Slashdot Mirror


'Adding a Phone Number To Your Google Account Can Make it Less Secure' (vijayp.ca)

You may think that adding a backup phone number to your account will make it harder to hack, but that is not always the case. Vijay Pandurangan, EIR at Benchmark (and formerly Eng Site Lead at Twitter), argues that your phone number is likely the weakest link for many attackers (at least when they are trying to hack your Google account). He has shared the story of a friend who had his Google account compromised. The friend in this case, let's call him Bob, had a very strong password, a completely independent recovery email, hard-to-guess security questions, and he never logged in from unknown devices. Though Bob didn't have multi-factor authentication enabled, he did add a backup phone number.

On October 1, when Bob attempted to check his email, he discovered that he had been logged out of his Gmail account. When he tried to log in, he was told that his password had been changed less than an hour earlier. He called Verizon and discovered that his phone service was no longer active: the attacker had had his number transferred to an iPhone 4. "Verizon later conceded that they had transferred his account despite having neither requested nor being given the 4-digit PIN they had on record." The attacker reset Bob's password, changed the recovery email and the name on the account, and enabled two-factor authentication. Bob got his account back, thanks to support staff and colleagues at Google, but the story illustrates how telcos are the weakest link. From the article:

Using a few old Google accounts, I experimented with Google's account recovery options and discovered that if a Google account does not have a backup phone number associated with it, Google requires you to have access to the recovery email account OR know the security questions in order to take over an account. However, if a backup phone number is on the account, Google allows you to type in a code from an SMS to the device in lieu of any other information.
There you have it: adding a phone number reduces the security of your account to the lowest of: your recovery email account, your security questions, your phone service, and (presumably) Google's last-ditch customer service in case all other options fail. There are myriad examples of telcos improperly turning over their users' accounts: everything from phone hacking incidents in the UK to more recent examples. Simply put, telcos can be quite bad at securing your privacy and they should not be trusted. Interestingly, it appears that if two-factor-auth via SMS is enabled, Google will not allow your password to be reset unless you can also answer a security question in addition to having access to a phone number.
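The recovery logic quoted above can be modeled as a set of access paths, where each path is the set of factors an attacker must control to get in, and the account is only as strong as its weakest path. This is an added illustration, not code from the article or from Google. The paths follow the article's description of Google's flow as quoted above; two points it does not spell out are assumptions here: with SMS 2FA enabled a normal login needs the password plus the phone (standard 2FA semantics), and the recovery-email and security-question paths are otherwise unchanged. The strength scores given to effective_strength are caller-supplied illustrative ordinals, not measurements.

```python
from typing import Dict, FrozenSet, Iterable, List

# Factors an attacker may gain control of (names are this example's own labels).
PASSWORD = "password"
RECOVERY_EMAIL = "recovery_email"
SECURITY_QUESTIONS = "security_questions"
PHONE = "phone"

Path = FrozenSet[str]


def access_paths(backup_phone: bool, sms_2fa: bool = False) -> List[Path]:
    """Every way into the account. Inside a path the factors are ANDed (the attacker
    needs all of them); across paths they are ORed (any one path suffices)."""
    paths: List[Path] = []
    # Normal login: the password alone, or password plus the SMS code when SMS 2FA
    # is on (assumed standard 2FA semantics; the article does not describe login).
    paths.append(frozenset({PASSWORD, PHONE}) if sms_2fa else frozenset({PASSWORD}))
    # Recovery without a backup phone: recovery e-mail OR security questions (per the article).
    paths.append(frozenset({RECOVERY_EMAIL}))
    paths.append(frozenset({SECURITY_QUESTIONS}))
    if backup_phone:
        # With a backup phone an SMS code alone suffices (per the article), unless SMS 2FA
        # is on, in which case a security question is also required (per the article).
        paths.append(frozenset({PHONE, SECURITY_QUESTIONS}) if sms_2fa else frozenset({PHONE}))
    return paths


def can_take_over(paths: List[Path], attacker_controls: Iterable[str]) -> bool:
    """True if the factors the attacker controls cover at least one complete path."""
    have = set(attacker_controls)
    return any(path <= have for path in paths)


def single_points_of_failure(paths: List[Path]) -> List[str]:
    """Factors whose compromise, on its own, hands over the account."""
    return sorted({factor for path in paths if len(path) == 1 for factor in path})


def effective_strength(paths: List[Path], strength: Dict[str, int]) -> int:
    """AND inside a path: the attacker must beat its hardest factor (max).
    OR across paths: the attacker picks the easiest path (min). The result is the
    'lowest of' figure the article describes."""
    return min(max(strength[f] for f in path) for path in paths)


if __name__ == "__main__":
    # Illustrative ordinals only: higher = harder for an attacker to obtain.
    guess = {PASSWORD: 5, RECOVERY_EMAIL: 4, SECURITY_QUESTIONS: 3, PHONE: 1}
    for label, cfg in [("no phone", access_paths(False)),
                       ("backup phone", access_paths(True)),
                       ("backup phone + SMS 2FA", access_paths(True, sms_2fa=True))]:
        print(f"{label:24s} strength={effective_strength(cfg, guess)} "
              f"single points of failure={single_points_of_failure(cfg)}")
```

Run as a script, the comparison makes the article's point visible at a glance: adding the number introduces a one-factor path through the telco, and turning on SMS 2FA (as the article observed) removes that single point of failure again by requiring a security question alongside the phone.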

24 of 106 comments

  1. Reason by Jiro · · Score: 4, Insightful

    Google doesn't actually want your phone number for security. Google wants your phone number so that they can link the account in their database to other information that contains your phone number.

    1. Re:Reason by dcavanaugh · · Score: 2

      Google doesn't actually want your phone number for security. Google wants your phone number so that they can link the account in their database to other information that contains your phone number.

      Correct. It's not Google that wants your phone number linked to your email account -- it's the NSA. Email accounts may be disposable and free, but every phone is costing somebody money. Unless you buy a burner phone and service cards for cash, there is a financial trail behind every phone that leads back to a person. Once the NSA knows the person's phone number, geolocating the phone (and therefore the email account owner) is child's play for the inventors of PRISM.

      Even if you buy a burner phone and service for cash, and even if you turn off the phone after setting up your Gmail account, tracking down the account holder is as simple as forcing Google to "screw up" someone's password, forcing them to use the telephone-based password recovery protocol.

      Once you understand the loss of privacy that comes from linking telephones to user accounts, it's much easier to understand how the real goal has nothing to do with making your account "secure". The real target is your privacy.

    2. Re:Reason by PPH · · Score: 2

      Everyone wants your phone number so that they can link the account in their database to other information that contains your phone number.

      FTFY.

      I wrote a check the other day (with no phone # pre-printed) and the clerk asked for one to write down. I decided to run a test and said, "No phone." He asked, "What?!" I replied, "I don't have a phone." He looked like he was going to shit himself, but accepted the check anyway.

      Phone numbers accepted in this manner have little to do with security or identity verification. By the time the number is exposed as a fake, the thief is out the door with the goods. And if it was actually me that bounced a check, my bank handles it. And not by phone.

      Also, the telcos have been raped so many times by the feds and law enforcement that when they ask for subscriber data, they just hand it over, close their eyes and play dead. As a result, accessing any account data the telcos have on you is trivially easy for anyone from private detectives to foreign intelligence services.

      --
      Have gnu, will travel.
    3. Re:Reason by GNious · · Score: 2

      If you prefer not to give your phone number to Google, don't. Just turn on two-factor auth using a non phone number-based auth method, either the Authenticator app or (better yet) a security key, or both. Then download and print out some backup 2FA codes and keep them somewhere safe. Google won't have your phone number and you won't be vulnerable to mistakes by dumb telco customer service reps.

      Not Google, but on Twitter I've had to use 2FA codes 2-3 times daily - any hiccup, and I have to log in again, and every time(!) it'll request a code.
      Sure, could print a dozen or 2, but I'll burn through them quickly.
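As an added example (not from the comment above, and not Google's or Twitter's implementation), here are the two phone-independent methods GNious mentions, in Python: an authenticator-app code (TOTP, RFC 6238 over HOTP, RFC 4226) and printed single-use backup codes. Neither involves a carrier, so a mis-ported number gives an attacker nothing. The TOTP functions match the published RFC 6238 SHA-1 test vectors; the BackupCodes class is an illustrative design whose names and code format are assumptions, storing only salted PBKDF2 hashes and burning each code on first use.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Optional, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). No network, no telco."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, now: Optional[int] = None,
                step: int = 30, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbouring steps to tolerate clock skew;
    compare in constant time so a wrong guess leaks nothing about the right digits."""
    now = int(time.time()) if now is None else now
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, now + drift * step, step, len(code)), code):
            return True
    return False


def new_totp_secret(account: str, issuer: str = "example") -> Tuple[bytes, str]:
    """Enrolment: a random 160-bit secret plus the otpauth URI an authenticator app
    scans from a QR code (issuer/account labels here are placeholders)."""
    secret = secrets.token_bytes(20)
    b32 = base64.b32encode(secret).decode().rstrip("=")
    uri = (f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
           f"&algorithm=SHA1&digits=6&period=30")
    return secret, uri


class BackupCodes:
    """Printable single-use recovery codes. Only salted PBKDF2 hashes are kept server-side,
    so a database leak does not hand out working codes, and a code is burned when redeemed."""

    def __init__(self, count: int = 10):
        self._salt = secrets.token_bytes(16)
        self.plaintext: List[str] = []       # shown to the user once, then discarded
        self._unused: List[bytes] = []
        for _ in range(count):
            code = f"{secrets.token_hex(2)}-{secrets.token_hex(2)}"   # e.g. "a3f1-9c0b"
            self.plaintext.append(code)
            self._unused.append(self._hash(code))

    def _hash(self, code: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", code.encode(), self._salt, 100_000)

    def redeem(self, code: str) -> bool:
        """True exactly once per code; presenting the same code again fails."""
        h = self._hash(code)
        for i, stored in enumerate(self._unused):
            if hmac.compare_digest(stored, h):
                del self._unused[i]
                return True
        return False

    def remaining(self) -> int:
        return len(self._unused)


if __name__ == "__main__":
    secret, uri = new_totp_secret("bob@example.invalid")
    print("provisioning URI:", uri)
    print("current code:", totp(secret, int(time.time())))
    codes = BackupCodes(count=5)
    print("print and keep safe:", codes.plaintext)
```

The skew window is the usual trade-off: one step either side keeps a phone with a slightly wrong clock working while leaving an attacker three 6-digit guesses per 30 seconds at best, which is why a real deployment also rate-limits attempts. Backup codes are what covers the "every hiccup asks for a code" problem without a phone number: generate a fresh batch when the old one is nearly used up.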

    4. Re:Reason by bingoUV · · Score: 2

      Google definitely uses the phone number for learning connections between people.

      --
      Bingo Dictionary - Pragmatist, n. A myopic idealist.
    5. Re:Reason by tlhIngan · · Score: 2

      The number is to make account recovery possible in the event you've forgotten your password. The assumption is that attackers won't have access to your phone. That assumption is violated if your telco will transfer your number to the attacker's phone, of course.

      And the good folks at NIST have already commented that phone numbers are a bad authentication method and should never be used for the second factor.

      Because of exactly this - a phone number is not necessarily under control of the phone you think it is. There are many reasons why a phone number might not lead to the phone you expect, so you should never just trust a phone number.

    6. Re:Reason by Anonymuous+Coward · · Score: 2

      If you prefer not to give your phone number to Google, don't.

      You can no longer do that.

      I just tried setting up a gmail address -- it won't work unless I give them a phone number.

      And for an old address that you set up before this policy, they have the nice habit of blocking pop3s/smtps access from time to time, forcing you to log in via web through a page where they pester you again about adding a phone number.

      Because of that wanton blocking I can no longer trust to use my gmail address for any serious stuff, and unlike with my phone number, there's no EU directive to force them to port it to another provider ;-)

  2. It's not the phone number making it insecure by H3lldr0p · · Score: 5, Insightful

    it's the humans at the other end of the line.

    The lesson is the same one we've been screaming about for the past few decades. People are the weakest link. They're paid just to get on with the job, not to take the time to analyze or think that deeply. The article even mentions how the security the phone company has as part of their procedure was ignored. Why? Because for the support people it's about getting to the next caller.

    Change that and you've changed security. That'll cost money, but I have a feeling it's more than affordable.

    1. Re:It's not the phone number making it insecure by Jiro · · Score: 3, Insightful

      It's the "one database key connecting everything" idea that makes it insecure, so that if there's a breach in anything, it becomes a breach in everything you're involved in. If phone numbers and email addresses were kept separate, then the effect of the bad security at the phone company would be limited in scope to the phone account only.

      The lesson is that Big Data and specifically Google are evil for creating conditions where security breaches cause more damage than they otherwise would.

  3. Just say no. by DidgetMaster · · Score: 5, Insightful

    The last thing I want (well, one of the last things I want), is for Google or anyone else to have one more bit of information about me than they absolutely must have. This is why I give fake names, addresses, and phone numbers to 95% of the online 'accounts' that I have. Unfortunately, it is getting harder and harder to 'opt out' of sharing information. The defaults of almost every application are to grab everything and beam it home to the mother ship. Even when you tell it NO, many will keep bugging you until you say yes. Every 'upgrade' will reset the defaults and if you are not paying attention, you are screwed.

    1. Re:Just say no. by CrashNBrn · · Score: 2

      When the real-name policy was in effect, you needed to put a name on the account in order to use Hangouts. It took a bit of finagling, but it finally accepted: Crash N. Burn.

      Although apps wanting ALL information is egregious. Hell, even OperaMax (data utilization|optimization tool) wants "location, and contacts" in its most recent update. I'm skipping that update until I root my phone and start feeding bogus crap to such apps.

    2. Re:Just say no. by jenningsthecat · · Score: 2

      The last thing I want (well, one of the last things I want), is for Google or anyone else to have one more bit of information about me than they absolutely must have. This is why I give fake names, addresses, and phone numbers to 95% of the online 'accounts' that I have. Unfortunately, it is getting harder and harder to 'opt out' of sharing information. The defaults of almost every application are to grab everything and beam it home to the mother ship. Even when you tell it NO, many will keep bugging you until you say yes. Every 'upgrade' will reset the defaults and if you are not paying attention, you are screwed.

      I second this. I NEVER give my phone number or real name to any service I'm not paying for, and I'm very careful about info I give to services I DO pay for. Google may have my cell number because I have an Android phone, but it's not associated with my account in any public-facing place AFAICT. And Google doesn't officially have my real name. I'm sure they know it just because they're Google - but my Gmail account is under a pseudonym, and I don't use it except to the extent necessary to use Google Play. So again, the association probably isn't available to casual hackers - they'd have to get deeper into Google to make the association, and that's beyond my control, short of becoming a techno-hermit.

      I also don't update apps immediately - I wait to see what others have to say in the reviews. Sometimes I don't update at all: as far as I'm concerned, in the Android ecosystem it's often a saw-off between patching old vulns and introducing new ones. I don't have location enabled, and WiFi, Bluetooth, and Data are turned off unless I'm using them. And I run a firewall. I have no illusions that these things make me either secure or anonymous, but I do try to make it a little harder for the carrion to pick clean the bones of the mostly-dead carcass of my privacy.

      --
      'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
  4. So.... a verizon fuck up? by mark-t · · Score: 2

    Changing information on an account without verifying that the person doing the changing is actually authorized to do so is... well... negligent to the point of incompetence, and he may be able to successfully sue Verizon for the costs associated with getting his email back.

  5. Account Recovery by bigfinger76 · · Score: 4, Informative

    Google no longer supports security questions for account recovery.

    1. Re:Account Recovery by swillden · · Score: 2

      Google no longer supports non-security questions for account recovery.

      FTFY. Security questions are a joke. The answers are almost always easy for an attacker with a little bit of information about you to find, and a lot of the time the legitimate user can't remember them. Moreover, those two traits are strongly correlated: the harder it is for an attacker to find the answers, the more likely it is that the user won't be able to find them either.

      Everyone should stop using them.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  6. So much for that meme! by macs4all · · Score: 2

    So much for the popular meme with some Slashdotters that iPhone users are idiots that only use Apple products because they don't know anything about "tech".

    Sounds like that particular iPhone user knew exactly how to take over someone's online identity. That implies at least some level of expertise in matters other than the "Ooh, shiny!" that some Slashdotters think is the norm with those who use Apple.

    Of course I am sort of joking; but the underlying facts are still there...

  7. Google is evidence that the internet failed by HBI · · Score: 3, Interesting

    The whole goddamned point was an online network not controlled by a big telco or the government. And here we are - controlled by monopolistic entities and/or governments. I'm so relieved it isn't a big national telecom monopoly (not).

    Through the combined efforts of criminal activity, rogue states and a failure to just fragment the network, large monopolistic entities now control communications in a way they hadn't since the advent of public internet access. You can't run your own servers, at least if you don't want to play whack-a-mole with constant threats, paramount being the DDoS that you have no power to resist yourself. The common protocols have been one by one exposed to be insecure. The price of sufficient infrastructure to provide an emulation of those protocols has risen to the point that individuals can't afford it. If you still are, you just haven't been attacked vigorously enough yet, or you're already compromised and don't know it.

    The problem is the money. None of this would be happening if it weren't possible to steal money or commit fraud over the network.

    Disconnecting entirely sounds better and better every day. It's just going to get worse.

    --
    HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
    1. Re:Google is evidence that the internet failed by PvtVoid · · Score: 2

      The whole goddamned point was an online network not controlled by a big telco or the government.

      You don't know much about the history of the internet, do you? The internet was invented by the Defense Advanced Research Projects Agency with the goal of networking military computers in a failsafe fashion. The stated goals were:

      1. Internet communication must continue despite loss of networks or gateways.
      2. The Internet must support multiple types of communications service.
      3. The Internet architecture must accommodate a variety of networks.
      4. The Internet architecture must permit distributed management of its resources.
      5. The Internet architecture must be cost effective.
      6. The Internet architecture must permit host attachment with a low level of effort.
      7. The resources used in the internet architecture must be accountable.

      None of these have anything to do with "not being controlled by government". Sorry.

    2. Re:Google is evidence that the internet failed by PvtVoid · · Score: 4, Funny

      I obviously have more familiarity with the situation in the mid-1990s than you do.

      Not my fault I've been in cryo-freeze since 1989. How did the Quayle Administration work out?

  8. Account recovery is ALWAYS the weakest link by green1 · · Score: 4, Interesting

    It doesn't really matter what that is, but if there's a way to "recover" your account, then it's, by necessity, a way to completely bypass any other authentication you had. The more ways to recover the account, the more attack vectors there are.

    It's why I hate "recovery questions", they're usually bad questions that anyone could find out, and if I use some other answer, then I'm likely to forget what it is anyway.

    If I need a password to access the site, at least it's only one thing to remember, and only one point of weakness for an attacker.

    So the big question is, which is more important? the ability to recover an account you've been locked out of? or the security of knowing nobody else can either?

    Of course companies can really screw this up too. For instance Tumblr recently re-set everyone's passwords and forced them all to use their recovery option because their password database had been compromised. Anyone who did not have a working recovery option was completely screwed, even though their account was otherwise more secure.

    1. Re:Account recovery is ALWAYS the weakest link by CrashNBrn · · Score: 2

      A password manager. No forgotten passwords. No account recovery required.

  9. That's how Russians hacked British MPs last year by fubarrr · · Score: 2

    This is how Russians were hacking social media accounts and public emails of British MPs last year. It is assumed that they procured IMSI IDs of MPs from open sources (databases of gaming companies (this is why Google lets apps read your IMSI), advertising cookie brokers). Then they used Russian cell phone networks to announce a "Roaming transfer" of their phone numbers from BT to them and then used an "SMS login" and password recovery from their Snapchats/Twitters/WhatsApps. Once they logged into them, it is believed that they downloaded past conversations and other data through synchronisation APIs. Back then, Google only confirmed that they did send a recovery SMS to one account, but the hackers didn't answer security questions. Amazingly, many cell operators don't check the digital signature on roaming requests, nor require the roaming counter-parties to pass them through.

  10. Social engineering by bradley13 · · Score: 3, Insightful

    Attackers get the service people on the phone, and spin a believable story about just why they don't know the answer to the security question, or have lost their PIN, but it's really important that they get this changed. They pull the support worker onto their side, partners against the evil bureaucracy. The support worker feels good, for helping someone out of a tight spot.

    This is made more believable by the ranks of the clueless, who really do get themselves into weird predicaments. Sometimes there really do need to be exceptions to the security rules. But when? How do you tell?

    I have a cousin who could do this. Let him talk to you for five minutes, and he'll have you believing anything he wants. Venus is actually in a retrograde orbit? Obama is actually a white guy in black face? It almost doesn't matter how outrageous it is. Fortunately, he's not evil, so it's just a party trick: he convinces people of stupid stuff, then lets them stew in their juices until they figure out that they've been tricked. It's damned unsettling...

    --
    Enjoy life! This is not a dress rehearsal.
  11. That's how Russians hacked British MPs last year by fubarrr · · Score: 2

    Google doesn't actually want your phone number for security. Google wants your phone number so that they can link the account in their database to other information that contains your phone number.

    This is how Russians were hacking social media accounts and public emails of British MPs last year.

    It is assumed that they procured IMSI IDs of MPs from open sources (databases of gaming companies (this is why Google lets apps read your IMSI) or advertising cookie brokers).

    Then, they used Russian cell phone networks to announce a "Roaming transfer" of their phone numbers from British Telecom to them and then used an "SMS login" and password recovery from their Snapchats/Twitters/WhatsApps. Once they logged into them, it is believed that they downloaded past conversations and other data through synchronisation APIs. Back then, Google only confirmed that they did send a recovery SMS to one account, but the hackers didn't manage to answer a security question. This probably deterred them from attempting to try the same trick on Google accounts of other MPs whose numbers they pwned, or maybe Googlers simply made that up to cover their asses.

    Amazingly, many cell operators don't check the digital signature on roaming requests, nor require the roaming counter-parties to pass them through.