Ask HN: Is Google security really this stupid?

13 points by swah ↗ HN
This was very surprising to me - its not my main account, which has 2-factor security for a long time, but a 6 character, alternative email, from 2006. Those you created to sign up on dubious websites. I'm from Brazil and mostly use english. I never went to Vietnam.

I just woke up with a bunch of emails from Google saying that (I only received because that account still had forwarding to my main address):

- New chrome sign in from Vietnam

- Your password changed

- Your security question was deleted

- Your recovery email address changed

- "Lansiran keamanan untuk akun Google yang tertaut" (suspicious activity)

So, probably this guy got my password from an unsafe website (I'm not even sure about the password as I only used as a forwarding email to my main email).

What really surprised me is that:

- all recovery is based on things the attacker already changed

- Google, a company that makes self driving cars, seems to use zero AI to detect fraudulent behavior? They don't even seem to consider the variable "time" to recover the account? Come on guys, I'd have to use my security email from before the time I was hacked, not the current one! Don't you have a list of my last security emails?

- Google has my every location since I had an Android phone (almost 10 years?), Google knows where I live and work. Google parses emails from airlines for a few years now - I really expect they to use this information if my main account ever is hacked, eg, "this guy didn't buy a ticket and is logging from Vietnam now?"

- You can't prove that an account is yours by alternative methods such as:

a) I have thousands of emails from the hacked account in my main account. Just ask me to list one of those.

b) My main account is/was a forwarding address for the hacked account !!1!

- Also you can't really fill a simple form, to say that the account was hacked. The account recovery just ends in "Could not verify this was your email".

Of course, I don't care about that Google account - I only worry that its an entry point for hacking another services that are important. I'm a little scared that now he is the only person (other than Google) that knows that "fake account" and my main account are the same person.

Anyway, very frustrating. If this was on my main email, and it was a money grabbing scam, I'd probably be tempted to pay it, because otherwise I would be utterly f*ed.

8 comments

[ 4.1 ms ] story [ 25.8 ms ] thread
Compared to other web business Google takes security seriously. You might want to report this to their bounty program for a possible reward. Now that Google has linked accounts through their services, losing an account without being able to recover it is really bad, as the attacker would gain full access to adwords, statistics, payments, cloud api's, google search history, etc, and any other service that use the Google account, or the gmail email for password recovery.
> I have thousands of emails from the hacked account in my main account. Just ask me to list one of those.

Wait, so you're expecting Google to implement a broad security policy where any recipient could claim the sender's email account by just listing the subject/contents of the emails they've previously exchanged?

If any of your suggestions were implemented and became part of Gmail's security policy, what are the chances that the attacker who (a) knew your password, (b) knew the answer to your security question, (c) went through the process of changing both, (d) switched the recovery email address (in other words, kinda knew what he was doing and seemed to have an experience with things of this nature) would competely and utterly forget to (f) send himself a bunch of emails, (g) set up the compromised email account as a forwarding address for an account of his?

I believe they do resort to additional verification methods if the location is suspicious, but in your case in absense of 2fa the only additional verification method seemed to be the security question. How secure was it? Are you sure the attacker didn't compromise your original recovery email account?

Not the subjects - maybe they could run a comparison for the two accounts? They would see matching emails from 2006 up to 2014.
And if the subsets don't fully match because some of the emails were deleted either by the user or Gmail's own email retention policy? Or they match for some periods of time but not the others?
I agree that security method a) seems useless, but b) is still good if you take time into account. You know when the account was 'secure' and the forwarding address that was setup can be considered a safe way to recover the password if the user opts in on that (there is surely some use cases for the forward that I'm not thinking about).
> I have thousands of emails from the hacked account in my main account. Just ask me to list one of those.

How would you list it? Subject line? Would I have to match the text exactly? Because I couldn't do that, but the attacker who sent me a nice email as part of the attack probably could.

You chose to reuse the password and not enable 2FA. That's "fine" if you don't care about the account, however if you _really_ didn't care about the account you wouldn't be posting this, correct?

> Come on guys, I'd have to use my security email from before the time I was hacked, not the current one!

This comes back to the question of how to differentiate between legitimate and illegitimate use. What if your recovery email address was compromised and you changed it, should it still be possible to use the old compromised recovery email address for recovery?

> Google, a company that makes self driving cars, seems to use zero AI to detect fraudulent behavior?

Google seems to ask me for my 2FA whenever my login seems odd (another place, another computer, ...) and emails me about the new sign-in just as it did for you. What would you want them to do when they detect fraudulent behaviour?

If Google were to use AI to somehow block user sign-ins their support, if it exists, would be flooded due to edge cases.

> That's "fine" if you don't care about the account, however if you _really_ didn't care about the account you wouldn't be posting this, correct?

Yes, I'm more worried because its so ancient that I don't remember what it is connected to (in the sense of having information that facilitates a hack).

In the first years of Gmail I made a lot of fun accounts, that I have since forgotten about...

> What if your recovery email address was compromised and you changed it, should it still be possible to use the old compromised recovery email address for recovery?

Good point, had not considered that..