Tell HN: Google requiring phone number to log into Chromebook
Long story short: bought a couple of Chromebooks over the years (as they're nice multi user machines), created Google accounts on each but never gave a phone number. Now after years of use, Google pops up an "unrecognized device" roadblock AFTER I enter the password to log in, with the message "enter a phone number to get a text message with a verification code".
There is no mention of suspicious activity. The only trigger I can think of is a recent modem reset that changed my Public IP, and my new IP doesn't appear to resolve to my old physical location in Google's geoip db.
Am I crazy or does this seem like an extremely cynical attempt to get more phone numbers? I don't even understand how giving them my phone number proves anything as I definitely did not ever give them one previously.
Unfortunately burner phones are not available in my country, so that's not an option.
201 comments
[ 2.9 ms ] story [ 253 ms ] threadand such services are usually blacklisted
Was time to get rid of this pos.
One of the reasons I use Linux on my MacBook.
https://news.ycombinator.com/newsguidelines.html
Off-topic, out of curiosity: what distro are you running on the MacBook, and how's that going?
When it asks if you have an Apple ID (which can be any email address) there is a skip button in very plain language on a very uncluttered screen where it is very easy to read.
And no, it never asks for a phone number. You are free to add one later though if you choose. But the OS doesn’t want it or use it...
The only place I can think of where you can put in your phone number is the Messages app, which is not even part of the OS.
You would do this on your own initiative by the way, not requested by the app or by the OS. Putting your number into that allows SMS messages to appear on your computer.
Not to mention that I created both a custom question and answer with randomly generated strings that couldn't possibly have been known by anyone else, which they confirmed as correct during the lockout and still are demanding a phone number to 'verify'. I mean, really now, how on earth would giving any random phone number further verify I'm the account holder when I already know the correct randomly generated password, secret question and secret answer.
Gmail has similarly locked out various accounts with this despite no actual suspicious activity and having a completely unique password. It's a transparent effort by all these companies to gather more user details.
It is a trap. Register a new account and it will be locked in a few days. It started at the beginning of this year before Putin's "election". Pretty much all Russian websites that bend over to Kremlin are requiring a phone number and real name now.
I'd also like to understand how this is possibly useful?
In my case I was travelling, so had no option but to enter the number of the nearest available random person willing to lend me a phone for the purpose, with no idea what it would be used for.
It is cynical to suggest it's to boost their network of connected phone numbers, but I can't think of a better explanation?
Adding it to existing accounts, though, makes less sense to me. Retroactively checking that an active account can cost proof seems like the most intrusive way of doing this, particularly as part of OS login - at this point you have so many signals that you should already be able to detect the user is a spammer or not.
If anything I think it's the opposite --- dedicated spammers have shown they can farm resources like accounts of various types, so phone numbers aren't out of their reach. It's the casual users who don't want to give away their phone numbers or setup a throwaway one which will be turned away.
They're doing it on Chromebooks because you're using Google's services. A Chromebook is just a Google Cloud Computer; users aren't expected to use one without using Google's services too.
Nope you are not crazy at all, that's exactly what they are doing. It's the same pattern in practice of online banks that are demanding you give them an SMS capable phone, it's so that they can in the backchannel identify you through AT&T, which is really teh corporate face of the NSA (don't argue with me, 33 thomas st. nyc), and the implications there is that they have many things tied together in fusion centers so they can use something like palantir to instantly profile you when you put in that number and it draws in via their backchannel apis your bank accounts into a single view along with your other information, like medical, civic, etc that's literally what fusion centers do. It's all hooked up for THEIR convenience, and its all keyed off now on google's gaia_id. They tether your phone number(s) to gaia_id and voila all these data sources get drawn in....it's all about the convenience to the five eyes/nato people to force you to use their free sandwich stuff and get everyone tied into the central hub of services that is google
So I agree with others: don't use a chromebook. I have an older friend who needed a laptop for work and I made the mistake of getting a chromebook. The f*cking thing didn't do TKIP correctly in WPA2 so it didn't work with my wifi without making major changes to security in a tactical frustration that made ME look like I didn't know what I was doing
It was a G d nightmare, but needless to say I will NEVER use a chromebook again, esp after hearing your issue with the phone
Just get a refurb lenovo from tigertits or newegg and put linux mint debian edition with xfce on it. The end
Whats your "stack"? are you running linux and avoiding google services entirely - or using and mitigating their tracking?
FYI, no you do not have to.
> You are not required to have a social security number to open a checking or savings account.
Source: https://www.consumerfinance.gov/ask-cfpb/can-i-get-a-checkin...
Its a fact and works exactly as he described.
Also the term conspiracy theory was created and popularized by the CIA as a function to install into the general population as a protection mechanism against their own true and active operations, which as stated, are treasonous to America and American citizens.
A useful tool for you might be to become self aware of your use of the term “conspiracy theory” and whenever you find yourself reaching for it as a knife, to instead reflect on the issue and to genuinely and independently compile a response to the topic at hand using basic logic, reason, and available known prior actions of the organizations that would profit from discrediting the topic.
Good luck.
This is not true. The term is older, dating back to at least 1870, and was used then much in the way it is now [1]. The idea that it was coined by the CIA is an urban legend.
[1] https://www.csicop.org/specialarticles/show/nope_it_was_alwa...
I'm not sure if your Google account is tied to a Gmail address (it doesn't necessarily have to be), but I would advise anyone who uses (or must use) Google's services to use an email address from another provider so that if you lose access to the Google account, your email also doesn't disappear with it. Further, disentangling oneself from such providers and going with those whose business depends on your monetary support may be a better choice (where feasible). I also get that these suggestions may sound absolutely ridiculous.
[1] https://github.com/dnschneid/crouton
[1] - https://wiki.galliumos.org/Hardware_Compatibility
Imagine those teens at school, that bought Chromebooks because they were more affordable, and now getting pried on like this.. :-( It is this generation that is going to lose the idea of privacy and suffer from these piece of shit corporations.
It's almost like watching a movie.
That's apart from what other posters explained. That in a lot of countries you can't just get a sim from a kiosk, or a vending machine without proper identification.
They’re on most of the phones in the world, and have access to all the billing records associated with your phone number, as they’re a cell phone service provider. They’re asking folks who they think might be abusing the service for this information, so they identify themselves in a way that Google can report to law enforcement.
The idea they’d need you to tell them this information so they could use it is kind of laughable.
This is an anti-spam and anti-abuse requirement, not because they need you to tell them your phone number.
Any means of backing up that statment? Specifically, why are anti-spam measures needed to access a device?
They’re on most of the phones in the world
So what? A lot of people, myself included, will never, ever use an Android device. Especially since they don't trust Google one yota not to completely violate their privacy. In terms of the discussion this is a red herring.
and have access to all the billing records associated with your phone number, as they’re a cell phone service provider.
It's here, where your comment gets outright ludicrous. From [1]
When the mobile device is turned on or is transferred via a handover to the network, this new "visited" network sees the device, notices that it is not registered with its own system, and attempts to identify its home network. If there is no roaming agreement between the two networks, maintenance of service is impossible, and service is denied by the visited network.
The visited network contacts the home network and requests service information (including whether or not the mobile should be allowed to roam) about the roaming device using the IMSI number.
If successful, the visited network begins to maintain a temporary subscriber record for the device. Likewise, the home network updates its information to indicate that the cell phone is on the host network so that any information sent to that device can be correctly routed.
There is NO, whatsoever exchange of subscriber information, safe for service information required for billing. Pretending that "Google can associate billing records with your number" doesn't pass the smell test.
The idea they’d need you to tell them this information so they could use it is kind of laughable.
The idea that the ilks of Google, Facbook and all those dodgy add tech brothers and sisters would not abuse any means possible to violate your privacy is laughable.
[1] https://en.wikipedia.org/wiki/Roaming
How about to law enforcement?
When it's available electronically, everything changes
Which is why Google is asking for a phone number here, they think the account is likely abusing a service, and they want to identify who is using it.
Those students are being tracked regardless of whether they provided their mobile phone number. ChromeOS is an entire operating system that tracks you from the moment you sign-in with your Google account.
Sure, you can use a guest account, but you won't be able to save anything because the entire OS is "cloud-based".
People rush to Google's defence and say that Google doesn't build ad or marketing profiles from student data. But even if the online activity from students is aggregated or detached from individual accounts, that still means Google holds the personal online behaviour of millions of students. They can now poke and interrogate that data in ways that even they probably haven't fully grasped. And as we've seen from Netflix and Spotify, aggregated data still lets you pull out precise details and behaviour from "anonymised" data (a meaningless term).
Tracking is so pervasive and so normalised that no-one even bothers to ask: why should students be tracked in the first place? Tracking online behaviour is in Google's DNA and no-one does it at such industrial scale.
The hypocrisy of the tech community who have nothing to say on the privacy implications of ChromeOS in schools is hard to understand.
Like when I search for a three letter acronym, google knows that I’m an engineer, and I see links for results about computer hardware, and not about a Jewish Torah studies group with the same TLA.
Google makes those models for individual accounts, which is why google can tailor results so well to what you’re looking for right now.
Also remember any form of 2-factor is better than none. Yes, GSM can be hacked and yadayada.. but even one extra factor always slows down. See even a senior Mozilla dev got hacked without 2FA: https://www.theregister.co.uk/2017/08/02/chrome_web_develope...
Yes it does. The normal Gmail interface I get now has a forgot password link which is by default activated after I enter the username. I have to explicitly jump over that to continue entering the actual password and thus to my mail box.
That’s finished now.
I want my machine to be my machine.
Google can F off.
Anyway that has put me totally off using gmail. I rarely have a phone too, so using a phone number for secondary authentication is a PITA.
And there are more, no point in sticking with the big G.
(I am hesitant to give American companies my personal information because they are not beholden to my country's consumer laws).
Some people are posting here saying they got in using a stranger's number so I still don't understand how providing a number proves who I am.
The worst occasion I've ever had was the one time I was traveling. I was getting by with only wifi and, naturally, didn't have a phone number to confirm my account with. I didn't have a number bound to my account, either, making the whole process pointless.
How did I get into my account? I asked a random guy who walked by if I could login to my email on his phone (since at that point I'd left my wifi area and couldn't login with my own device). It was essential that I check an email at that point, so I didn't have a choice. It was anti-security--I literally gave full access to my email account to some man I never met before in a different country.
Google needs to stop pretending it's some security measure. It's not. It's data harvesting, plain and simple. I just wish they'd admit it.
He might not had an account then, but could create one in the future. So now if either of you messes up or does anything even remotely suspicious (in google's eyes) - say goodbye to your account.
pet: answer school: answer friend: answer
Further, they're often a sign that a human employee providing support can override and manually authenticate a user. Whether or not that is really the correct user. Treat your entire account with them accordingly.
There are a few things that make me wonder if I can trust a company. Security questions, stupid password restrictions, sending me a password in plain text via email.
So I started making up birthdays but would have problems because I didn't remember them. So now I just use the epoch, which I think somebody here suggested.
I would mainly recommend posteo.de because of what the company stands for and its cheap pricing. Other options are runbox.com and mailbox.org. All these providers support IMAP too. So you can use any email client on any platform, or the web interface, to access email.
Protonmail, recommended by some others here, doesn't support IMAP for free accounts (so you can't take your mail out easily if you want to move elsewhere). For paid accounts, it has a "bridge" software that needs to be installed and running. This is available only on Windows and Mac. For Linux, the FAQ [1] still says at multiple places that it'll be available in "early 2018", while we're already nearing the fourth calendar quarter of 2018.
[1]: https://protonmail.com/bridge/faq#c8
It’s an anti-spam, and anti-abuse measure. So they’re not giving away free resources that get used to harass their users.
Why would Google need you to give them your phone number to associate that with you? They’re on many of the phones in the world, someone you know has already done that for them, or you used your own phone to do the same.
Unfortunately, Google doesn't seem to have the best staff. Or even good staff.
But it's Google. I could name at least 12 datapoints to check wether it's still the same user it was for 10 years on top of my head. Starting with "still using the same device" going to probably things like "typing style", given how sophisticated their AI is.
There is really no excuse for Google's ADD and implementing half-assed features and stopping to support them 2 months later...
This usually means Google suspects you of doing something that might be abusive.
In this case: re-activating a dormant account that was in a data dump would be a safe bet.
I have effectively lost access to them because of google.
I know this because I have a friend who's prone to getting himself locked out and I have become his personal tech support guy (not willingly).