Slashdot Mirror


Companies Advise Tighter Security After Honan Hack

In the wake of the hacking of Mat Honan's accounts, Google, Facebook, Amazon, and Apple are just a few of the companies making their security policies tougher, and they are advising people to do the same. From the article: "Even as those companies’ teams moved to patch the holes, others moved to offer security tips. Matt Cutts, head of Google’s Webspam team, used his personal Website to urge Gmail users to embrace two-factor authentication. 'Much of the story is about Amazon or Apple’s security practices, but I would still advise everyone to turn on Google’s two-factor authentication to make your Gmail account safer and less likely to get hacked,' he wrote in the August 6 posting."

18 of 99 comments

  1. Feels like post-911 by A+beautiful+mind · Score: 5, Insightful

    In the name of security Google has been pestering for my phone number for years, while their motives are much less about my security and more about their business reasons.

    --
    It takes a man to suffer ignorance and smile
    Be yourself no matter what they say

    1. Re:Feels like post-911 by Anonymous Coward · Score: 3, Funny

      God, this thing annoys the hell out of me.
      I need to write a userscript to auto-skip the page.

      I AM NEVER GIVING YOU MY CELLPHONE NUMBER, I DON'T AND NEVER WILL HAVE ONE, I DESPISE THEM.
      TAKE THE HINT GOOGLE.

      I swear if this leads to more messages about this, I am just switching e-mail services.
      My password is longer than the brain cells of most people who use Gmail, it ain't getting brute forced any time soon.
      And I'm not someone stupid who runs fart.exe for funny fart noises.
      They should just have an option in the settings where you can straight-up state "I am not a stupid person" so they won't treat you like a god damn 5 year old.
      Every year that passes websites seem to get more insultingly simple. When is it going to be over? When will the web die? Will it be soon? Please tell me it will be soon!

    2. Re:Feels like post-911 by patchmaster · Score: 5, Insightful

      Google has had my phone number for years. To my knowledge I've yet to receive a single call that originated from Google or someone to whom Google gave my phone number.

      I'm all for identifying evil as evil, but it would be nice to have some actual evidence before making the accusation.

    3. Re:Feels like post-911 by Daas · Score: 4, Informative

      You're OK with them storing every single one of your emails but not your phone number? I hope tinfoil hats are on sale these days.

      If you're too scared of using the phone number auth, just use the Android or iPhone authenticator app. Setup is quick, it's not too invasive and it just works.

    4. Re:Feels like post-911 by ThunderBird89 · Score: 4, Insightful

      Yet it seems you're very happy to use the internet, whose death you so crave, to voice your opinion and grief about the internet you use to give voice to your opinion.
      Seeing the contradiction?

      [First sentence is deliberately self-referential and obfuscated]

      --
      Hyperbole: I use it liberally!

    5. Re:Feels like post-911 by rtfa-troll · Score: 2

      I'm all for identifying evil as evil, but it would be nice to have some actual evidence before making the accusation.

      The key thing to know is that phone based password recovery on Gmail has been used to hack accounts and that that has been widely publicised. In other words, giving your phone number over is less secure than not giving it over. In this case, Google is either stupid for continuing something they should know doesn't work or is evil for lying about why they want your phone number.

      P.S. They have no intention of using the phone number to call you; phone calls are much more expensive than the various other ways that Google has to contact you. What your phone number could potentially do is link together different accounts with different names and link you to friends who have that phone number in their uploaded phone directories.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();

    6. Re:Feels like post-911 by tlhIngan · Score: 4, Insightful

      I'm all for identifying evil as evil, but it would be nice to have some actual evidence before making the accusation.

      The fact that a single "no" is not enough to get them to stop asking is evidence enough.

      Not to mention Google really tries to hide the "No" button. It just pops up as a box that says you need to enter your phone number. If you look down, the link to skip it is very tiny, enough to miss it. I'm willing to bet most people don't even know there's an option to skip it.

      It also pops up randomly on you, and each time it seems the "No" link gets tinier and moved somewhere else.

      For Do No Evil, they certainly are applying all the usual marketing tricks to hide stuff like free downloads and such. If they really cared, it would be in normal font with text saying it's completely optional and you can bypass it by clicking the nice big link.

    7. Re:Feels like post-911 by Anonymous Coward · Score: 2, Insightful

      Mat, the guy who was "hacked", also had a great password and didn't run attachments. The hackers didn't even need to know his password to gain access to his accounts. He was more a victim of using guessable e-mail addresses to log into Apple, Amazon, Gmail, and Twitter. He also bought stuff on Apple and Amazon. If you've done those things, then you too can be a victim. It was more a hack of the "forgot password" pages, some social engineering of the support staff, and intimate knowledge of the identification procedures of said companies.

    8. Re:Feels like post-911 by metrometro · Score: 2

      +1 to evidence based paranoia. Google IS my phone number, and whatever their faults, they don't call me and don't appear to share that number.

    9. Re:Feels like post-911 by c++0xFF · Score: 4, Insightful

      It's in Google's and your own best interest to make your accounts as secure as possible. They get a black eye in the media every time there's a high-profile hacking of a Google account ... which in turn hits at their reputation for providing solid, secure services.

      Given that most users don't know what's best for them, I think it's completely reasonable for them to pester a little bit about a way to improve security.

      Now, that said ... there should be a way to turn the reminder off completely. Some people (me) simply can't use it.

  2. Re:two-factor security by kaiser423 · Score: 5, Informative

    Uh, they do have a one-time pad of pre-authenticated numbers, and an app that doesn't require an internet connection. I've authenticated from a 9200bps modem from the middle of the Pacific using my list of one-time security access codes.

    In other words, it's glorious. Google does security right, and everyone else needs to take notice. Including corporate IT departments. I've used it for years, and every now and then when I need a new account, I go and get an outlook.com account or similar, because all the regular names are taken in gmail, but I always feel so naked using them. No security at all.

  3. Re:two-factor security by kaiser423 · Score: 2

    But the app doesn't require cell phone service to be usable. You just need the smartphone or tablet. (in reference to your last sentence).

    I do have a printout of one-time codes, but I find that I never use them anymore because I always just use the phone app, because it works as long as the phone has juice. Which you should have some available if you're using a computer to check your gmail...

  4. And 2 factor will do what? by the_B0fh · Score: 2

    Assuming no one can hack SSL, and I do not login from unknown computers, what will 2 factor do for me? Any computer I use to check gmail is fully under my control.

    1) no man-in-the-middle sniffing
    2) no key logger sniffing
    3) assuming no one steals the password file from Google
    4) my gmail password is not used elsewhere.

    1. Re:And 2 factor will do what? by kaiser423 · Score: 3, Insightful

      Any computer I use to check gmail is fully under my control.

      Lucky you. That's not the case for most of us.

    2. Re:And 2 factor will do what? by KhabaLox · Score: 2

      Assuming no one can hack SSL, and I do not login from unknown computers, what will 2 factor do for me?

      You are perhaps not the best target for 2-factor as your secondary (or tertiary) security measures given the fact that you already use 3 different security practices when accessing email: SSL, own computer, un-shared password. You probably also have a robust password. A lot of, if not most, people use only one, weak level: a six to eight character password shared across multiple sites. Two-factor will help them. (Of course, they should also use a unique, harder to crack password, but turning on 2-factor auth is probably easier).

      Also, if you only access from trusted computers, 2-factor auth only needs to be set up once. Unless you are really paranoid about giving out a phone number, what's the bother?

      --
      Ceci n'est pas un sig.

  5. Re:two-factor security by robmv · Score: 3, Informative

    Adding more info about the application: the client is OSS, so anyone can port it to Windows/Linux/Mac/browser extension/you name it. There is nothing in Google's solution that requires a smartphone or a data connection.

  6. No 2 factor please by Chemisor · Score: 2

    2 factor authentication is unacceptable for anything that's frequently used. If you log in to your online banking account once a month, it's ok to jump through a few extra hoops for security. But for something you do every day, or several times a day like email, any extra barriers are unacceptable. I don't even want to enter my password more than once a day, why would I go through the incredible hassle of 2 factor authentication?

  7. Re:two-factor security by robmv · Score: 2

    As others have said, there is no need for a data connection. The common user-experience problem with the Google application (which implements the OATH standard) is that it requires a little time synchronization: if your phone's date and time are too far from the real ones, the generated code will not work. The Google application requests the Internet connection permission in order to query the time from Google's servers and store the offset from your phone's time, in case your phone's time is wrong. It connects sometimes to update that offset when connectivity is available. If you have the correct date and time (and timezone), data connectivity is never needed.