297 comments

[ 2.7 ms ] story [ 280 ms ] thread
Adding a phone number that people KNOW about can make it LESS secure. A workaround is to get a phone number that is only used for identity verification and not given out to anyone.
That sounds like a good fix, but a tall order for most people.
One way to accomplish this would be with, ironically, a Google Voice-type service (but associated with a completely independent email provider)
This can actually be problematic. I've found many 2FA services use text services with shortcodes which sometimes do and sometimes don't work with services like Google Voice. Back when I used Voice, my actual cell number was only used for identity verification.
Not really, there are phones out there that have two SIM-card slots.
A solution would be to not add a phone number, and store the password in a password database instead.
That's a good point. Though I think it would be challenging to have a phone number that no one knows which you also carry around with you.

It's possible if you use something like Google Voice for most of your regular calls, but you still need to make sure that the telco can't tie your name to your number…

This works as long as they don't insist on verifying you through that secondary phone number (this is the case for now for Google I think - if something suspicious is going on, they ask you if you want an sms with a verification code, or an email to a secondary address; but maybe not all services with 2FA make this optional).

It's not fun to have 2 phones always with you. But maybe the 2-SIM devices will become more mainstream soon, which can solve this problem.

You don't have to have a second phone (or even just a SIM card) with you, you can keep it at home.
The reason why they use phone in the first place is that you will always have it with you. The reason why you have your phone with you is because you use it to make phone call. Unless you are suggesting to buy phone that supports dual SIM cards, I think this idea is not very practical. Why not have physical TFA device instead (they are usually much cheaper and lighter than a phone)?
I don't think it's possible to make a Google account without a phone number anymore. It's really unfortunate, especially because I deliberately don't set up fallback contacts for my "alternate" gmail accounts, and Google keeps locking them as suspicious when I log in from a second location, and I need to "verify" with a phone number any time that happens (at which point I abandon the account).

I understand that they want to fight spam, but I'd be willing to spend 5 minutes doing captcha type activities in exchange for not requiring a phone number, and that should pretty severely rate limit account creation.

I think the main issue is that google doesn't accept certain senders anymore. As a generic thread about running a mailserver/mail service pops up here often.

That means users are shoveled into about one of 4 "acceptable" providers which have control of the entire market. They demand, full name and usually gender, mobile, alternative email and more.

So you get pushed into their information pipeline to stop "spam".

It accepts my personal mail server just fine. You need to support encryption, spf, and dkim but mail will flow no problem to gmail users in my experience.
Not mine, FWIW. Ten out of ten score on mail-tester.com, a clean IP that I acquired 15 years ago ... and further, gmail watches people daily remove my one-to-one correspondence from their spam folders.

And yet, most (but not all) new gmail recipients will not see my emails until they remove them from their spam folder.

Google does not want people to self-provide email and there is no incentive for them to do so.

dnsbl.info reports that 69.43.165.11, MX for mail.rsync.net, is blacklisted by ips.backscatterer.org:

http://www.backscatterer.org/?ip=69.43.165.11

I suggest fixing your SMTP server configuration [1][2] and maybe listing your IP on dnswl.org. (edit: I see you did the latter.)

[1]: http://www.backscatterer.org/index.php?target=bounces

[2]: https://web.archive.org/web/20140215064312/http://spamlinks....

That's the rsync.net mailserver and that's interesting, thank you.

However I was speaking of my own, personal mailserver, which is not listed.

Also - do we really think "big email" (like google) are using either of these (blacklist or whitelist) services ?

I can't tell you what goes on behind the scenes at Google, but I have resolved email issues to gmail by getting removed from blacklists.
Yep, I wrote one not too long ago:

http://penguindreams.org/blog/how-google-and-microsoft-made-...

I've been meaning to write a follow up after I met some MailChip devs at a conference. They told me at MailChip they have to slowly spin up new servers, sending e-mail through them slowly so Google registers their new SMTP IPs.

The other thing they told me: MailChip owns a /A, and can therefore separately out their servers from even being remotely related to any spammy subnets (common problem on 'cloud' hosting).

I'm wondering if I heard/remember that correctly. I mean, a class A is huge and would be crazy expensive. I've been looking through websites on ASNs and am trying to figure out how to verify that info.

(Assuming you mean MailChimp)

I don't know anything about how MailChimp operates, but a quick search turns up this blog post about how to set up SPF records [1].

From there, you can get a list of which IPs MailChimp authorizes as a sender; following the SPF include directive, you can see they specify two IPv4 ranges, both of which are in class C space, so it seems unlikely that MailChimp has their own class A for SMTP senders.

[1]: https://blog.mailchimp.com/senderid-authentication-for-your-...

It certainly could be an issue, but honestly even if it were possible to set up my own mail server, that's even worse for pseudonymity than a google account because ICANN records are public and I'd be the only one using my domains. It would make it much easier for some random person to uniquely identify me, which is a worse threat than Google identifying me by my phone number. This is one of those situations where anonymity loves company.

Also, the problem is not limited to e-mail. There are some non-email services from Google. I'd be perfectly happy to sign up for a Google account where you can't send e-mails, or where you can only send e-mails to people who have sent you e-mails.

> ICANN records are public and I'd be the only one using my domains

Several domain registration services and hosting providers offer to mask your whois information by making themselves the point of contact. Some include this as part of your package; Tiger Technologies does this as a free opt-in. Namecheap offers it as a paid add-on via WhoisGuard.

When is the last time you tried? I have created a gmail account couple of weeks back without providing phone number and recovery email.
I did it. Then they banned it.

Having my phone number or any other hard identifier is none of Googles business.

I did it recently, and burned myself, because I forgot my password and had no way of recovering the account. As far as I know, my account isn't banned, though.
I moved country, and had to wait to visit the country I registered in to get the account back.
They didn't ban your account for not having a phone number.
What else? I was creating this for Youtube videos for my son. When we were about to upload a video, it was already banned.
I dunno, but you weren't banned for not having a phone number attached to your account, because I and many others have accounts without phone numbers and are not banned.
It may depend on the time frame and geolocation. I tried to do this about 6 months ago.

I have also an old account that does not have a phone number and it is functional.

What I was describing was a creation of a new account.

I'm not Google customer support, but I'll repeat for a third time; you were not suspended because you didn't provide a phone number.
I think you've made your opinion clear. Why continue to try pushing it as fact? There are a thousand factors at play in spam/fraud/whatever detection, how can you possibly say with a straight face that you're certain the phone number is not a leading reason?
It may be that this persons knows something more that we do not (does not seem to be the case) or has very different experience.

I do not mind this. It is indeed possible that the cause of the ban originated from some other source as from entered personal details and sequence of actions.

It actually motivates me to create another experiment.

While this statement will be really buried, it reminds me that we still should be thankful that we can somewhat conceal our identity as a private enterprise can be much more unforgiving that the state.

From what I can tell from a few days ago, you can't create a new account without a phone number.
From just now, I went to gmail.com and created a new account without entering a phone number or email address.

I then went to Youtube and uploaded a video.

I signed out, then in again. Google asked for a number and recovery email, but let me press "Done" without providing one.

I'll sign in later from a different IP, and see what happens.

Edit: I've come across [1], which says a phone number is required to upload videos longer than 15 minutes to YouTube, or in some cases to upload anything.

[1] https://support.google.com/youtube/answer/171664

It's not my opinion, it is fact. There was a reason he was suspended, and it is not his phone number not being attached to his account.

Also, I didn't say anything about leading reason.

So perhaps you will care to elaborate this a bit more?
> it is fact

No, it's a hasty generalization[1] where personal experience is assumed to match other cases.

Of course Google could have simply stated the reason for the suspension clearly, if they weren't so reliably opaque in support and service management issues,

[1] https://en.wikipedia.org/wiki/Hasty_generalization

So who are you then? :)

But I am willing to create another more controlled experiment.

I'm concerned about your ability to control the necessary variables. For example, any one of your anti-tracking measures (you're big into Internet privacy, yes?) may be triggering the suspension.
My only concern in that point of time was giving out the phone number, as it will give Google an unique identifier without the ISP and state cooperation. As such I did not use any additional measures.

I am grateful of your comments as it will motivate me to give it another try.

Btw. in fact I do not use regularly any anti tracking measurements. I am only protecting the local businesses against their own stupidity.

I really would like to keep visiting my favorite supermarket regardless of their decision to include their video ads into the Youtube videos I happen to watch time to time. Some careless fools already lost me as an client, I would not like to let this happen again.

I have a google account without a phone number, but it's always been that way so they probably aren't going to ban me... I hope at least until I finish migrating
They could lock you out of your account and require your number before letting you log in again. Any day.

Happened to me.

They do that if:

1. You don't log in from a first world IP (the terminology from their user operations team), but previous logins were from them.

2. You registered from an IP in a country where they don't have access to sending SMS, but they go to a country where they have.

3. Bot detection algo flagged you, and bot detection algo are one of their crown jewels that they don't tell to support people.

Do you disagree with their right to specify the terms of use as to include a phone number, or do you just not like the rule?
I think that giving such agencies the power to identify unique individuals is not beneficial for the humankind.
It probably depends on your IP address, country and maybe something else. Some time ago I was unable to register on youtube without providing a phone number, and earlier I have registered a Google Account from Android emulator that was instantly blocked. Maybe it is because of spam, or maybe because lot of people are using the same IP address.
I've several children, and can no longer make Google accounts for their Chromebooks. All the phone numbers I have and control can no longer be used to register further accounts.

What happens to users that buy a new Android cell phone who's number has been burned by Google?

This is the time to get to know https://mail.yandex.com

Seriously, the interface is so much better than todays gmail, its astonishing. There is no spam either, and no ads.

The email account is not the issue; I run my own email server with all the fun that brings.

It's that the Chrome Books really need separate Google accounts otherwise, settings + notifications to end up replicated to all of them.

And yes, I have a greater than average number of children. I feel as if the only way forward is to purchase a google for business account, and add them all there :-/

Anyone have any experiences with their support?
Ironically you could create google voice numbers as a workaround
IIRC Google doesn't allow using Google Voice numbers for account verification (or other known VOIP number blocks).
One workaround is to use a number and then port it to Google Voice.
You should be aware that Google has minimum age requirements. I was not aware of this and my son disclosed his age to Google as part of setting up another Google service, which then locked out his account.

https://support.google.com/accounts/answer/1350409?hl=en

I switched to Fastmail after that.

Google's subject to U.S. law, they can't knowingly maintain a child's personal data without parental consent (which is a manual process). There are also further restrictions on the types of marketing they can do to children. It is fine if the product, like gmail, doesn't target children and they don't collect age info, but once they do know age they've got to either get consent (costly) or shut down the account.
That's okay with me and I wasn't criticizing Google, just stating what happened. My recollection was that I was able to get the account re-activated by providing a CC #, but once I was aware it was in violation of the ToS, I switched to a different provider.
I never put in my number into my Google account. Ironically, the only US number I have is via Google voice/hangouts. So they have it. It's just not associated. I'm not even sure if it would be allowed, as there'd be no way to use it as a 2-factor auth without actually being logged in.
I recently tried doing exactly that, and got back something like "This is not an acceptable verification number" with no further explanation.
I created one on Monday, without a phone number. I did provide a (@outlook.com) recovery email. I did not try to create a Google Voice number for it though and I think that does require a phone number.
Can Americans explain me how can you just do things like that by calling customer support? Wouldn't it make more sense to go and show your ID if you want to make changes like that?
(comment deleted)
In your call with customer support, questions are asked to verify your identity.

They aren't as accurate as physically showing your ID, however. Not that I'd want my ID digitized though.

>Not that I'd want my ID digitized though.

Not that it isn't already. Every state's DMV has it, and there must be some kind of database/API that allows law enforcement to access it.

Where would you go to show ID? In many places in America, the closest telco customer service office may be a 2 hour drive away. Everyone saves time/money by being able to do it over the phone; but unfortunately the customer service reps are usually poorly trained.
Training shouldn't really be a factor here. The software systems shouldn't let social engineering hacks work. Why is the customer service rep allowed to override whatever prompt ask for a PIN number? If this override is really needed it should be a higher ranking support member or manager who can do this.
for practicality, you should be able to set your customer service security preferences to tighten or loosen this.
What I recall reading over the last year is that:

- phonelines can be hijacked (this article)

- DNS can be hijacked in a similar manner

- SMS can be hijacked (for 2FA via text message)

I guess 2FA using an authenticator app is the way to go for now. Do you guys agree with the removal of backup phone numbers recommended here? Seems reasonable to me but scary; I've lost my phone(s :( ) before. I do have backup codes generated though.

The problem with the backup codes is that I have so many now. Pretty much a list of codes for every account I have 2FA enabled on (about a dozen). If I actually printed them out and kept them in my wallet, my wallet would be overflowing by now.

Authy has been a great improvement over Google Authenticator for me. I primarily used it when I migrated phones for the upteenth time, but were I to lose my phone, I could also restore the database on my tablet in the meantime and use that instead. The prospect of doing so does leave me a little concerned, however, because my phone has full-disk encryption enabled while my tablet does not.

Put your recovery codes on an offline SD card somewhere safe in your house. I keep mine in a literal safe.
SD cards don't last forever. I've had 3 different cards seemingly randomly corrupt in different devices on me. I don't trust them to hold anything important for long.
Print them out on paper then. Paper stored properly will outlive you and any services you need recovery codes for.
I find it far simpler to make a secure backup of the authenticator QR code than it is to save all of the one-time backup codes.
I wish it were possible to print a sheet of QR codes for all your 2FA accounts in Authy. The in-app backup seems to work well, but an easy offline backup would make me a lot more comfortable.
I keep them in LastPass, along with the passwords themselves. That does make LastPass a single point of failure for me, but I know myself and know that I'm not gonna remember where I put all of my one time recovery codes.
Yeah, I'm also scared of LastPass being a SPOF. While LastPass does do a good job, no one is perfect, and the cost of having my account compromised is really high

I'm now leaning towards encrypting backup codes with a passphrase and putting the encrypted blobs in LastPass. I haven't actually done this but as long as I don't forget the second passphrase, that might work…

> If I actually printed them out and kept them in my wallet, my wallet would be overflowing by now.

It seems unnecessary (and easy to lose) to carry them around in your wallet. I print them out, and leave them in an envelope at my parents' house.

I recently turned on 2FA on a bunch of accounts (nine total) and ran into the same problem. My solution was to save the initialization QR codes and print them on a piece of paper (actually three copies, stored in separate locations). This involved a bunch of screenshotting and messing around in gimp and was in general a big pain. But if my phone dies, restoring my 2FA setup will be much simpler than using backup codes: I just have to scan codes; the account providers aren't involved at all.

(I do also keep a few backup codes for the most important accounts in my wallet.)

I know Authy can back up 2FA state to their own cloud, but it's unclear how secure this is: they let you restore codes onto a new phone with the same number, and apparently even to a brand new phone (https://www.authy.com/phones/change/). So it seems like stealing a phone number would allow an attacker to steal 2FA codes stored in Authy.

(What I'd really like is a TOTP app that let me back up its state into a single giant QR code or a small file that I could print out in hex and scan+ocr later.)

>So it seems like stealing a phone number would allow an attacker to steal 2FA codes stored in Authy.

You're required to set a password on your Authy database before you can start adding tokens to it. So when I transferred my Authy database to a new phone (had to send in the old one for a replacement), I had to confirm the password before it would sync to the new device. Authy also bugs you about once a month to confirm your password phrase to make sure you don't forget it.

Additionally, you can set a PIN that Authy will prompt you for any time you try to open the app. I have that set, as well, so that even if someone should get past my lockscreen, they can't reach my 2FA tokens without another PIN.

> You're required to set a password on your Authy database before you can start adding tokens to it.

That's not true. Passwords in Authy are for backup, which is optional. Backup synchronizes offline TOTP secrets between paired devices. Only the offline TOTP secret is encrypted; the token name is not.

"Authy Account" secrets, the ones created by the Authy API, used by Coinbase, Cloudflare, et cetera, are always stored remotely, and can be restored without-password to anyone with possession of your phone number and email account.

I wrote about this a little over here:

https://news.ycombinator.com/item?id=12603380

I did a similar thing except I converted the QR codes to unicode-art and saved them in a GPG encrypted file. It's probably not as safe as hardcopies in a safe, but it's more convenient (and it was fun reading QR codes out of a terminal window).

Authy makes me a little nervous (since it's closed source and I can't be sure exactly what they are doing), but at least they claim to encrypt the keys on the phone before they put them on their servers. They state on their site repeatedly that if you forget your encryption password the keys are gone and they can't do anything about it.

2FA requires a phone number (for google accounts)
It does not. I had TOTP 2FA only on my last work account and it was company policy not to add phone numbers for security reasons.
>Eventually, with the help of Google’s customer support and some ex-colleagues who still work at Google, Bob was able to get his account back.

I bet I know which one of these resources was more important.

I bet I know which one of those resources actually exists.
Google's Project Fi has great customer support. You can get someone via IM almost instantly and they also offer phone/email support. As a Fi customer, that would be my first stop if I was locked out.

Good luck if you aren't a paying customer though...

I pay for Google Drive, in part because it seemed like the closest I could get to paying for GMail, I don't suppose that counts...
>You can get someone via IM almost instantly and they also offer phone/email support. As a Fi customer, that would be my first stop if I was locked out.

if you were locked out of your phone (plan) & email, would you be able to contact them?

My wife is also a subscriber so I would still have access to support behind a login. Support staff are also quite active on the reddit site for Fi.
People give Google a lot of shit, but how about paying for service you want? If you do, you get http://imgur.com/a/Udvn6.
Okay, how do I pay for Google's search? 'cause Google keeps locking entire offices out of it because of "bot-like too high search volume". We're switching to Bing for months at a time.
I've also noticed that there's something very surprising about how Google has implemented their 2FA. When I log into Gmail from a new computer, it does not text me an authentication code and then lock me out of the account until I enter the code. Instead it lets me into my account immediately with only a password, and then sends my phone a notification that someone has logged in from a new computer. Ignoring this notification has no consequence for the logged-in computer. Convenient indeed, but this is really not how I expect 2FA to work, and does nothing to prevent an attacker from reading the contents of your emails or sending fraudulent emails with nothing but a password.
Uhh, are you sure? I've never seen it behave this way and that doesn't make sense. Can anyone else corroborate this?

Normally after you enter your password it immediately asks for the 2FA authentication code. There's only one button and that's to verify the code. If you try to go to gmail.com before entering that code it will make you start the entire authentication process over again.

That's not how Google 2FA works; you seem to have misconfigured something. When you actually have 2FA on (like I do), you must enter your one-time code after entering the correct password.
If I've misconfigured something, then it's news to me as to how. I've received 2FA texts from Google before, so I know that it used to work as expected, and I haven't been in my account settings for over a year. If something on my account has changed, then it's been out from under my feet without my understanding as to how.
I can confirm that that's what happens to your account when you dont have 2FA enabled. Can you double check your settings?
I'm on mobile right now, and I don't see a way to check 2FA status from within the Gmail app. I can confirm that I've had it set up correctly before, as I've received an authentication code from Google as recently as September 28.
You should be able to visit https://myaccount.google.com in a mobile browser to check your 2FA setting.
Aha, thanks, that does indeed say that 2FA is disabled. But I'm seriously baffled as to how it became disabled, as I absolutely enabled it previously and have been receiving 2FA verification codes via text since at least May 2015. Is there some way of accidentally disabling 2FA for Google accounts? I haven't gotten a new phone for years, and I've made no other changes to my Google account for as long.
> I'm curious [...] why Google doesn’t temporarily disable accounts so impacted until a human reviews activity.

Because Google doesn't have humans reviewing anything unless there's a direct link to marginal revenue/cost avoidance attached to that interaction that can be priced in. Their business model is to achieve scale through automation and machine learning; which means not doing things that would require manual intervention unless absolutely required.

Explicitly, this means that for free services like Gmail, humans aren't involved. Ever. Try getting support for a Google product and you'll see what I mean -- there's not even a phone number to call or an e-mail address unless it's a paid product (and even then, they've got a less-than-stellar reputation for support of paying customers).

This is why last weekend I moved to FastMail. I've filed two support tickets since, and both were responded to in an hour or two. For the trivial cost of half a Netflix subscription, the most vital thing I have on the Internet is supported by real people.

It's hard to justify Gmail these days other than the frustration of migrating off of it.

As a side perk, Australia has no equivalent to a National Security Letter, and FastMail is able to hence notify me of any government requests for access to my data.

> This is why last weekend I moved to FastMail. I've filed two support tickets since, and both were responded to in an hour or two.

Can absolutely confirm that.

However, there's place for both Gmail and FastMail. Just know what you pay and what you're entitled to get for that price.

For me the issue is transitioning from something like gmail to my own email. I've had the account for 12 years at this point.
I'm in a similar boat. I've used Gmail since its first year in operation. I started transitioning off it earlier this year, keeping it running as I've slowly migrated the vast number of web accounts that use my Gmail address as an ID, to use the new email address. With the benefit of hindsight I see that I should have registered my own domain and used that for all web registrations. Oh well. The final step will be to migrate my archive. I hope to be done by Christmas at which point I will strip all details from my account and then delete it.
Yeah, I procrastinated on this for years. What I did was:

- Created an email address at my own domain and forwarded it to Gmail.

- For the last year or so, started using it as my email address and changing accounts to use it as it came up.

- Signed up with FastMail and set up my domain's MX records to point to it.

- Still checking Gmail for stragglers to change over to my new address.

- Eventually will set Gmail addresses to forward, but didn't want to rush that so I remember to just make stuff not go to Gmail.

The hardest thing is getting used to folders again vs. labels. But FastMail has everything like filters and aliases and two-factor auth to an extent that... honestly makes Gmail look kinda basic.

The advanced features of Gmail were the most compelling reason to switch to it, but FastMail takes them a lot further.

Eventually will set Gmail addresses to forward, but didn't want to rush that so I remember to just make stuff not go to Gmail.

When I did this (from @gmail to @mydoman on google apps), I set up a filter to star/label anything forwarded from the old address, so I'd see an update was needed at the sending service/person. Perhaps the same could be done with FastMail.

It definitely can, but I feel that if I make it easy to automatically handle email on my old address at my new address, I'll get lazy about actually changing it. So I'll wait a bit to do that until most of my email is properly changed over.
For some people, email is not a big part of their lives, and it's probably fine to have a free service. But I'd argue almost anyone for whom email is a daily necessity, you should be paying for a certain quality of service. I mean, your email is the core of your online identity, and if it vanishes, such as the dozens of stories we've heard of Google terminating people's account without warning, it can be devastating to put everything back together.
> For some people, email is not a big part of their lives

Email is a big part of everyone's lives, who made an online account somewhere. Not to mention if they paired real identity and/or money to those accounts.

How is search in FastMail? And mobile clients?
I pair fastmail with postbox on mac, and search is terrific (because of postbox). Quite expensive though.

Also nothing as good on mobile. But fastmail search has been okay, I'm not too handicapped.

Search seems adequate for my needs. And it works great with any IMAP email client.

Actually the strangest thing I find amazing, is FastMail's endless scrolling being basically magical. I can scroll through over 2500 messages in a folder of mine, top to bottom, instantly. It's not paginating, it's not locking up at the bottom of the first 100 to stop and load more. It :just works: in their UI.

Hopefully NSLs will be eventually ruled unconstitutional in the U.S. also.
Not if we can't get past the he-said-she-said politics. People are voting for personalities over issues more than ever, and I don't see that trend reversing.

Dwayne Elizondo Mountain Dew Herbert Camacho 2020.

> As a side perk, Australia has no equivalent to a National Security Letter, and FastMail is able to hence notify me of any government requests for access to my data.

Unfortunately we've got something pretty close: ASIO can designate any of its activities to be part of a Special Intelligence Operation at will, which makes any disclosure of the operation or its components into a crime (10 years jail if it 'endangers' the operation).

http://www.abc.net.au/news/2014-10-14/journalists-face-jail-...

Interesting. Can other countries invoke it? Because I know the US can ask the Australian government for assistance, but I wonder if that assistance can qualify for being an SIO.
By all indications, use of this provision is extremely rare, nothing like the number of NSLs issued in the US. So it would be a big ask, but it could happen if the consequences of wide disclosure were 'extremely grave'.

For context, one of the motivating leaks was when there was a planned 5am counter terror raid, and someone in the state police leaked the who/what/where to a major newspaper, who had papers coming off the presses at 3am about people who hadn't been raided yet.

I get responses to my Google Apps support questions pretty quickly and I'm just using this for my personal family accounts, so I'm not paying them tons of money. I don't think it's really fair to say they should provide support for their free tier which hosts mail for a billion people and compare it to a service that hosts, what, maybe a million?
The problem is that the burden of responsibility Google carries for those accounts is huge. The amount of money, private information, treasured photos go over their systems... with no support?
> Because Google doesn't have humans reviewing anything unless there's a direct link to marginal revenue/cost avoidance attached to that interaction that can be priced in.

Google would obviously start losing money though if people perceived Gmail as easy to hack.

Right; so instead they've built their security model around assumptions that other companies' (namely telcos) account processes are secure. That way Google can say "it's not our fault; we can't do anything about it!"

It's called externalizing your costs, and Google is exceptionally good at it.

No one is perfect, but IMO when it comes to security, Google goes to great lengths to make stuff in the web secure, probably the most from all the bigcorps out there.

They are very aggressive about fixing TLS/SSL-related issues (finding and fixing vulnerabilities, deprecating old ciphers, promoting new stuff like cert pinning and HSTS, lowering SERPs in Google for non-https websites; they've also put in place means to detect and report fraudulent HTTPS certs, and many more).

Many of the top security researchers work for Google, and many of them even not on things directly related for Google's daily businesses.

If I'd have to say about some bigcorp that they don't care about security, Google would be the last on this list.

Google customer support is totally another pair of shoes though.

> Google customer support is totally another pair of shoes

Pair of shoes! Nice. I tend to say "why the face" a lot in our internal chat at work. Now I have another one (POS)

Also try "what the hat". Heard it from my 5 y.o. son.
just realized "another pair of shoes" is an idiom in my native tongue (in fact, it's "another pair of boots" to be precise)
> Right; so instead they've built their security model around assumptions that other companies' (namely telcos) account processes are secure. That way Google can say "it's not our fault; we can't do anything about it!"

No, they've built their model on the fact that for the vast majority of their users this will never be an issue. Maybe a celebrity, maybe an important target but the average user, never going to matter.

No, they've built their model on the fact that for the vast majority of their users this will never be an issue. Maybe a celebrity, maybe an important target but the average user, never going to be an issue.

Email is the gateway to almost everything else. It's used for account recovery as well as (wrongly) passwords and other sensitive information. Google Drive and docs would also be compromised.

It's actually a bigger issue that you would think.

I am not doubting that. I am just saying that the vast majority of people that use gmail will never have a case where someone wants what they have so much to go to the effort to social engineer their wireless company. Ntim but to mention that there is a bigger risk of getting your house broken into or a host of other things or identity theft. Plus this requires certain bad behavior and failure as well on the part of the phone company. [1] It's not clear how easy this would be for a normally determined hacker to pull it off.

[1] So we have two probabilities at work.

(comment deleted)
The alternative being ?
You know, you can see articles where people report social engineering attacks on Amazon customer service and extract a great deal of information from them.

Having a human involved is not necessarily a solution, can be another attack vector.

Nice binary logic there. It's an attack vector therefore it can't be a solution to customer problems. The issues here are orthogonal.
Just saying that, in this article telcos are the weakest link. In some other cases customer support has been the weakest link.
Isn't customer service the weakest link in both of those cases?
It's a great counterpoint because with a large staff you can never solve the human element. It's also corollary to the hacking approaches we see regularly employed: Send an exploit payload via email to everyone in the company and somebody is bound to open it. In fact in the security space they've moved away from even saying you can protect the front door and are more focused on detection and correction once an intrusion occurs.
Yeah, maybe human review is not the most scalable solution; if data analysis shows that certain patterns of behaviour are highly predictive of an account takeover, there are almost certainly product solutions for them.

I guess the real question is what the data actually show

How about "we'll review your request for $20". For recovery of email accounts and such Google could absolutely make a profit from that I feel and enable people to recover their accounts; they can surely scale a support system on that sort of funding.

Sure I can see problems with that. My initial feeling is people will thing that such support is a scam, but that at least shifts the position of Google from "we can do such support" to "we don't want people bad mouthing us so we're going to refuse to do that support even if it were prima facie profitable".

Like how I have more than enough information to get one of my old accounts back but their Automated Response Forms reject everything. Even the moderators on the gmail support forums rejected my claims as well and pretty much said "deal with it".
Same happens to me. I have the original creation email, my email is (was?) the backup email originally created. I know the date and time of creation of the account, and they still reject it.
If you don't have a recovery email address actively assigned, then you should be locked out.

That's what adding a recovery email is for: to deliberately weaken your account's security, in exchange for convenience.

If you disable recovery, then -- no surprise -- you won't be able to access your account if you lose access.

This post may seem unkind, but keep in mind that some people deliberately do not add recovery methods, in order to prevent secondary-takeover access; and that the above poster's request would fundamentally drastically weaken the security of those users.

Yeah, I can't get into two of my Gmail accounts even though I have all the information it asks for. It simply doesn't work. I just want to delete them too (not even sure if that is possible), because I refuse to use Google for anything now days.
>they've got a less-than-stellar reputation for support of paying customers

I've actually had surprisingly good support from the $150/month plan for their cloud products. They get back to me quickly and give good advice (with custom code samples when needed).

Same here; support on google cloud was stellar indeed.
+1

Have had multiple issues with Google Apps and GCloud over the years and very promptly received phone calls from support (that I didn't expect). I live in Fiji, and have a tiny small business account (~$30/m)

Out of curiosity, what are the residential and biz Internet connections like in Fiji? Low or limited/capped bandwidth?
Yep, I've had an email account with Google Apps in the past, which costs $5/month, and their customer support was amazingly and surprisingly good.

I just wish I could pay $5/month for my regular GMail account and be guaranteed the same level of support.

So I've heard, that it's difficult to get a human involved if you have a problem with Google's free products. The article says "Eventually, with the help of Google’s customer support and some ex-colleagues who still work at Google, Bob was able to get his account back." For the average person who doesn't have ex-colleagues who still work at Google, or who's name isn't Linus Torvalds, it will be far more difficult.
I keep hearing this, but here's my anecdote.

I signed up for AdWords a long time ago and created a test campaign just to see what it looks like, but never completed the process, so I didn't have a payment method entered.

Fast forward till start of this year, I created an AdMob account to put ads in one iOS game I have, and apparently as soon as I entered my credit card info, the old AdWords campaign started running and was taking $200/day. I noticed after two days and immediately stopped it and contacted support. They quickly got back to me, a person called me and explained that the issue was an error from their side, and they refunded me the amount. It took three weeks for the refund to occur, and during that time the guy called me at least once per week to keep me in the loop. I was surprised with this after all I've heard about Google's support. But I guess that's just one data point in the pool.

AdWords is "different" because if your account has an issue, they aren't getting lots of your money. So their support is actually pretty good with AdWords. The rest of their services, the support is pretty bad (such as Google Apps), and their free services may as well have zero support.
My anecdote: I was brought in to help with an AdWords campaign for an ecommerce site. I did some keyword research, ran some small campaigns to get some CTR and conversion metrics, then kicked off a bigger campain, pruning keywords as needed to ensure CTR stayed up and we didn't get a low CTR slap on the account which results in CPC skyrocketing. It was chugging along at a pretty good ROI. At that point I turned it over to the person who is named as the contact on the account with instructions on how to keep it running. A couple days later they got a call from someone at Adwords offering to "help", and they recommended turning on display ads. A few days of that and the CTR had plummeted, CPC prices had skyrocketed, and ROI tanked and the account was ruined - couldn't get a decent CPC due to the CTR hole that had been dug.

Thanks Adwords support.

CTR = click-through rate, CPC = cost per click
Adwords is the only Google product to have dedicated support staff… and they're working on commission. Of course they're going to haunt you until the end of the world.
This is my #1 biggest gripe with Google as a company. if you have a serious problem that needs immediate attention... oh well! Too bad. You have to personally know someone that works at google, or post a really long article on HN to get whatever it is fixed.
You're a product, not the customer. How well do we treat most livestock?

I recently realized Windows 10 is going the same way and unfortunately it's much harder to not use your OS than Google or FB, and impacts your ability to use other purchased software.

> it's much harder to not use your OS than Google or FB

I think the exact opposite. Using Linux instead of windows 10 is easy. But not using any google service can be pretty difficult. Good news, there are some initiative to "ungoogle" the internet, such as Framasoft.

What particular google services do you rely on that can't be replaced? I'm using fastmail for mail & calendar services, duckduckgo for search, firefox instead of chrome, sync rather than google drive.
I've had terrible experiences with duckduckgo. I really want to switch, but I've never been able to justify the costs. Every now and then I give it a shot but the results from DuckDuckGo just aren't there. Sometimes they aren't even in the ballpark of what I'm looking for, while Google nails it - what I want specifically is in the top 3, and the whole rest of the first page is related.

I don't know if this is because Google and DuckDuckGo require different phrasing of terms to do well and I'm just highly adapted to Google, or if it's something I can't help.

I'd suggest trying Qwant as well. Just remember, the way Google can give such good results is that they mine your life.
Just use !g, it's not perfect but it's fast.
Doesn't that just redirect you to Google's search results (encrypted.google.com), and thus makes the point of using DuckDuckGo in the first place unnecessary?
Try startpage.com, it searches Google anonymously so Google can't build a profile about you and place you in a search bubble.
I have a domain and a paid-for email hosting service that I use for my personal email. When I tell people this I often get looks of incredulity: Pay money?! Why not just use google? I must be mad!

My response is that I do not want an advertising company to handle my most personal correspondence. In my mind it really is that simple.

> So I've heard, that it's difficult to get a human involved if you have a problem with Google's free products.

Nobody claims it's difficult; it's impossible via official channels. You have to make a scene on Twitter, so obviously if you value your time and reputation you just switch providers instead of being "one of those people".

Yea, I've had a google voice number that I have used sporadically for my business for a few years and suddenly my account was just banned without any obvious reason. It was obvious to me that it was some bot gone wild on their end and was clearly a mistake. I tried contacting Google about it for months with no response. It was a number I actually needed for something important but was never able to recover it. I would have happily paid a monthly fee for the service if it meant I could at least get a response from a support email (ironically there's no number for google voice support). I even tried pleading with my adwords manager where I was spending a ton of money every month and she said she didn't known how to help.
Ug, that pretty much terrifies me. I have a google voice number that I've used (for free) since it was Grand Central, and rely on it pretty heavily.

Anybvody else seeing GV random revokes? I wonder what would happen if I tried a port-out for this number.

This right here is the quicksand you stand on with Google's free products. Starts out pretty innocuous. Hey, check out this cool new free phone product called Google Voice. You check it out, it's cool, don't really know how it might be useful but you play around with it and maybe use it for a side project or as a toy. Eventually, maybe years later, you find it may be very useful to your business. Great! You roll it out, slowly more and more things depend on it as you incorporate it more deeply into your services. Then suddenly, like a turkey on Thanksgiving Day, you're permanently cut off from your account without warning and without recourse. Now you're in a state worse off than had you never signed up for the service to begin with.
Google Voice numbers can be ported to Project-Fi. Porting to another carrier would almost certainly be more successful from that service.
This is why I won't rely on Google Voice for anything important - if they won't make it a paid service with some additional features, that means it's a cost center that could go away at any time.

Heck, I'd happily pay for Google Voice with the addition of fax capabilities (even if it was receive-only), particularly since my online faxing service was bought out by eFax (feh) and at the next renewal will jack up from $15/year to $85/year (bye!). I'd happily pay multiples of how much I was previously paying to be an actual /customer/ who gets that kind of services.

> if they won't make it a paid service with some additional features, that means it's a cost center that could go away at any time

Project Fi is a paid version of Google Voice with additional features. I doubt Voice will go away before Fi does.

Facebook is the same way - support, even when you do pay for something like ads - is nonexistent.
If I permanently lost access to my facebook account I'd probably be mildly relieved that I'm finally done with it. My google account though, I'd be in panic mode.
Interestingly, one of the features announced for the new Google Pixel phone is some kind of free live support, though they didn't say which Google products are covered. It is an expensive phone but if the support includes help with other consumer cloud products it might be worth the price of admission.
(comment deleted)
How did Verizon move his services to an iPhone 4? Does it mean the attacker had physical access to his phone?
call them up and say you bought a new phone. Give them unique serial number of the phone and tell them to transfer service to it.
No, they just change in their system the IMEI or ESN that phone number is registered to so all incoming calls and texts start going to the phone the attacker owns. It's just social engineering where you pretend to be the customer and tell them you need to transfer your number to a new phone.
This doesn't even take into account how inherently insecure are actual mobile networks. Human factor notwithstanding.

Using GSM? Your recovery code is sent essentially plaintext over the air.

Think you're not using GSM? I'll just follow you around until you are (say, if you go out of town).

Since I'm already following you around, maybe I'll just jam your 3G/4G for a minute. Save us the waiting around.

Disabling 2G on your phone is a shitty solution. I want to be able to receive calls/SMS even if it's insecure.

TL;DR:

My account -> Sign-in and security -> Signing in to google -> Account recovery options -> Recovery phone -> Remove number

By the time I have you (or anyone else) following me around to hack me, I've got way bigger problems than loosing my Gmail account.
I don't know.

I can imagine you saying the same thing about the case in OPs article.

The attack was targeted. The attacker knew your name, phone number and email address. The attacker went through some real effort to hack you (SEing reps, buying SIMs, burner iPhone, taking some risk).

How much further do you think they were willing to go? Not enough for a $200 plane ticket?

You have a problem the moment someone capable has targeted you. For the attacker, is just a matter of choosing the easiest attack vector. Today it was Verizon reps. Tomorrow it may get a bit more difficult.

What are the security implications of using my google voice number as a backup phone number to my google account (the same account)? I've been doing this for a few years, and its been very convenient. Basically, any time I need to log in with a new browser or device, using the number for two factor SMS gives me codes on all other logged in gmail windows, and on my phone.
I do this too, but it's circular. So there is a pretty significant risk of getting locked out entirely if your authentication tokens for your Google account expire on all devices at the same time.

Yes, that's unlikely. But if it happens, we're screwed.

A better option would probably be to set up two Google accounts with two Google Voice numbers and use them to cross-validate each other. I think I'll go do that now.

Kind of related, but any Googlers here? Can you please make Google send notifications whenever someone tries to log in to an account and is required to do anything other than typing in their username/password? I REALLY should know when someone is trying to respond to a 2FA prompt or answer my security questions or use SMS or email to reset my password... it's ridiculous that these don't all result in emails right now.
I work at Google (I don't work on this stuff though, so I'm basically just another random commenter.)

We do send an email when you log in from a new device. What would you do if you got an email about failed attempts to login / reset password?

I get notifications about that from Facebook sometimes. It is a bit unnerving to hear that someone is attempting to repeatedly log in with my email address, but it certainly prompts me to make sure my accounts are locked down well.
Do you have an email address that may be similar to others?

My work recently implemented a login process for customers and it was surprising how many user errors we had related to names/emails that were similar (so bob@gmail.com vs nob@gmail.com etc - these were not the actual addresses but you get the idea).

> login

> emails

There's your problem. If autocomplete didn't exist I'd go nuts having to type my email address, and clearly those people don't have autocomplete or they wouldn't be making mistakes. Just use usernames.

Unfortunately that was a management decision rather than technical decision!
Then nobody remembers their user name, I don't remember any of mine. If I didn't have LastPass I'd be password resetting on every financial account I have.
> We do send an email when you log in from a new device.

AFTER login? or before? I need to know when someone is trying to attack me, not when they've already succeeded. Otherwise what's the point? At least if I know beforehand that someone knows my password but failed OTP check then I can change my password, right? Why does Google not tell me when this happens? It's like common sense...

On the Internet? You'll get alerts that people are trying to hack you every single day. There are whole botnets that go around just trying to authenticate to everything everywhere using usernames sniffed from other hacks and every password under the sun.
I doubt they attack every single account every single day. At that point google should just ban the IPs doing that. Or at least turn of notifications for those IPs.

Anyway excessive notifications are a solved problem. You can limit the notifications to one every month, and you can allow the user to disable them. But I would certainly like to know if someone tried to login to my account, and I think it would make regular users more security conscious.

+1 same. Rssponses like the one you just replied to completely drive me nuts. If you don't think it'll be useful for me then let me disable it. Don't use it as an excuse.
In the last week my host has blocked 173 different IPs for attempting to guess passwords on SSH. And I don't even have psasword authentication enabled on SSH.

And this is on a nothing host. Almost completely anonymous and yet under constant attack.

Did you even read my comment? The most important scenario I just referred to was AFTER the password is typed correctly. Not before. I'm pretty damn sure botnets aren't going around entering my password correctly.
> We do send an email when you log in from a new device.

Which is useless, because whoever got access can just delete it or change your password.

They send emails to the alternate account.
Which is very nice as a family member who is the recovery contact for many other family members. Wish this shit could be turned off, I've never heard it help anyone (though I'm sure we can find a stranger on the internet who can testify how useful it was for them).
Use rules and labels to bypass your inbox. I use it in the same manner as you and it has come useful to recover their passwords.
> We do send an email when you log in from a new device.

Which is a non-optional pain in the butt if you don't store cookies. Every login is a new device. Twitter does the same, I got so tired of cleaning up my inbox that I rarely log in anymore without a good reason. (I already didn't log into Google without good reason so that didn't change.)

Why wouldn't you store cookies?
From the biggest ad network in the world? The real question is: why do you?!
So that I get ads for microcontrollers, FPGAs, and PLL synthesizer chips, and not fishing supplies, groceries, or feminine hygiene products.
As a Project FI user, not an option unfortunately.
Yet one would suspect that Google, being both your telecom provider AND your email provider, would be less vulnerable to social engineering targeting one of their two services by means of the other.
Huh. I wonder if the author had seen this video https://m.youtube.com/watch?v=Q00OZ_Xk24w which describes a similar story and recommends a solution based on the same factors (2FA on a number no one knows under a fake name).

But anyway I don't understand why he thinks it's some kind of shocker that this makes it less secure. It's another access method. Recovery options are obviously attack vectors.

Does anyone know anything about the security with regard to using other providers (e.g. twilio or google voice) as a recovery number?

Let's say my recovery number is actually a google voice number that's connected to a separate google account, but not forwarded to my actual cellphone (i.e., I'd have to login to my other google account to view the recovery code). Thoughts?

The specific flaw exposed in this story is not exploitable with providers like Twilio and Google Voice, because they don't assign phone numbers to devices with SIM cards.

Verizon is the bad guy here, since they agreed to re-route SMS traffic from the account holder's device to a new device without properly confirming that the request was coming from the account holder.

Technically there's nothing stopping a motivated attacker from attempting the same social engineering attack against a Twilio or Google Voice number, but getting those providers to re-route SMS isn't as simple as just calling and saying "my iPhone broke, I need you to assign my number to my new phone" like you can with Verizon.

The attacker would need to know some particulars of the SMS routing protocols of Twilio and Google Voice to achieve a similar result.

> This pattern seems like something security software should be able to detect: a password reset with incomplete information, followed immediately by a change in recovery email, name, and two-factor-auth settings, coupled with a “my account has been compromised” help request is highly suspicious.

This series of events could easily occur in legitimate cases. Say you lose or destroy your cellphone. Since you only ever logged in via your phone you don't know the password. Your recovery email was attached to a service you don't use because you normally use gmail. I'm not saying this scenario is a good idea just that it's probably quite common.

As a software developer I often hear from well meaning users that are appalled that software didn't do-the-right-thing in some complex scenario that appears to have an obvious solution because the desired outcome in obvious. In reality, handling the corner cases is complex. Adding these obvious solutions to the code easily leads to even worse situations.

Yeah, I could believe that it would create too many false positives and in retrospect things do often seem easy.

Google and other service providers do have data to evaluate the benefit and cost of making decisions based on patterns, and they probably do.

But the benefits are to them and the costs are to us =P

That said, I have no idea how to do account recovery if you cannot trust the phone number.

At the very least, any change to the email address should send out an email to the old address stating "If you didn't make this change, click on this link to have your account frozen until you do a password reset."

It's silly to depend on an email for authentication, then allow the hacker to just delete the email address before they change the password. Giving the old address the right of first refusal defeats that kind of attack and should be dead simple to implement since the framework was already laid down for the "verify your email" step during setup.

Not sure but I think I have seen hotmail/live do this?
> This series of events could easily occur in legitimate cases.

I don't think so. Why, in your scenario, would they file a help request saying the account had been compromised? They might file a request with some other content, but not that.

Your general point is valid, but I think the OP has probably figured out a set of features from which one could pretty reliably tell that something was amiss. And all he's suggesting is that such cases get bounced up to a human.

If you lock the account because someone filled a help request claiming the account was compromised, then hackers could use this as a DOS.
..received a help request, along with all the other events (changed password, changed recovery email, changed phone number). Not just the help request.
Two factor auth using SMS us increasingly becoming a risky option. For not I have it on my personal accounts, but I'm considering changing over to Google Authenticator.
i always failed to see why adding a phone number would be somehow more secure. However, i also knew this kind of attack was somewhat common for German online banking accounts using SMS TAN because service providers were easily convinced to send a new (second) sim card to a new address they would never heard of before.
I always thought Google was trying to tie your gmail account back to a cell phone number so they could help end anonymity on the Internet. Or else give the information to the NSA or something. I'm trusting Google less and less these days.

At the very least, Google should not have come out in favor of a particular Presidential candidate. Corporations have become incredibly powerful entities, able to affect the lives of all their employees and many others. If they can't wield this power ethically, they need to be shut down or we risk suffering under fascism.

Don't understand the downvotes. Thought this was widely acknowledged.
It's widely acknowledged by the paranoid. The reason why so many services started requiring a phone number at signup is that it's an extremely effective anti-spam technique. Of course, the paranoid people aren't necessarily wrong either.
Recently my wife, without any identification, went to Tmobile and was able to have my account automatically canceled and added to a new joint family account.

She went with my knowledge, but TMobile never called to confirm.

After which my phone no longer had service, and I had to install a new sim card prior.

While she did this with my knowledge, I no longer have access to make changes to the account, until she adds me to the list of authorized people, and I lost all my voice mail.

It's very disturbing that she could do this, without any sort of checks and authorization.

Also, FWIW, my wife and I do not share a last name, and she did not provide anything other than my phone number to TMobile. She was a new Tmobile customer, and I was an existing customer, albeit on a very cheap pre-paid plan.

Yeah, a couple of years back, I went to a t-mobile store (I think it was on Broadway and Park Pl) to get a new SIM card; I'd lost it in Europe when I was on holiday. They gave me a new SIM card and let me pay cash without even checking my ID…
My mum had something similar happen with Verizon albeit as an act of fraud against her account. Her phone was working one day then mysteriously stopped working the next. She didn't think much of it, but as a matter of happenstance had picked up her bill a couple of days later to find that someone had managed to attach a new phone to her account (under a new contract no less!). According to the fraud rep, the switch took place in a Target nearby and was likely done without any identification other than the phone number. Eerily similar.
It's frightening how easy this is. Here's another example:

http://www.businessinsider.com/hacker-social-engineer-2016-2

Out of curiosity, if this is done with the consent of the person whose account you're hacking (as in this example), is it illegal (considering that the corporation is also a party here)? More generally, in what circumstances can you lie on the phone about your identity without committing a crime?
Was there a documented and confirmed link through your banking details, like did she have the credit card that you paid for the sim with, or was she named on a joint bank account associated with your phone account?

I don't doubt that a telecom would do such a thing as you describe but have some hope that you're just not seeing the back end confirmation?

Nope.

I paid for my t-mobile through my personal account.

I would have hoped they would have at least called the number and get confirmation first, prior to switching things over.

Similar thing i experienced with Rogers Wireless in Canada recently.

wife and I had separate accounts. i logged in with her account to the rogers account site and added my phone number to her account with a few basic details that are on every statement sent in the mail....

I had a joint account with my wife as a owner.

then my work had a corp plan with rogers, so wanted to switch to that, but since I am the employee, i had to be the account owner.

this isnt actually so simple.

they had to create a net new account with me as owner. and re-assign the phone numbers to the new account.

when i called in to their account support line, they asked for my 4 digit PIN. I said i have no idea what it is, the guy in the store just punched some numbers in when he setup the account and never told me.

they were okay with that and proceeded to ask me some details that are on my mailed statements....

Then they said they needed the account holders permission. --i was at work, my wife was out of town, i didnt feel like bothering her.

i said "hold on one minute, just let me get her". i put the phone on mute for 30 seconds. unmuted and changed my voice slightly "Hello? Yes i am fine with my husband taking ownership and transfering the numbers"

"she" then passed the phone back to me and the rep proceeded with the transfer.

I used to work in telco (in another country) and it's a difficult line to tread. 95% of customers have no idea what their 4 digit PIN was so you have to identify them other ways, and not being able to access their account is the kind of thing that pisses even legitimate customers off (which is why it's so easy to take advantage of).

Our company's policy was "if they don't know the PIN you have to connect them to the call centre and have them verify for you" but customers are rarely impressed to be handed a phone to the overseas call centre.

I know I got it wrong at least once.

Is anyone aware of repots on the comparative level of security of the various cell providers? I'd be interested to know how providers in various tiers of scale like US Cellular compare to TMobile and Sprint compare to Verizon and AT&T.
I recently had to regain account access to an employee's company provided phone on T-mobile after misplacing the password and PIN. If you know the phone number and can guess one of the numbers they recently called, you're in.
The phone companies have horribly bad security practice. I once had a phone number taken over by someone. When asked, the phone company just said, oh, someone called in and wanted to take over the billing of the account, so we let him. WTF.
>Eventually, with the help of Google’s customer support

That he was able to contact someone at customer support for his Gmail account was the most amazing thing in this article!

> and some ex-colleagues who still work at Google,

:( That's why

SIM swap fraud has been common in South Africa for years, and bank accounts were being cleaned out before the cell networks tightened their procedures. Yet I've started to see reports of similar scams in the developed world.

I'm surprised that anyone is surprised by this. Perhaps the time has come for a more global approach to security.