Ask HN: Is Google security really this stupid?
I just woke up with a bunch of emails from Google saying that (I only received because that account still had forwarding to my main address):
- New chrome sign in from Vietnam
- Your password changed
- Your security question was deleted
- Your recovery email address changed
- "Lansiran keamanan untuk akun Google yang tertaut" (suspicious activity)
So, probably this guy got my password from an unsafe website (I'm not even sure about the password as I only used as a forwarding email to my main email).
What really surprised me is that:
- all recovery is based on things the attacker already changed
- Google, a company that makes self driving cars, seems to use zero AI to detect fraudulent behavior? They don't even seem to consider the variable "time" to recover the account? Come on guys, I'd have to use my security email from before the time I was hacked, not the current one! Don't you have a list of my last security emails?
- Google has my every location since I had an Android phone (almost 10 years?), Google knows where I live and work. Google parses emails from airlines for a few years now - I really expect they to use this information if my main account ever is hacked, eg, "this guy didn't buy a ticket and is logging from Vietnam now?"
- You can't prove that an account is yours by alternative methods such as:
a) I have thousands of emails from the hacked account in my main account. Just ask me to list one of those.
b) My main account is/was a forwarding address for the hacked account !!1!
- Also you can't really fill a simple form, to say that the account was hacked. The account recovery just ends in "Could not verify this was your email".
Of course, I don't care about that Google account - I only worry that its an entry point for hacking another services that are important. I'm a little scared that now he is the only person (other than Google) that knows that "fake account" and my main account are the same person.
Anyway, very frustrating. If this was on my main email, and it was a money grabbing scam, I'd probably be tempted to pay it, because otherwise I would be utterly f*ed.
8 comments
[ 4.1 ms ] story [ 25.8 ms ] threadWait, so you're expecting Google to implement a broad security policy where any recipient could claim the sender's email account by just listing the subject/contents of the emails they've previously exchanged?
If any of your suggestions were implemented and became part of Gmail's security policy, what are the chances that the attacker who (a) knew your password, (b) knew the answer to your security question, (c) went through the process of changing both, (d) switched the recovery email address (in other words, kinda knew what he was doing and seemed to have an experience with things of this nature) would competely and utterly forget to (f) send himself a bunch of emails, (g) set up the compromised email account as a forwarding address for an account of his?
I believe they do resort to additional verification methods if the location is suspicious, but in your case in absense of 2fa the only additional verification method seemed to be the security question. How secure was it? Are you sure the attacker didn't compromise your original recovery email account?
How would you list it? Subject line? Would I have to match the text exactly? Because I couldn't do that, but the attacker who sent me a nice email as part of the attack probably could.
> Come on guys, I'd have to use my security email from before the time I was hacked, not the current one!
This comes back to the question of how to differentiate between legitimate and illegitimate use. What if your recovery email address was compromised and you changed it, should it still be possible to use the old compromised recovery email address for recovery?
> Google, a company that makes self driving cars, seems to use zero AI to detect fraudulent behavior?
Google seems to ask me for my 2FA whenever my login seems odd (another place, another computer, ...) and emails me about the new sign-in just as it did for you. What would you want them to do when they detect fraudulent behaviour?
If Google were to use AI to somehow block user sign-ins their support, if it exists, would be flooded due to edge cases.
Yes, I'm more worried because its so ancient that I don't remember what it is connected to (in the sense of having information that facilitates a hack).
In the first years of Gmail I made a lot of fun accounts, that I have since forgotten about...
> What if your recovery email address was compromised and you changed it, should it still be possible to use the old compromised recovery email address for recovery?
Good point, had not considered that..