Slashdot Mirror

← Back to Stories (view on slashdot.org)

'Adding a Phone Number To Your Google Account Can Make it Less Secure' (vijayp.ca)

Posted by msmash on from the scare-security-stories dept.

You may think that adding a backup phone number to your account will make it prone to hack, but that is not always the case. Vijay Pandurangan, EIR at Benchmark (and formerly with Eng Site Lead at Twitter) argues that your phone number is likely the weakest link for many attackers (at least when they are trying to hack your Google account). He has shared the story of his friend who had his Google account compromised. The friend in this case, let's call him Bob, had a very strong password, a completely independent recovery email, hard-to-guess security questions, and he never logged in from unknown devices. Though Bob didn't have multi-factor authentication enabled, he did add a backup phone number. On October 1, when Bob attempted to check his email, he discovered that he was logged out of his Gmail account. When he tried to login, he was told that his password was changed less than an hour ago. He tried calling Verizon, and discovered that his phone service was no longer active, and that the attacker had switched his service to an iPhone 4. "Verizon later conceded that they had transferred his account despite having neither requested nor being given the 4-digit PIN they had on record." The attacker reset Bob's password and changed the recover email, password, name on the account, and enabled two-factor authentication. He got his account back, thanks to support staff and colleagues at Google, but the story illustrates how telco are the weakest link. From the article: Using a few old Google accounts, I experimented with Google's account recovery options and discovered that if a Google account does not have a backup phone number associated with it, Google requires you to have access to the recovery email account OR know the security questions in order to take over an account. However, if a backup phone number is on the account, Google allows you to type in a code from an SMS to the device in lieu of any other information. There you have it: adding a phone number reduces the security of your account to the lowest of: your recovery email account, your security questions, your phone service, and (presumably) Google's last-ditch customer service in case all other options fail. There are myriad examples of telcos improperly turning over their users' accounts: everything from phone hacking incidents in the UK to more recent examples. Simply put, telcos can be quite bad at securing your privacy and they should not be trusted. Interestingly, it appears that if two-factor-auth via SMS is enabled, Google will not allow your password to be reset unless you can also answer a security question in addition to having access to a phone number.

9 of 106 comments (clear)

  1. Reason by Jiro · · Score: 4, Insightful

    Google doesn't actually want your phone number for security. Google wants your phone number so that they can link the account in their database to other information that contains your phone number.

  2. It's not the phone number making it insecure by H3lldr0p · · Score: 5, Insightful

    it's the humans at the other end of the line.

    The lesson is the same one we've been screaming about for the past few decades. People are the weakest link. They're paid just to get on with the job, not to take the time to analyze or think that deeply. The article even mentions how the security the phone company has as part of their procedure was ignored. Why? Because for the support people it's about getting to the next caller.

    Change that and you've changed security. That'll cost money, but I have a feeling it's more than affordable.

    1. Re:It's not the phone number making it insecure by Jiro · · Score: 3, Insightful

      It's the "one database key connecting everything" idea that makes it insecure, so that if there's a breach in anything, it becomes a breach in everything you're involved in. If phone numbers and email addresses were kept separate, then the effect of the bad security at the phone company would be limited in scope to the phone account only.

      The lesson is that Big Data and specifically Google are evil for creating conditions where security breaches cause more damage than they otherwise would..

  3. Just say no. by DidgetMaster · · Score: 5, Insightful

    The last thing I want (well, one of the last things I want), is for Google or anyone else to have one bit of information about me than they absolutely must have. This is why I give fake names, addresses, and phone numbers to 95% of the online 'accounts' that I have. Unfortunately, it is getting harder and harder to 'opt out' of sharing information. The defaults of almost every application is to grab everything and beam it home to the mother ship. Even when you tell it NO, many will keep bugging you until you say yes. Every 'upgrade' will reset the defaults and if you are not paying attention, you are screwed.

  4. Account Recovery by bigfinger76 · · Score: 4, Informative

    Google no longer supports security questions for account recovery.

  5. Google is evidence that the internet failed by HBI · · Score: 3, Interesting

    The whole goddamned point was an online network not controlled by a big telco or the government. And here we are - controlled by monopolistic entities and/or governments. I'm so relieved it isn't a big national telecom monopoly (not).

    Through the combined efforts of criminal activity, rogue states and a failure to just fragment the network, large monopolistic entities now control communications in a way they hadn't since the advent of public internet access. You can't run your own servers, at least if you don't want to play whack-a-mole with constant threats, paramount being the DDoS that you have no power to resist yourself. The common protocols have been one by one exposed to be insecure. The price of sufficent infrastructure to provide an emulation of those protocols has risen to the point that individuals can't afford it. If you still are, you just haven't been attacked vigorously enough yet, or you're already compromised and don't know it.

    The problem is the money. None of this would be happening if it weren't possible to steal money or commit fraud over the network.

    Disconnecting entirely sounds better and better every day. It's just going to get worse.

    --
    HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
    1. Re:Google is evidence that the internet failed by PvtVoid · · Score: 4, Funny

      I obviously have more familiarity with the situation in the mid-1990s than you do.

      Not my fault I've been in cryo-freeze since 1989. How did the Quayle Administration work out?

  6. Account recovery is ALWAYS the weakest link by green1 · · Score: 4, Interesting

    It doesn't really matter what that is, but if there's a way to "recover" your account, then it's by necessity, a way to completely bypass any other authentication you had. The more ways to recover the account, the more attack vectors there are.

    It's why I hate "recovery questions", they're usually bad questions that anyone could find out, and if I use some other answer, then I'm likely to forget what it is anyway.

    If I need a password to access the site, at least it's only one thing to remember, and only one point of weakness for an attacker.

    So the big question is, which is more important? the ability to recover an account you've been locked out of? or the security of knowing nobody else can either?

    Of course companies can really screw this up too. For instance Tumblr recently re-set everyone's passwords and forced them all to use their recovery option because their password database had been compromised. Anyone who did not have a working recovery option was completely screwed, even though their account was otherwise more secure.

  7. Social engineering by bradley13 · · Score: 3, Insightful

    Attackers get the service people on the phone, and spin a believable story about just why they don't know the answer to the security question, or have lost their PIN, but it's really important that they get this changed. They pull the support worker onto their side, partners against the evil bureaucracy. The support worker feels good, for helping someone out of a tight spot.

    This is made more believable by the ranks of the clueless, who really do get themselves into weird predicaments. Sometimes there really do need to be exceptions to the security rules. But when? How do you tell?

    I have a cousin who could do this. Let him talk to you for five minutes, and he'll have you believing anything he wants. Venus is actually in a retrograde orbit? Obama is actually a white guy in black face? It almost doesn't matter how outrageous it is. Fortunately, he's not evil, so it's just a party trick: he convinces people of stupid stuff, then let's them stew in their juices until they figure out that they've been tricked. It's damned unsettling...

    --
    Enjoy life! This is not a dress rehearsal.