'm curious [...] why Google doesn’t temporarily disable accounts so impacted until a human reviews activity.

Because Google doesn't have humans reviewing anything unless there's a direct link to marginal revenue/cost avoidance attached to that interaction that can be priced in. Their business model is to achieve scale through automation and machine learning, which means not doing things that would require manual intervention unless absolutely required.

Explicitly, this means that for free services like Gmail, humans aren't involved. Ever. Try getting support for a Google product and you'll see what I mean -- there's not even a phone number to call or an e-mail address unless it's a paid product (and even then, they've got a less-than-stellar reputation for support of paying customers).

incompatible|9 years ago

So I've heard that it's difficult to get a human involved if you have a problem with Google's free products. The article says "Eventually, with the help of Google’s customer support and some ex-colleagues who still work at Google, Bob was able to get his account back." For the average person who doesn't have ex-colleagues who still work at Google, or whose name isn't Linus Torvalds, it will be far more difficult.

alasdair_|9 years ago

>they've got a less-than-stellar reputation for support of paying customers

I've actually had surprisingly good support from the $150/month plan for their cloud products. They get back to me quickly and give good advice (with custom code samples when needed).

doubt_me|9 years ago

Like how I have more than enough information to get one of my old accounts back but their Automated Response Forms reject everything. Even the moderators on the gmail support forums rejected my claims as well and pretty much said "deal with it".

seanwilson|9 years ago

> Because Google doesn't have humans reviewing anything unless there's a direct link to marginal revenue/cost avoidance attached to that interaction that can be priced in.

Google would obviously start losing money though if people perceived Gmail as easy to hack.

ocdtrekkie|9 years ago

This is why last weekend I moved to FastMail. I've filed two support tickets since, and both were responded to in an hour or two. For the trivial cost of half a Netflix subscription, the most vital thing I have on the Internet is supported by real people.

It's hard to justify Gmail these days other than the frustration of migrating off of it.

As a side perk, Australia has no equivalent to a National Security Letter, and FastMail is hence able to notify me of any government requests for access to my data.

partycoder|9 years ago

You know, you can see articles where people report social engineering attacks on Amazon customer service and extract a great deal of information from them.

Having a human involved is not necessarily a solution; it can be another attack vector.

vijayp|9 years ago

Yeah, maybe human review is not the most scalable solution; if data analysis shows that certain patterns of behaviour are highly predictive of an account takeover, there are almost certainly product solutions for them.

I guess the real question is what the data actually show.

guelo|9 years ago

Interestingly, one of the features announced for the new Google Pixel phone is some kind of free live support, though they didn't say which Google products are covered. It is an expensive phone but if the support includes help with other consumer cloud products it might be worth the price of admission.

agentdrtran|9 years ago

Facebook is the same way - support, even when you do pay for something like ads - is nonexistent.

balls187|9 years ago

Recently my wife, without any identification, went to Tmobile and was able to have my account automatically canceled and added to a new joint family account.

She went with my knowledge, but TMobile never called to confirm.

After which my phone no longer had service, and I had to install a new sim card prior.

While she did this with my knowledge, I no longer have access to make changes to the account, until she adds me to the list of authorized people, and I lost all my voice mail.

It's very disturbing that she could do this, without any sort of checks and authorization.

Also, FWIW, my wife and I do not share a last name, and she did not provide anything other than my phone number to TMobile. She was a new Tmobile customer, and I was an existing customer, albeit on a very cheap pre-paid plan.

sergers|9 years ago

Similar thing I experienced with Rogers Wireless in Canada recently.

Wife and I had separate accounts. I logged in with her account to the Rogers account site and added my phone number to her account with a few basic details that are on every statement sent in the mail....

I had a joint account with my wife as an owner.

Then my work had a corp plan with Rogers, so I wanted to switch to that, but since I am the employee, I had to be the account owner.

This isn't actually so simple.

They had to create a net new account with me as owner, and re-assign the phone numbers to the new account.

When I called in to their account support line, they asked for my 4 digit PIN. I said I have no idea what it is, the guy in the store just punched some numbers in when he set up the account and never told me.

They were okay with that and proceeded to ask me some details that are on my mailed statements....

Then they said they needed the account holder's permission. -- I was at work, my wife was out of town, I didn't feel like bothering her.

I said "hold on one minute, just let me get her". I put the phone on mute for 30 seconds, unmuted and changed my voice slightly: "Hello? Yes I am fine with my husband taking ownership and transferring the numbers"

"she" then passed the phone back to me and the rep proceeded with the transfer.

batiudrami|9 years ago

I used to work in telco (in another country) and it's a difficult line to tread. 95% of customers have no idea what their 4 digit PIN was so you have to identify them other ways, and not being able to access their account is the kind of thing that pisses even legitimate customers off (which is why it's so easy to take advantage of).

Our company's policy was "if they don't know the PIN you have to connect them to the call centre and have them verify for you" but customers are rarely impressed to be handed a phone to the overseas call centre.

I know I got it wrong at least once.

Zancarius|9 years ago

My mum had something similar happen with Verizon albeit as an act of fraud against her account. Her phone was working one day then mysteriously stopped working the next. She didn't think much of it, but as a matter of happenstance had picked up her bill a couple of days later to find that someone had managed to attach a new phone to her account (under a new contract no less!). According to the fraud rep, the switch took place in a Target nearby and was likely done without any identification other than the phone number. Eerily similar.

vijayp|9 years ago

Yeah, a couple of years back, I went to a t-mobile store (I think it was on Broadway and Park Pl) to get a new SIM card; I'd lost it in Europe when I was on holiday. They gave me a new SIM card and let me pay cash without even checking my ID…

raisedbyninjas|9 years ago

I recently had to regain account access to an employee's company provided phone on T-mobile after misplacing the password and PIN. If you know the phone number and can guess one of the numbers they recently called, you're in.

pbhjpbhj|9 years ago

Was there a documented and confirmed link through your banking details, like did she have the credit card that you paid for the sim with, or was she named on a joint bank account associated with your phone account?

I don't doubt that a telecom would do such a thing as you describe but have some hope that you're just not seeing the back end confirmation?

prawks|9 years ago

Is anyone aware of reports on the comparative level of security of the various cell providers? I'd be interested to know how providers in various tiers of scale like US Cellular compare to TMobile and Sprint compare to Verizon and AT&T.

Sir_Cmpwn|9 years ago

>Eventually, with the help of Google’s customer support and some ex-colleagues who still work at Google, Bob was able to get his account back.

I bet I know which one of these resources was more important.

BinaryIdiot|9 years ago

I bet I know which one of those resources actually exists.

x1798DE|9 years ago

I don't think it's possible to make a Google account without a phone number anymore. It's really unfortunate, especially because I deliberately don't set up fallback contacts for my "alternate" gmail accounts, and Google keeps locking them as suspicious when I log in from a second location, and I need to "verify" with a phone number any time that happens (at which point I abandon the account).

I understand that they want to fight spam, but I'd be willing to spend 5 minutes doing captcha type activities in exchange for not requiring a phone number, and that should pretty severely rate limit account creation.

jasonjayr|9 years ago

I've several children, and can no longer make Google accounts for their Chromebooks. All the phone numbers I have and control can no longer be used to register further accounts.

What happens to users that buy a new Android cell phone whose number has been burned by Google?

vonklaus|9 years ago

I think the main issue is that google doesn't accept certain senders anymore. As a generic thread about running a mailserver/mail service pops up here often.

That means users are shoveled into about one of 4 "acceptable" providers which have control of the entire market. They demand full name and usually gender, mobile, alternative email and more.

So you get pushed into their information pipeline to stop "spam".

fullmetaleng|9 years ago

When is the last time you tried? I have created a gmail account a couple of weeks back without providing a phone number and recovery email.

djsumdog|9 years ago

I never put in my number into my Google account. Ironically, the only US number I have is via Google voice/hangouts. So they have it. It's just not associated. I'm not even sure if it would be allowed, as there'd be no way to use it as a 2-factor auth without actually being logged in.

5555624|9 years ago

I created one on Monday, without a phone number. I did provide a (@outlook.com) recovery email. I did not try to create a Google Voice number for it though and I think that does require a phone number.

jcoffland|9 years ago

> This pattern seems like something security software should be able to detect: a password reset with incomplete information, followed immediately by a change in recovery email, name, and two-factor-auth settings, coupled with a “my account has been compromised” help request is highly suspicious.

This series of events could easily occur in legitimate cases. Say you lose or destroy your cellphone. Since you only ever logged in via your phone you don't know the password. Your recovery email was attached to a service you don't use because you normally use gmail. I'm not saying this scenario is a good idea just that it's probably quite common.

As a software developer I often hear from well meaning users that are appalled that software didn't do-the-right-thing in some complex scenario that appears to have an obvious solution because the desired outcome is obvious. In reality, handling the corner cases is complex. Adding these obvious solutions to the code easily leads to even worse situations.

jandrese|9 years ago

At the very least, any change to the email address should send out an email to the old address stating "If you didn't make this change, click on this link to have your account frozen until you do a password reset."

It's silly to depend on an email for authentication, then allow the hacker to just delete the email address before they change the password. Giving the old address the right of first refusal defeats that kind of attack and should be dead simple to implement since the framework was already laid down for the "verify your email" step during setup.
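The "right of first refusal" flow described above, as an added example (not Google's code and not from the article): the old address receives an HMAC-signed freeze token bound to the account, the old address, the current password version and an expiry; clicking the link freezes the account until a password reset, and the reset bumps the version so stale tokens stop working. The account store, the in-memory "outbox" and the signing key are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Signing key for freeze tokens. Generated per process here for the example;
# a real service would load a persistent key from a secret store.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL = 7 * 24 * 3600  # the old address keeps its veto for a week


class Account:
    def __init__(self, email):
        self.email = email
        self.frozen = False
        self.password_version = 0  # bumped on every password reset


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def change_email(accounts, account_id, new_email, now=None):
    """Apply the change and return the notice that would be mailed to the OLD
    address. The freeze token is bound to the account, the old address, the
    current password version and an expiry, so it cannot be reused later."""
    now = int(time.time() if now is None else now)
    acct = accounts[account_id]
    if acct.frozen:
        raise PermissionError("account frozen until a password reset completes")
    payload = json.dumps({
        "account": account_id,
        "old_email": acct.email,
        "version": acct.password_version,
        "expires": now + TOKEN_TTL,
    }, sort_keys=True).encode()
    token = base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)
    notice = {"to": acct.email, "freeze_token": token,
              "text": "If you didn't make this change, use the link to freeze "
                      "the account until you complete a password reset."}
    acct.email = new_email
    return notice


def freeze_from_token(accounts, token, now=None):
    """Handler behind the 'I didn't make this change' link. Returns True if the
    account was frozen, False if the token is forged, expired or stale."""
    now = int(time.time() if now is None else now)
    try:
        body, sig = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(body.encode())
        claims = json.loads(payload)
    except (ValueError, TypeError):
        return False
    if not hmac.compare_digest(_sign(payload), sig):
        return False  # forged or tampered
    if claims["expires"] < now:
        return False  # too old to act on
    acct = accounts.get(claims["account"])
    if acct is None or claims["version"] != acct.password_version:
        return False  # a password reset since issuance makes the token stale
    acct.frozen = True
    return True


def reset_password(accounts, account_id):
    """The only action allowed on a frozen account. The verification step that
    would precede it is out of scope here. Bumping the version invalidates
    every freeze token issued before the reset."""
    acct = accounts[account_id]
    acct.password_version += 1
    acct.frozen = False
    return acct.password_version


if __name__ == "__main__":
    accounts = {"acct-1": Account("owner@example.com")}
    notice = change_email(accounts, "acct-1", "someone-else@example.com", now=1000)
    print("mail to", notice["to"], ":", notice["text"])
    print("frozen:", freeze_from_token(accounts, notice["freeze_token"], now=2000))
```

The point of binding the token to the password version is that the freeze link keeps working for its whole validity window even if the address is changed again, but becomes useless the moment the legitimate owner completes a reset, so an old notification email cannot be used to lock the owner out later.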

ScottBurson|9 years ago

> This series of events could easily occur in legitimate cases.

I don't think so. Why, in your scenario, would they file a help request saying the account had been compromised? They might file a request with some other content, but not that.

Your general point is valid, but I think the OP has probably figured out a set of features from which one could pretty reliably tell that something was amiss. And all he's suggesting is that such cases get bounced up to a human.
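The pattern quoted from the article (reset with incomplete information, then recovery-email, name and 2FA changes, then a "my account has been compromised" request) and the false-positive objection raised in the replies, worked through as an added example that is not from the article or any Google system. It correlates constructed audit events per account inside a time window and routes a match to human review rather than locking the account; the "compromised" help request is treated as a required indicator, so the lost-phone sequence in the discussion does not fire. Event names, the window and the sample log are all assumptions made for the example.

```python
from collections import namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts account kind detail")

# Indicators from the quoted pattern. The "compromised" help request is
# required, following the point that a legitimately locked-out user files a
# request with different content, not a compromise claim.
WINDOW = timedelta(hours=1)
REQUIRED = {"password_reset_incomplete", "help_request_compromised"}
SUPPORTING = {"recovery_email_change", "name_change", "twofa_change"}


def normalize(e):
    """Map a raw audit event to an indicator name, or None if irrelevant."""
    if e.kind == "password_reset" and e.detail.get("verification") == "incomplete":
        return "password_reset_incomplete"
    if e.kind == "help_request" and e.detail.get("reason") == "compromised":
        return "help_request_compromised"
    if e.kind in SUPPORTING:
        return e.kind
    return None


def review_candidates(events, window=WINDOW, min_supporting=2):
    """Return {account: sorted indicators} for accounts where, within `window`
    of an incomplete password reset, both REQUIRED indicators and at least
    `min_supporting` SUPPORTING ones occur. Matches are candidates for human
    review, not automatic lockout."""
    by_account = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        by_account.setdefault(e.account, []).append(e)
    flagged = {}
    for account, evs in by_account.items():
        for i, start in enumerate(evs):
            if normalize(start) != "password_reset_incomplete":
                continue
            seen = set()
            for e in evs[i:]:
                if e.ts - start.ts > window:
                    break
                ind = normalize(e)
                if ind:
                    seen.add(ind)
            if REQUIRED <= seen and len(seen & SUPPORTING) >= min_supporting:
                flagged[account] = sorted(seen)
                break
    return flagged


def t(minutes):
    return datetime(2016, 10, 20, 9, 0) + timedelta(minutes=minutes)


# Constructed sample audit log (not real data).
SAMPLE_EVENTS = [
    # takeover-shaped sequence on "bob"
    Event(t(0), "bob", "password_reset", {"verification": "incomplete"}),
    Event(t(2), "bob", "recovery_email_change", {}),
    Event(t(3), "bob", "name_change", {}),
    Event(t(4), "bob", "twofa_change", {}),
    Event(t(6), "bob", "help_request", {"reason": "compromised"}),
    # lost-phone sequence on "carol": reset, new recovery email, new 2FA, but
    # the help request is about a lost phone, not a compromise
    Event(t(0), "carol", "password_reset", {"verification": "incomplete"}),
    Event(t(5), "carol", "recovery_email_change", {}),
    Event(t(7), "carol", "twofa_change", {}),
    Event(t(9), "carol", "help_request", {"reason": "lost_phone"}),
    # the same events on "dave", but spread over two days: outside the window
    Event(t(0), "dave", "password_reset", {"verification": "incomplete"}),
    Event(t(60 * 30), "dave", "recovery_email_change", {}),
    Event(t(60 * 31), "dave", "twofa_change", {}),
    Event(t(60 * 32), "dave", "help_request", {"reason": "compromised"}),
]

if __name__ == "__main__":
    for account, indicators in review_candidates(SAMPLE_EVENTS).items():
        print(f"route to human review: {account}: {', '.join(indicators)}")
```

Tuning `min_supporting` and `WINDOW` is where the false-positive argument lives: the more of the supporting changes that must co-occur in a short span, the fewer legitimate recoveries get queued, at the cost of missing a slower attacker.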

vijayp|9 years ago

Yeah, I could believe that it would create too many false positives and in retrospect things do often seem easy.

Google and other service providers do have data to evaluate the benefit and cost of making decisions based on patterns, and they probably do.

nchelluri|9 years ago

What I recall reading over the last year is that:

- phonelines can be hijacked (this article)

- DNS can be hijacked in a similar manner

- SMS can be hijacked (for 2FA via text message)

I guess 2FA using an authenticator app is the way to go for now. Do you guys agree with the removal of backup phone numbers recommended here? Seems reasonable to me but scary; I've lost my phone(s :( ) before. I do have backup codes generated though.

AdmiralAsshat|9 years ago

The problem with the backup codes is that I have so many now. Pretty much a list of codes for every account I have 2FA enabled on (about a dozen). If I actually printed them out and kept them in my wallet, my wallet would be overflowing by now.

Authy has been a great improvement over Google Authenticator for me. I primarily used it when I migrated phones for the umpteenth time, but were I to lose my phone, I could also restore the database on my tablet in the meantime and use that instead. The prospect of doing so does leave me a little concerned, however, because my phone has full-disk encryption enabled while my tablet does not.

RubyPinch|9 years ago

2FA requires a phone number (for google accounts)

peterjlee|9 years ago

Once I had my SIM card stuck in my phone. So when I wanted to use a different phone, I bought a new SIM card kit online and brought it to a T-mobile store. I told the clerk my SIM card is stuck in this phone so I want to transfer my number to the new SIM card. He asked for my phone number then scanned the new SIM card and transferred the number. I didn't have to provide any identity or proof that I actually own the number. It's scary how easy stealing someone's phone number can be.

wfunction|9 years ago

Kind of related, but any Googlers here? Can you please make Google send notifications whenever someone tries to log in to an account and is required to do anything other than typing in their username/password? I REALLY should know when someone is trying to respond to a 2FA prompt or answer my security questions or use SMS or email to reset my password... it's ridiculous that these don't all result in emails right now.

lukasb|9 years ago

I work at Google (I don't work on this stuff though, so I'm basically just another random commenter.)

We do send an email when you log in from a new device. What would you do if you got an email about failed attempts to login / reset password?

proee|9 years ago

Another issue with sending Google verification reset codes over SMS is that a lot of "Google Phones" allow for viewing text messages/headers while the phone is "locked." Therefore if you leave your phone (even for just a few seconds), someone could quickly gain access to the reset vectors. In looking at the DNC leaks for example, if an attacker had the phone number of a high-profile target, located them in person, and then executed a reset "event", they're now in very serious jeopardy, assuming the attacker gets physical access to the target's phone for just a few seconds. (Edit: Attacker might have the ability to also view their phone through a high-resolution camera(s) as the target pulls up the text message. Thus allowing attacker access to codes without physical access to device.)

jsingleton|9 years ago

If you are ever required to give a phone number but don't want to then you can use an official fictional one. This means no-one else will have access to it (or be annoyed by it). Same with email addresses.

If you need access then you could use https://smsprivacy.org or https://dtmf.io. I've not tried these though. Or of course you could build something yourself with https://www.twilio.com or https://www.nexmo.com.

I wrote a bit about this here: https://unop.uk/phone-numbers-for-examples-and-user-identifi...

throw7|9 years ago

Google seems to think phones are very secure:

https://support.google.com/accounts/answer/183723

Why mobile phones are more secure

Your mobile phone is a more secure identification method than your recovery email address or a security question because, unlike the other two, you have physical possession of your mobile phone.

xg15|9 years ago

...until the moment where you don't anymore.

TorKlingberg|9 years ago

Being more secure than a security question is a very low bar.

FullMtlAlcoholc|9 years ago

>Eventually, with the help of Google’s customer support

That he was able to contact someone at customer support for his Gmail account was the most amazing thing in this article!

> and some ex-colleagues who still work at Google,

:( That's why

cantrevealname|9 years ago

Using a phone as a login credential is risky from a reliability point of view. At least with passwords and security questions you can (in theory) have 100% dependable access to them anywhere in the world if you memorize them, back them up, or put them on an encrypted USB flash drive or in an encrypted cloud location.

You can't do that with a phone. You can't duplicate your SIM card. If your phone is lost, broken, stolen, or your service is cut off or unavailable for whatever reason, you're screwed. At least with passwords, security questions, or hardware tokens (of which you can have several), you maintain reliable access no matter what if you've made backups.

azernik|9 years ago

You can't duplicate your SIM, but your phone carrier can. In some countries, this involves them checking your government-issued ID in person, which is handy for Google as a way to outsource the ID-checking requirements.

The issue is that they don't discriminate between carriers that perform good identity checking and those that don't.

(Reliability is actually well-addressed by Google - they offer this as a supplement to the other forms of verification they provide.)

throw2016|9 years ago

I think with centralization comes control, arbitrary rules, surveillance, potential for abuse of power and loss of end user control.

The fact that it keeps on becoming more and more difficult for individuals to run mailservers cannot be a coincidence.

The solution is decentralization at least for things like reddit, mail, search, social and other similar services. Multiple discrete 'old style' forums, search services, email providers and individual servers with dispersed control cannot be easily silenced, surveilled or subject to arbitrary rules.

I think the usual response is people don't care but I think that's because they don't know and may not have stopped to consider the consequences. And perhaps more important before they didn't have to care. Now increasing creepiness from centralized providers means sooner or later users will wisen up.

If parents for instance become concerned about privacy issues they will go out of their way to protect their children and this can lead to new more privacy aware services, rules, and distributed applications. It also makes centralized unicorns based out of SV less of a desirable thing.

keyme|9 years ago

This doesn't even take into account how inherently insecure actual mobile networks are. Human factor notwithstanding.

Using GSM? Your recovery code is sent essentially plaintext over the air.

Think you're not using GSM? I'll just follow you around until you are (say, if you go out of town).

Since I'm already following you around, maybe I'll just jam your 3G/4G for a minute. Save us the waiting around.

Disabling 2G on your phone is a shitty solution. I want to be able to receive calls/SMS even if it's insecure.

TL;DR:

My account -> Sign-in and security -> Signing in to google -> Account recovery options -> Recovery phone -> Remove number

jdavis703|9 years ago

By the time I have you (or anyone else) following me around to hack me, I've got way bigger problems than losing my Gmail account.

cupantae|9 years ago

Huh. I wonder if the author had seen this video https://m.youtube.com/watch?v=Q00OZ_Xk24w which describes a similar story and recommends a solution based on the same factors (2FA on a number no one knows under a fake name).

But anyway I don't understand why he thinks it's some kind of shocker that this makes it less secure. It's another access method. Recovery options are obviously attack vectors.

SamBam|9 years ago

One thing that I don't see mentioned: The attacker doesn't need to know the victim's email address or even name, if they have a compromised phone number.

If you go to mail.google.com and say "Find My Account," you can enter a phone number directly, and then proceed with SMS-based recovery, if it's enabled.

This means that any time an attacker gains access to a phone number, they can plug it into gmail and fish to see if they can break in to an account.

zitterbewegung|9 years ago

Adding a phone number that people KNOW about can make it LESS secure. A workaround is to get a phone number that is only used for identity verification and not given out to anyone.

nchelluri|9 years ago

That sounds like a good fix, but a tall order for most people.

wyclif|9 years ago

One way to accomplish this would be with, ironically, a Google Voice-type service (but associated with a completely independent email provider)

jakub_g|9 years ago

This works as long as they don't insist on verifying you through that secondary phone number (this is the case for now for Google I think - if something suspicious is going on, they ask you if you want an sms with a verification code, or an email to a secondary address; but maybe not all services with 2FA make this optional).

It's not fun to have 2 phones always with you. But maybe the 2-SIM devices will become more mainstream soon, which can solve this problem.

CrendKing|9 years ago

The reason why they use phone in the first place is that you will always have it with you. The reason why you have your phone with you is because you use it to make phone calls. Unless you are suggesting to buy a phone that supports dual SIM cards, I think this idea is not very practical. Why not have a physical TFA device instead (they are usually much cheaper and lighter than a phone)?

vijayp|9 years ago

That's a good point. Though I think it would be challenging to have a phone number that no one knows which you also carry around with you.

It's possible if you use something like Google Voice for most of your regular calls, but you still need to make sure that the telco can't tie your name to your number…

StavrosK|9 years ago

A solution would be to not add a phone number, and store the password in a password database instead.

darkhorn|9 years ago

In Turkey, if you apply for a new SIM card (let's say you have micro and you want nano) then you cannot access your bank account (for example Garanti Bank, probably other big banks too). Doesn't matter whether you try to access the bank via your PC or phone or via your home telephone, a message appears saying that your SIM card has been changed and thus you need to re-validate yourself. So, this means that the banks and mobile operators share data.

Plus, if you apply for a new SIM card and you have changed information in your ID, such as your father has changed his name or you have corrected your birth place, then your ID is sent to the government and only when the government gives a permission then they can give you a new SIM.

If you are not the owner of the SIM card no one talks to you.

If you want a new phone number then you must register with your ID.

nommm-nommm|9 years ago

Off topic, but I am really curious. What would be a reason for your father to change his name in Turkey? Is men changing their name common in Turkey?

ollie87|9 years ago

Not sure I like the idea of the state being so heavily involved in this process.

Then again as a UK citizen they probably have access to my phone any way.

andyana|9 years ago

Two years ago, I added a friend on to my phone plan so that he could call his sick mother. I made it clear to Telus (my carrier) that he should not be able to modify the account or discuss account details with them, and they assured me that he wouldn't without both my PIN and express permission to add him to the account administrators list. Three months later he walked into a Telus store and got a new iPhone with a 2 year contract on my plan. When he stopped paying what he owed, guess who got stuck with the early termination fee?

angry-hacker|9 years ago

Can Americans explain to me how you can just do things like that by calling customer support? Wouldn't it make more sense to go and show your ID if you want to make changes like that?

exelius|9 years ago

Where would you go to show ID? In many places in America, the closest telco customer service office may be a 2 hour drive away. Everyone saves time/money by being able to do it over the phone; but unfortunately the customer service reps are usually poorly trained.

FilterSweep|9 years ago

In your call with customer support, questions are asked to verify your identity.

They aren't as accurate as physically showing your ID, however. Not that I'd want my ID digitized though.

camupod|9 years ago

Does anyone know anything about the security with regard to using other providers (e.g. twilio or google voice) as a recovery number?

Let's say my recovery number is actually a google voice number that's connected to a separate google account, but not forwarded to my actual cellphone (i.e., I'd have to login to my other google account to view the recovery code). Thoughts?

stanleydrew|9 years ago

The specific flaw exposed in this story is not exploitable with providers like Twilio and Google Voice, because they don't assign phone numbers to devices with SIM cards.

Verizon is the bad guy here, since they agreed to re-route SMS traffic from the account holder's device to a new device without properly confirming that the request was coming from the account holder.

Technically there's nothing stopping a motivated attacker from attempting the same social engineering attack against a Twilio or Google Voice number, but getting those providers to re-route SMS isn't as simple as just calling and saying "my iPhone broke, I need you to assign my number to my new phone" like you can with Verizon.

The attacker would need to know some particulars of the SMS routing protocols of Twilio and Google Voice to achieve a similar result.

abandonliberty|9 years ago

These are recovery options. By definition they make your account less secure by adding additional entry points for both you and a potential attacker.

I have 2 factor enabled and did some testing.

Security options:

- Account Recovery: email (phone # disabled)

- 2 factor: Recovery phone #, backup codes

All of these require you to provide them. Phone number is given as XXX-XXX-XX12. Email is userna*@domain.com.

Failing all of those options, Google asks you to provide an associated email to help with recovery. It then provides a freeform text field for you to explain the situation and expect a response in 3-5 business days. If you have a secondary less-secured email address this could be a viable vector.

tl;dr two factor seems to add an additional layer of security / accounts that an attacker would have to compromise if appropriately configured. Recovery options weaken your security and you should be cautious when configuring.

billconan|9 years ago

I have this weird thing in my google account.

When I set up my 2 way authentication, I noticed my account has a phone number added, which I don't recognize at all. The phone number has a Florida area code. I have never been to Florida. I emailed google about this, asking how the number was added? I didn't get any reply.

lucb1e|9 years ago

Honestly, did you expect a reply from Google? Have you ever had one?

Even people I was friendly with on forums or social networks that were employees for Google (or Microsoft for that matter, or both on one occasion) stopped responding when I mentioned anything from "heads up (since there is no contact listed for product x): there's a bug here, you might wanna forward that" to "do you know why this is that way?" It's a really weird experience. I've stopped trying to contact tech giants that are too big to care about an individual.

nfriedly|9 years ago

I think that for a lot of people, the added access is worth the security risk: they're more likely to forget their own password than to be hacked.

One of my mom's friends had gone through the Gmail password reset process a few times, but she called me one day kind of frantic because she could no longer reset her password (or remember the old one).

It seems that previously Google had allowed either a phone call or an SMS to the phone number on her account, but had recently taken away the call option. Her phone was a landline that couldn't receive SMS messages.

She didn't have (or couldn't access) a backup account and couldn't remember the answers to any of her security questions, or at least not enough of them.

I think she just gave up and switched to Yahoo.

leesalminen|9 years ago

I bought a Yubikey for $40 and now use that as my second factor for my Google Accounts. It's quite durable and fits on my keychain. Love it!

hash-set|9 years ago

I always thought Google was trying to tie your gmail account back to a cell phone number so they could help end anonymity on the Internet. Or else give the information to the NSA or something. I'm trusting Google less and less these days.

At the very least, Google should not have come out in favor of a particular Presidential candidate. Corporations have become incredibly powerful entities, able to affect the lives of all their employees and many others. If they can't wield this power ethically, they need to be shut down or we risk suffering under fascism.

vonklaus|9 years ago

Don't understand the downvotes. Thought this was widely acknowledged.

metabren|9 years ago

I imagine adding a phone number to your Google account is more about Google having a particular phone number explicitly linked to an account for their information graph rather than for security reasons.

chris_wot|9 years ago

Two factor auth using SMS is increasingly becoming a risky option. For now I have it on my personal accounts, but I'm considering changing over to Google Authenticator.

baybal2|9 years ago

This is how Russians hacked social media accounts and public emails of British MPs last year.

It is assumed that they procured IMSI IDs of MPs from open sources (databases of gaming companies (this is why Google lets apps read your IMSI) or advertising cookie brokers).

Then, they used Russian cell phone networks to announce a “Roaming transfer” of their phone numbers from BT to them and then used an “SMS login” and password recovery from their Snapchats/Twitters/WhatsApps. Once they logged into them, it is believed that they downloaded past conversations and other data through synchronisation APIs.

Back then, Google only confirmed that they did send a recovery SMS to one account, but hackers didn’t manage to answer a security question. This probably deterred them from attempting to try the same trick on Google accounts of other MPs whose numbers they pwned, or maybe Googlers simply made that up to cover their asses.

Amazingly, many cell operators don’t check the digital signature on roaming requests, nor require the roaming counter-parties to pass them through.

bikamonki|9 years ago

Google fills my droid with bloatware. Even worse: all of Google apps will not work without Google Play Services which is a super abusive app: among other things, it logs ALL MY ACTIVITY 24-7. So, if Google already runs apps with such privileges, why not add a small app that mimics Whatsapp SMS verification. After verifying that a given SIM is installed on the phone where my Google account has been authenticated, it can establish a secure tunnel to send me 2FA codes. If a hacker would clone my SIM and even have my Google password they can prevent login until I grant permission from the first install/verification. Should I lose/change my phone, Google would not allow a second verification unless a pin is entered (which I created on the first SIM verification). Another approach that avoids the pin number would be a delay before authenticating the second install. If I get 24hrs and a notification that I have logged-in on a second device, I certainly have enough time to fix any possible hack.

buyx|9 years ago

SIM swap fraud has been common in South Africa for years, and bank accounts were being cleaned out before the cell networks tightened their procedures. Yet I've started to see reports of similar scams in the developed world.

I'm surprised that anyone is surprised by this. Perhaps the time has come for a more global approach to security.

rohitarondekar|9 years ago

Would using a dedicated phone number (sim) that is not shared with any other service protect you from this? Basically nobody besides Google and you would know of this number. In India dual sim phones are very common and I've been thinking of getting a second sim (phone number) for this purpose.

iconjack|9 years ago

Well of course it makes your account less secure. It's another attack vector. As shown in the post, Google doesn't say add a phone number "to make your account more secure", it says "so you don't get locked out". Intuitively, making it more difficult to get locked out of your own account would likely make it easier for someone else "not to be locked out" of your account.

mtgx|9 years ago

Google does another stupid thing (or at least it used to do two years ago, but I think it's still doing it): when you pick Google Auth for 2FA, and for some reason you can't use it, you can still log in to your account with an SMS code...

Like WTF Google? Any attacker could just as easily do that, too, anytime they want. As long as this remains true, Google Authenticator (or any other Google security measure that could easily be bypassed this way with SMS) has literally zero advantages over SMS, while retaining the disadvantages of being less convenient to use, etc.

walrus01|9 years ago

SS7, phone numbers and telco stuff are built on trust, with a 1970s/1980s business model when the only people messing with the system were the ILECs.

It's trivially easy to fake scanned documents proving that you're authorized to port a phone number from one service to another. In this case there was probably no SS7 messing about at all, just somebody falsifying the info or socially engineering his cellular carrier to transfer the number to a new phone. Mitnick's "Art of Deception" book is an authoritative resource on this problem.

josefresco|9 years ago

"there's not even a phone number to call or an e-mail address unless it's a paid product"

Well duh. What kind of support should Google offer to almost a billion users that pay nothing for the service?

"(and even then, they've got a less-than-stellar reputation for support of paying customers)."

Not from my experience. Have had to call them a handful of times on behalf of clients. A human always picked up quickly, and resolved my issue or answered my question. Also followed up.

whyagaindavid|9 years ago

@vijayp Please retitle your post to add "In North America, anyone can take anyone's phone number". BTW aren't any of the Hacker News readers worried?

spiznnx|9 years ago

What are the security implications of using my Google Voice number as a backup phone number to my Google account (the same account)? I've been doing this for a few years, and it's been very convenient. Basically, any time I need to log in with a new browser or device, using the number for two factor SMS gives me codes on all other logged in Gmail windows, and on my phone.

stanleydrew|9 years ago

I do this too, but it's circular. So there is a pretty significant risk of getting locked out entirely if your authentication tokens for your Google account expire on all devices at the same time.

Yes, that's unlikely. But if it happens, we're screwed.

A better option would probably be to set up two Google accounts with two Google Voice numbers and use them to cross-validate each other. I think I'll go do that now.

johnjhayes|9 years ago

>Bob didn’t have multi-factor authentication enabled

even if enabled, if it was set to send the code as sms it would go to ... the phone :-\

haser_au|9 years ago

If you read all the way through, the article states this. Recommendation is "use something like Google Authenticator, etc..."

pm24601|9 years ago

I wonder if a landline is more secure from transfer?

Anyone know if the procedure for transferring landlines is more painful for fraudsters?

ComodoHacker|9 years ago

Landline is easier to hijack though. I mean physically.

dragonwriter|9 years ago

AFAICT, and this is supported by the Google screenshot shown promoting the feature, Google doesn't say the phone makes the account more secure, it says that it makes the account more usable, since it provides a way to recover from lockouts. This is one of many cases where usability and security aren't aligned.

mercora|9 years ago

I always failed to see why adding a phone number would be somehow more secure. However, I also knew this kind of attack was somewhat common for German online banking accounts using SMS TAN because service providers were easily convinced to send a new (second) SIM card to a new address they had never heard of before.

gambiting|9 years ago

Ha! My telco in the UK (giffgaff) does not have any phone customer support, so the only way anyone could ask for an account transfer would be through a webform... after logging in to my account. Doing which would also send a notification to my email address. Feels slightly safer now.

Spooky23|9 years ago

I wonder if having a really shitty prepaid carrier for this purpose or a commercial account is a viable strategy?

A lousy MVNO is impossible to contact in any situation. Usually with business accounts the carrier refuses to talk to anyone except the designated account manager.

haser_au|9 years ago

TLDR: Telcos really are the weakest link, and you should not rely on your mobile phone number for 2FA.

Background: I have worked in IT Security at an Australian bank, and had close ties to the Internet Fraud department to help them understand fraudster's tactics.

Many banks use SMS for 2FA. Australia has a law regarding how long it should take customers to switch telco providers (called 'porting' because you retain your phone number), and the timeframe in which this must be completed (90% within 3 hours, 99% within 2 business days). If the telco doesn't complete in this time period, you can raise a complaint to the Telecommunications Industry Ombudsman.

Example: If you are currently with Telco A, to port your number to another company, you call Telco B and provide your details. They take care of the porting process, and you can have your service running on a new phone and SIM within 3 hours.

"All you need to have with you is your mobile number, the name of your old mobile provider, your account type (pre- or post-paid) and your account number. We'll handle the porting process from there. It can take from three hours to three days, but we try to do it as fast as we can." Source: https://www.cnet.com/au/news/switching-telcos-easier-than-yo..., 2012

To make matters worse, the fraudsters would then change the details at the new Telco B (i.e. my address is now 123 Rainbow Road, and my mother's maiden name is Smith, not Jones). When the victim called Telco B, after Telco A told them a porting request had been completed, they'd say "Sorry, we have no idea who you are and the details you're providing don't match our records". It can take days to sort the whole thing out, by which time your Internet Banking has been compromised and funds transferred out.

This was a major problem for Australian banks, because they cover the losses for customers if you lose funds as a result of Internet Banking, as long as you weren't negligent (e.g. you left your Internet Banking logged in on a public computer in a library, or something).

If you are relying on your telephone number as a security mechanism, I would change to something else. Something you have, ideally (Google Authenticator, a physical hard token, etc.).

Sources: ACMA Porting Rules for Telcos: http://www.acma.gov.au/Industry/Telco/Numbering/Portability/... Example A: http://lifestrategies.net.au/wp-content/uploads/2015/03/Marc... Example B: http://www.itnews.com.au/news/45k-stolen-in-phone-porting-sc... Example C: http://www.news.com.au/finance/business/banking/customer-sca...

ww520|9 years ago

The phone companies have horribly bad security practice. I once had a phone number taken over by someone. When asked, the phone company just said, oh, someone called in and wanted to take over the billing of the account, so we let him. WTF.

codedokode|9 years ago

This is a serious problem. In some banks having access to a phone allows the attacker to log in to a web client and transfer money from the account. And many web services rely on SMS as a method to restore the password.

yAnonymous|9 years ago

If telco providers are not taken to court for the damages caused by changing plans without any verification, why should they change their practices?

Complaining on the internet won't help in this case.

sairamkunala|9 years ago

Doesn't Google Voice or a static number from Twilio solve the problem if one cannot get the service that is required from Google free accounts?

shawn-butler|9 years ago

Is it possible to sue Verizon, TMo, ATT for their failure to adhere to their own security practices for damages subsequent to a hack?

I think someone should try.

nommm-nommm|9 years ago

Someone is trying

https://krebsonsecurity.com/2016/08/a-life-or-death-case-of-...

Basically husband had a heart attack and when wife went to call for help her phone had been shut off by ID thieves. Husband died. Kids are suing Verizon for not preventing ID thieves. This story doesn't seem to make sense though because I thought a phone without service could still call 911.

syphilis2|9 years ago

Are there any startup email services that provide time-synchronized one-time-use passcode dongles with each account?

awqrre|9 years ago

And Google uses dark patterns to incite you to add a phone number and a credit card number to your account...

nameisu|9 years ago

they only respond to charge backs from credit cards

lucb1e|9 years ago

You sure those are not computers?

sumitgt|9 years ago

As a Project FI user, not an option unfortunately.

AnonCoward1|9 years ago

Yet one would suspect that Google, being both your telecom provider AND your email provider, would be less vulnerable to social engineering targeting one of their two services by means of the other.

bitmapbrother|9 years ago

>While Bob didn’t have multi-factor authentication enabled, he had also heeded Google’s suggestions to add a backup phone number to bolster security.

Ah, there it is. No two factor turned on.

haser_au|9 years ago

If he was using SMS for 2FA, he still would have been compromised.

hakcermani|9 years ago

"He used a very strong password (which was never used elsewhere)"

Am wondering .. how was the attacker able to compromise the account ?

emeidi|9 years ago

I stopped reading here: "While Bob didn’t have multi-factor authentication enabled"

claudius|9 years ago

You shouldn’t have. Google trusted the phone too much, using it instead of the user-supplied secrets to determine who was allowed to access the account. Whether or not the account used multi-factor authentication seems quite perfectly irrelevant?

ChoHag|9 years ago

And this is a surprise because ... ?

esalman|9 years ago

How did Verizon move his services to an iPhone 4? Does it mean the attacker had physical access to his phone?

feld|9 years ago

No, they just change in their system the IMEI or ESN that phone number is registered to so all incoming calls and texts start going to the phone the attacker owns. It's just social engineering where you pretend to be the customer and tell them you need to transfer your number to a new phone.

adrr|9 years ago

Call them up and say you bought a new phone. Give them the unique serial number of the phone and tell them to transfer service to it.

kibwen|9 years ago

I've also noticed that there's something very surprising about how Google has implemented their 2FA. When I log into Gmail from a new computer, it does not text me an authentication code and then lock me out of the account until I enter the code. Instead it lets me into my account immediately with only a password, and then sends my phone a notification that someone has logged in from a new computer. Ignoring this notification has no consequence for the logged-in computer. Convenient indeed, but this is really not how I expect 2FA to work, and does nothing to prevent an attacker from reading the contents of your emails or sending fraudulent emails with nothing but a password.

Nacraile|9 years ago

That's not how Google 2FA works; you seem to have misconfigured something. When you actually have 2FA on (like I do), you must enter your one-time code after entering the correct password.

Sargos|9 years ago

Uhh, are you sure? I've never seen it behave this way and that doesn't make sense. Can anyone else corroborate this?

Normally after you enter your password it immediately asks for the 2FA authentication code. There's only one button and that's to verify the code. If you try to go to gmail.com before entering that code it will make you start the entire authentication process over again.

cmurphycode|9 years ago

I can confirm that that's what happens to your account when you don't have 2FA enabled. Can you double check your settings?