'Adding a Phone Number To Your Google Account Can Make it Less Secure' (vijayp.ca)

You may think that adding a backup phone number to your account will make it prone to hack, but that is not always the case. Vijay Pandurangan, EIR at Benchmark (and formerly Eng Site Lead at Twitter), argues that your phone number is likely the weakest link for many attackers (at least when they are trying to hack your Google account). He has shared the story of a friend who had his Google account compromised. The friend in this case, let's call him Bob, had a very strong password, a completely independent recovery email, hard-to-guess security questions, and he never logged in from unknown devices. Though Bob didn't have multi-factor authentication enabled, he did add a backup phone number. On October 1, when Bob attempted to check his email, he discovered that he was logged out of his Gmail account. When he tried to log in, he was told that his password had been changed less than an hour earlier. He tried calling Verizon, and discovered that his phone service was no longer active, and that the attacker had switched his service to an iPhone 4. "Verizon later conceded that they had transferred his account despite having neither requested nor being given the 4-digit PIN they had on record." The attacker reset Bob's password, changed the recovery email, password and name on the account, and enabled two-factor authentication. He got his account back, thanks to support staff and colleagues at Google, but the story illustrates how telcos are the weakest link. From the article: Using a few old Google accounts, I experimented with Google's account recovery options and discovered that if a Google account does not have a backup phone number associated with it, Google requires you to have access to the recovery email account OR know the security questions in order to take over an account. However, if a backup phone number is on the account, Google allows you to type in a code from an SMS to the device in lieu of any other information.
There you have it: adding a phone number reduces the security of your account to the lowest of: your recovery email account, your security questions, your phone service, and (presumably) Google's last-ditch customer service in case all other options fail. There are myriad examples of telcos improperly turning over their users' accounts: everything from phone hacking incidents in the UK to more recent examples. Simply put, telcos can be quite bad at securing your privacy and they should not be trusted. Interestingly, it appears that if two-factor-auth via SMS is enabled, Google will not allow your password to be reset unless you can also answer a security question in addition to having access to a phone number.
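The "lowest of" claim in the summary is a minimal-cut-set question: which sets of channels are, on their own, sufficient to get a password reset through. The following is an added example (not code from the article or from Google); the three policy functions are a model of the recovery rules the summary describes, not Google's actual logic, and the per-channel attacker costs are constructed for illustration only.

```python
"""Minimal cut-set analysis of account-recovery policies (added example).

A policy is a predicate over the set of channels an attacker controls.
minimal_cut_sets() enumerates the smallest channel sets that satisfy it,
which is exactly the "weakest link" the summary talks about: adding a
backup phone number adds a new one-element cut set, while SMS-based 2FA
(as the summary describes it) turns the phone into an AND condition.
"""
from itertools import combinations

CHANNELS = ("recovery_email", "security_questions", "phone_number")


def no_phone_policy(ctrl):
    # Model of the summary: no backup phone -> recovery email OR security questions.
    return "recovery_email" in ctrl or "security_questions" in ctrl


def backup_phone_policy(ctrl):
    # Model of the summary: backup phone on file -> an SMS code works on its own.
    return no_phone_policy(ctrl) or "phone_number" in ctrl


def sms_2fa_policy(ctrl):
    # Model of the summary's last sentence: SMS 2FA enabled -> phone AND a security question.
    return "phone_number" in ctrl and "security_questions" in ctrl


def minimal_cut_sets(policy, channels=CHANNELS):
    """Return every minimal set of channels whose control satisfies the policy.

    Sets are enumerated smallest-first, so a candidate can be dropped as soon
    as it is a strict superset of a cut set already found.
    """
    cuts = []
    for size in range(1, len(channels) + 1):
        for combo in combinations(channels, size):
            candidate = frozenset(combo)
            if policy(candidate) and not any(cut < candidate for cut in cuts):
                cuts.append(candidate)
    return cuts


# Constructed, illustrative attacker costs (arbitrary units); not measured data.
EXAMPLE_COST = {"recovery_email": 80, "security_questions": 40, "phone_number": 10}


def weakest_link(policy, cost=EXAMPLE_COST):
    """Cheapest cut set under a cost model: (total cost, sorted channel names)."""
    return min((sum(cost[c] for c in cut), sorted(cut))
               for cut in minimal_cut_sets(policy))


if __name__ == "__main__":
    for name, policy in (("no backup phone", no_phone_policy),
                         ("backup phone on file", backup_phone_policy),
                         ("SMS 2FA enabled", sms_2fa_policy)):
        cuts = [sorted(c) for c in minimal_cut_sets(policy)]
        print(f"{name:22} cut sets={cuts} weakest={weakest_link(policy)}")
```

The useful output is the change in the cut-set list: the backup-phone policy gains a singleton `{phone_number}` cut set, so the account is only as strong as the cheapest channel, whereas the SMS-2FA policy has a single two-element cut set, which is why the summary notes that a telco mistake alone no longer suffices there.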

106 comments

  1. Reason by Jiro · · Score: 4, Insightful

    Google doesn't actually want your phone number for security. Google wants your phone number so that they can link the account in their database to other information that contains your phone number.

    1. Re:Reason by Joce640k · · Score: 0

      Correct.

      --
      No sig today...
    2. Re:Reason by swillden · · Score: 1

      Google doesn't actually want your phone number for security. Google wants your phone number so that they can link the account in their database to other information that contains your phone number.

      The number is to make account recovery possible in the event you've forgotten your password. The assumption is that attackers won't have access to your phone. That assumption is violated if your telco will transfer your number to the attacker's phone, of course.

      If you prefer not to give your phone number to Google, don't. Just turn on two-factor auth using a non phone number-based auth method, either the Authenticator app or (better yet) a security key, or both. Then download and print out some backup 2FA codes and keep them somewhere safe. Google won't have your phone number and you won't be vulnerable to mistakes by dumb telco customer service reps.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    3. Re:Reason by dcavanaugh · · Score: 2

      Google doesn't actually want your phone number for security. Google wants your phone number so that they can link the account in their database to other information that contains your phone number.

      Correct. It's not Google that wants your phone number linked to your email account -- it's the NSA. Email accounts may be disposable and free, but every phone is costing somebody money. Unless you buy a burner phone and service cards for cash, there is a financial trail behind every phone that leads back to a person. Once the NSA knows the person's phone number, geolocating the phone (and therefore the email account owner) is child's play for the inventors of PRISM.

      Even if you buy a burner phone and service for cash, and even if you turn off the phone after setting up your Gmail account, tracking down the account holder is as simple as forcing Google to "screw up" someone's password, forcing them to use the telephone-based password recovery protocol.

      Once you understand the loss of privacy that comes from linking telephones to user accounts, it's much easier to understand how the real goal has nothing to do with making your account "secure". The real target is your privacy.

    4. Re:Reason by PPH · · Score: 2

      Everyone wants your phone number so that they can link the account in their database to other information that contains your phone number.

      FTFY.

      I wrote a check the other day (with no phone # pre-printed) and the clerk asked for one to write down. I decided to run a test and said, "No phone." He asked, "What?!" I replied, "I don't have a phone." He looked like he was going to shit himself, but accepted the check anyway.

      Phone numbers accepted in this manner have little to do with security or identity verification. By the time the number is exposed as a fake, the thief is out the door with the goods. And if it was actually me that bounced a check, my bank handles it. And not by phone.

      Also, the telcos have been raped so many times by the feds and law enforcement that when they ask for subscriber data, they just hand it over, close their eyes and play dead. As a result, accessing any account data the telcos have on you is trivially easy for anyone from private detectives to foreign intelligence services.

      --
      Have gnu, will travel.
    5. Re:Reason by GNious · · Score: 2

      If you prefer not to give your phone number to Google, don't. Just turn on two-factor auth using a non phone number-based auth method, either the Authenticator app or (better yet) a security key, or both. Then download and print out some backup 2FA codes and keep them somewhere safe. Google won't have your phone number and you won't be vulnerable to mistakes by dumb telco customer service reps.

      Not google, but on Twitter I've had to use 2FA codes 2-3 times daily - any hiccup, and I have to log in again, and every time(!) it'll request a code.
      Sure, could print a dozen or 2, but I'll burn through them quickly.

    6. Re:Reason by bingoUV · · Score: 2

      Google definitely uses the phone number for learning connections between people.

      --
      Bingo Dictionary - Pragmatist, n. A myopic idealist.
    7. Re:Reason by thegarbz · · Score: 1

      Google wants your phone number so that they can link the account in their database to other information that contains your phone number.

      Don't be daft, Google already has that information.

    8. Re:Reason by tlhIngan · · Score: 2

      The number is to make account recovery possible in the event you've forgotten your password. The assumption is that attackers won't have access to your phone. That assumption is violated if your telco will transfer your number to the attacker's phone, of course.

      And the good folks at NIST have already commented that phone numbers are a bad authentication method and should never be used for the second factor.

      Because of exactly this - a phone number is not necessarily under control of the phone you think it is. There are many reasons why a phone number might not lead to the phone you expect, so you should never just trust a phone number.

    9. Re:Reason by Anonymous Coward · · Score: 0

      The other day when I rebooted my PC after more than a month of uptime, Google wanted me to confirm my phone number by sending me a text. Seems like a legit 2FA, right?

      Now for the hilarious part: the number in question is my google voice number (and logging into gmail also logs on to google voice), my actual prepaid cell phone account is configured so it cannot receive texts (because it costs $0.05 to receive, and there's no way to blacklist texts from spammers), my google voice is set up to send texts to my gmail account, and I always have 2-3 devices logged into my gmail account. So if I had clicked ok, I could have just checked gmail on another device to get the confirmation code.

      Result: I just laughed and dismissed the popover.

    10. Re:Reason by Anonymous Coward · · Score: 0

      Almost. Google would have a list of possible numbers and a probability associated with each. By giving google your phone number you just went from number x with 70% probability to number x with 100% probability.

    11. Re:Reason by Anonymous Coward · · Score: 0

      That's why you use the authenticator app to generate codes, the printed ones are just a backup. Besides, Google doesn't make you repeatedly log in on the same device.

      Twitter being shit is no reason not to use 2FA with Google.

    12. Re:Reason by Anonymuous+Coward · · Score: 2

      If you prefer not to give your phone number to Google, don't.

      You can no longer do that.

      I just tried setting up a gmail address -- it won't work unless I give them a phone number.

      And for an old address that you set up before this policy, they have the nice habit of blocking pop3s/smtps access from time to time, forcing you to log in via web through a page where they pester you again about adding a phone number.

      Because of that wanton blocking I can no longer trust to use my gmail address for any serious stuff, and unlike with my phone number, there's no EU directive to force them to port it to another provider ;-)

    13. Re: Reason by Mattcelt · · Score: 1

      Yes, but without linking that phone number to an account, they don't know who is controlling the email address.

      The NSA are not trying to find out who owns the phone, they're trying to learn who owns the email.

      Think things through before calling someone an idiot, amadán.

    14. Re:Reason by Darinbob · · Score: 1

      When google has asked me for 2-factor, they always want the phone and nothing else. They don't even say "2 factor" until you dig down and ask why. Early on I had no texting ability at all, explicitly disabled on my phone account, so providing a number would have been useless unless they were going to phone me directly. Even with texting now I don't want this as this phone will not be with me for the lifetime of the account.

      The biggest security headache involved in this is losing the phone, in which case having phone as part of the authentication becomes pointless.

  2. So, he (er, Bob) fucked up by not having by Anonymous Coward · · Score: 0

    2FA!

    FuckTheWorld (FTW)!

  3. It's not the phone number making it insecure by H3lldr0p · · Score: 5, Insightful

    it's the humans at the other end of the line.

    The lesson is the same one we've been screaming about for the past few decades. People are the weakest link. They're paid just to get on with the job, not to take the time to analyze or think that deeply. The article even mentions how the security the phone company has as part of their procedure was ignored. Why? Because for the support people it's about getting to the next caller.

    Change that and you've changed security. That'll cost money, but I have a feeling it's more than affordable.

    1. Re:It's not the phone number making it insecure by unixisc · · Score: 1

      I download the Authenticator App and just use that.

    2. Re:It's not the phone number making it insecure by Jiro · · Score: 3, Insightful

      It's the "one database key connecting everything" idea that makes it insecure, so that if there's a breach in anything, it becomes a breach in everything you're involved in. If phone numbers and email addresses were kept separate, then the effect of the bad security at the phone company would be limited in scope to the phone account only.

      The lesson is that Big Data and specifically Google are evil for creating conditions where security breaches cause more damage than they otherwise would.

    3. Re:It's not the phone number making it insecure by Anonymous Coward · · Score: 0

      That's a great idea. Let's get rid of people. Oh, wait, hold on.

      Ah, it seems my [insert Google service] has a problem. Let's contact tech support:

      I am the tech support. Please, describe your problems. Each time you are finished talking, type RET twice.

      Uh oh.

    4. Re:It's not the phone number making it insecure by Anonymous Coward · · Score: 0

      Great idea. Let's get rid of people. It's so obvious. I can't belie...

      Oh, hang on. I'm having trouble with my Google. Time to contact tech support:

      I am the tech support. Please, describe your problems. Each time you are finished talking, type RET twice.

      Oh crap.

      Is it because of your plans that you say oh crap?

    5. Re:It's not the phone number making it insecure by Anonymous Coward · · Score: 0

      I decided that Google's "Don't be evil" was insincere considerably more than a decade ago. And "Do the right thing" is only that the right thing is to track people better. While I may have a gmail account, I surely don't use it. And I've recently been locked out of the Verizon account, so that's a good thing. I do need to develop another, non-tracking personal email account as a back up though...

    6. Re:It's not the phone number making it insecure by houghi · · Score: 1

      In Belgium if a number is not used for a year, it will be put back in the pool, so you get the number that was used by somebody else previously.

      --
      Don't fight for your country, if your country does not fight for you.
  4. Just say no. by DidgetMaster · · Score: 5, Insightful

    The last thing I want (well, one of the last things I want), is for Google or anyone else to have one bit of information about me than they absolutely must have. This is why I give fake names, addresses, and phone numbers to 95% of the online 'accounts' that I have. Unfortunately, it is getting harder and harder to 'opt out' of sharing information. The defaults of almost every application is to grab everything and beam it home to the mother ship. Even when you tell it NO, many will keep bugging you until you say yes. Every 'upgrade' will reset the defaults and if you are not paying attention, you are screwed.

    1. Re:Just say no. by Anonymous Coward · · Score: 0

      Yep. My iPad started acting weird after an iOS upgrade. Turns out the upgrade decided I wanted to use iCloud backup for EVERYTHING - calendars, events, mail, browser history. It only started acting weird when I didn't have an account set up and was complaining my credentials were incorrect.

    2. Re:Just say no. by CrashNBrn · · Score: 2

      When the real-name policy was in effect, you needed to put a name on the account in order to use Hangouts. It took a bit of finagling, but it finally accepted: Crash N. Burn.

      Although apps wanting ALL information is egregious. Hell, even OperaMax (data utilization|optimization tool) wants "location, and contacts" in its most recent update. I'm skipping that update until I root my phone and start feeding bogus crap to such apps.

    3. Re:Just say no. by jenningsthecat · · Score: 2

      The last thing I want (well, one of the last things I want), is for Google or anyone else to have one bit of information about me than they absolutely must have. This is why I give fake names, addresses, and phone numbers to 95% of the online 'accounts' that I have. Unfortunately, it is getting harder and harder to 'opt out' of sharing information. The defaults of almost every application is to grab everything and beam it home to the mother ship. Even when you tell it NO, many will keep bugging you until you say yes. Every 'upgrade' will reset the defaults and if you are not paying attention, you are screwed.

      I second this. I NEVER give my phone number or real name to any service I'm not paying for, and I'm very careful about info I give to services I DO pay for. Google may have my cell number because I have an Android phone, but it's not associated with my account in any public-facing place AFAICT. And Google doesn't officially have my real name. I'm sure they know it just because they're Google - but my Gmail account is under a pseudonym, and I don't use it except to the extent necessary to use Google Play. So again, the association probably isn't available to casual hackers - they'd have to get deeper into Google to make the association, and that's beyond my control, short of becoming a techno-hermit.

      I also don't update apps immediately - I wait to see what others have to say in the reviews. Sometimes I don't update at all: as far as I'm concerned, in the Android ecosystem it's often a saw-off between patching old vulns and introducing new ones. I don't have location enabled, and WiFi, Bluetooth, and Data are turned off unless I'm using them. And I run a firewall. I have no illusions that these things make me either secure or anonymous, but I do try to make it a little harder for the carrion to pick clean the bones of the mostly-dead carcass of my privacy.

      --
      'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
    4. Re:Just say no. by Anonymous Coward · · Score: 0

      But don't you email people with those emails? Don't those emails usually contain something about you? Or, when they reply? Don't you have a job or go to school where you exchange numbers, names, meetings, or any kind of info?

    5. Re:Just say no. by Anonymous Coward · · Score: 0

      Valiant attempt at remaining hidden from Google.

      However they have so many services you've likely used a service with your real phone number, or real name, from a common wifi ap / common cookies, allowing them to link your pseudonymous self with your actual self.

  5. So.... a verizon fuck up? by mark-t · · Score: 2

    Changing information on an account without verifying that the person doing the changing is actually authorized to do so is... well... negligent to the point of incompetence, and he may be able to successfully sue Verizon for the costs associated with getting his email back.

    1. Re:So.... a verizon fuck up? by XXongo · · Score: 1

      Really, I'd much rather not have the problem in the first place than have the consolation that if I want to, I could spend a portion of my life pursuing a lawsuit that might, if I spend the time on it, give me a few hundred or maybe even a thousand dollars back.

      The point is that Google offloaded their security to Verizon, who turned out to be a bit lax on security. Security is only as strong as its weakest point.

  6. Account Recovery by bigfinger76 · · Score: 4, Informative

    Google no longer supports security questions for account recovery.

    1. Re:Account Recovery by swillden · · Score: 2

      Google no longer supports non-security questions for account recovery.

      FTFY. Security questions are a joke. The answers are almost always easy for an attacker with a little bit of information about you to find, and a lot of the time the legitimate user can't remember them. Moreover, those two traits are strongly correlated: the harder it is for an attacker to find the answers, the more likely it is that the user won't be able to find them either.

      Everyone should stop using them.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    2. Re:Account Recovery by bigfinger76 · · Score: 1

      Probably has something to do with why they're no longer supported.

    3. Re:Account Recovery by Anonymous Coward · · Score: 1

      FTFY. Security questions are a joke. The answers are almost always easy for an attacker with a little bit of information about you to find, and a lot of the time the legitimate user can't remember them. Moreover, those two traits are strongly correlated: the harder it is for an attacker to find the answers, the more likely it is that the user won't be able to find them either.

      Everyone should stop using them.

      Use random characters for 'security question' answers, just like passwords. Store the answers in your password manager, just like your passwords.

      I agree with you, giving easily discoverable answers to common questions is not "security", so do not do it.

    4. Re:Account Recovery by jrumney · · Score: 1

      The answers are almost always easy for an attacker with a little bit of information about you to find,

      Which is why I always give false info to answer the questions. The problem is you don't need to answer security questions very often, so when recently, for certain types of transaction my bank suddenly started requiring an answer to a randomly picked security question from the 5 I had to give them 8 years ago when I set up internet banking on that account, I had to start visiting a physical branch to do my regular banking again.

    5. Re:Account Recovery by Anonymous Coward · · Score: 0

      If I've lost my password and thus need my security question answers, what makes you think I have my password manager database?

    6. Re:Account Recovery by penguinoid · · Score: 1

      If I've lost my password and thus need my security question answers, what makes you think I have my password manager database?

      I thought this when I made an account related to my student loans. I assumed the security questions were nothing more than a vulnerability and put gibberish as the answers (but neglected to write them down). Everything worked fine until I logged in from a different device, at which time they required the security questions. Had to call them to explain that I knew my password just fine, but had forgotten my security questions.

      --
      Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    7. Re:Account Recovery by chihowa · · Score: 1

      I always do the same (but I keep a record of the gibberish) and recently got stung by a bank website that didn't strip non-alphanumeric characters from the initial entry box, but does strip them from the validation box. :(

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
    8. Re:Account Recovery by Anonymous Coward · · Score: 0

      Google demands a phone number when setting-up new accounts. They could allow people to choose TOTP instead, but the cell is necessary. And many of us presume this is because Google wishes to link the account to a real-world identifier.

      Now, that's their prerogative, as it's their platform. But it certainly does chip away at their image as a benevolent supplier of free services.

  7. NIST and Two-factor by Anonymous Coward · · Score: 1

    https://threatpost.com/nist-recommends-sms-two-factor-authentication-deprecation/119507/

    1. Re:NIST and Two-factor by Anonymous Coward · · Score: 0

      Yes, this has come up on slashdot before https://tech.slashdot.org/story/16/07/25/233215/nist-prepares-to-ban-sms-based-two-factor-authentication

      The NIST DAG draft argues that SMS-based two-factor authentication is an insecure process because the phone may not always be in possession of the phone number,

  8. "prone to hack" by Anonymous Coward · · Score: 0

    >You may think that adding a backup phone number to your account will make it prone to hack, but that is not always the case.

    The summary goes on to state that adding the phone number *does* make it prone to hack. I'm so confused, does anyone even English anymore?

    1. Re:"prone to hack" by Anonymous Coward · · Score: 0

      >You may think that adding a backup phone number to your account will make it prone to hack, but that is not always the case.

      The summary goes on to state that adding the phone number *does* make it prone to hack. I'm so confused, does anyone even English anymore?

      Headline - X!
      First sentence - Not X!
      Second sentence - X!
      We is Englishing fine.

  9. So much for that meme! by macs4all · · Score: 2

    So much for the popular meme with some Slashdotters that iPhone users are idiots that only use Apple products because they don't know anything about "tech".

    Sounds like that particular iPhone user knew exactly how to take over someone's online identity. That implies at least some level of expertise in matters other than the "Ooh, shiny!" that some Slashdotters think is the norm with those who use Apple.

    Of course I am sort of joking; but the underlying facts are still there...

    1. Re:So much for that meme! by green1 · · Score: 1

      They didn't necessarily have any technical expertise. They had social engineering expertise which is something entirely different. In fact the 2 are often not really related. The stereotypical technical person (geek/nerd) is not known for their social engineering abilities.

    2. Re:So much for that meme! by macs4all · · Score: 1

      They didn't necessarily have any technical expertise. They had social engineering expertise which is something entirely different. In fact the 2 are often not really related. The stereotypical technical person (geek/nerd) is not known for their social engineering abilities.

      You realize, of course, that you have just replaced one Stereotype with another, right?

    3. Re:So much for that meme! by green1 · · Score: 1

      My point was that we do not know the level of technical expertise of the attacker, because their exploit was not of a technical nature. While pointing out that there is no reason to believe that there is any correlation between the 2 different skills.

      To emphasize the point I used a humorous stereotype in response to their stereotype, however it was not the point of the discussion, and I in fact specifically called it out as a stereotype as opposed to claiming that it was real.

    4. Re:So much for that meme! by macs4all · · Score: 1

      My point was that we do not know the level of technical expertise of the attacker, because their exploit was not of a technical nature.

      The attack itself may not have been technical in nature, but I still submit that the attacker had to know something about "tech" to so quickly and efficiently go right to the right places to effect a rapid takeover, staying ahead of the legit user.

  10. Google is evidence that the internet failed by HBI · · Score: 3, Interesting

    The whole goddamned point was an online network not controlled by a big telco or the government. And here we are - controlled by monopolistic entities and/or governments. I'm so relieved it isn't a big national telecom monopoly (not).

    Through the combined efforts of criminal activity, rogue states and a failure to just fragment the network, large monopolistic entities now control communications in a way they hadn't since the advent of public internet access. You can't run your own servers, at least if you don't want to play whack-a-mole with constant threats, paramount being the DDoS that you have no power to resist yourself. The common protocols have been one by one exposed to be insecure. The price of sufficient infrastructure to provide an emulation of those protocols has risen to the point that individuals can't afford it. If you still are, you just haven't been attacked vigorously enough yet, or you're already compromised and don't know it.

    The problem is the money. None of this would be happening if it weren't possible to steal money or commit fraud over the network.

    Disconnecting entirely sounds better and better every day. It's just going to get worse.

    --
    HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
    1. Re:Google is evidence that the internet failed by PvtVoid · · Score: 2

      The whole goddamned point was an online network not controlled by a big telco or the government.

      You don't know much about the history of the internet, do you? The internet was invented by the Defense Advanced Research Project Agency with the goal of networking military computers in a failsafe fashion. The stated goals were:

      1. Internet communication must continue despite loss of networks or gateways.
      2. The Internet must support multiple types of communications service.
      3. The Internet architecture must accommodate a variety of networks.
      4. The Internet architecture must permit distributed management of its resources.
      5. The Internet architecture must be cost effective.
      6. The Internet architecture must permit host attachment with a low level of effort.
      7. The resources used in the internet architecture must be accountable.

      None of these have any thing to do with "not being controlled by government". Sorry.

    2. Re:Google is evidence that the internet failed by HBI · · Score: 1

      You aren't tracking why it caught on. I obviously have more familiarity with the situation in the mid-1990s than you do. There were ample commercial alternatives to the internet which died on the vine precisely on the issue of corporate control and cost. If the government had attempted to closely control the network post-1994, none of this would have happened.

      --
      HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
    3. Re:Google is evidence that the internet failed by PvtVoid · · Score: 4, Funny

      I obviously have more familiarity with the situation in the mid-1990s than you do.

      Not my fault I've been in cryo-freeze since 1989. How did the Quayle Administration work out?

    4. Re:Google is evidence that the internet failed by thegarbz · · Score: 1

      And here we are - controlled by monopolistic entities and/or governments

      Is it? The only evidence I see here is that some guy lost access to his emails. This is about my grandma's level of thinking when we talk about "the internet".

      You can't run your own servers, at least if you don't want to play whack-a-mole with constant threats, paramount being the DDoS that you have no power to resist yourself.

      It just sounds like YOU can't run your own server. I personally have been running one without problem for 15 years now. Can't say I've ever been hacked or DDoS'd. But how is that Google's fault again?

      Disconnecting entirely sounds better and better every day.

      Or just don't use gmail for internet. I know it's hard since gmail IS the internet but there are actually alternatives.

    5. Re:Google is evidence that the internet failed by rxmd · · Score: 1

      Don't forget to vot!

      --
      As a state gets corrupt, its laws multiply; the most corrupt states have the most numerous laws. (Tacitus, Annales 3:27)
    6. Re:Google is evidence that the internet failed by HBI · · Score: 1

      His administration was small potatoe.

      --
      HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
    7. Re:Google is evidence that the internet failed by Anonymous Coward · · Score: 0

      Although he wrote >"not being controlled by government".

      He could have written "not being INFLUENCED OR REGULATED by VERY INFLUENTIAL AND AUTHORITATIVE COMMERCIAL & GOVERNMENT AGENCIES".

      In which case you would have written he was accurate. The internet has moved beyond a cold-war communications network designed to continue in the face of nuclear decapitation, and moved to an ever present digital insight to every connected person's life, credit, legal, and commercial characteristics. Which is exactly why it's such a savory morsel for groups to control. Governmental, commercial, criminal, curious hobby, or otherwise.

      (and yes the 80's & 90's were great) sys64738?

  11. What? Is this Slashdot editing at its finest? by wonkey_monkey · · Score: 0

    'Adding a Phone Number To Your Google Account Can Make it Less Secure'

    You may think that adding a backup phone number to your account will make it prone to hack, but that is not always the case.

    Well done, you've contradicted the headline in the first sentence. I assume someone accidentally a word.

    --
    systemd is Roko's Basilisk.
  12. Quite the insider job - just a setup? by Overzeetop · · Score: 1

    So the person who hacked the email also knew this guy's (nominally unpublished) cell phone number and went to the effort of calling Verizon in person to move his number to an entirely different SIM with apparently zero authorization? I mean - it could happen - but that's a shit-ton of human time to go after a single mark, with a pretty low likelihood of working. It just smells like a set up.

    --
    Is it just my observation, or are there way too many stupid people in the world?
    1. Re:Quite the insider job - just a setup? by pr0fessor · · Score: 1

      Not really... there are plenty of people that might know your unpublished cell number, like an ex-wife/husband/girlfriend/boyfriend, co-worker, or employee, any of which might hold a large enough grudge to take the time to do something crazy.

      We had a disgruntled ex-employee call and make appointments for breast enlargement consultations at every place in the area for one of our managers. They also had a bunch of free brochures and newsletters sent to her home address and email.

    2. Re:Quite the insider job - just a setup? by aicrules · · Score: 1

      Perhaps he registered for another site with his email address and mobile number. Said site either used that info for no good, sold it to people who used it for no good, or was hacked by people who stole it and used it for no good. Taking his phone number probably put them in a position to be able to get to something more important like his bank account. Or the bank account of his elderly mother who is very concerned that her son texted her or called her saying he needed her to wire him $600.

  13. Hmmmmmm by Anonymous Coward · · Score: 0

    That was a lot of inside info...

  14. Account recovery is ALWAYS the weakest link by green1 · · Score: 4, Interesting

    It doesn't really matter what that is, but if there's a way to "recover" your account, then it is, by necessity, a way to completely bypass any other authentication you had. The more ways to recover the account, the more attack vectors there are.

    It's why I hate "recovery questions", they're usually bad questions that anyone could find out, and if I use some other answer, then I'm likely to forget what it is anyway.

    If I need a password to access the site, at least it's only one thing to remember, and only one point of weakness for an attacker.

    So the big question is, which is more important? the ability to recover an account you've been locked out of? or the security of knowing nobody else can either?

    Of course companies can really screw this up too. For instance Tumblr recently reset everyone's passwords and forced them all to use their recovery option because their password database had been compromised. Anyone who did not have a working recovery option was completely screwed, even though their account was otherwise more secure.
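
    The point made in this post (every recovery option is an OR branch that bypasses the rest) and the head of the article (an SMS code alone recovers a Google account once a backup phone is on file) can be put into a small cheapest-path model. This is an added illustration, not code from the original post or from Google; the effort numbers are assumptions chosen to mirror the story (strong password, independent recovery email, hard security questions, a carrier that hands the number over without the PIN), not measurements.

```python
"""Cheapest-path model of account recovery options.

Added illustration, not code from the original post or from Google. The
EFFORT values are assumptions, not measurements.
"""

# Assumed attacker effort, in arbitrary units, to defeat each control on its own.
EFFORT = {
    "password": 90,            # long random secret; no reuse, no guessing
    "recovery_email": 80,      # separate, independently protected mailbox
    "security_questions": 70,  # non-public, hard-to-research answers
    "sms_code": 10,            # SIM swap / port-out via carrier support
}


def path_cost(path, effort=EFFORT):
    """A path is an AND of controls: the attacker must defeat every one of them."""
    return sum(effort[control] for control in path)


def weakest_path(paths, effort=EFFORT):
    """Takeover is an OR over paths, so the account is only as strong as the
    cheapest path. Returns (cost, controls) for that path."""
    scored = ((path_cost(p, effort), frozenset(p)) for p in paths)
    return min(scored, key=lambda s: s[0])


def recovery_paths(backup_phone):
    """Paths into a Google account as the article describes them: the normal
    login, recovery via the recovery email, recovery via security questions,
    and, only when a backup phone is on file, recovery via an SMS code alone."""
    paths = [{"password"}, {"recovery_email"}, {"security_questions"}]
    if backup_phone:
        paths.append({"sms_code"})
    return paths


def effect_of_adding(paths, new_path, effort=EFFORT):
    """Cost change from adding one more recovery path. Never positive: an extra
    OR branch can only keep or lower the attacker's cheapest option."""
    before, _ = weakest_path(paths, effort)
    after, _ = weakest_path(paths + [new_path], effort)
    return after - before


if __name__ == "__main__":
    for phone in (False, True):
        cost, controls = weakest_path(recovery_paths(phone))
        print(f"backup phone={phone!s:5}  weakest path={sorted(controls)}  cost={cost}")
    print("delta from adding SMS recovery:",
          effect_of_adding(recovery_paths(False), {"sms_code"}))
```

    Swap in your own effort estimates; the shape of the result does not change. A new path that is an AND of several controls (say SMS code plus password) leaves the minimum untouched, while a path that needs only the SMS code drags the whole account down to whatever a carrier support call costs.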

    1. Re:Account recovery is ALWAYS the weakest link by CrashNBrn · · Score: 2

      A password manager. No forgotten passwords. No account recovery required.

    2. Re:Account recovery is ALWAYS the weakest link by Anonymous Coward · · Score: 1

      A password manager. No forgotten passwords. No account recovery required.

      A sheet of paper, stored in a hidden vault, with the passwords written down with a pen. Extremely inconvenient, but fairly safe.

    3. Re:Account recovery is ALWAYS the weakest link by green1 · · Score: 0

      So now people can hack your password manager and get access to ALL your sites instead of just one.

      A password manager is another "account recovery" option, it weakens your security. By how much depends on the type of password manager used.

      And how does the password manager solve the Tumblr incident I just mentioned? Or what if the password manager stops working for some reason (corrupt or lost database, cloud provider goes bankrupt, etc.)?

    4. Re:Account recovery is ALWAYS the weakest link by green1 · · Score: 0

      Slightly less secure than a password alone.

      An attacker can still get in with the password, but they can also now get in by gaining access to the vault. Now you could argue that the vault is more secure than the passwords, so the risk is minimal, but it still decreases rather than increases security over all. Additionally, what if the vault is destroyed? If you're talking one in your home, if your home is destroyed the vault could be as well. While it's true that you then have "bigger problems" to worry about, do you want to also be dealing with loss of access to all your online accounts at the same time?

    5. Re:Account recovery is ALWAYS the weakest link by Anonymous Coward · · Score: 0

      ... it weakens your security.

      It allows me to recall the fake name used in an online shopping/product registration account: smaller online footprint (under that name)
      It allows me to avoid re-using passwords: improved security.
      It allows meaningless answers to recovery/identity questions: improved security
      (When the question requests the location of my school, childhood home, best holiday, etc, I give a real but meaningless answer: eg. Sea of tranquility)

      Yes, it's a single point of failure that is managed by requiring an OS system file as a key-file, having off-line copies and not installing privileged cloud-based apps on my device. (eg. SkyDrive, DropBox, iTunes, etc)

    6. Re:Account recovery is ALWAYS the weakest link by Fish+(David+Trout) · · Score: 1

      "It's why I hate "recovery questions", they're usually bad questions that anyone could find out, and if I use some other answer, then I'm likely to forget what it is anyway."

      Then you're doing it wrong.

      You should not have to remember your bogus answers. You should instead record them in your encrypted password safe.

      I probably have over 100 different accounts at 100 different sites all over the web and each and every one of them has a different randomly generated strong password and nonsense security questions (when they let me compose my own) and corresponding nonsense answer, and I can assure you I have nary a one of them memorized.

      Because I don't have to. I use a password safe.

      The only people that whine about how difficult it is to remember passwords or answers to security questions are those who, like fools that don't understand or practice good security, use the same password for multiple web sites (because <whine!> they otherwise can't remember all of their passwords! </whine!>).

      Stop whining and doing it wrong and start doing it right by taking security seriously: use a damn password safe so each and every account you have can have a completely different password and/or security question/answer!

      --
      "Fish" (David B. Trout)
    7. Re:Account recovery is ALWAYS the weakest link by green1 · · Score: 1

      What happens if your password safe is a) compromised b) destroyed?

      Using a password safe decreases security overall by adding a single point of failure for all of your accounts, and additionally decreases reliability by allowing you to lose access to all of your accounts at once if anything were to ever happen to it.

  15. Facebook by phorm · · Score: 1

    Facebook keeps asking me to confirm my phone # is correct. Of course it's a random "555" number I gave them, along with incorrect address etc because there's no f***ing way I want them to have that information...

    1. Re:Facebook by sims+2 · · Score: 1

      FB decided I needed to verify my ID to keep my account.
      The only problem is my ID does not say "Ikate Facebork".

      --
      Minimum threshold fixed. Thanks!
    2. Re:Facebook by phorm · · Score: 1

      Well, not yet it doesn't...

  16. Another argument for Google Fi by bbsguru · · Score: 1

    At least if your phone service is Google Fi there is a lessened chance of it being hijacked. (requires Nexus / Pixel phone)

  17. That can only happen on CDMA by Torp · · Score: 1

    On GSM networks you transfer your number between phones by moving the sim card. So there's no way you can get control of someone else's phone number via just a phone call.

    --
    I apologize for the lack of a signature.
    1. Re:That can only happen on CDMA by Anonymous Coward · · Score: 0

      Wrong. Hopelessly wrong.

      Socially engineer a PAC code and you can grab anyone's phone number and have it transferred onto your SIM. And you can do that via a telephone call to their existing provider.

    2. Re:That can only happen on CDMA by zdzichu · · Score: 1

      But you can still move ('port') your number to a different provider. It's all happening between telecoms. Lately crackers have been moving the numbers to shady VoIP providers, in order to intercept 2FA tokens.

      --
      :wq
    3. Re:That can only happen on CDMA by Torp · · Score: 1

      Maybe in the US, generally people do verify identity in the rest of the world...

      --
      I apologize for the lack of a signature.
  18. Duh? by Jezral · · Score: 1

    Though Bob didn't have multi-factor authentication enabled...

    I think I see your problem. Why have a phone attached but then not use MFA on the same device?

  19. The real question by anarcobra · · Score: 1

    Is how did they switch his phone number without any kind of authorization?
    He's a paying customer, isn't he?
    Can anyone just walk into the store and request new SIM cards for random numbers?

  20. Is it the phone-no, or Verizon, that is the issue? by GNious · · Score: 1

    Headline seems to indicate that adding phone numbers decreases security, but the blurb below it seems to indicate that adding VERIZON to your google account is the issue.

  21. " and colleagues at Google" by Anonymous Coward · · Score: 0

    Well it sure is nice if you have connections isn't it?

    Meanwhile, I have a dumb problem which Google's automated system cannot help with and no way to contact a human at Google to explain the situation and have it resolved.

    Fuck this guy, and fuck his "colleagues at Google" for giving this guy special treatment.

  22. That's how Russians hacked British MPs last year by fubarrr · · Score: 2

    This is how Russians were hacking social media accounts and public emails of British MPs last year. It is assumed that they procured IMSI IDs of MPs from open sources (databases of gaming companies (this is why Google lets apps read your IMSI), advertising cookie brokers). Then they used Russian cell phone networks to announce a "Roaming transfer" of their phone numbers from BT to them and then used an "SMS login" and password recovery from their Snapchats/Twitters/WhatsApps. Once they logged into them, it is believed that they downloaded past conversations and other data through synchronisation APIs. Back then, Google only confirmed that they did send a recovery SMS to one account, but hackers didn't answer security questions. Amazingly, many cell operators don't check the digital signature on roaming requests, nor require the roaming counter-parties to pass them through.

  23. Social engineering by bradley13 · · Score: 3, Insightful

    Attackers get the service people on the phone, and spin a believable story about just why they don't know the answer to the security question, or have lost their PIN, but it's really important that they get this changed. They pull the support worker onto their side, partners against the evil bureaucracy. The support worker feels good, for helping someone out of a tight spot.

    This is made more believable by the ranks of the clueless, who really do get themselves into weird predicaments. Sometimes there really do need to be exceptions to the security rules. But when? How do you tell?

    I have a cousin who could do this. Let him talk to you for five minutes, and he'll have you believing anything he wants. Venus is actually in a retrograde orbit? Obama is actually a white guy in black face? It almost doesn't matter how outrageous it is. Fortunately, he's not evil, so it's just a party trick: he convinces people of stupid stuff, then lets them stew in their juices until they figure out that they've been tricked. It's damned unsettling...

    --
    Enjoy life! This is not a dress rehearsal.
    1. Re:Social engineering by SeaFox · · Score: 1

      Attackers get the service people on the phone, and spin a believable story about just why they don't know the answer to the security question, or have lost their PIN, but it's really important that they get this changed. They pull the support worker onto their side, partners against the evil bureaucracy. The support worker feels good, for helping someone out of a tight spot.

      Pfft! More like "support worker helps the customer out because the customer is getting angry and he doesn't want a supervisor call". It's amazing how stupid users are all for improved security until they "lose their key" and then blame the company for "not being helpful" when the protections work as designed against them.

    2. Re: Social engineering by Anonymous Coward · · Score: 0

      Don't give him too much credit. To be tricked, you need lack of knowledge. The blackface thing would work only on retards. Venus retrograde orbit, hmmmm. I don't know. What's a retrograde orbit? And how would only he know this? Lol. Fooling stupid people is always easy.

    3. Re:Social engineering by Anonymous Coward · · Score: 0

      Venus is actually in a retrograde orbit?

      No. Venus is in retrograde rotation around its axis. It orbits the Sun in the same way anything else does.

    4. Re:Social engineering by Anonymous Coward · · Score: 0

      >...Venus is actually in a retrograde orbit?
      >...he convinces people of stupid stuff...

      If the topics he picks are of little knowledge, (Venus's orbit), and then he announces the answer- coming across like an informed person- then it is not beyond reasonable that people would believe him. Now if he picks topics the other person IS familiar with, (such as their job duties & responsibilities as a call center staff), and convinces them to double-cross that... well that's remarkable. But not introducing obscure trivia and then laughing when they don't know the answer.

  24. Your Cell Number Uniquely Identifies You by Anonymous Coward · · Score: 1

    I'll tell you a secret. It's the reason Google, Yahoo, and others have been asking for your cell number recently. They're following Facebook, who figured this out years ago. It's also the reason Facebook broke its Messenger app out as a separate entity from its Facebook iPhone app. And it's the reason Snapchat moved to build its social connection graph from your cell phone contacts list:

    Your Cell Number Uniquely Identifies You.

    Sure, you could get two cell phone lines. But most people don't do that. That's what the big data companies are now betting on.

    For years, you could register for multiple accounts on Facebook. Or other social sites. And FB HATED this problem from the beginning, because they couldn't tell which accounts were unique, and which were made by the same physical human being. Sock puppet accounts ran rampant. Think about how hard it was for FB to sell advertising to its customers, when it couldn't guarantee how many real users it had.

    Fast forward to today. Any app, like WhatsApp for example, which starts up and gets a list of phone numbers from your contacts list on your phone....it uploads them to the server. They build a social graph in their server computers, a graph which represents who you have the phone numbers for. Now they know your unique cell number, and the number of all your friends.

    FB has a separate app, one which is tied to the phone number and so you can't impersonate someone else (unless you get two phones). And many big data companies have followed suit, coming up with one reason or another why they need your cell number....more secure?? password recovery?? They never tell you the real reason.

    So everyone think about this, next time you give away your cell number to an app or a website or a corporation. It's the new Social Security Number for our Digital Age.

  25. Terrible Editors. Title is inaccurate. by Anonymous Coward · · Score: 0

    A correct and sufficient title is 'Adding a Verizon ANYTHING To Your Google Account Can Make it Less Secure'

  26. Verizon account security by QuietLagoon · · Score: 1

    ... "Verizon later conceded that they had transferred his account despite having neither requested nor being given the 4-digit PIN they had on record." ...

    Something similar happened to my Verizon account. Verizon does not appear to have a high level of account security.

  27. Adding more doors makes entering easier by Anonymous Coward · · Score: 0

    Who would have thought?

  28. That's how Russians hacked British MPs last year by fubarrr · · Score: 2

    Google doesn't actually want your phone number for security. Google wants your phone number so that they can link the account in their database to other information that contains your phone number.

    This is how Russians were hacking social media accounts and public emails of British MPs last year.

    It is assumed that they procured IMSI IDs of MPs from open sources (databases of gaming companies (this is why Google lets apps read your IMSI) or advertising cookie brokers).

    Then, they used Russian cell phone networks to announce a "Roaming transfer" of their phone numbers from British Telecom to them and then used an "SMS login" and password recovery from their Snapchats/Twitters/WhatsApps. Once they logged into them, it is believed that they downloaded past conversations and other data through synchronisation APIs. Back then, Google only confirmed that they did send a recovery SMS to one account, but hackers didn't manage to answer a security question. This probably deterred them from attempting to try the same trick on Google accounts of other MPs whose numbers they pwned, or maybe Googlers simply made that up to cover their asses.

    Amazingly, many cell operators don't check the digital signature on roaming requests, nor require the roaming counter-parties to pass them through.

  29. I can't even give them a phone number by Anonymous Coward · · Score: 0

    ...as I don't have one. But if I did, I wouldn't give it to them for all the reasons mentioned here and in the story.

  30. That makes me wonder by Anonymous Coward · · Score: 0

    "Lets call him Bob"

    What happened to Alice? Where there's a Bob, there always has to be an Alice.

    1. Re:That makes me wonder by dfsmith · · Score: 1

      Eve kidnapped her?

  31. So..you are volunteering for the Red Team? by HBI · · Score: 1

    Best give them a host to get started on.

    There was a time I thought myself invincible. Then you learn that everything has limits.

    --
    HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
    1. Re:So..you are volunteering for the Red Team? by thegarbz · · Score: 1

      There was a time I thought myself invincible.

      And just why do you need to be invincible? Are you a big enough target to need the additional protection? If you are then you can afford better protection. If not then you don't need the protection to begin with.

      I'm not invincible. But I am one of several billion internet users which makes me a very irrelevant target in a sea of indecipherable shit.

      I'd say something smart like "come at me bro" but that's kind of the point isn't it. The internet is a perfectly safe place to host and manage your own connection unless you actively go out looking for trouble. In other news I spent a week in Chicago and didn't get shot either.

  32. But who was phone? by Mozai · · Score: 1

    Verizon later conceded that they had transferred his account despite having neither requested nor being given the 4-digit PIN they had on record

    So it's not the phone, it's the company that didn't abide by their own policies.

  33. Hacking by Anonymous Coward · · Score: 0

    I don't know about hacking but when my ex was cheating on me, a friend of mine referred me to Mr Robert I thought it wasn't real but he later proved me wrong by helping me to spy on my ex-husband and got me all the necessary evidence I needed. He helped me to hack and spy on his emails, mobile , all his social media and his bank accounts, Robert did all this remotely without touching his devices. You can contact him with mastershield55@gmail.com if you are in the same shoe as I was..