Google really fails hard in the face of providing support when issues like this occur. The average person has to try various automated account recovery options which, as in the author's case, are readily changeable the moment the account is compromised, rendering them somewhat useless, and then users are out of luck.
It's a situation that is mind-boggling. Users as asked to place a significant chunk of their digital lives in the care of Google, it is unbelievable that they fail this badly. It's useful to note than it's not a situation that business users face. People who pay for G-suite have real support, even ::gasp:: telephone support. Why on earth does google not offer this to consumer users? I would gladly pay for that level of support and security. For that matter if there were some way of converting my personal account over to G-Suite I would do so.
I would even not mind something like one-time payments for support calls, for example pay $50 for a service call to get assistance in a case like this. I just can't fathom the "no support" model at all.
This is why I panicked when they announced they won't sync Google Photos with Google Drive anymore. With the sync, I can setup one of my computers to constantly download the photos and then copy it onto a local backup and an online backup. If my Google Account gets locked - I'll just copy the photos into something else and move on with my life. They removed that saying it's confusing to users - all the while it was an option users had to go explicitly enable.
I switched to iCloud which supports the download feature.
Where did they announce that? I still have that setting enabled, and I'm using it for backing up exactly the same way you described, so I really hope this doesn't just get magically turned off someday.
The most common way to do this is to have the Photos app on MacOS set to "download originals," then use whatever backup solution you like best.
I highly recommend setting this up. Last month through some sort of iCloud glitch my fiancé lost almost all of her photos from before the beginning of this year. We've escalated it to their highest tiers of support but the photos are gone. Redundancy is important, and even the best providers aren't foolproof. It was devastating to lose all of those memories.
Card-based cameras -> Plug in card, Dropbox + Google Photos pick up new photos
Backup 'server': Local synced Dropbox folder -> Local + Cloud backups
I couldn't see how to add iCloud to my existing syncs / backups. When I looked at it, I couldn't be sure it would keep photos on my phone long enough to allow Dropbox and Google Photos to pick them up. It's good that it's possible to get the originals over at a MacOS machine. Might be worth exploring then.
This is how I do it too, then backups are done through Arq and Amazon. I consider Google Photos as a “share / social” area. I would never entrust masters with Google.
> I would even not mind something like one-time payments for support calls, for example pay $50 for a service call to get assistance in a case like this.
I can just see the people raging about this on social media now.
“Google charged me $50 to fix an issue with my account!”
“Google won’t give me any help unless I pay them! Extortion artists!”
Sure, people would complain. But they complain now when these issues happen. I'd rather a scenario where people complain but the problems are getting fixed. It's not completely unreasonable that Google offers low/no support for free products. It is unreasonable that they don't have any way to pay for help when there are serious problems.
This was quite unfun. (Fixed now, after I blackboxed what the actual problem was. Some Googlers are looking into the docs/error messages to fix that half.)
There’s also another bad side effect of Google. Google makes and gives away stuff for free and one of the reasons they do it is because they run a lean operation. They don’t provide any kind of support. Let’s say someone want to start a new company that provides all the same features of Google and provide solid support - there’s no way they can do it for free. Or even if it’s a reasonable price, people are going to pick free anyway. Except those of us who care. Just the fact Google and Facebook gives it away from free, in a sense, kills any possible paid service in the domains they operate. IMHO that qualifies as anti-competition and anti-trust. But the laws aren’t designed for this scenario at all.
Google One has support, it's pretty much the only button in the UI when you go there.
EDIT: actually it looks like the support might need to be reached from within the account, so that's still a major problem when you can't get in at all.
This kind of stuff is horrifying to me and why I willingly pay the Apple Tax. At the end of the day they have stores full of humans I can walk into and tell my sob story to and excellent telephone support.
I don't believe it works the way you think it does:
https://support.apple.com/en-us/HT204921"If you need more help, contact Apple Support. While we can answer your questions about the account recovery process, we can't verify your identity or expedite the process in any way."
That is fine but the scam started by reassigning the SIM; something not related to Apple. I am not having enough criminal fantasy but in your Apple World you live in a monoculture...usually this makes it just easier for intruders to make problems.
> I would even not mind something like one-time payments for support calls, for example pay $50 for a service call to get assistance in a case like this. I just can't fathom the "no support" model at all.
Have you considered alternatives that do offer support?
> People who pay for G-suite have real support, even ::gasp:: telephone support. Why on earth does google not offer this to consumer users?
I know people are getting sick of this phrase, but I'm going to repeat it here anyway because it answers your question perfectly: why doesn't Google have customer support? They do, but if the product is free, you're not the customer.
As you note, Google does have real customer support for people who pay. The other people are not customers, they are advertising targets. Why waste money on support for them?
As someone using G Suite for personal purposes I'm glad to pay for support honestly (+ the peace of mind of being mostly in charge of my data, not having it be mined for whatever purposes).
On the other hand, a paid edge case support option for otherwise free services would be a win for both sides. If only the long term projection of the resulting incentives would not be so ugly...
I didn't realize, I apparently was automatically made a Google One user when they created the program because I pay for a bit of extra Drive storage. I'd really like to hear stories from people who have had a hacked/stolen account and the support Google One provided.
Is this a reference to something? I haven't heard much about Google One's support good or bad.
The concern I'd have with G-One is that if you lost access to your account, you also aren't a Google One customer, and the support likely won't assist you. Creating a chicken/egg situation.
Not a reference to any story, just a few personal experiences. I had various issues, and they couldn't escalate anything to actually fix them, they just read support docs back to me. It's not like the paid support that gsuite customers get (although I'd be happy to pay more for that if I could).
Buy a domain (12+USD year depends on extension) + G-Suite (around 4-5USD/Month) and that's it.
As a bonus, you always can swap your email provider without changing your email address.
Why is it that the most dramatic stories of people's digital lives being lost/broken usually seem to revolve around a compromised mobile phone number? Mobile phone numbers are not unique (they are recycled) and are terrible security (mobile phone companies are careless). I change mobile numbers at least once a year and most years I end up receiving calls/messages on behalf of the previous owner. I refuse to connect my mobile phone to these services.
It seems like one of the most important lessons of computer security has already been forgotten: It's only as good as the weakest link. Not only this but decentralization/redundancy is often better than centralization/dependency. For example, I'm not sitting awake at night worrying over some semi-pseudo password I generated for an old unencrypted forum run on some random persons server.
> I change mobile numbers at least once a year and most years I end up receiving calls/messages on behalf of the previous owner.
I had something very similar happen when I got a new number. I kept getting calls for the previous owner from what I assume to have been a bank, a library (for passed-due books no less; left a voice mail), and random people trying to contact this person. Not long thereafter, I started getting text updates from Facebook any time one of their contacts posted something. Facebook fortunately disables this with the text message STOP (IIRC) [1], but it bothered me that a nefarious actor could have passively collected the names of this person's contacts, messages, or more.
Not quite sure what to do, I did end up calling most of them back to inform them they had the wrong number, if they left a voice mail. The calls stopped about a year and a half later, and while I was somewhat annoyed at the time, in retrospect it could have been much worse!
Because every time you login to gmail without a phone number there's a big "add your phone number for super security!!" pop up on the screen. People do what the google tells them to do.
Thanks for the reminder--I've done it several times in the past, but it wasn't a scheduled thing at all.
There's a new checkbox in takeout that lets you schedule a backup every 2 months (and then presumably you'll get an email when you need to download it).
Does anyone else have issues with takeout failing with "unknown error occurred" if you use the default of selecting all products? I have to manually create multiple takeout archives (one for gmail, one for photos, one for location history...)
Yeh that's unfortuante but it is normal for box's API. This isn't Google being overly grabby, its the only scope available to third party read and writing to box.
Thanks for reminding me... again... about this. Why haven't I backed up my gmail data yet? It has been years since I realized I have to do it. Why haven't I done it?
I'll agree that POP is pretty easy and worthwhile here.
One caveat: I'm not certain that it's identical to what Takeout provides. I downloaded the mbox file via Takeout and the Takeout version was a fair bit larger than my Thunderbird mbox file as I recall. Maybe Thunderbird stores the emails more efficiently than Takeout? I should examine this more closely. As far as I am aware there are no missing emails in Thunderbird, though I could write a script to be certain.
Edit: Seems that I misremembered. The Takeout file seems to be appreciably smaller than what Thunderbird has, but in line with what Gmail reports at the bottom. I guess Thunderbird is actually less efficient than Gmail. Attachments might explain some of this, as I deleted some attachments in Gmail that I kept in Thunderbird.
Yes, it was zipped, but I was comparing uncompressed. I've now checked. There's about a 500 MB difference for about 10 GB of emails. So not too bad, but appreciably different.
Anyone who wants to defend themselves, consider using U2F where you can and Google Advanced Protection. I just recently picked up a bluetooth security key because one is needed to log an iPhone into an account using advanced protection; there is no SMS backup loophole. The Titan key bundle comes with a bluetooth and USB key, which is enough to get started, though frankly you probably want a couple additional backup keys too.
U2F keys are great but I look forward to the day when they’re more widely available outside the US. And I’m still waiting for my replacement from Feitian for the recent vulnerability. Not to say you shouldn’t use them, but... they have their limits. Particularly Advanced Protection which forces you to use Google’s browser in many situations and disables API access so I can’t use the API to get my own data, only Google’s official apps and a small exception for Apple’s.
Yeah, Chromium is needed to add keys, which effectively means you can’t enable Advanced Protection without Chromium. I personally ran into this wall. I acknowledge that this sucks, as a person that intentionally only uses Firefox, but to be clear logging in and most other operations work absolutely fine with Advanced Protection.
Does it really disable all API access? I thought it only blocked certain OAuth scopes, but to be honest I haven’t really tried.
I was able to login to a NVIDIA Shield, but only by resetting and bootstrapping off a spare Android device (!!!) because U2F keys are broken on Shield. Interestingly, my Samsung TV remains signed into Youtube, which is kind of odd now that I think about it.
With that done, GitHub prompts me for my key. My Linux office workstation is missing the necessary udev rule, so I couldn't test more. (Funnily, pressing Cancel caused them to send me a SMS, so their 2FA is practically worthless).
I've run into strange interactions where adding a key is disabled in Firefox (even with the security.webauth.u2f flag set to true), but once one key is added, you can add subsequent keys no problem.
This is how Github worked for me - I think it's just a mis-match in the code checking for U2F functionality...
I think adding the key use a different mechanism - there are two JS interfaces for U2F, and FF only supports one of them.
TBH I've added my key to GitHub with chromium, but have since moved to FF; so that might be what you're seeing with GitHub.
Youtube/YoutubeTV seem to be walled off on 2nd factor auth. I've been able to log into both on browsers w/o 2nd factor and then get prompted when logging into web gmail.
That’s a great idea and would’ve saved me some time. Sadly, I had ordered and received my Titan kit before even realizing I still had an Android device, less that I could use it to bootstrap my iOS device...
I hope Apple some day supports NFC or maybe even USB U2F, both things Android has supported on phones for a bit.
Probably because the more barriers you put in the way of scams, social engineering, etc. the harder you make it for people to legitimately get back into their accounts and the more likely it is that you'll instead read stories about how someone "forgot their credentials and lost access to everything in their account and Google won't do anything about it."
No opinion on SMS specifically but there are tradeoffs.
It would be more just if people losing access to their accounts were those that lost their credentials rather than anyone that has a SMS number tied to their account. Other approaches to account recovery could be explored but none of them should involve SMS.
Google is a pain as there's no way to talk to a human. I have lost access to an old Gmail account as my phone broke. Without authenticator I can't get in. I can't set up authenticator anew because I don't have the password anymore. I still have same phone and plenty of emails - just no way to get in.
When you set up 2fa with Google they give you a set of backup codes you can use to get back in case you lose access to your phone/authenticator. It's important to store those somewhere safe.
I have no idea what the pros and cons are and certainly can’t speak for why. However, I think the existence of the Advanced Protection Program is definitely acknowledgment that the SMS backup is not secure enough for everyone.
The thing is, not long ago I had no issue recovering my account if it got compromised. I think attackers today have gotten better at finding ways to beat the system. One thing I’ve seen, albeit I don’t know if it works on Google accounts, is enabling high security after stealing an account, effectively making recovery very hard.
Though, I can’t really speculate on if that’s what’s going on here.
Because, depending on your risk profile, it can be very helpful:
> We found that an SMS code sent to a recovery phone number helped block 100% of automated bots, 96% of bulk phishing attacks, and 76% of targeted attacks.
When you first enable 2FA with Google you have to do SMS (at least that was the requirement last time I did it). However, once you've defined an alternative 2FA method (Google auth, u2f key, etc) then you can remove the SMS method completely.
Believe it or not banks are really bad at security. They are so bad at it that they don't even realize how bad at it they are. But the banks all copy from each other so "what the other guy is doing" is more or less their justification for what they do. Most of them have little to no idea why they do what they do for IT security, they just do what the Computer Security for Dummies book says to do (walk through the IT security department at any big bank and I bet you there is a dog eared copy of that tome on every desk)
Synchrony is one of the worst offenders, they won't even let you change your password without doing SMS verification, and their source of phone numbers is a Transunion skip trace database (which you can't change or remove any information from), so getting past Synchrony can be as easy as filling out a contest form at a mall, waiting for the phone number to appear with Transunion, then choosing that phone number to do SMS verification. It might take a couple months but payoff can be huge.
My hero at the moment is Capital One, they allow you to do e-mail authentication instead of SMS, and their iOS app also doubles as an additional factor (one requiring you to enter your password or use touch ID to use).
I was also extremely happy to find that the brokerage Robinhood offers Google Auth as a second factor. E*Trade also offers 2FA but a proprietary token w/ lcd display (which they happily charge you for).
My trick has been to give banks a false phone number that rings busy forever. That does effectively keep me from using banks that require SMS authentication, but there are more then enough that either offer other methods or drop their SMS requirement if you list your mobile number as your home number (indicating that its a wired phone and can't receive SMS). That doesn't keep my Synchrony accounts secure but there are enough protections around credit cards that my liability would be $50 at worst, with Synchrony having to eat the remainder of the loss.
> When you first enable 2FA with Google you have to do SMS (at least that was the requirement last time I did it)
I don't remember that ever being the case, either when Google first launched Google Authenticator and 2FA (when I pretty soon after set it up) or when I later went through the setup process for my work account at my current job (a couple years ago).
That is awesome then! It was a lot of hassle for me to find a phone that accepts incoming calls (and wouldn't come back to me) so I could get past the first step - though to Google's credit the number I used never showed up anywhere so they didn't try to sell me out.
It depends on your threat level. If you're just trying to avoid phishing, it's great, something like 99.9% effective. However, if you're worried you'll be targeted, where someone will go through the effort to do this to you specifically, then it's not a good choice.
2FA does not fully protect you against phishing. The attacker can just passthrough all credentials including your 2FA code. It limits the attack to a time window and any further security sensitive changes that require 2FA may be protected unless the user naively re-enters their code.
U2F/ WebAuthn credentials can't be passed through.
Or in more detail, the credentials aren't human readable and are per-FQDN, so when you visit badguy.example thinking it's goodguy.example, your Security Key will cheerfully hand over valid credentials for badguy.example, but there is no way to give them credentials for goodguy.example because that's not where you are.
Multiple physical keys in multiple formats stored in multiple places. I've got a few security keys: one on a keyring, one in a locked file cabinet, one locked in a safe. Backup codes are printed on good quality acid-free paper with good toner and then are put in acid-free envelopes or laminated, stored in a safe at home and a trusted family member's house.
I'm far more concerned with an attacker from the internet or destruction from a fire or natural disaster than someone using my computer at my home who happens to have my username/password combination as well.
I have two. One stays with me, the other in a safe.
Which is legitimately a pain in the ass to register, manage, keep in sync, etc but I only use it for a few very important accounts--Google being one of them.
You should have emergency backup keys as well printed on real paper. I have a set stored with our important files, and another in my nightstand. Having my phone stolen would be a damnable inconvenience, since that is my second factor -- although not via SIM, but via Google's in-app authentication. But it wouldn't be fatal.
I use andOTP, which is compatible with Google Authenticator and actually allows backing up the private keys (one of the key missing features of Google Authenticator, though maybe they've fixed that).
What’s better? Serious question. Very few companies spend as much on security as Google. You have to do your part and configure something like Advanced Protection, but if someone’s going to go to all the effort listed in the article, which provider would be a better bet?
It's not like email providers get hacked all the time. Individual email accounts do get hacked.
Find an email provider that provides decent support, i.e. you can call and talk to a real person. Make sure they support 2FA (ideally the non SIM variant). Also recovery tokens that you can write down and stuff like that.
Personally I run my own mail server but I understand that's not everybody's cup of tea.
A smaller, paid provider may make it easier to get someone on the phone to resolve problems when things go wrong. Having better support than Google would not take much.
"Getting someone on the phone" is a big reason these kinds of problems happen in the first place. The reason Google doesn't do that is because they would be too big of a social engineering target, and couldn't possibly be secure in the face of that at a reasonable cost.
Absolutely, if you want. I am not advocating to use or not use Gmail or other services. But also be sure to use U2F on whatever you can, be it Fastmail or Proton Mail or what have you. I think Proton Mail is still working on their U2F support today, though.
At the end of the day, there’s a lot of differences between the many webmail offerings. The apps, the support, the feature-sets, etc. If you have gotten used to things like the nuances of Gmail filters, switching anywhere can be challenging, I think, and the same could be said about the reverse. I’ve been considering using both Gmail and FastMail simultaneously for a while, especially for custom domains. Also, JMAP is cool.
I am mostly just suggesting that folks who read stories like these and fear similar predicaments take the time, effort, expense, etc. to properly secure whatever accounts they have.
Thought experiment: if someone steals an account with no 2FA, enables U2F and other security mechanisms, how will support verify who truly owns the account? Or the reverse: user enables U2F and someone calls in and tries to claim the account was stolen?
Having humans make judgements is important because the real world is complicated and people are imperfect, but using U2F in the first place can save you a huge headache, no matter what services you use. If support can just flip a bit and disable U2F, it isn’t very useful for the same reasons accounts get hijacked to begin with.
I mean, i think you answered the question yourself. History of account security details, things like login logs, IP addresses, when things were changed, payment information, etc can corroborate the story a user is trying to tell (ie, my account got stolen), or refute it.
And those things? It comes down to having strong process rules and having intelligent life forms make the decision.
This is the first thing I thought of when reading that. For sure, Google's lack of real support for fixing things when someone does steal enough 2FA creds, like phone number, is a drag. On the other hand, it appears that setting up Advanced Protection probably gives you a much harder to hack account than any other provider could do.
This unfortunately is useless. Account recovery will still allow the hacker to use the phone number that has just been swaped to logon to the email. The weakest link is what matters and in this case you are just putting a bigger door lock on the front door while leaving your back door open.
Once you've configured a security key on a Google account, it's entirely possible to remove phone-number based account recovery -- and strongly recommended for at-risk users. See step 21 et seq. in the Tech Solidarity security guide for people working on political campaigns:
For no particular reason, Google does require you to temporarily configure phone-number based recovery while configuring other 2FA options -- but once they're set up, you don't need the phone number anymore.
1) Call your cellphone carrier and ask to set up a password/PIN to be used for when you call into the customer service phone number.
2) Consider your phone number and SIM card insecure. The phone carriers are ignoring the SIM swap problem even though they know how much damage it's causing. Give your phone number to as few companies as possible. Phone services such as Google Voice work without a SIM card, so they are less prone to problems. Give out such a phone number if necessary.
3) Don't use text message verification codes as 2FA. Use an authentication app, such as Google Authenticator.
4) You can retake possession of your hacked Gmail account by providing one of the previously used passwords. No need to have a working phone.
5) Ask yourself, what will happen if you lose both your laptop and your phone at once? Do you have things set up in a way where you can get back into your digital life? Someone can break into your home while you're away, the government can confiscate them at the airport, etc.
6) Check what email addresses you have configured as backup auth methods for your Gmail. Those accounts can be used as a means of access by a hacker.
> 4) You can retake possession of your hacked Gmail account by providing one of the previously used passwords. No need to have a working phone.
That's possible?! I only ever change password if I suspect it might have been compromised. Now if a service allows to use old passwords, that's quite a bummer and makes password change meaningless.
> Call your cellphone carrier and ask to set up a password/PIN
Note that, at least for TMobile, AT&T, and Verizon, the password/PIN is presented to the CSR in plaintext (as they verify the pin over the phone verbally).
I'd assumed they'd transfer to some pin-capture applet to verify, but nope.
> Use an authentication app, such as Google Authenticator
If you decide on Google Authenticator, make sure you scan the barcode with 2 devices (say, your tablet and your phone) to back up that credential. Or just use Authy.
You can print out a copy of the barcode and keep it somewhere safe. It's a little bit scary as that barcode is a super powerful extra key but, you will have a key that will work and not be reliant on any device to store it.
There are plenty of TOTP apps (besides Authy) that support backing up the code generation keys. I use andOTP, for example, which supports backing up locally to the phone's internal storage (and optionally encrypting that backup with either AES + a passphrase or a PGP key if you've setup an OpenPGP provider on your device). 1Password's iOS (and Android?) app also supports TOTP.
> 2) Consider your phone number and SIM card insecure.
Your phone number is an obvious attack vector. I think having a dual sim phone with 2fa dedicated number that is not publicly associated with you, possibly with the carrier that has it's security in order, would decrease the odds of getting hacked.
> 4) You can retake possession of your hacked Gmail account by providing one of the previously used passwords. No need to have a working phone.
This is what I'm worried about, if I don't have a phone number on a gmail account, won't it make it harder to get access to that gmail account if I am locked out. Even though there's obviously a bad security loophole with just having a phone number on your account as a recovery option, is it not worse to be locked out of your account with no way to get in?
Even if you go through the g.co/advancedprotection onboarding process, they still say account recovery is possible and that it would take 3-5 days extra. Granted, it's not easy, but it's much easier to buy security keys and put one in a safe deposit box than it is to try to get every carrier to be nice to you and not SIM-swap your account.
In the space of the afternoon after reading this article, I removed SMS 2FA from all my accounts, installed Authy, added all my accounts to it, found out Authy is also insecure[0], reconfigured it to be less insecure, and basically despaired.
My solution going forward will be to spend all of my money each month so there's nothing to steal, and have a terrible reputation online that therefore can't be ruined.
A lock on your door is obviously insecure, but can work because it introduces friction for the burglar, while there are other targets around. It's a similar principle at work for online security. Some amount of protection coupled with the statistical likelihood of being targeted already goes a long way.
After reading a similar article on HN a year ago, I too decided to use Authy but the realized that it was vulnerable to the same methods. I eventually decided to use andOTP[1].
While it doesn't automatically sync across devices, it does allow you to create backups[2] which can be encrypted with AES or your PGP key. Just store this in Dropbox/Drive/Box and offline storage and you're good to go.
> My solution going forward will be to spend all of my money each month so there's nothing to steal, and have a terrible reputation online that therefore can't be ruined.
I find it strange that there is no procedure for the following situation:
* all emergency/account recovery info changed
* Person contacts shortly thereafter claiming account hack
I lost a legacy skype account recently. It had had no email attached to it, so the hacker was able to add theirs and get notified whenever I got back into the account. There was no way to remove their email or add new security mechanisms without waiting 24 hours, so I had no way to keep them from resetting the password.
The account was shut down for spam not long after. As far as I could tell there was no way to effectively reach microsoft about this, despite being a paying office 365 customer. They had a security chat but it was a deadend, and slow.
Unlike what the OP stated, the key is NOT to list you phone number as an SMS 2FA recovery option. Only use the non-SMS options (e.g. app-based recovery, Google Authenticator, recovery codes). Adding SMS as an option makes your account less secure, not more.
Unfortunately, most sites do not allow you to turn off SMS recovery even if they offer other 2FA options.
Security is only as strong as the weakest link, and SMS is very weak.
The problem lies in that Google Authenticator is tied to a device, so if you upgrade it or lose it, you’re f’d. I also doubt many use/print recovery codes, and if they do, good luck finding them 7 years later.
I just went through this situation with a couple non-Google companies when I upgraded my phone, not realizing that their authentication info wouldn't transfer when Google transferred my data to the new phone. I thought I had double-checked that I had everything, but this got missed.
It was a pain for all of them, but it was worst for the ones that I had no other auth systems set up. (Or the ones that had my old phone number for SMS still, even though I thought I'd changed it everywhere.)
In the end, there's still no good system for real security. You're either stuck with a device you might lose (or someone might steal), or stuck with an account that you might cancel (or someone might steal). Or use biometrics which are just not ready for prime time.
> The problem lies in that Google Authenticator is tied to a device, so if you upgrade it or lose it, you’re f’d.
You can save the QR code that was used during setup to repeat the onboarding at any time. You can also use Authy, 1Password, or another service that lets you store the one-time password somewhere else. Or use U2F devices when possible.
No, Google Authenticator is not tied to a device. It's a standard (TOTP, RFC 6238) and you just need to use an app (perhaps not Google Authenticator, I use a different app myself) that will let you see the numerical code that you need to save somewhere.
It’s tied to the device as in it won’t be part of your backup to a new phone.. you have to manually transfer it yourself which according to you is using another app!
So the likelihood of moving to a new phone without those codes transferred is very high. Not exactly an easy experience.
> The problem is SMS account recovery, which is a really bad idea.
The problem is that a lot of services tie the two together. Often one implies the other. Even if it doesn't, though, it's also easier to social engineer -- "look! I have access to the 2fa phone number! I just can't access my password manager!"
In times like these, I am glad to live in a stone age country like German, where it is near-impossible to get a new SIM without going to the store in person and presenting a government-issued ID.
Sorry but you are wrong. Today was news on heise that clearing bank accounts by replacements and transfering the money to some popular new banks like fidor and n26 resulted in a temporary ban of a small bank to transfer any money to these banks.
It‘s happening here too ;)
Or a country like Sweden where you have to authenticate customer service through 2 FA using an application connected to your bank account, where you input a password or fingerprint.
And then the change only happens after you confirm a text message sent to your phone asking you to approve the request.
I would say that for the average user sms 2FA is secure enough.
P.S. I might have a different perspective as where i am from, there really aren't important services (banks etc.) that are using sms 2FA. Mobile operators doesn't ship SIM cards over mail, you can get a new SIM only in person providing ID (or PIN/PUK in case of prepaid cards). Probably my country is just too small market for these kind of attacks so i feel secure enough when using sms 2FA.
Depends on what it’s protecting, for example banks using it isn’t, as it’s a common enough attack vector it’s appeared on consumer programs on TV fairly often and they had to introduce a law to allow people to be refunded in cases of sim swap.
It seems like this only happens to people who have poor opsec about their email addresses, phone numbers, and are publicly related to the cryptocurrency movement. I mean, I'm sure it happens to other people, but that's the only case I've ever heard about.
I would personally be wary about publicly listing the email I use with my bank, or my phone number, and I've done what I can to scrub the internet of these values. If you have to be publicly reachable through a medium other than Facebook or Twitter, have a separate email and phone number through which you conduct your serious personal business. But most people do not need this kind of public reachability, or else have it through work. For those types of people, it would behoove them to keep their profile small.
A writer for ZDnet might be a public figure, but to call him "very public" seems like a stretch. There are probably millions of people as public or more than him.
That's less common wisdom and more of a catchy but dumb meme. There are all sorts of things you can buy that have crappy-to-nonexistent customer service.
I think there can be several reasons that a company lacks good customer service. One might be lack of competition. Another could be that they don't see their users as customers.
Sure, but even Comcast isn't as bad as Google; not as much depends on Comcast, and Google has mountains of p[eople's key life-altering data, yet it is nearly impossible to speak with a human that has any capability to effect a change.
As with every generalizations, there are exceptions, but they generally only prove the rule.
I was thinking more along the lines of manufacturer's warranties, which are often hard to actually use. Or Teslas being in the shop for weeks due to an unavailable part.
Customer service has more to do with company-specific culture than what you actually paid. There are good and bad examples in every industry (or even with the same company).
This is why I would like to trust my digital identity to my bank.
They have enough local, physical presence so that I could show up in person and prove who I am. Also the personnel is already familiar with checking the identity and hopefully less suspectiple to social engineering.
2FA tokens and codesheets without SMS backup are secure, but bit tricky to manage. Takes some effort to distribute to different, secure places (think if house burns) and some regular checks to verify backup tokens are alive and codesheets not lost.
My good bank has no physical presence whatsoever. I mean, I presume they operate a call centre somewhere, maybe in Scotland, but I've never seen it.
They can reach out and cause things to happen at a distance, but I don't want that used to authenticate me. They used it when I had lost my cards, to cause me to receive a bundle of cash so I could get on with my day just paying cash everywhere.
I have a specialized OTP device with a chiclet keyboard, and a password used for normal stuff. When I do something serious, like the time I bought somewhere to live, I call them to set up the transaction, then a different random person gets assigned to call me back and verify the details - this way if one employee goes rogue they can't empty my account by claiming I called them. They have a password for me, and the second employee uses that password so that I know it's really the bank calling me.
It's a Telephone Bank in the UK, launched in 1989 and I became a customer a year or three after that. Because it doesn't have any branches its call centre staff have to be trained to handle absolutely anything - if they can't fix it then it won't get fixed.
I found it because my father used it, I have no idea why, he was not ordinarily a man to favour technologically sophisticated solutions, he never owned his own email address for example. Maybe as a working man he found it frustrating that other banks were closed after hours? First Direct is never closed, it operates 24/7. I have used other banks for some things, but I've always kept accounts with First Direct because of their truly extraordinary customer service hence I call it the "good bank". I actually know one of their Founders and apparently that commitment to customer service was key to their original vision for the bank, he led a strategy session for the start-up where I work now and it used that vision to give us a worked example. He was Chairman at another start-up I've worked for too. Small world.
For the buying a home part I do mean that I bought it outright by the way, there wasn't a mortgage or anything like that - so that's a lot of money, let's say six figures. I presume the precaution was triggered by the fact that I wanted to move this large sum (almost all the money I had) to an account I'd never sent any money to before. Sounds almost exactly like a scam.
I would _like_ to believe any other bank would have similar protections - but of course I don't buy a home every day, so I have no other examples to compare, and most of my contemporaries have a mortgage so the very large sums aren't involved.
The password when they call me thing was nice, to be honest they didn't proactively set that up. I suggested it off-handedly one day and they were like "Of course, yes, we can set that up". I presume it's not custom, just they didn't explicitly advertise it to me as an option. That happens a lot, I didn't want contactless on my new card recently, and they were like "Yup, of course, done. Replacements for this card will also not have contactless until you call to change that".
Phone providers, email providers, and banks should provide an option to require in-person verification for account recovery or in the case of phone providers transfer of a number to a different SIM. These events should be infrequent enough that it would be OK if there was a fee for verification.
This might seem impractical for people who live somewhere that the provider doesn't have an office, but it actually isn't. There is a nationwide, readily available mechanism already in place for this. They are called notary publics.
It could work like this:
1. You request account recovery, and pay the fee, and provide your physical contact information.
2. The provider hires a notary public in your area, and sends them a form for you to sign authorizing the account recovery.
3. The notary meets with you, verifies your identity, notarizes your signature on the form, and then lets your provider know that this has successfully completed.
4. Now that the provider knows the request was legitimate, the recovery or transfer can go through.
This is why I don't use Google for anything of importance. No customer support = I am not using it for anything of importance. Consider it a 'burner' service.
Someone trusts faceless uncaring tech companies with all of their most crucial data.
Companies get hacked. User's life is crashed. Companies feel nothing and have pathetic "support".
"Thankfully", insider access grants privileges.
> Thankfully, I have a good friend at $COMPANY who was very concerned with my plight and was able to get $PRIVILEGED_SUPPORT
My point is that we have set up these systems that have us all skating on thin ice, and when people inevitable fall through (or are pulled under by thieves) we have almost no recourse, unless we happen to be well-connected to the internal workings of these machines.
We're turning the world into Morlocks and Eloi. We've got to wake up and slow this shit down.
> While Twitter is a free service, I would still expect some level of assistance for someone who has had the same account for 13 years and can get thousands of people to verify my identity.
'free service' being the operative words, and they can probably trust the user to do all the hard work of maintaining a new account for another 13 years (with associated pageviews) without lifting a finger.
> I made sure to have two-factor authentication (2FA) enabled with this service. It turns out that the 2FA with text messaging sent to a cell phone may be useless when hackers steal your SIM right out from under you.
O RLY. The point of 2FA is that one of those factors is a physical token which cannot be stolen remotely. Anything involving SMS to a phone number is not 2FA and never will be 2FA and anyone claiming otherwise is either an idiot or assumes you are...
The fact that ACH is slow is a feature not a bug. Remember that when people want to speed up money transfers.
> After a couple of days, our bank reversed the $25,000 charge and told us that the fraud department caught the ACH withdrawal before it was fully processed so that neither my family nor the bank lost this money forever.
But also, the US regulatory environment is very friendly towards individuals when it comes to fraudulent electronic transfers, regardless of how quickly they execute.
IMHO. "I trusted cloud services to store my data". I never do that. I have multiple offline encrypted backup copies (on-site and off-site). I do not trust anything out of my arm's reach. The cloud is not an option for serious backups (unless you have n copies with different vendors + offline backups). I think the convenience of the cloud (with encryption) is an option when you have offline backups. I hope you will get your data back and that nothing will be compromised.
Don't use 2FA, if the 2nd factor is anything mobile-based. Use strong passphrases, and type them when you need access to the assets they protect.
There is the concept of "security VS convenience", a trade-off you make when using secured assets. 2FA is convenience just as much as it is security. By having SMS as a method to reset a password, you reduce the attackers workload from cracking a difficult password to "compromise your mobile phone physically or electronically". I trust my passphrases much more than my mobile device and/or carrier.
This doesn't make sense. Why not use both 2fa AND a strong passphrase? To get to the second factor the attacker still needs your password. There is nothing that says you should use a simple password if you have 2fa configured.
The author really hasn't learnt anything if he thinks that enabling all Google recovery options is the right thing to do. The only thing you should ever use is "Google Authenticator" and then store a copy of its recovery codes in a safe place (bank vault or zero-knowledge encrypted online storage). But better yet, don't use GMail in the first place.
> I had backed up a ton of personal information on Google Drive. This included tax returns, account passwords for my wife in case I died, personal documents and spreadsheets, and just about everything I had paper copies of at home.
I guess the author learned that lesson, but… please don't. Backups in the cloud are fine, but such sensitive information has to be encrypted. Ideally with a 6 words diceware password or so.
And if it is meant for your close ones to recover if you die, write that password down, and lock it up in a couple homes you trust.
I believe Google has some kind of service you can turn on where you will pair it with a U2F token like a Yubikey or their Titan key. At that point, all other forms of login and password recovery are turned off. In theory, that should stop the SIM-swap attack.
I use Authenticator, which should also stop a SIM-swap. However, I've noticed that many services seem to require activating 2FA via text message in order to activate authenticator. Has anyone else noticed that?
Quite a few do require you to have at least two second-factor methods set up, although I think for me only one has ever insisted on setting up phone / text 2FA. If you don't have a spare phone for TOTP or a Yubikey for U2F, phone-based might be all you can use (considering a surprisingly small number of 2FA supporting sites seem to implement recovery codes).
Unfortunately, Yubikey at least basically only works in Google Chrome, so if you actually want to use your account you have to use methods other than the Yubikey.
Conventionally, one metaphorically chooses a _hill_ to die on, and lines in the sand are only crossed or redrawn, not died on.
The insistence on using Chrome is arbitrary and I don't like it. The use of U2F rather than WebAuthn at least has a technical justification (older Android devices can't do WebAuthn, and while it's backward compatible in the sense that you can use a WebAuthn authentication having signed up with U2F, vice versa is not possible, so old Android devices would have a confusing UX behaviour) but the insistence on Chrome is just arbitrary lock-in.
I won't be dying on that hill either, but it does suck.
> The insistence on using Chrome is arbitrary and I don't like it.
Supposedly this limitation is because Firefox doesn't implement the JavaScript calls that permit a U2F-calling site to know the type of U2F key being used and Google wants to enforce, when enrolling for ATP, that at least one of the two keys being enrolled can be used wirelessly (Bluetooth or NFC).
I don't agree with it either but will only truly be mad if/when Mozilla implements the requisite call and Google still blocks enrollment without Chrome.
I certainly didn't appreciate how much SIM cards are the keys to our modern lives until mine got stolen. Interestingly, my thieves took a different tack: they actually stole the physical SIM card! You might ask how this could happen: I was traveling internationally and had a friendly guy at an official kiosk in the Heathrow arrivals hall swap out my SIM card for a local SIM. He palmed my SIM and gave me back a dud without me noticing. He then shipped it back to Atlanta where collaborators used it to blindly called credit card support numbers. Some of these credit card numbers were hits — places where I had existing accounts and where they recognized my phone number. They social-engineered their way to get the CC companies to divulge more information about me — including the CC numbers themselves — allowing them to increase my credit limits and open new cards. They then went on a $40k shopping spree.
Of course I didn't notice until I came home. The dud card he gave me worked for 24 hours (I still don't understand how). And even after it stopped working, it took me quite some time to piece together everything that happened — I didn't realize that the SIM card I had wasn't mine for quite some time. Fortunately they did the equivalent of an identity theft smash-and-grab. It was relatively easy to identify and reverse, and they didn't compromise any tech 2FA services.
Interestingly Heathrow police didn't care as the "theft" was only a $5 SIM card and not a "high enough value item" to warrant investigation.
> Interestingly Heathrow police didn't care as the "theft" was only a $5 SIM card and not a "high enough value item" to warrant investigation.
What about the part that's "being a part of a criminal conspiracy to steal $40k?" I guess that's not something for the airport police to deal with though.
In light of the extended Fraud on your account, I believe
that due to the 7 day lapse between you collecting the SIM
and returning to the USA, then your details could have been
compromised anywhere. In all probability, this occurred in
the USA as this is where the accounts have been set up and
believed the fraudsters would have had to have been in order
to benefit from the crime.
The fact that you bought a SIM card in the UK is purely
circumstantial I’m afraid, therefore we would not
investigate this further.
Of course I was shouting "THEY HAD TO SHIP IT BACK TO THE U.S. FOR IT TO WORK" as well as providing the call logs documenting calls from the Atlanta region (where I don't live and hadn't visited), but it fell on deaf ears and I gave up. That response made me feel like a tin-hatted conspiracy theorist, though: yes, I am certain I was defrauded through an international criminal conspiracy.
I understand your frustration, but I also think they have a point.
What you're telling us is all based on your educated guesses as to how they might have pulled this. There are things that feel a bit weird and I'm guessing you have no evidence to prove them, such as the scammer shipping the real SIM back to Atlanta in time before you realise the issue.
How did you realise the SIM card you were handed was fake? Couldn't it be that they instead duplicated your SIM whilst you weren't looking?
IMHO the police (or FBI or whatevs) in the US should conduct the investigation as that's were the fraud happened. They'll evaluate if it's worth it contacting their counterparts in the UK to move forward. However I also think it is good that you've given a heads up to the UK local authorities.
Do you remember what company was offering the local SIMs? I've seen mostly Lebara, but not in Heathrow...
The SIM ICCID that I physically had in my hands upon return was different than the ICCID that ATT had on file for me. I also watched the dude do it right in front of me, but of course SIM cards are quite easy to palm. It was the "Tourist Services" kiosk and I bought a £20 Lebara card. He very kindly taped the ATT card down to the Lebara cardboard packaging, and I wasn't able to remove that tape without damaging it so I'm quite certain that it wasn't swapped elsewhere.
I did also report it to both my local police and the FTC and the FBI but never could gain traction as nobody thought it was their jurisdiction. I eventually gave up once my credit was repaired.
Just playing devil's advocate, the ICCID on file would also be different if they had managed to compromise your account and change the sim associated with it.
That might be reasonable. It also makes the scam OP is guessing happened a pretty good criminal scam, since the police will refuse to investigate it...
I mean, what possible additional evidence could one plausibly have that the guessed scam is indeed what happened?
Which is the scary thing about all these SIM-theft things. It clear happened, there's really no way for the victim to know how/where/what/when/who.
It certainly took me quite some time to put all the pieces together — and I'd wager very few folks defrauded like this are able to realize exactly what happened.
Anyway, thanks for sharing. This is not exactly an obvious fraud.
I think one way to prevent it, aside from remembering to not let your SIM off your hands is to mark/paint your SIM and make it unique and easily recognizable.
Then you can deal with it immediatelly, even if you forget the rule to not give your SIM temporarily to others. (You'll probaly not forget, but people who may not have your experience and still want to protect themselves against this, may.) Also the attackers will not probably attempt to swap unique looking SIM in the first place.
Other ways are to use phones with 2 SIM card slots or simply use a local carrier with decent international roaming support or (of course) carry a paperclip to just do it yourself.
fun fact about sims. they run a java operating system which can be accessed via binary SMS messages (apdu messages) - invisible to your phone, with the right sim pin, they can get filesystem access in this 'os' and steal your private keys and phone identification numbers, effectively allowing them to mitm / clone your phone and calls/sms etc.
that being said it's just plain silly how important these crummy devices are, and how little information and warnings they come with.
set a good sim pin, that will save u from this type of trouble. of course, it won't save u from physical phone / sim access.
You can setup a SIM PIN, but I hadn't enabled it and I bet few folks do as it's not connected to the device lock code and not on by default: https://support.apple.com/en-us/HT201529
Phones' PINs aren't connected to SIMs. I have to enter my PIN on reboot, even if I removed my SIM. Putting the SIM in a phone without a PIN results in nothing being required.
Edit: Thanks for correcting me- I guess my SIM does not have a PIN.
SIM cards themselves can have a PIN attached to them too, usually with a lockout after 3 unsuccessful attempts. The card is supposed to be secure against tampering, but since it's running an OS which receives very little scrutiny and runs lots of legacy tech, there are likely all kinds of exploits to reset / root the SIM and bypass any PIN protection. It's still useful against casual theft though.
While there have been a few very scary hacks that could compromise a currently-unlocked-and-running SIM, I don't think there is anything you can do to a powered-down SIM without the PIN.
A SIM card has its own PIN, completely independent from the phone's pin. If I put my SIM in someone else's phone, it will ask for my PIN, even when they don't have a PIN set.
> We pay for Google Drive, Google Fi, and Google Play Movies so I was hoping there would be some level of customer service for paying customers. There are no phone numbers available for customers who pay for services or those who only use free services.
I pay for Drive (now part of Google One) and they advertise free phone support with it. I've never used it, and it turns out it's not a phone number you can call, but rather you request a call from them:
Back before phones we had things like fire safes that would hold your "precious memories" so when your house burned down you wouldn't lose them. That is so much harder to do these days.
One of the things I do is periodically spool off ephemeral data to BD-R's (write once Blu-Ray disks). At 25GB a pop they aren't super dense but I don't actually generate more 'new' data than that in a given month. It was something I do because when I started in this business I made backups because crappy disk drives would lose data. But these days you can get crypto ransomed and poof all that data unavailable?
There is no doubt a market for some new 'best practices' for data security. Perhaps No Starch Press will get someone to collect those ideas into a book.
> It turns out that the 2FA with text messaging sent to a cell phone may be useless when hackers steal your SIM right out from under you.
The most annoying part about this is that Twitter demands your phone number. You can't use another method for 2FA, such as U2F or OTP. I assume it's not at all because they want to authorize you or keep your account safe, but rather because they want to be able to identify you. User's lose both privacy and security.
Just to clarify, you can use U2F to login, but you can’t only use U2F. Eventually you’ll be locked out of your account (after logging in) and forced to provide a valid number.
> While I had a PIN associated with my SIM, I still do not know how the thief was able to get past this the first time, I changed this PIN on the call.
If he's really talking about the SIM PIN, I don't think having one helps against this kind of attack. The SIM PIN is to prevent people in possession of your physical SIM from using your cellular account for voice or data.
What you need with T-Mobile is a separate PIN that is required for porting out your number [1]. You set this PIN up by calling support.
I thought of the port out pin too, but I think the attacker convinced t-mobile support to activate a different SIM. I don't think the PIN does anything in that scenario.
If you haven't yet, remove your telephone number as a recovery option for your Gmail account. And also, why can't US fix the shit that is transferring SIM cards? In the UK you can request a SIM transfer code but it takes at least a few days - there's plenty of time to catch it and stop it before someone transfers your SIM. Why can't American operators do the same? Just say "you have received your request, please wait 7 days for it to be processed" - why does it have to be instant?
? Of course there is - it's called a PAC code, and it takes at least 1 working day with the fastest operators, in the meantime you get notified that it's happening.
No, you're confused. A PAC code is used when switching carriers, it has nothing to do with the scam described here where an attacker contacts your carrier and claims "I lost my SIM".
Activating a replacement SIM can happen in minutes (and that's a good thing : would you want to wait 7 days to get service again ?)
The only thing that seems different from the US is that I don't think everything can be done over the phone here : you need to go physically into a shop and (hopefully) show ID.
The issue is partially that while social engineering countermeasures that could help prevent sim swaps could be helped by better training and more rigorous security checks, there are actually bad actors who are employees of the carriers who can be paid off to switch SIMs.
Google Fi requires you to have access to your google account to port or sim swap your number. So if you have real 2FA you should be safer.
I just had my AT&T sim swapped two weeks ago. According to police, the sim swappers are insiders at the telcos or have compromised corporate credentials and are logging into the telco admin portal and processing the swaps themselves.
I’ve now switched to Google Fi. I’m banking on the assumption that Google doesn’t keep an admin portal open to the internet and that they don’t give sim swap/port access to employees that aren’t paid well enough to be willing to take a small bribe to swap the sims.
no sim is no calls or sms. however, an inactive sim is allowed to call 611 (or provider equivalent) , 911(or local equivalent) and a few such emergency numbers generally. You do need the sim to be in working order and in the device. but it does not need to be activated.
> This included tax returns, account passwords for my wife in case I died, personal documents and spreadsheets, and just about everything I had paper copies of at home.
This is why you should never store passwords on your computer / cloud in plain text.
> Given that I had 2FA enabled for my bank account and the bank account info on Google Drive, it was just a matter of time before the thief started stealing my money.
Is it common in the United States to allow online banking without any physical second factor? My bank requires me to use some kind of device similar to https://en.wikipedia.org/wiki/Chip_Authentication_Program with my card and code to login or execute transactions. I think most other banks in my country require something similar.
my UK bank ties their app to my phone using an off band code i receive from a person after calling their contact number. if i reinstall my OS i need to call them to receive another code.
By all means use hosted email, but if you want to stop this happening to you make sure you register your own domain! At least then you can open a new mail account and move the domain to this. That way you can make sure you can recover your other accounts...as long as you don't lose you DNS of course!
Companies should never require SMS as a 2nd factor. It isn't secure. Let's call out names:
* Twitter requires you to enable cell-phone based 2nd factor before they let you enable any other 2nd factor. Luckily in my case their buggy software determined that my cell phone number is "incorrect", so I was never able to.
* Twilio (the authors of Authy!) let you use TOTP codes from Authy in addition to SMS-based 2FA. There is no way to disable the SMS authentication, so your account is never secure.
* Many banks assume that SMS is a secure channel, which it isn't, and force its use as 2FA.
This should get more publicity and companies should be called out on forcing people to use SMS as a 2nd factor. There are many reasons why this is a bad idea, and the story described in the article is just one of many possible attacks.
Its because all of these companies are cheap and don't want to deal with the customer support cost of people who lose a virtual/physical MFA device. Instead, they treat virtual/physical MFA like a convenience feature that their customers keep whining about. But, if you've got that SMS on backup, then who cares if you lose the MFA; just use your phone, security be damned.
1Password is also guilty of this in a different way: They won't let you register a U2F physical security key unless you also have a virtual security key on the account.
This is ridiculously simple. I'll spell it out:
1) Offer Virtual, U2F, and SMS-based multi-factor authentication. SMS is still useful for convenience on platforms which pose less of a security risk to your digital life.
2) Don't gatekeep methods of multi-factor authentication behind others.
3) Allow multiple devices for each method of multi-factor authentication, especially physical U2F keys.
4) Offer backup codes.
5) Offer an Enhanced Lockdown option, whereby customer support account recovery is irrevocably impossible in the event of lost multi-factor.
This is a good reminder to never entrust Google with sensitive financial records and documents. Sure, the cloud service is a convenience, but, if a hacker accesses your account, it doesn't take much to download copies of those documents and use them against you.
I strongly suspect the problem will continue until someone gets a nice, fat judgement against a telco over SIM swap damage. As it stands now they lose very little when it happens, why should they make their systems secure?
> I have countless PR folks, friends, family, and others who are in my long Gmail history and am currently unable to access any of that information
I have all this in my gmail also, but my mail downloads to my computer (I use Mail on my Mac). My Mail application data in turn backs up to a few backup drives, so I have this data in several places.
Do people use gmail without having a copy stored anywhere else? I totally get that this guy has been screwed many different ways, including by Google, but it seems unwise to not have a backup copy of your mail anywhere.
Recently I discovered that Facebook has a policy that no one with pending misdemeanors can be hired if they are just a contractor. We recently had to turn away a 23 year old combat veteran who had deployed to Afghanistan because he had a pending Class C misdemeanor. That’s a max fine of $50 for the state this was in. All for a $16.50 an hour job.
The amount of indifference to suffering by people in the corporate world today has gotten...I am not even sure what
the word is.
The lack of customer support provided my tech companies today is pathetic. Combine this with Google's decreasing effectiveness in looking up solutions to technical problems and we get this :(
I have a really odd, obscure problem with SMB and Windows 10 and would really like to just call up a Microsoft tech support hotline like they used to have, except they don't even offer a paid service for that any more to consumers. Got a problem with Windows? Get fucked!
Don't use an sms/voice phone number as part of your 2-step verification in Google.
In the past, I did use a verizon landline phone number as Verizon had the ability to "lock/freeze" that number from any outside changes, but I got rid of my landline a while ago.
Also, print out some backup codes and stick it in your wallet.
I have no idea what month and year I created my google account, and google doesn't seem to make that info available to you in a simple manner.
> Also, print out some backup codes and stick it in your wallet.
The idea of backup codes is good. Putting them in your wallet reduces your security though. Depending on the value of your accounts, you give a (physical) attacker everything he or she needs to compromise you.
>If anyone has tips on how I might get my Google and Twitter accounts back, I would greatly appreciate the feedback.
I know of one approach that might get results, but he's already done it: publicly shame them in an article. It's the only way to get results from these algorithm-driven companies that lack anything resembling an actual customer service department.
Google Takeout is your friend. I download all my drive, calendar, email, etc once a month. (Not photos, since I have those already.)
It pays to be skeptical with your data. 3 copies. 2 local one offsite. If your only copy is offsite in the control of someone else... that's a terrible decision.
Anyone know if Google Voice numbers have more protection from the SIM attack? I would assume that those numbers are hard to port out anywhere given their usage, right? Are mobile numbers part of a separate pool of numbers with different rules on porting?
I will never understand how someone can have all his digital life in one single place.. I mean, mail eMail, Passwords to all other sites, scanned documents - all in google? That is asking for trouble. Also, 2FA via Text makes your account unsafer, if any.
"T-Mobile suggests adding its port validation feature to all accounts. To do this, call 611 from your T-Mobile phone or dial 1-800-937-8997 from any phone. The T-Mobile customer care representative will ask you to create a 6-to-15-digit passcode that will be added to your account."
And then I forget/lose my 15 digit passcode, then what? Either there is a retrieval method that makes the whole thing irrelevant, or else I've replaced one catastrophe with another to no purpose.
Feels like a real pain and the author has genuine honesty that I appreciate. But that's also why I don't ever use chrome to store my passwords! Why on earth would you do that??
Google now allows the removal of SMS and Voicemail based 2FA if you have a hardware token configured. Good news is you can now use your Android phone as a hardware token.
While there is apparently a desktop interface, if someone gets access to my phone, they have the live access codes right there. When the SIM is stolen, can the authenticator also be accessed with the new location of that identity?
The process for moving Authenticator involves receiving a six digit Google code on your phone -- which was just effectively stolen with the SIM...
While Google may have built in protections, they are not obvious at this point to me, a casual user of Google Authenticor.
Does anyone have any more information to keep this more secure?
Last time I switched phones I had to set up GA from scratch, re-scanning the seeds on every account. The initial SMS code was just to attach an authenticator to a new device. Someone compromising your phone number shouldn't be able to get access to your codes, they would need the physical device.
Also note that there is no official desktop client, anything that claims to be is 3rd party and wouldn't be connected to your current codes.
You can just say you forgot your password and they’ll send you a text message with a code to reset the password if you’ve registered a number with that account.
As a tech-reviewer I'd assume OP to be more tech-savvy than your average shmoe, yet they kept ALL (literally all) Finanical and generally sensitive information in a central location that easily breached (G-drive) and to top it off used 2FA through SMS for many of their services. If anything this article only discredits the author of any common sense in the tech-space.
What do companies still use phone numbers for 2FA? This should be an automatic design decision to not use the phone number for anything outside of initial account set up. All the banks use it.
Why don’t I take my entire life and give it to tech companies? That seems like a good idea! I’ll just upload all my tax returns and other critical documents to the cloud because the cloud is well thought out and rock solid. I know this because software of all kinds is known to be well thought out and written in a pragmatic and thoughtful manner. There have never been instances of people exploiting flaws in software or the companies that maintain software. The web is not broken and is definitely not a precarious mountain of turds held together with scotch tape. The web is rock solid and I will trust it with my very life. My whole career depends on a twitter account and i have never tried to lessen my reliance on a single twitter account. Having my entire career depend on a twitter account is a safe and prudent thing to do. I have children.
Since becoming aware of my own problems with google (they truly could care less about their users data) and reading stories about previous incidents of swapping SIM cards.
My solution to all of it is literally just 2 emails. Both 2fa. Recovery exists but the numbers and emails are unknown to the world beyond Google or m$ servers. And those don't get used to register anything ever. I park my recoveries then use my main email as my most public one. Everything else is registered and recoverable on the second email that also isn't publicly known unless one of the services I'm attached to gets their data leaked etc etc etc....so even if they did successfully swap my SIM they can't get anything else.
TMobile got hacked a few months back and around the same time my personal debit card that stayed in my wallet the whole time and I don't ever use in public literally for that reason. Got charged. They tried to empty it all. I pressed and pressed the only thing they could do for me was ask for a specific code. Verbal 2fa. I think if I remember correctly none of the data showed up publicly anywhere yet not sure about the specific incident I just thought the timing was weird.
If that's the best security TMobile has and that's all their customer support has to offer us. They have failed as a company in my eyes. And it will only get worse not better as more middle managers get their cut of the security upgrades that they will partially and incorrectly implement.
Of course they won't lift a finger your not a Kardashian
Google really fails hard in the face of providing support when issues like this occur. The average person has to try various automated account recovery options which, as in the author's case, are readily changeable the moment the account is compromised, rendering them somewhat useless, and then users are out of luck.
It's a situation that is mind-boggling. Users as asked to place a significant chunk of their digital lives in the care of Google, it is unbelievable that they fail this badly. It's useful to note than it's not a situation that business users face. People who pay for G-suite have real support, even ::gasp:: telephone support. Why on earth does google not offer this to consumer users? I would gladly pay for that level of support and security. For that matter if there were some way of converting my personal account over to G-Suite I would do so.
I would even not mind something like one-time payments for support calls, for example pay $50 for a service call to get assistance in a case like this. I just can't fathom the "no support" model at all.
This is why I panicked when they announced they won't sync Google Photos with Google Drive anymore. With the sync, I can setup one of my computers to constantly download the photos and then copy it onto a local backup and an online backup. If my Google Account gets locked - I'll just copy the photos into something else and move on with my life. They removed that saying it's confusing to users - all the while it was an option users had to go explicitly enable.
I switched to iCloud which supports the download feature.
FWIW, I use syncthing for this exact use case.
SyncThing is fantastic, it's really solid and always just works.
Where did they announce that? I still have that setting enabled, and I'm using it for backing up exactly the same way you described, so I really hope this doesn't just get magically turned off someday.
Google Photos will stop syncing to Drive on July 10, 2019 https://gsuiteupdates.googleblog.com/2019/06/google-photos-d...
HN discussion: https://news.ycombinator.com/item?id=20166131
Would you mind elaborating on your iCloud setup to handle this please?
The most common way to do this is to have the Photos app on MacOS set to "download originals," then use whatever backup solution you like best. I highly recommend setting this up. Last month through some sort of iCloud glitch my fiancé lost almost all of her photos from before the beginning of this year. We've escalated it to their highest tiers of support but the photos are gone. Redundancy is important, and even the best providers aren't foolproof. It was devastating to lose all of those memories.
Thanks. Currently I do this:
Phone -> Dropbox + Google Photos (automatically)
Card-based cameras -> Plug in card, Dropbox + Google Photos pick up new photos
Backup 'server': Local synced Dropbox folder -> Local + Cloud backups
I couldn't see how to add iCloud to my existing syncs / backups. When I looked at it, I couldn't be sure it would keep photos on my phone long enough to allow Dropbox and Google Photos to pick them up. It's good that it's possible to get the originals over at a MacOS machine. Might be worth exploring then.
This is how I do it too, then backups are done through Arq and Amazon. I consider Google Photos as a “share / social” area. I would never entrust masters with Google.
I should go and backup my photos asap then...
In case you own an iPhone, it's given to you the option to backup your photos to your iCloud account (Apple service bundled into the phone).
How is your solution different from uploading to Google Drive?
Editing, search, organization, sharing and viewing tools. Google Photos is a fantastic UI for that - provided, the pictures actually live in my Drive.
> I would even not mind something like one-time payments for support calls, for example pay $50 for a service call to get assistance in a case like this.
I can just see the people raging about this on social media now.
“Google charged me $50 to fix an issue with my account!”
“Google won’t give me any help unless I pay them! Extortion artists!”
Etc.
Sure, people would complain. But they complain now when these issues happen. I'd rather a scenario where people complain but the problems are getting fixed. It's not completely unreasonable that Google offers low/no support for free products. It is unreasonable that they don't have any way to pay for help when there are serious problems.
Make it something you can pay in advance, then.
For a fee, you get marked as a high-risk/high-value account, get the recovery service and risky factors of authentication get extra scrutiny, etc.
You can get extra security from Google for free. https://landing.google.com/advancedprotection/
Patio11 just had an automated loss of access on his phone when enrolling. Lack of support hurts there too.
https://mobile.twitter.com/patio11/status/114040469625693798...
This was quite unfun. (Fixed now, after I blackboxed what the actual problem was. Some Googlers are looking into the docs/error messages to fix that half.)
Not exactly free, because you must buy a couple of hardware tokens. Fifty dollars when bought from google. But free besides that.
They'd probably get bad headlines regardless of whether or not they required an in-advance subscription:
- Don't allow upgrading after a problem arises to get premium support: "Google won't let me pay to fix my account"
- Allow upgrading after a problem arises to get premium support: "Google extorting me to regain access to my account"
I believe Google does offer support to consumers via Google One (where available), it’s priced very reasonably too.
One of Google One’s selling points Google advertises is phone based access to Google experts.
There’s also another bad side effect of Google. Google makes and gives away stuff for free and one of the reasons they do it is because they run a lean operation. They don’t provide any kind of support. Let’s say someone want to start a new company that provides all the same features of Google and provide solid support - there’s no way they can do it for free. Or even if it’s a reasonable price, people are going to pick free anyway. Except those of us who care. Just the fact Google and Facebook gives it away from free, in a sense, kills any possible paid service in the domains they operate. IMHO that qualifies as anti-competition and anti-trust. But the laws aren’t designed for this scenario at all.
> kills any possible paid service in the domains they operate.
I can think of paid services that compete in the domains google operates in. Fastmail is an easy one.
It’s $20/year to get 100GB of space for GoogleOne. Worth it so that you have a paid account with support options.
The author mentions that they are a paying customer.
Google One has support, it's pretty much the only button in the UI when you go there.
EDIT: actually it looks like the support might need to be reached from within the account, so that's still a major problem when you can't get in at all.
This kind of stuff is horrifying to me and why I willingly pay the Apple Tax. At the end of the day they have stores full of humans I can walk into and tell my sob story to and excellent telephone support.
I don't believe it works the way you think it does:
https://support.apple.com/en-us/HT204921 "If you need more help, contact Apple Support. While we can answer your questions about the account recovery process, we can't verify your identity or expedite the process in any way."
That is fine but the scam started by reassigning the SIM; something not related to Apple. I am not having enough criminal fantasy but in your Apple World you live in a monoculture...usually this makes it just easier for intruders to make problems.
> I would even not mind something like one-time payments for support calls, for example pay $50 for a service call to get assistance in a case like this. I just can't fathom the "no support" model at all.
Have you considered alternatives that do offer support?
> People who pay for G-suite have real support, even ::gasp:: telephone support. Why on earth does google not offer this to consumer users?
I know people are getting sick of this phrase, but I'm going to repeat it here anyway because it answers your question perfectly: why doesn't Google have customer support? They do, but if the product is free, you're not the customer.
As you note, Google does have real customer support for people who pay. The other people are not customers, they are advertising targets. Why waste money on support for them?
As someone using G Suite for personal purposes I'm glad to pay for support honestly (+ the peace of mind of being mostly in charge of my data, not having it be mined for whatever purposes).
> Why waste money on support for them?
On the other hand, a paid edge case support option for otherwise free services would be a win for both sides. If only the long term projection of the resulting incentives would not be so ugly...
Google One advertises real support for consumer users... but it turns out they can't really so anything but read support docs to you.
I didn't realize, I apparently was automatically made a Google One user when they created the program because I pay for a bit of extra Drive storage. I'd really like to hear stories from people who have had a hacked/stolen account and the support Google One provided.
Is this a reference to something? I haven't heard much about Google One's support good or bad.
The concern I'd have with G-One is that if you lost access to your account, you also aren't a Google One customer, and the support likely won't assist you. Creating a chicken/egg situation.
Not a reference to any story, just a few personal experiences. I had various issues, and they couldn't escalate anything to actually fix them, they just read support docs back to me. It's not like the paid support that gsuite customers get (although I'd be happy to pay more for that if I could).
Yes, there should be some support for non-paying users. Even if it comes at a cost, like a flat rate incident fee.
g suite is awesome for personal accounts. One of the few non abusive services that google offers.
Buy a domain (12+USD year depends on extension) + G-Suite (around 4-5USD/Month) and that's it. As a bonus, you always can swap your email provider without changing your email address.
Why is it that the most dramatic stories of people's digital lives being lost/broken usually seem to revolve around a compromised mobile phone number? Mobile phone numbers are not unique (they are recycled) and are terrible security (mobile phone companies are careless). I change mobile numbers at least once a year and most years I end up receiving calls/messages on behalf of the previous owner. I refuse to connect my mobile phone to these services.
It seems like one of the most important lessons of computer security has already been forgotten: It's only as good as the weakest link. Not only this but decentralization/redundancy is often better than centralization/dependency. For example, I'm not sitting awake at night worrying over some semi-pseudo password I generated for an old unencrypted forum run on some random persons server.
> I change mobile numbers at least once a year and most years I end up receiving calls/messages on behalf of the previous owner.
I had something very similar happen when I got a new number. I kept getting calls for the previous owner from what I assume to have been a bank, a library (for passed-due books no less; left a voice mail), and random people trying to contact this person. Not long thereafter, I started getting text updates from Facebook any time one of their contacts posted something. Facebook fortunately disables this with the text message STOP (IIRC) [1], but it bothered me that a nefarious actor could have passively collected the names of this person's contacts, messages, or more.
Not quite sure what to do, I did end up calling most of them back to inform them they had the wrong number, if they left a voice mail. The calls stopped about a year and a half later, and while I was somewhat annoyed at the time, in retrospect it could have been much worse!
[1] https://www.facebook.com/help/225089214296643
Because every time you login to gmail without a phone number there's a big "add your phone number for super security!!" pop up on the screen. People do what the google tells them to do.
This is a good place to remind everyone of Google Takeout [1]. Back up all of your data. Don't let this horror story happen to you.
[1] https://takeout.google.com/settings/takeout
Thanks for the reminder--I've done it several times in the past, but it wasn't a scheduled thing at all.
There's a new checkbox in takeout that lets you schedule a backup every 2 months (and then presumably you'll get an email when you need to download it).
Does anyone else have issues with takeout failing with "unknown error occurred" if you use the default of selecting all products? I have to manually create multiple takeout archives (one for gmail, one for photos, one for location history...)
Absolutely! Always fails. I didn't know about the alternative you mention...thanks....
Works fine for me with select all. Maybe it was a temporary thing.
I was just about to set this up to automatically put everything in my organization's Box every six months, but:
> With access to your XXX@YYY.ZZZ Box account, Google Download Your Data can:
> Read and write all files and folders stored in Box
Nope. Download link it is.
Yeh that's unfortuante but it is normal for box's API. This isn't Google being overly grabby, its the only scope available to third party read and writing to box.
The API scope doesn't have any knowledge of individual files or applications. https://developer.box.com/docs/scopes
Conversely, Google Drive does have scopes available for Application specific folder read/write https://developers.google.com/drive/api/v3/appdata
So box needs to up its game.
To be clear though, unless Box does actually offer a finer-tuned 'write to specific dir' access control, that's not nosey Google's fault.
Thanks for reminding me... again... about this. Why haven't I backed up my gmail data yet? It has been years since I realized I have to do it. Why haven't I done it?
Because it's not easy to automate.
Gmail alone is easy - use POP in a mail client, set it to mark stuff read, leave it on the server etc https://support.google.com/mail/answer/7104828?hl=en
I'll agree that POP is pretty easy and worthwhile here.
One caveat: I'm not certain that it's identical to what Takeout provides. I downloaded the mbox file via Takeout and the Takeout version was a fair bit larger than my Thunderbird mbox file as I recall. Maybe Thunderbird stores the emails more efficiently than Takeout? I should examine this more closely. As far as I am aware there are no missing emails in Thunderbird, though I could write a script to be certain.
Edit: Seems that I misremembered. The Takeout file seems to be appreciably smaller than what Thunderbird has, but in line with what Gmail reports at the bottom. I guess Thunderbird is actually less efficient than Gmail. Attachments might explain some of this, as I deleted some attachments in Gmail that I kept in Thunderbird.
The takeout file might be compressed too. Most mail clients don't bother to compress anything.
Yes, it was zipped, but I was comparing uncompressed. I've now checked. There's about a 500 MB difference for about 10 GB of emails. So not too bad, but appreciably different.
Attachments?
They now have a feature that lets you schedule it to run every few months. You could probably automate the download from your email client.
`gmvault` in a cron job works pretty well...
Check out Mailstore Home
My previous experience (years ago) was that it actually gave me incomplete backups... which is.. insane and frustrating. Hopefully that’s fixed now.
Anyone who wants to defend themselves, consider using U2F where you can and Google Advanced Protection. I just recently picked up a bluetooth security key because one is needed to log an iPhone into an account using advanced protection; there is no SMS backup loophole. The Titan key bundle comes with a bluetooth and USB key, which is enough to get started, though frankly you probably want a couple additional backup keys too.
https://landing.google.com/advancedprotection/
(The usual disclosure: I work for Google, but not on anything related to this, only speaking as a user.)
U2F keys are great but I look forward to the day when they’re more widely available outside the US. And I’m still waiting for my replacement from Feitian for the recent vulnerability. Not to say you shouldn’t use them, but... they have their limits. Particularly Advanced Protection which forces you to use Google’s browser in many situations and disables API access so I can’t use the API to get my own data, only Google’s official apps and a small exception for Apple’s.
Yeah, Chromium is needed to add keys, which effectively means you can’t enable Advanced Protection without Chromium. I personally ran into this wall. I acknowledge that this sucks, as a person that intentionally only uses Firefox, but to be clear logging in and most other operations work absolutely fine with Advanced Protection.
Does it really disable all API access? I thought it only blocked certain OAuth scopes, but to be honest I haven’t really tried.
I was able to login to a NVIDIA Shield, but only by resetting and bootstrapping off a spare Android device (!!!) because U2F keys are broken on Shield. Interestingly, my Samsung TV remains signed into Youtube, which is kind of odd now that I think about it.
Seems like Firefox U2F is just disabled by default: https://www.yubico.com/2017/11/how-to-navigate-fido-u2f-in-f... (tl;dr: Open about:config, search for u2f, enable)
With that done, GitHub prompts me for my key. My Linux office workstation is missing the necessary udev rule, so I couldn't test more. (Funnily, pressing Cancel caused them to send me a SMS, so their 2FA is practically worthless).
I've run into strange interactions where adding a key is disabled in Firefox (even with the security.webauth.u2f flag set to true), but once one key is added, you can add subsequent keys no problem.
This is how Github worked for me - I think it's just a mis-match in the code checking for U2F functionality...
I think adding the key use a different mechanism - there are two JS interfaces for U2F, and FF only supports one of them. TBH I've added my key to GitHub with chromium, but have since moved to FF; so that might be what you're seeing with GitHub.
Oh yeah, I’ve set all that stuff up already and I am able to login; NixOS makes it mostly pretty easy.
Youtube/YoutubeTV seem to be walled off on 2nd factor auth. I've been able to log into both on browsers w/o 2nd factor and then get prompted when logging into web gmail.
Or use your Android phone as your second factor.
https://security.googleblog.com/2019/06/use-your-android-pho...
That’s a great idea and would’ve saved me some time. Sadly, I had ordered and received my Titan kit before even realizing I still had an Android device, less that I could use it to bootstrap my iOS device...
I hope Apple some day supports NFC or maybe even USB U2F, both things Android has supported on phones for a bit.
Why doesn't Google get rid of SMS recovery completely? It's a huge security flaw that can be easily exploited.
Probably because the more barriers you put in the way of scams, social engineering, etc. the harder you make it for people to legitimately get back into their accounts and the more likely it is that you'll instead read stories about how someone "forgot their credentials and lost access to everything in their account and Google won't do anything about it."
No opinion on SMS specifically but there are tradeoffs.
It would be more just if people losing access to their accounts were those that lost their credentials rather than anyone that has a SMS number tied to their account. Other approaches to account recovery could be explored but none of them should involve SMS.
Google is a pain as there's no way to talk to a human. I have lost access to an old Gmail account as my phone broke. Without authenticator I can't get in. I can't set up authenticator anew because I don't have the password anymore. I still have same phone and plenty of emails - just no way to get in.
When you set up 2fa with Google they give you a set of backup codes you can use to get back in case you lose access to your phone/authenticator. It's important to store those somewhere safe.
I have no idea what the pros and cons are and certainly can’t speak for why. However, I think the existence of the Advanced Protection Program is definitely acknowledgment that the SMS backup is not secure enough for everyone.
The thing is, not long ago I had no issue recovering my account if it got compromised. I think attackers today have gotten better at finding ways to beat the system. One thing I’ve seen, albeit I don’t know if it works on Google accounts, is enabling high security after stealing an account, effectively making recovery very hard.
Though, I can’t really speculate on if that’s what’s going on here.
Because, depending on your risk profile, it can be very helpful:
> We found that an SMS code sent to a recovery phone number helped block 100% of automated bots, 96% of bulk phishing attacks, and 76% of targeted attacks.
* https://security.googleblog.com/2019/05/new-research-how-eff...
Not everyone has to worry about being targeted by nation states.
When you first enable 2FA with Google you have to do SMS (at least that was the requirement last time I did it). However, once you've defined an alternative 2FA method (Google auth, u2f key, etc) then you can remove the SMS method completely.
Believe it or not banks are really bad at security. They are so bad at it that they don't even realize how bad at it they are. But the banks all copy from each other so "what the other guy is doing" is more or less their justification for what they do. Most of them have little to no idea why they do what they do for IT security, they just do what the Computer Security for Dummies book says to do (walk through the IT security department at any big bank and I bet you there is a dog eared copy of that tome on every desk)
Synchrony is one of the worst offenders, they won't even let you change your password without doing SMS verification, and their source of phone numbers is a Transunion skip trace database (which you can't change or remove any information from), so getting past Synchrony can be as easy as filling out a contest form at a mall, waiting for the phone number to appear with Transunion, then choosing that phone number to do SMS verification. It might take a couple months but payoff can be huge.
My hero at the moment is Capital One, they allow you to do e-mail authentication instead of SMS, and their iOS app also doubles as an additional factor (one requiring you to enter your password or use touch ID to use).
I was also extremely happy to find that the brokerage Robinhood offers Google Auth as a second factor. E*Trade also offers 2FA but a proprietary token w/ lcd display (which they happily charge you for).
My trick has been to give banks a false phone number that rings busy forever. That does effectively keep me from using banks that require SMS authentication, but there are more then enough that either offer other methods or drop their SMS requirement if you list your mobile number as your home number (indicating that its a wired phone and can't receive SMS). That doesn't keep my Synchrony accounts secure but there are enough protections around credit cards that my liability would be $50 at worst, with Synchrony having to eat the remainder of the loss.
> When you first enable 2FA with Google you have to do SMS (at least that was the requirement last time I did it)
I don't remember that ever being the case, either when Google first launched Google Authenticator and 2FA (when I pretty soon after set it up) or when I later went through the setup process for my work account at my current job (a couple years ago).
That is awesome then! It was a lot of hassle for me to find a phone that accepts incoming calls (and wouldn't come back to me) so I could get past the first step - though to Google's credit the number I used never showed up anywhere so they didn't try to sell me out.
It depends on your threat level. If you're just trying to avoid phishing, it's great, something like 99.9% effective. However, if you're worried you'll be targeted, where someone will go through the effort to do this to you specifically, then it's not a good choice.
2FA does not fully protect you against phishing. The attacker can just passthrough all credentials including your 2FA code. It limits the attack to a time window and any further security sensitive changes that require 2FA may be protected unless the user naively re-enters their code.
U2F/ WebAuthn credentials can't be passed through.
Or in more detail, the credentials aren't human readable and are per-FQDN, so when you visit badguy.example thinking it's goodguy.example, your Security Key will cheerfully hand over valid credentials for badguy.example, but there is no way to give them credentials for goodguy.example because that's not where you are.
Hence that 100% score on Google's page.
Meant to say TOTP or SMS 2FA.
I've just checked and Google now allows the removal of SMS based 2FA if you have an alternative 2FA method configured.
What is your contingency plan for when that physical key is lost, stolen or damaged?
Multiple physical keys in multiple formats stored in multiple places. I've got a few security keys: one on a keyring, one in a locked file cabinet, one locked in a safe. Backup codes are printed on good quality acid-free paper with good toner and then are put in acid-free envelopes or laminated, stored in a safe at home and a trusted family member's house.
I'm far more concerned with an attacker from the internet or destruction from a fire or natural disaster than someone using my computer at my home who happens to have my username/password combination as well.
I have two. One stays with me, the other in a safe.
Which is legitimately a pain in the ass to register, manage, keep in sync, etc but I only use it for a few very important accounts--Google being one of them.
You should have emergency backup keys as well printed on real paper. I have a set stored with our important files, and another in my nightstand. Having my phone stolen would be a damnable inconvenience, since that is my second factor -- although not via SIM, but via Google's in-app authentication. But it wouldn't be fatal.
I use andOTP, which is compatible with Google Authenticator and actually allows backing up the private keys (one of the key missing features of Google Authenticator, though maybe they've fixed that).
A good equivalent to andOTP on iOS is OTP Auth (backups, optional cloud syncs, it just works): https://apps.apple.com/us/app/otp-auth/id659877384
I have about six, one in each computer I regularly use.
Have multiple keys/tokens?
Why not "defend" yourself by not relying on gmail? It's not exactly the first time this has happened.
What’s better? Serious question. Very few companies spend as much on security as Google. You have to do your part and configure something like Advanced Protection, but if someone’s going to go to all the effort listed in the article, which provider would be a better bet?
It's not like email providers get hacked all the time. Individual email accounts do get hacked.
Find an email provider that provides decent support, i.e. you can call and talk to a real person. Make sure they support 2FA (ideally the non SIM variant). Also recovery tokens that you can write down and stuff like that.
Personally I run my own mail server but I understand that's not everybody's cup of tea.
Is there anything specific to Google about this? Could it be the same story about another email provider?
And if not then why not? Is it because Google is a bigger and more obvious target or something specific they are doing badly?
If you think people should switch then these are the kind of questions you should answer.
A smaller, paid provider may make it easier to get someone on the phone to resolve problems when things go wrong. Having better support than Google would not take much.
"Getting someone on the phone" is a big reason these kinds of problems happen in the first place. The reason Google doesn't do that is because they would be too big of a social engineering target, and couldn't possibly be secure in the face of that at a reasonable cost.
Fair enough. Is there any email provider that has similar procedures to NFSN?
https://faq.nearlyfreespeech.net/q/LostEverything
The article doesn't say if the user had two-factor authentication set up. I guess it's implied they used SMS as the second factor.
This would happen with any email provider.
So the fix isn't changing email provider, it's using a more secure second factor, e.g. U2F.
Right, but at least with a different email provider it's infinitely more likely to get actual support if this happens.
"I don't remember my password and I have a new phone, can you help me" is precisely how attackers do sim swaps in the first place.
Absolutely, if you want. I am not advocating to use or not use Gmail or other services. But also be sure to use U2F on whatever you can, be it Fastmail or Proton Mail or what have you. I think Proton Mail is still working on their U2F support today, though.
FastMail has humans respond to all support tickets. Imagine being able to recover your email without spending 5 days talking to a google form?
source: I work at fastmail. It's cool.
At the end of the day, there’s a lot of differences between the many webmail offerings. The apps, the support, the feature-sets, etc. If you have gotten used to things like the nuances of Gmail filters, switching anywhere can be challenging, I think, and the same could be said about the reverse. I’ve been considering using both Gmail and FastMail simultaneously for a while, especially for custom domains. Also, JMAP is cool.
I am mostly just suggesting that folks who read stories like these and fear similar predicaments take the time, effort, expense, etc. to properly secure whatever accounts they have.
Thought experiment: if someone steals an account with no 2FA, enables U2F and other security mechanisms, how will support verify who truly owns the account? Or the reverse: user enables U2F and someone calls in and tries to claim the account was stolen?
Having humans make judgements is important because the real world is complicated and people are imperfect, but using U2F in the first place can save you a huge headache, no matter what services you use. If support can just flip a bit and disable U2F, it isn’t very useful for the same reasons accounts get hijacked to begin with.
I mean, i think you answered the question yourself. History of account security details, things like login logs, IP addresses, when things were changed, payment information, etc can corroborate the story a user is trying to tell (ie, my account got stolen), or refute it.
And those things? It comes down to having strong process rules and having intelligent life forms make the decision.
This is the first thing I thought of when reading that. For sure, Google's lack of real support for fixing things when someone does steal enough 2FA creds, like phone number, is a drag. On the other hand, it appears that setting up Advanced Protection probably gives you a much harder to hack account than any other provider could do.
This unfortunately is useless. Account recovery will still allow the hacker to use the phone number that has just been swaped to logon to the email. The weakest link is what matters and in this case you are just putting a bigger door lock on the front door while leaving your back door open.
Once you've configured a security key on a Google account, it's entirely possible to remove phone-number based account recovery -- and strongly recommended for at-risk users. See step 21 et seq. in the Tech Solidarity security guide for people working on political campaigns:
https://techsolidarity.org/resources/security_key_gmail.htm
For no particular reason, Google does require you to temporarily configure phone-number based recovery while configuring other 2FA options -- but once they're set up, you don't need the phone number anymore.
A few suggestions:
1) Call your cellphone carrier and ask to set up a password/PIN to be used for when you call into the customer service phone number.
2) Consider your phone number and SIM card insecure. The phone carriers are ignoring the SIM swap problem even though they know how much damage it's causing. Give your phone number to as few companies as possible. Phone services such as Google Voice work without a SIM card, so they are less prone to problems. Give out such a phone number if necessary.
3) Don't use text message verification codes as 2FA. Use an authentication app, such as Google Authenticator.
4) You can retake possession of your hacked Gmail account by providing one of the previously used passwords. No need to have a working phone.
5) Ask yourself, what will happen if you lose both your laptop and your phone at once? Do you have things set up in a way where you can get back into your digital life? Someone can break into your home while you're away, the government can confiscate them at the airport, etc.
6) Check what email addresses you have configured as backup auth methods for your Gmail. Those accounts can be used as a means of access by a hacker.
> 4) You can retake possession of your hacked Gmail account by providing one of the previously used passwords. No need to have a working phone.
That's possible?! I only ever change password if I suspect it might have been compromised. Now if a service allows to use old passwords, that's quite a bummer and makes password change meaningless.
> Call your cellphone carrier and ask to set up a password/PIN
Note that, at least for TMobile, AT&T, and Verizon, the password/PIN is presented to the CSR in plaintext (as they verify the pin over the phone verbally).
I'd assumed they'd transfer to some pin-capture applet to verify, but nope.
> Use an authentication app, such as Google Authenticator
If you decide on Google Authenticator, make sure you scan the barcode with 2 devices (say, your tablet and your phone) to back up that credential. Or just use Authy.
Authy allows you to recover your account using... SMS. So this is also vulnerable to SIM swapping. https://medium.com/mycrypto/what-to-do-when-sim-swapping-hap...
Omg you're kidding me
> scan the barcode with 2 devices
You can print out a copy of the barcode and keep it somewhere safe. It's a little bit scary as that barcode is a super powerful extra key but, you will have a key that will work and not be reliant on any device to store it.
There are plenty of TOTP apps (besides Authy) that support backing up the code generation keys. I use andOTP, for example, which supports backing up locally to the phone's internal storage (and optionally encrypting that backup with either AES + a passphrase or a PGP key if you've setup an OpenPGP provider on your device). 1Password's iOS (and Android?) app also supports TOTP.
> 2) Consider your phone number and SIM card insecure.
Your phone number is an obvious attack vector. I think having a dual sim phone with 2fa dedicated number that is not publicly associated with you, possibly with the carrier that has it's security in order, would decrease the odds of getting hacked.
> Call your cellphone carrier and ask to set up a password/PIN to be used for when you call into the customer service phone number.
What is really infuriating is that it is not required for BestBuy-type authorized resellers that hook directly into the system.
> 4) You can retake possession of your hacked Gmail account by providing one of the previously used passwords. No need to have a working phone.
This is what I'm worried about, if I don't have a phone number on a gmail account, won't it make it harder to get access to that gmail account if I am locked out. Even though there's obviously a bad security loophole with just having a phone number on your account as a recovery option, is it not worse to be locked out of your account with no way to get in?
Even if you go through the g.co/advancedprotection onboarding process, they still say account recovery is possible and that it would take 3-5 days extra. Granted, it's not easy, but it's much easier to buy security keys and put one in a safe deposit box than it is to try to get every carrier to be nice to you and not SIM-swap your account.
> 5) Ask yourself, what will happen if you lose both your laptop and your phone at once?
Yes! For example, if you're robbed on your way home from work, and they take your laptop and your mobile.
In the space of the afternoon after reading this article, I removed SMS 2FA from all my accounts, installed Authy, added all my accounts to it, found out Authy is also insecure[0], reconfigured it to be less insecure, and basically despaired.
My solution going forward will be to spend all of my money each month so there's nothing to steal, and have a terrible reputation online that therefore can't be ruined.
[0] https://medium.com/p/1367f296ef4d#681f
A lock on your door is obviously insecure, but can work because it introduces friction for the burglar, while there are other targets around. It's a similar principle at work for online security. Some amount of protection coupled with the statistical likelihood of being targeted already goes a long way.
After reading a similar article on HN a year ago, I too decided to use Authy but the realized that it was vulnerable to the same methods. I eventually decided to use andOTP[1].
While it doesn't automatically sync across devices, it does allow you to create backups[2] which can be encrypted with AES or your PGP key. Just store this in Dropbox/Drive/Box and offline storage and you're good to go.
[1] https://github.com/andOTP/andOTP/blob/master/README.md [2] https://raw.githubusercontent.com/flocke/andOTP/master/asset...
> My solution going forward will be to spend all of my money each month so there's nothing to steal, and have a terrible reputation online that therefore can't be ruined.
Way ahead of you there buddy
(sorry, I know, no jokes..)
I find it strange that there is no procedure for the following situation:
* all emergency/account recovery info changed
* Person contacts shortly thereafter claiming account hack
I lost a legacy skype account recently. It had had no email attached to it, so the hacker was able to add theirs and get notified whenever I got back into the account. There was no way to remove their email or add new security mechanisms without waiting 24 hours, so I had no way to keep them from resetting the password.
The account was shut down for spam not long after. As far as I could tell there was no way to effectively reach microsoft about this, despite being a paying office 365 customer. They had a security chat but it was a deadend, and slow.
Unlike what the OP stated, the key is NOT to list you phone number as an SMS 2FA recovery option. Only use the non-SMS options (e.g. app-based recovery, Google Authenticator, recovery codes). Adding SMS as an option makes your account less secure, not more.
Unfortunately, most sites do not allow you to turn off SMS recovery even if they offer other 2FA options.
Security is only as strong as the weakest link, and SMS is very weak.
The problem lies in that Google Authenticator is tied to a device, so if you upgrade it or lose it, you’re f’d. I also doubt many use/print recovery codes, and if they do, good luck finding them 7 years later.
Overall the situation isn’t great.
I just went through this situation with a couple non-Google companies when I upgraded my phone, not realizing that their authentication info wouldn't transfer when Google transferred my data to the new phone. I thought I had double-checked that I had everything, but this got missed.
It was a pain for all of them, but it was worst for the ones that I had no other auth systems set up. (Or the ones that had my old phone number for SMS still, even though I thought I'd changed it everywhere.)
In the end, there's still no good system for real security. You're either stuck with a device you might lose (or someone might steal), or stuck with an account that you might cancel (or someone might steal). Or use biometrics which are just not ready for prime time.
I encountered the similar problem the last time I upgraded. There are alternatives to Google Authenticator that offer backups and cloud syncs while maintaining security. andOTP on Android and OTP Auth on iOS. https://play.google.com/store/apps/details?id=org.shadowice.... https://apps.apple.com/us/app/otp-auth/id659877384
> The problem lies in that Google Authenticator is tied to a device, so if you upgrade it or lose it, you’re f’d.
You can save the QR code that was used during setup to repeat the onboarding at any time. You can also use Authy, 1Password, or another service that lets you store the one-time password somewhere else. Or use U2F devices when possible.
I would recommend saving the recovery codes in a password manager app (that is not your browser)
No, Google Authenticator is not tied to a device. It's a standard (TOTP, RFC 6238) and you just need to use an app (perhaps not Google Authenticator, I use a different app myself) that will let you see the numerical code that you need to save somewhere.
It’s tied to the device as in it won’t be part of your backup to a new phone.. you have to manually transfer it yourself which according to you is using another app!
So the likelihood of moving to a new phone without those codes transferred is very high. Not exactly an easy experience.
I still have my Google Account recovery codes in my wallet that I first generated in 2011.
Better not lose your wallet!
When you’re at Google scale, all of these methods have real world flaws.
The industry needs to learn that sms 2fa is not secure because getting a sim for someone else is so easy. And this happening in every country.
SMS 2FA is fine. 2FA adds another layer on top of your password. The second factor doesn’t have to be particularly secure to make you safer.
The problem is SMS account recovery, which is a really bad idea.
> The problem is SMS account recovery, which is a really bad idea.
The problem is that a lot of services tie the two together. Often one implies the other. Even if it doesn't, though, it's also easier to social engineer -- "look! I have access to the 2fa phone number! I just can't access my password manager!"
Companies do that, but they shouldn't call it 2FA at that point as it is no longer a _second_ factor: it has become the primary factor.
I'm not sure I've ever seen SMS account recovery.
Google has sms account recovery.
In times like these, I am glad to live in a stone age country like German, where it is near-impossible to get a new SIM without going to the store in person and presenting a government-issued ID.
Sorry but you are wrong. Today was news on heise that clearing bank accounts by replacements and transfering the money to some popular new banks like fidor and n26 resulted in a temporary ban of a small bank to transfer any money to these banks. It‘s happening here too ;)
Or a country like Sweden where you have to authenticate customer service through 2 FA using an application connected to your bank account, where you input a password or fingerprint.
And then the change only happens after you confirm a text message sent to your phone asking you to approve the request.
Does the 20 year old minimum wage employee working at that store know how to spot a good quality fake ID card?
What about hackers bribing an employee?
I would say that for the average user sms 2FA is secure enough.
P.S. I might have a different perspective as where i am from, there really aren't important services (banks etc.) that are using sms 2FA. Mobile operators doesn't ship SIM cards over mail, you can get a new SIM only in person providing ID (or PIN/PUK in case of prepaid cards). Probably my country is just too small market for these kind of attacks so i feel secure enough when using sms 2FA.
Depends on what it’s protecting, for example banks using it isn’t, as it’s a common enough attack vector it’s appeared on consumer programs on TV fairly often and they had to introduce a law to allow people to be refunded in cases of sim swap.
It wasn't secure enough for the author of this article.
Not really an average person isn't he?
How is he not an average person, as far as security goes?
1) he didn't use a password app
2) he thought google drive was a safe place for his stuff
3) he thought google drive was a secure place for his stuff
All three things, which I would bet are fairly common assumptions (the last 2 are certainly part of Google's marketing!), turned out to bite him.
He is a public personality and in that role has been related to Bitcoin. And he also has his phone number and email publicly visible on the internet.
https://gizmodo.com/a-tv-anchor-tries-to-gift-bitcoin-on-air...
It seems like this only happens to people who have poor opsec about their email addresses, phone numbers, and are publicly related to the cryptocurrency movement. I mean, I'm sure it happens to other people, but that's the only case I've ever heard about.
I would personally be wary about publicly listing the email I use with my bank, or my phone number, and I've done what I can to scrub the internet of these values. If you have to be publicly reachable through a medium other than Facebook or Twitter, have a separate email and phone number through which you conduct your serious personal business. But most people do not need this kind of public reachability, or else have it through work. For those types of people, it would behoove them to keep their profile small.
Before the identity theft occurred, what about the the author made him particularly "not average"? Being an early twitter adopter or something?
I wouldn't call a writer for ZDnet who probably has a very public persona an average JOE.
A writer for ZDnet might be a public figure, but to call him "very public" seems like a stretch. There are probably millions of people as public or more than him.
You're saying that you're safe because you're not an interesting target. People tend to agree that security through obscurity is not a good strategy.
As for how hackers can swap someone's SIM, consider:
- Does the 20 year old minimum wage employee working at that store know how to spot a good quality fake ID card?
- What about hackers bribing an employee?
Bank of America uses SMS.
Silicon Valley has a systemic customer service problem. The price you pay for "Free" services.
His cell provider was the problem, and that is a paid service. They never should have given someone else a SIM, they are absolutely liable.
I think the common wisdom dictates that since we aren't paying, we aren't the actual customers. I'll bet advertisers have great customer service.
That's less common wisdom and more of a catchy but dumb meme. There are all sorts of things you can buy that have crappy-to-nonexistent customer service.
I think there can be several reasons that a company lacks good customer service. One might be lack of competition. Another could be that they don't see their users as customers.
Sure, but even Comcast isn't as bad as Google; not as much depends on Comcast, and Google has mountains of p[eople's key life-altering data, yet it is nearly impossible to speak with a human that has any capability to effect a change.
As with every generalizations, there are exceptions, but they generally only prove the rule.
I was thinking more along the lines of manufacturer's warranties, which are often hard to actually use. Or Teslas being in the shop for weeks due to an unavailable part.
Customer service has more to do with company-specific culture than what you actually paid. There are good and bad examples in every industry (or even with the same company).
> There are all sorts of things you can buy that have crappy-to-nonexistent customer service.
But that doesn't contradict the point of the comment you were replying to, does it?
Edit: You should reply instead of just downvoting.
Article author was paying for some of it.
He was paying for all those services (except Twitter and Facebook [which was ok]).
The hack was the fault of T-Mobile though. He pays for that.
This is why I would like to trust my digital identity to my bank.
They have enough local, physical presence so that I could show up in person and prove who I am. Also the personnel is already familiar with checking the identity and hopefully less suspectiple to social engineering.
2FA tokens and codesheets without SMS backup are secure, but bit tricky to manage. Takes some effort to distribute to different, secure places (think if house burns) and some regular checks to verify backup tokens are alive and codesheets not lost.
My good bank has no physical presence whatsoever. I mean, I presume they operate a call centre somewhere, maybe in Scotland, but I've never seen it.
They can reach out and cause things to happen at a distance, but I don't want that used to authenticate me. They used it when I had lost my cards, to cause me to receive a bundle of cash so I could get on with my day just paying cash everywhere.
I have a specialized OTP device with a chiclet keyboard, and a password used for normal stuff. When I do something serious, like the time I bought somewhere to live, I call them to set up the transaction, then a different random person gets assigned to call me back and verify the details - this way if one employee goes rogue they can't empty my account by claiming I called them. They have a password for me, and the second employee uses that password so that I know it's really the bank calling me.
I would like to know more about this bank!
What bank is it? How did you find it?
I've not heard of features similar to this, especially the last part about buying a house.
It's First Direct https://www1.firstdirect.com/
It's a Telephone Bank in the UK, launched in 1989 and I became a customer a year or three after that. Because it doesn't have any branches its call centre staff have to be trained to handle absolutely anything - if they can't fix it then it won't get fixed.
I found it because my father used it, I have no idea why, he was not ordinarily a man to favour technologically sophisticated solutions, he never owned his own email address for example. Maybe as a working man he found it frustrating that other banks were closed after hours? First Direct is never closed, it operates 24/7. I have used other banks for some things, but I've always kept accounts with First Direct because of their truly extraordinary customer service hence I call it the "good bank". I actually know one of their Founders and apparently that commitment to customer service was key to their original vision for the bank, he led a strategy session for the start-up where I work now and it used that vision to give us a worked example. He was Chairman at another start-up I've worked for too. Small world.
For the buying a home part I do mean that I bought it outright by the way, there wasn't a mortgage or anything like that - so that's a lot of money, let's say six figures. I presume the precaution was triggered by the fact that I wanted to move this large sum (almost all the money I had) to an account I'd never sent any money to before. Sounds almost exactly like a scam.
I would _like_ to believe any other bank would have similar protections - but of course I don't buy a home every day, so I have no other examples to compare, and most of my contemporaries have a mortgage so the very large sums aren't involved.
The password when they call me thing was nice, to be honest they didn't proactively set that up. I suggested it off-handedly one day and they were like "Of course, yes, we can set that up". I presume it's not custom, just they didn't explicitly advertise it to me as an option. That happens a lot, I didn't want contactless on my new card recently, and they were like "Yup, of course, done. Replacements for this card will also not have contactless until you call to change that".
Phone providers, email providers, and banks should provide an option to require in-person verification for account recovery or in the case of phone providers transfer of a number to a different SIM. These events should be infrequent enough that it would be OK if there was a fee for verification.
This might seem impractical for people who live somewhere that the provider doesn't have an office, but it actually isn't. There is a nationwide, readily available mechanism already in place for this. They are called notary publics.
It could work like this:
1. You request account recovery, and pay the fee, and provide your physical contact information.
2. The provider hires a notary public in your area, and sends them a form for you to sign authorizing the account recovery.
3. The notary meets with you, verifies your identity, notarizes your signature on the form, and then lets your provider know that this has successfully completed.
4. Now that the provider knows the request was legitimate, the recovery or transfer can go through.
This is why I don't use Google for anything of importance. No customer support = I am not using it for anything of importance. Consider it a 'burner' service.
Exactly
So the same pattern unfolds:
Someone trusts faceless uncaring tech companies with all of their most crucial data.
Companies get hacked. User's life is crashed. Companies feel nothing and have pathetic "support".
"Thankfully", insider access grants privileges.
> Thankfully, I have a good friend at $COMPANY who was very concerned with my plight and was able to get $PRIVILEGED_SUPPORT
My point is that we have set up these systems that have us all skating on thin ice, and when people inevitable fall through (or are pulled under by thieves) we have almost no recourse, unless we happen to be well-connected to the internal workings of these machines.
We're turning the world into Morlocks and Eloi. We've got to wake up and slow this shit down.
Agree.
These two snippets inspired /facepalm:
> While Twitter is a free service, I would still expect some level of assistance for someone who has had the same account for 13 years and can get thousands of people to verify my identity.
'free service' being the operative words, and they can probably trust the user to do all the hard work of maintaining a new account for another 13 years (with associated pageviews) without lifting a finger.
> I made sure to have two-factor authentication (2FA) enabled with this service. It turns out that the 2FA with text messaging sent to a cell phone may be useless when hackers steal your SIM right out from under you.
O RLY. The point of 2FA is that one of those factors is a physical token which cannot be stolen remotely. Anything involving SMS to a phone number is not 2FA and never will be 2FA and anyone claiming otherwise is either an idiot or assumes you are...
The fact that ACH is slow is a feature not a bug. Remember that when people want to speed up money transfers.
> After a couple of days, our bank reversed the $25,000 charge and told us that the fraud department caught the ACH withdrawal before it was fully processed so that neither my family nor the bank lost this money forever.
Instant transfers work fine in countries where banks do their job properly.
Mobile phone numbers shouldn't be used as a second factor, much less as a way to fully recover online credentials to your bank account.
You're probably right. You definitely shouldn't be able to recover your online credentials then immediately transfer out all the money.
But also, the US regulatory environment is very friendly towards individuals when it comes to fraudulent electronic transfers, regardless of how quickly they execute.
IMHO. "I trusted cloud services to store my data". I never do that. I have multiple offline encrypted backup copies (on-site and off-site). I do not trust anything out of my arm's reach. The cloud is not an option for serious backups (unless you have n copies with different vendors + offline backups). I think the convenience of the cloud (with encryption) is an option when you have offline backups. I hope you will get your data back and that nothing will be compromised.
Don't use 2FA, if the 2nd factor is anything mobile-based. Use strong passphrases, and type them when you need access to the assets they protect.
There is the concept of "security VS convenience", a trade-off you make when using secured assets. 2FA is convenience just as much as it is security. By having SMS as a method to reset a password, you reduce the attackers workload from cracking a difficult password to "compromise your mobile phone physically or electronically". I trust my passphrases much more than my mobile device and/or carrier.
This doesn't make sense. Why not use both 2fa AND a strong passphrase? To get to the second factor the attacker still needs your password. There is nothing that says you should use a simple password if you have 2fa configured.
Because they can do "forgot password" using the 2fa.
Passphrases can be phished.
The author really hasn't learnt anything if he thinks that enabling all Google recovery options is the right thing to do. The only thing you should ever use is "Google Authenticator" and then store a copy of its recovery codes in a safe place (bank vault or zero-knowledge encrypted online storage). But better yet, don't use GMail in the first place.
> I had backed up a ton of personal information on Google Drive. This included tax returns, account passwords for my wife in case I died, personal documents and spreadsheets, and just about everything I had paper copies of at home.
I guess the author learned that lesson, but… please don't. Backups in the cloud are fine, but such sensitive information has to be encrypted. Ideally with a 6 words diceware password or so.
And if it is meant for your close ones to recover if you die, write that password down, and lock it up in a couple homes you trust.
I believe Google has some kind of service you can turn on where you will pair it with a U2F token like a Yubikey or their Titan key. At that point, all other forms of login and password recovery are turned off. In theory, that should stop the SIM-swap attack.
See: https://support.google.com/accounts/answer/7539956?hl=en
I use Authenticator, which should also stop a SIM-swap. However, I've noticed that many services seem to require activating 2FA via text message in order to activate authenticator. Has anyone else noticed that?
Quite a few do require you to have at least two second-factor methods set up, although I think for me only one has ever insisted on setting up phone / text 2FA. If you don't have a spare phone for TOTP or a Yubikey for U2F, phone-based might be all you can use (considering a surprisingly small number of 2FA supporting sites seem to implement recovery codes).
The point is that, while there are dangers, TXT 2FA is leagues better than not having anything at all.
Unfortunately, Yubikey at least basically only works in Google Chrome, so if you actually want to use your account you have to use methods other than the Yubikey.
You can use it in any browser. You have to register it in chrome. Crappy, but not a line in the sand I'm willing to die on.
Conventionally, one metaphorically chooses a _hill_ to die on, and lines in the sand are only crossed or redrawn, not died on.
The insistence on using Chrome is arbitrary and I don't like it. The use of U2F rather than WebAuthn at least has a technical justification (older Android devices can't do WebAuthn, and while it's backward compatible in the sense that you can use a WebAuthn authentication having signed up with U2F, vice versa is not possible, so old Android devices would have a confusing UX behaviour) but the insistence on Chrome is just arbitrary lock-in.
I won't be dying on that hill either, but it does suck.
> The insistence on using Chrome is arbitrary and I don't like it.
Supposedly this limitation is because Firefox doesn't implement the JavaScript calls that permit a U2F-calling site to know the type of U2F key being used and Google wants to enforce, when enrolling for ATP, that at least one of the two keys being enrolled can be used wirelessly (Bluetooth or NFC).
I don't agree with it either but will only truly be mad if/when Mozilla implements the requisite call and Google still blocks enrollment without Chrome.
You'd think Ubuntu chromium-browser might be acceptable for Google U2F setup -- but no, not when I tried a couple of months ago.
Worked for me. :(
What error did you see?
Ha! That was an amusing mix of phrases. You got what I meant though, and provided some color. Agreed on it sucking.
The problem starts with a mobile provider simply giving away a service to someone else. Twice. This is shocking.
I certainly didn't appreciate how much SIM cards are the keys to our modern lives until mine got stolen. Interestingly, my thieves took a different tack: they actually stole the physical SIM card! You might ask how this could happen: I was traveling internationally and had a friendly guy at an official kiosk in the Heathrow arrivals hall swap out my SIM card for a local SIM. He palmed my SIM and gave me back a dud without me noticing. He then shipped it back to Atlanta where collaborators used it to blindly called credit card support numbers. Some of these credit card numbers were hits — places where I had existing accounts and where they recognized my phone number. They social-engineered their way to get the CC companies to divulge more information about me — including the CC numbers themselves — allowing them to increase my credit limits and open new cards. They then went on a $40k shopping spree.
Of course I didn't notice until I came home. The dud card he gave me worked for 24 hours (I still don't understand how). And even after it stopped working, it took me quite some time to piece together everything that happened — I didn't realize that the SIM card I had wasn't mine for quite some time. Fortunately they did the equivalent of an identity theft smash-and-grab. It was relatively easy to identify and reverse, and they didn't compromise any tech 2FA services.
Interestingly Heathrow police didn't care as the "theft" was only a $5 SIM card and not a "high enough value item" to warrant investigation.
tldr: Don't let anyone ever touch your SIM cards.
> Interestingly Heathrow police didn't care as the "theft" was only a $5 SIM card and not a "high enough value item" to warrant investigation.
What about the part that's "being a part of a criminal conspiracy to steal $40k?" I guess that's not something for the airport police to deal with though.
Ayup. Here's what I got back from them:
Of course I was shouting "THEY HAD TO SHIP IT BACK TO THE U.S. FOR IT TO WORK" as well as providing the call logs documenting calls from the Atlanta region (where I don't live and hadn't visited), but it fell on deaf ears and I gave up. That response made me feel like a tin-hatted conspiracy theorist, though: yes, I am certain I was defrauded through an international criminal conspiracy.I understand your frustration, but I also think they have a point.
What you're telling us is all based on your educated guesses as to how they might have pulled this. There are things that feel a bit weird and I'm guessing you have no evidence to prove them, such as the scammer shipping the real SIM back to Atlanta in time before you realise the issue.
How did you realise the SIM card you were handed was fake? Couldn't it be that they instead duplicated your SIM whilst you weren't looking?
IMHO the police (or FBI or whatevs) in the US should conduct the investigation as that's were the fraud happened. They'll evaluate if it's worth it contacting their counterparts in the UK to move forward. However I also think it is good that you've given a heads up to the UK local authorities.
Do you remember what company was offering the local SIMs? I've seen mostly Lebara, but not in Heathrow...
The SIM ICCID that I physically had in my hands upon return was different than the ICCID that ATT had on file for me. I also watched the dude do it right in front of me, but of course SIM cards are quite easy to palm. It was the "Tourist Services" kiosk and I bought a £20 Lebara card. He very kindly taped the ATT card down to the Lebara cardboard packaging, and I wasn't able to remove that tape without damaging it so I'm quite certain that it wasn't swapped elsewhere.
I did also report it to both my local police and the FTC and the FBI but never could gain traction as nobody thought it was their jurisdiction. I eventually gave up once my credit was repaired.
Just playing devil's advocate, the ICCID on file would also be different if they had managed to compromise your account and change the sim associated with it.
They also had the last-changed date (which was from when I set up my account).
That might be reasonable. It also makes the scam OP is guessing happened a pretty good criminal scam, since the police will refuse to investigate it...
I mean, what possible additional evidence could one plausibly have that the guessed scam is indeed what happened?
Which is the scary thing about all these SIM-theft things. It clear happened, there's really no way for the victim to know how/where/what/when/who.
It certainly took me quite some time to put all the pieces together — and I'd wager very few folks defrauded like this are able to realize exactly what happened.
I do wonder if it's still happening...
Is SIM cloning still easily doable?
Anyway, thanks for sharing. This is not exactly an obvious fraud.
I think one way to prevent it, aside from remembering to not let your SIM off your hands is to mark/paint your SIM and make it unique and easily recognizable.
Then you can deal with it immediatelly, even if you forget the rule to not give your SIM temporarily to others. (You'll probaly not forget, but people who may not have your experience and still want to protect themselves against this, may.) Also the attackers will not probably attempt to swap unique looking SIM in the first place.
Other ways are to use phones with 2 SIM card slots or simply use a local carrier with decent international roaming support or (of course) carry a paperclip to just do it yourself.
fun fact about sims. they run a java operating system which can be accessed via binary SMS messages (apdu messages) - invisible to your phone, with the right sim pin, they can get filesystem access in this 'os' and steal your private keys and phone identification numbers, effectively allowing them to mitm / clone your phone and calls/sms etc.
that being said it's just plain silly how important these crummy devices are, and how little information and warnings they come with.
set a good sim pin, that will save u from this type of trouble. of course, it won't save u from physical phone / sim access.
Is this true in say an iPhone? I don’t think there’s even a way to set a sim pin?
You can setup a SIM PIN, but I hadn't enabled it and I bet few folks do as it's not connected to the device lock code and not on by default: https://support.apple.com/en-us/HT201529
How did they get your 4-digit PIN? Don't you have to enter it on every reboot?
Phones' PINs aren't connected to SIMs. I have to enter my PIN on reboot, even if I removed my SIM. Putting the SIM in a phone without a PIN results in nothing being required.
Edit: Thanks for correcting me- I guess my SIM does not have a PIN.
SIM cards themselves can have a PIN attached to them too, usually with a lockout after 3 unsuccessful attempts. The card is supposed to be secure against tampering, but since it's running an OS which receives very little scrutiny and runs lots of legacy tech, there are likely all kinds of exploits to reset / root the SIM and bypass any PIN protection. It's still useful against casual theft though.
While there have been a few very scary hacks that could compromise a currently-unlocked-and-running SIM, I don't think there is anything you can do to a powered-down SIM without the PIN.
A SIM card has its own PIN, completely independent from the phone's pin. If I put my SIM in someone else's phone, it will ask for my PIN, even when they don't have a PIN set.
SIM PINs aren't enabled by default on iPhones and are independent of your device lock code.
It's not an iPhone thing. It's entirely on your carrier whether or not to enable it on a new SIM.
> We pay for Google Drive, Google Fi, and Google Play Movies so I was hoping there would be some level of customer service for paying customers. There are no phone numbers available for customers who pay for services or those who only use free services.
I pay for Drive (now part of Google One) and they advertise free phone support with it. I've never used it, and it turns out it's not a phone number you can call, but rather you request a call from them:
https://support.google.com/googleone/contact/googleone_c2c?h...
So there is a level of support for paying customers... at least in theory. I haven't heard of anyone's experiences with it in practice, however.
Curious if anyone here has tried Google One support, and whether their reps have the ability to escalate issues, the way G Suite reps can?
Back before phones we had things like fire safes that would hold your "precious memories" so when your house burned down you wouldn't lose them. That is so much harder to do these days.
One of the things I do is periodically spool off ephemeral data to BD-R's (write once Blu-Ray disks). At 25GB a pop they aren't super dense but I don't actually generate more 'new' data than that in a given month. It was something I do because when I started in this business I made backups because crappy disk drives would lose data. But these days you can get crypto ransomed and poof all that data unavailable?
There is no doubt a market for some new 'best practices' for data security. Perhaps No Starch Press will get someone to collect those ideas into a book.
> It turns out that the 2FA with text messaging sent to a cell phone may be useless when hackers steal your SIM right out from under you.
The most annoying part about this is that Twitter demands your phone number. You can't use another method for 2FA, such as U2F or OTP. I assume it's not at all because they want to authorize you or keep your account safe, but rather because they want to be able to identify you. User's lose both privacy and security.
Just to clarify, you can use U2F to login, but you can’t only use U2F. Eventually you’ll be locked out of your account (after logging in) and forced to provide a valid number.
> You can't use another method [with Twitter] for 2FA, such as U2F or OTP.
Are you sure?
* https://www.yubico.com/works-with-yubikey/catalog/twitter/
If you remove your phone number, you’ll eventually be locked out of your account and forced to provide a number. It’s unfortunate.
They still ban your account without valid non-VOIP phone.
> While I had a PIN associated with my SIM, I still do not know how the thief was able to get past this the first time, I changed this PIN on the call.
If he's really talking about the SIM PIN, I don't think having one helps against this kind of attack. The SIM PIN is to prevent people in possession of your physical SIM from using your cellular account for voice or data.
What you need with T-Mobile is a separate PIN that is required for porting out your number [1]. You set this PIN up by calling support.
[1] https://www.t-mobile.com/customers/secure
This T-mobile doc has more on the 6-15 digit "PIN/passcode":
Note that it can be set up via the T-Mobile web site, alternative to the phone support line.I thought of the port out pin too, but I think the attacker convinced t-mobile support to activate a different SIM. I don't think the PIN does anything in that scenario.
In many asian countries they recycle telephone numbers quite frequently, some providers as often as 3 months.
Perhaps it would be interesting to get a few pre-paid SIM cards and see if it there is any Google accounts connected to them?
If you haven't yet, remove your telephone number as a recovery option for your Gmail account. And also, why can't US fix the shit that is transferring SIM cards? In the UK you can request a SIM transfer code but it takes at least a few days - there's plenty of time to catch it and stop it before someone transfers your SIM. Why can't American operators do the same? Just say "you have received your request, please wait 7 days for it to be processed" - why does it have to be instant?
There's no such thing as a "SIM transfer code" in the UK. SIM swap scams are a thing here too : https://www.bbc.co.uk/news/business-46047714
? Of course there is - it's called a PAC code, and it takes at least 1 working day with the fastest operators, in the meantime you get notified that it's happening.
No, you're confused. A PAC code is used when switching carriers, it has nothing to do with the scam described here where an attacker contacts your carrier and claims "I lost my SIM". Activating a replacement SIM can happen in minutes (and that's a good thing : would you want to wait 7 days to get service again ?) The only thing that seems different from the US is that I don't think everything can be done over the phone here : you need to go physically into a shop and (hopefully) show ID.
In India to port a sim you have to first send a sms and would receive a verification number which is valid for a month or something.
Which is the problem...
Is there some mobile provider that has a way higher standard of security? Something like "Cloudflare for SIM"
No.
The issue is partially that while social engineering countermeasures that could help prevent sim swaps could be helped by better training and more rigorous security checks, there are actually bad actors who are employees of the carriers who can be paid off to switch SIMs.
Google Fi requires you to have access to your google account to port or sim swap your number. So if you have real 2FA you should be safer.
I just had my AT&T sim swapped two weeks ago. According to police, the sim swappers are insiders at the telcos or have compromised corporate credentials and are logging into the telco admin portal and processing the swaps themselves.
I’ve now switched to Google Fi. I’m banking on the assumption that Google doesn’t keep an admin portal open to the internet and that they don’t give sim swap/port access to employees that aren’t paid well enough to be willing to take a small bribe to swap the sims.
I noticed that author assumed he couldn't call 611 and took how long to contact via alternate phones.
I'm pretty sure 611 works without a SIM card.
no sim is no calls or sms. however, an inactive sim is allowed to call 611 (or provider equivalent) , 911(or local equivalent) and a few such emergency numbers generally. You do need the sim to be in working order and in the device. but it does not need to be activated.
How would the phone know which network to 611?
I would expect it to work for a carrier-branded device even with no SIM card, unless the device has been flashed with a stock firmware from the OEM.
For a non-carrier-branded device though, perhaps the presence of a SIM card is required.
> This included tax returns, account passwords for my wife in case I died, personal documents and spreadsheets, and just about everything I had paper copies of at home.
This is why you should never store passwords on your computer / cloud in plain text.
> Given that I had 2FA enabled for my bank account and the bank account info on Google Drive, it was just a matter of time before the thief started stealing my money.
Is it common in the United States to allow online banking without any physical second factor? My bank requires me to use some kind of device similar to https://en.wikipedia.org/wiki/Chip_Authentication_Program with my card and code to login or execute transactions. I think most other banks in my country require something similar.
my UK bank ties their app to my phone using an off band code i receive from a person after calling their contact number. if i reinstall my OS i need to call them to receive another code.
By all means use hosted email, but if you want to stop this happening to you make sure you register your own domain! At least then you can open a new mail account and move the domain to this. That way you can make sure you can recover your other accounts...as long as you don't lose you DNS of course!
Companies should never require SMS as a 2nd factor. It isn't secure. Let's call out names:
* Twitter requires you to enable cell-phone based 2nd factor before they let you enable any other 2nd factor. Luckily in my case their buggy software determined that my cell phone number is "incorrect", so I was never able to.
* Twilio (the authors of Authy!) let you use TOTP codes from Authy in addition to SMS-based 2FA. There is no way to disable the SMS authentication, so your account is never secure.
* Many banks assume that SMS is a secure channel, which it isn't, and force its use as 2FA.
This should get more publicity and companies should be called out on forcing people to use SMS as a 2nd factor. There are many reasons why this is a bad idea, and the story described in the article is just one of many possible attacks.
Its because all of these companies are cheap and don't want to deal with the customer support cost of people who lose a virtual/physical MFA device. Instead, they treat virtual/physical MFA like a convenience feature that their customers keep whining about. But, if you've got that SMS on backup, then who cares if you lose the MFA; just use your phone, security be damned.
1Password is also guilty of this in a different way: They won't let you register a U2F physical security key unless you also have a virtual security key on the account.
This is ridiculously simple. I'll spell it out:
1) Offer Virtual, U2F, and SMS-based multi-factor authentication. SMS is still useful for convenience on platforms which pose less of a security risk to your digital life.
2) Don't gatekeep methods of multi-factor authentication behind others.
3) Allow multiple devices for each method of multi-factor authentication, especially physical U2F keys.
4) Offer backup codes.
5) Offer an Enhanced Lockdown option, whereby customer support account recovery is irrevocably impossible in the event of lost multi-factor.
So, I've just realized that Chase online banking, while mandating SMS 2FA, also lets you choose "send code via E-mail".
I'll… just leave this here without any further comment.
This is a good reminder to never entrust Google with sensitive financial records and documents. Sure, the cloud service is a convenience, but, if a hacker accesses your account, it doesn't take much to download copies of those documents and use them against you.
I strongly suspect the problem will continue until someone gets a nice, fat judgement against a telco over SIM swap damage. As it stands now they lose very little when it happens, why should they make their systems secure?
It’s probably a good time to remind people complaining that there is no Google support to call:
You are not their customer. You are their product.
This is quite literally true. They only have to care for us cattle enough to keep us as good products.
> I have countless PR folks, friends, family, and others who are in my long Gmail history and am currently unable to access any of that information
I have all this in my gmail also, but my mail downloads to my computer (I use Mail on my Mac). My Mail application data in turn backs up to a few backup drives, so I have this data in several places.
Do people use gmail without having a copy stored anywhere else? I totally get that this guy has been screwed many different ways, including by Google, but it seems unwise to not have a backup copy of your mail anywhere.
Recently I discovered that Facebook has a policy that no one with pending misdemeanors can be hired if they are just a contractor. We recently had to turn away a 23 year old combat veteran who had deployed to Afghanistan because he had a pending Class C misdemeanor. That’s a max fine of $50 for the state this was in. All for a $16.50 an hour job.
The amount of indifference to suffering by people in the corporate world today has gotten...I am not even sure what the word is.
Are you sure you are commenting in the right thread?
The article did mention that their Facebook account was the only one that wasn't compromised.
> Through all of these hacks, it was interesting to find that Facebook was the one reliable and secure service under my control.
Perhaps their comment was attempting to provide some anecdotal data in an effort to explain why the author's Facebook account remained secure.
Though I agree with you in the sense that it's far more likely that they simply commented on the wrong article. :)
The lack of customer support provided my tech companies today is pathetic. Combine this with Google's decreasing effectiveness in looking up solutions to technical problems and we get this :(
I have a really odd, obscure problem with SMB and Windows 10 and would really like to just call up a Microsoft tech support hotline like they used to have, except they don't even offer a paid service for that any more to consumers. Got a problem with Windows? Get fucked!
Don't use an sms/voice phone number as part of your 2-step verification in Google.
In the past, I did use a verizon landline phone number as Verizon had the ability to "lock/freeze" that number from any outside changes, but I got rid of my landline a while ago.
Also, print out some backup codes and stick it in your wallet.
I have no idea what month and year I created my google account, and google doesn't seem to make that info available to you in a simple manner.
> Also, print out some backup codes and stick it in your wallet.
The idea of backup codes is good. Putting them in your wallet reduces your security though. Depending on the value of your accounts, you give a (physical) attacker everything he or she needs to compromise you.
If you are going to keep these things on your person, consider protecting them with a hand-written cipher. Example: https://www.schneier.com/academic/solitaire/
>If anyone has tips on how I might get my Google and Twitter accounts back, I would greatly appreciate the feedback.
I know of one approach that might get results, but he's already done it: publicly shame them in an article. It's the only way to get results from these algorithm-driven companies that lack anything resembling an actual customer service department.
A good mitigation including getting a password manager might be to add a sync passphrase to chrome right?
https://support.google.com/chrome/answer/165139?visit_id=636...
And this is a tech journalist who has friends at Google. The average guy on the street is %%%%'d in this new world.
Google Takeout is your friend. I download all my drive, calendar, email, etc once a month. (Not photos, since I have those already.)
It pays to be skeptical with your data. 3 copies. 2 local one offsite. If your only copy is offsite in the control of someone else... that's a terrible decision.
Anyone know if Google Voice numbers have more protection from the SIM attack? I would assume that those numbers are hard to port out anywhere given their usage, right? Are mobile numbers part of a separate pool of numbers with different rules on porting?
I will never understand how someone can have all his digital life in one single place.. I mean, mail eMail, Passwords to all other sites, scanned documents - all in google? That is asking for trouble. Also, 2FA via Text makes your account unsafer, if any.
> ... enable a requirement that my SIM could not be changed unless someone went into the store with at least one means of physical identification ...
Anyone have experience with this, or heard reports of attacks by means of forged physical ID?
How to Fight Mobile Number Port-out Scams https://krebsonsecurity.com/2018/02/how-to-fight-mobile-numb...
"T-Mobile suggests adding its port validation feature to all accounts. To do this, call 611 from your T-Mobile phone or dial 1-800-937-8997 from any phone. The T-Mobile customer care representative will ask you to create a 6-to-15-digit passcode that will be added to your account."
And then I forget/lose my 15 digit passcode, then what? Either there is a retrieval method that makes the whole thing irrelevant, or else I've replaced one catastrophe with another to no purpose.
Feels like a real pain and the author has genuine honesty that I appreciate. But that's also why I don't ever use chrome to store my passwords! Why on earth would you do that??
Google now allows the removal of SMS and Voicemail based 2FA if you have a hardware token configured. Good news is you can now use your Android phone as a hardware token.
Google Authenticator is a huge question.
While there is apparently a desktop interface, if someone gets access to my phone, they have the live access codes right there. When the SIM is stolen, can the authenticator also be accessed with the new location of that identity?
The process for moving Authenticator involves receiving a six digit Google code on your phone -- which was just effectively stolen with the SIM...
While Google may have built in protections, they are not obvious at this point to me, a casual user of Google Authenticor.
Does anyone have any more information to keep this more secure?
Last time I switched phones I had to set up GA from scratch, re-scanning the seeds on every account. The initial SMS code was just to attach an authenticator to a new device. Someone compromising your phone number shouldn't be able to get access to your codes, they would need the physical device.
Also note that there is no official desktop client, anything that claims to be is 3rd party and wouldn't be connected to your current codes.
You can generate backup codes and print/store them securely[0]. That is independent of your phone.
[0]: https://myaccount.google.com/signinoptions/two-step-verifica...
I don't understand how the attacker got access to his Google account just from his phone number? Was his password "password"?
You can just say you forgot your password and they’ll send you a text message with a code to reset the password if you’ve registered a number with that account.
Oh yeah, that's a terrible security practice.
Something that's very concerning about these stories is that it seems to happen more with TMobile than other carriers.
As a tech-reviewer I'd assume OP to be more tech-savvy than your average shmoe, yet they kept ALL (literally all) Finanical and generally sensitive information in a central location that easily breached (G-drive) and to top it off used 2FA through SMS for many of their services. If anything this article only discredits the author of any common sense in the tech-space.
Someone should start a blog at "googlevictims.com". The domain is available.
Moving your irreproducible data into cloud storage is everything but a backup.
What do companies still use phone numbers for 2FA? This should be an automatic design decision to not use the phone number for anything outside of initial account set up. All the banks use it.
Google NEVER helps - with anything.
Whether it's at home, work or on cloud, if you don't have a DR or backup plan, all it takes is a typo ...
“Maybe I was naive”
Why don’t I take my entire life and give it to tech companies? That seems like a good idea! I’ll just upload all my tax returns and other critical documents to the cloud because the cloud is well thought out and rock solid. I know this because software of all kinds is known to be well thought out and written in a pragmatic and thoughtful manner. There have never been instances of people exploiting flaws in software or the companies that maintain software. The web is not broken and is definitely not a precarious mountain of turds held together with scotch tape. The web is rock solid and I will trust it with my very life. My whole career depends on a twitter account and i have never tried to lessen my reliance on a single twitter account. Having my entire career depend on a twitter account is a safe and prudent thing to do. I have children.
Since becoming aware of my own problems with google (they truly could care less about their users data) and reading stories about previous incidents of swapping SIM cards.
My solution to all of it is literally just 2 emails. Both 2fa. Recovery exists but the numbers and emails are unknown to the world beyond Google or m$ servers. And those don't get used to register anything ever. I park my recoveries then use my main email as my most public one. Everything else is registered and recoverable on the second email that also isn't publicly known unless one of the services I'm attached to gets their data leaked etc etc etc....so even if they did successfully swap my SIM they can't get anything else.
TMobile got hacked a few months back and around the same time my personal debit card that stayed in my wallet the whole time and I don't ever use in public literally for that reason. Got charged. They tried to empty it all. I pressed and pressed the only thing they could do for me was ask for a specific code. Verbal 2fa. I think if I remember correctly none of the data showed up publicly anywhere yet not sure about the specific incident I just thought the timing was weird.
If that's the best security TMobile has and that's all their customer support has to offer us. They have failed as a company in my eyes. And it will only get worse not better as more middle managers get their cut of the security upgrades that they will partially and incorrectly implement.
Of course they won't lift a finger your not a Kardashian
couldn't care less