302 comments

[ 2.8 ms ] story [ 279 ms ] thread
Silicon Valley has a systemic customer service problem. The price you pay for "Free" services.
I think the common wisdom dictates that since we aren't paying, we aren't the actual customers. I'll bet advertisers have great customer service.
Article author was paying for some of it.
That's less common wisdom and more of a catchy but dumb meme. There are all sorts of things you can buy that have crappy-to-nonexistent customer service.
I think there can be several reasons that a company lacks good customer service. One might be lack of competition. Another could be that they don't see their users as customers.
> There are all sorts of things you can buy that have crappy-to-nonexistent customer service.

But that doesn't contradict the point of the comment you were replying to, does it?

Edit: You should reply instead of just downvoting.

Sure, but even Comcast isn't as bad as Google; not as much depends on Comcast, and Google has mountains of p[eople's key life-altering data, yet it is nearly impossible to speak with a human that has any capability to effect a change.

As with every generalizations, there are exceptions, but they generally only prove the rule.

I was thinking more along the lines of manufacturer's warranties, which are often hard to actually use. Or Teslas being in the shop for weeks due to an unavailable part.

Customer service has more to do with company-specific culture than what you actually paid. There are good and bad examples in every industry (or even with the same company).

The hack was the fault of T-Mobile though. He pays for that.
He was paying for all those services (except Twitter and Facebook [which was ok]).
His cell provider was the problem, and that is a paid service. They never should have given someone else a SIM, they are absolutely liable.
Recently I discovered that Facebook has a policy that no one with pending misdemeanors can be hired if they are just a contractor. We recently had to turn away a 23 year old combat veteran who had deployed to Afghanistan because he had a pending Class C misdemeanor. That’s a max fine of $50 for the state this was in. All for a $16.50 an hour job.

The amount of indifference to suffering by people in the corporate world today has gotten...I am not even sure what the word is.

Are you sure you are commenting in the right thread?
The article did mention that their Facebook account was the only one that wasn't compromised.

> Through all of these hacks, it was interesting to find that Facebook was the one reliable and secure service under my control.

Perhaps their comment was attempting to provide some anecdotal data in an effort to explain why the author's Facebook account remained secure.

Though I agree with you in the sense that it's far more likely that they simply commented on the wrong article. :)

This is a good place to remind everyone of Google Takeout [1]. Back up all of your data. Don't let this horror story happen to you.

[1] https://takeout.google.com/settings/takeout

Thanks for reminding me... again... about this. Why haven't I backed up my gmail data yet? It has been years since I realized I have to do it. Why haven't I done it?
Because it's not easy to automate.
Gmail alone is easy - use POP in a mail client, set it to mark stuff read, leave it on the server etc https://support.google.com/mail/answer/7104828?hl=en
I'll agree that POP is pretty easy and worthwhile here.

One caveat: I'm not certain that it's identical to what Takeout provides. I downloaded the mbox file via Takeout and the Takeout version was a fair bit larger than my Thunderbird mbox file as I recall. Maybe Thunderbird stores the emails more efficiently than Takeout? I should examine this more closely. As far as I am aware there are no missing emails in Thunderbird, though I could write a script to be certain.

Edit: Seems that I misremembered. The Takeout file seems to be appreciably smaller than what Thunderbird has, but in line with what Gmail reports at the bottom. I guess Thunderbird is actually less efficient than Gmail. Attachments might explain some of this, as I deleted some attachments in Gmail that I kept in Thunderbird.

Attachments?
(comment deleted)
The takeout file might be compressed too. Most mail clients don't bother to compress anything.
Yes, it was zipped, but I was comparing uncompressed. I've now checked. There's about a 500 MB difference for about 10 GB of emails. So not too bad, but appreciably different.
They now have a feature that lets you schedule it to run every few months. You could probably automate the download from your email client.
(comment deleted)
`gmvault` in a cron job works pretty well...
Check out Mailstore Home
Thanks for the reminder--I've done it several times in the past, but it wasn't a scheduled thing at all.

There's a new checkbox in takeout that lets you schedule a backup every 2 months (and then presumably you'll get an email when you need to download it).

Does anyone else have issues with takeout failing with "unknown error occurred" if you use the default of selecting all products? I have to manually create multiple takeout archives (one for gmail, one for photos, one for location history...)

Absolutely! Always fails. I didn't know about the alternative you mention...thanks....
Works fine for me with select all. Maybe it was a temporary thing.
My previous experience (years ago) was that it actually gave me incomplete backups... which is.. insane and frustrating. Hopefully that’s fixed now.
I was just about to set this up to automatically put everything in my organization's Box every six months, but:

> With access to your XXX@YYY.ZZZ Box account, Google Download Your Data can:

> Read and write all files and folders stored in Box

Nope. Download link it is.

To be clear though, unless Box does actually offer a finer-tuned 'write to specific dir' access control, that's not nosey Google's fault.
(comment deleted)
I believe Google has some kind of service you can turn on where you will pair it with a U2F token like a Yubikey or their Titan key. At that point, all other forms of login and password recovery are turned off. In theory, that should stop the SIM-swap attack.

See: https://support.google.com/accounts/answer/7539956?hl=en

I use Authenticator, which should also stop a SIM-swap. However, I've noticed that many services seem to require activating 2FA via text message in order to activate authenticator. Has anyone else noticed that?
Quite a few do require you to have at least two second-factor methods set up, although I think for me only one has ever insisted on setting up phone / text 2FA. If you don't have a spare phone for TOTP or a Yubikey for U2F, phone-based might be all you can use (considering a surprisingly small number of 2FA supporting sites seem to implement recovery codes).
The point is that, while there are dangers, TXT 2FA is leagues better than not having anything at all.
Unfortunately, Yubikey at least basically only works in Google Chrome, so if you actually want to use your account you have to use methods other than the Yubikey.
You can use it in any browser. You have to register it in chrome. Crappy, but not a line in the sand I'm willing to die on.
Conventionally, one metaphorically chooses a _hill_ to die on, and lines in the sand are only crossed or redrawn, not died on.

The insistence on using Chrome is arbitrary and I don't like it. The use of U2F rather than WebAuthn at least has a technical justification (older Android devices can't do WebAuthn, and while it's backward compatible in the sense that you can use a WebAuthn authentication having signed up with U2F, vice versa is not possible, so old Android devices would have a confusing UX behaviour) but the insistence on Chrome is just arbitrary lock-in.

I won't be dying on that hill either, but it does suck.

> The insistence on using Chrome is arbitrary and I don't like it.

Supposedly this limitation is because Firefox doesn't implement the JavaScript calls that permit a U2F-calling site to know the type of U2F key being used and Google wants to enforce, when enrolling for ATP, that at least one of the two keys being enrolled can be used wirelessly (Bluetooth or NFC).

I don't agree with it either but will only truly be mad if/when Mozilla implements the requisite call and Google still blocks enrollment without Chrome.

You'd think Ubuntu chromium-browser might be acceptable for Google U2F setup -- but no, not when I tried a couple of months ago.
Worked for me. :(

What error did you see?

Ha! That was an amusing mix of phrases. You got what I meant though, and provided some color. Agreed on it sucking.
The industry needs to learn that sms 2fa is not secure because getting a sim for someone else is so easy. And this happening in every country.
I would say that for the average user sms 2FA is secure enough.

P.S. I might have a different perspective as where i am from, there really aren't important services (banks etc.) that are using sms 2FA. Mobile operators doesn't ship SIM cards over mail, you can get a new SIM only in person providing ID (or PIN/PUK in case of prepaid cards). Probably my country is just too small market for these kind of attacks so i feel secure enough when using sms 2FA.

It wasn't secure enough for the author of this article.
Not really an average person isn't he?
How is he not an average person, as far as security goes?

1) he didn't use a password app

2) he thought google drive was a safe place for his stuff

3) he thought google drive was a secure place for his stuff

All three things, which I would bet are fairly common assumptions (the last 2 are certainly part of Google's marketing!), turned out to bite him.

He is a public personality and in that role has been related to Bitcoin. And he also has his phone number and email publicly visible on the internet.

https://gizmodo.com/a-tv-anchor-tries-to-gift-bitcoin-on-air...

It seems like this only happens to people who have poor opsec about their email addresses, phone numbers, and are publicly related to the cryptocurrency movement. I mean, I'm sure it happens to other people, but that's the only case I've ever heard about.

I would personally be wary about publicly listing the email I use with my bank, or my phone number, and I've done what I can to scrub the internet of these values. If you have to be publicly reachable through a medium other than Facebook or Twitter, have a separate email and phone number through which you conduct your serious personal business. But most people do not need this kind of public reachability, or else have it through work. For those types of people, it would behoove them to keep their profile small.

Before the identity theft occurred, what about the the author made him particularly "not average"? Being an early twitter adopter or something?
I wouldn't call a writer for ZDnet who probably has a very public persona an average JOE.
A writer for ZDnet might be a public figure, but to call him "very public" seems like a stretch. There are probably millions of people as public or more than him.
Depends on what it’s protecting, for example banks using it isn’t, as it’s a common enough attack vector it’s appeared on consumer programs on TV fairly often and they had to introduce a law to allow people to be refunded in cases of sim swap.
You're saying that you're safe because you're not an interesting target. People tend to agree that security through obscurity is not a good strategy.

As for how hackers can swap someone's SIM, consider:

- Does the 20 year old minimum wage employee working at that store know how to spot a good quality fake ID card?

- What about hackers bribing an employee?

SMS 2FA is fine. 2FA adds another layer on top of your password. The second factor doesn’t have to be particularly secure to make you safer.

The problem is SMS account recovery, which is a really bad idea.

> The problem is SMS account recovery, which is a really bad idea.

The problem is that a lot of services tie the two together. Often one implies the other. Even if it doesn't, though, it's also easier to social engineer -- "look! I have access to the 2fa phone number! I just can't access my password manager!"

I'm not sure I've ever seen SMS account recovery.
Google has sms account recovery.
Companies do that, but they shouldn't call it 2FA at that point as it is no longer a _second_ factor: it has become the primary factor.
In times like these, I am glad to live in a stone age country like German, where it is near-impossible to get a new SIM without going to the store in person and presenting a government-issued ID.
Sorry but you are wrong. Today was news on heise that clearing bank accounts by replacements and transfering the money to some popular new banks like fidor and n26 resulted in a temporary ban of a small bank to transfer any money to these banks. It‘s happening here too ;)
Does the 20 year old minimum wage employee working at that store know how to spot a good quality fake ID card?

What about hackers bribing an employee?

Or a country like Sweden where you have to authenticate customer service through 2 FA using an application connected to your bank account, where you input a password or fingerprint.

And then the change only happens after you confirm a text message sent to your phone asking you to approve the request.

I certainly didn't appreciate how much SIM cards are the keys to our modern lives until mine got stolen. Interestingly, my thieves took a different tack: they actually stole the physical SIM card! You might ask how this could happen: I was traveling internationally and had a friendly guy at an official kiosk in the Heathrow arrivals hall swap out my SIM card for a local SIM. He palmed my SIM and gave me back a dud without me noticing. He then shipped it back to Atlanta where collaborators used it to blindly called credit card support numbers. Some of these credit card numbers were hits — places where I had existing accounts and where they recognized my phone number. They social-engineered their way to get the CC companies to divulge more information about me — including the CC numbers themselves — allowing them to increase my credit limits and open new cards. They then went on a $40k shopping spree.

Of course I didn't notice until I came home. The dud card he gave me worked for 24 hours (I still don't understand how). And even after it stopped working, it took me quite some time to piece together everything that happened — I didn't realize that the SIM card I had wasn't mine for quite some time. Fortunately they did the equivalent of an identity theft smash-and-grab. It was relatively easy to identify and reverse, and they didn't compromise any tech 2FA services.

Interestingly Heathrow police didn't care as the "theft" was only a $5 SIM card and not a "high enough value item" to warrant investigation.

tldr: Don't let anyone ever touch your SIM cards.

> Interestingly Heathrow police didn't care as the "theft" was only a $5 SIM card and not a "high enough value item" to warrant investigation.

What about the part that's "being a part of a criminal conspiracy to steal $40k?" I guess that's not something for the airport police to deal with though.

Ayup. Here's what I got back from them:

    In light of the extended Fraud on your account, I believe
    that due to the 7 day lapse between you collecting the SIM
    and returning to the USA, then your details could have been
    compromised anywhere. In all probability, this occurred in
    the USA as this is where the accounts have been set up and 
    believed the fraudsters would have had to have been in order
    to benefit from the crime.
 
    The fact that you bought a SIM card in the UK is purely
    circumstantial I’m afraid, therefore we would not 
    investigate this further.
Of course I was shouting "THEY HAD TO SHIP IT BACK TO THE U.S. FOR IT TO WORK" as well as providing the call logs documenting calls from the Atlanta region (where I don't live and hadn't visited), but it fell on deaf ears and I gave up. That response made me feel like a tin-hatted conspiracy theorist, though: yes, I am certain I was defrauded through an international criminal conspiracy.
I understand your frustration, but I also think they have a point.

What you're telling us is all based on your educated guesses as to how they might have pulled this. There are things that feel a bit weird and I'm guessing you have no evidence to prove them, such as the scammer shipping the real SIM back to Atlanta in time before you realise the issue.

How did you realise the SIM card you were handed was fake? Couldn't it be that they instead duplicated your SIM whilst you weren't looking?

IMHO the police (or FBI or whatevs) in the US should conduct the investigation as that's were the fraud happened. They'll evaluate if it's worth it contacting their counterparts in the UK to move forward. However I also think it is good that you've given a heads up to the UK local authorities.

Do you remember what company was offering the local SIMs? I've seen mostly Lebara, but not in Heathrow...

Is SIM cloning still easily doable?
The SIM ICCID that I physically had in my hands upon return was different than the ICCID that ATT had on file for me. I also watched the dude do it right in front of me, but of course SIM cards are quite easy to palm. It was the "Tourist Services" kiosk and I bought a £20 Lebara card. He very kindly taped the ATT card down to the Lebara cardboard packaging, and I wasn't able to remove that tape without damaging it so I'm quite certain that it wasn't swapped elsewhere.

I did also report it to both my local police and the FTC and the FBI but never could gain traction as nobody thought it was their jurisdiction. I eventually gave up once my credit was repaired.

Just playing devil's advocate, the ICCID on file would also be different if they had managed to compromise your account and change the sim associated with it.
They also had the last-changed date (which was from when I set up my account).
That might be reasonable. It also makes the scam OP is guessing happened a pretty good criminal scam, since the police will refuse to investigate it...

I mean, what possible additional evidence could one plausibly have that the guessed scam is indeed what happened?

Which is the scary thing about all these SIM-theft things. It clear happened, there's really no way for the victim to know how/where/what/when/who.

It certainly took me quite some time to put all the pieces together — and I'd wager very few folks defrauded like this are able to realize exactly what happened.

I do wonder if it's still happening...

Anyway, thanks for sharing. This is not exactly an obvious fraud.

I think one way to prevent it, aside from remembering to not let your SIM off your hands is to mark/paint your SIM and make it unique and easily recognizable.

Then you can deal with it immediatelly, even if you forget the rule to not give your SIM temporarily to others. (You'll probaly not forget, but people who may not have your experience and still want to protect themselves against this, may.) Also the attackers will not probably attempt to swap unique looking SIM in the first place.

Other ways are to use phones with 2 SIM card slots or simply use a local carrier with decent international roaming support or (of course) carry a paperclip to just do it yourself.
fun fact about sims. they run a java operating system which can be accessed via binary SMS messages (apdu messages) - invisible to your phone, with the right sim pin, they can get filesystem access in this 'os' and steal your private keys and phone identification numbers, effectively allowing them to mitm / clone your phone and calls/sms etc.

that being said it's just plain silly how important these crummy devices are, and how little information and warnings they come with.

set a good sim pin, that will save u from this type of trouble. of course, it won't save u from physical phone / sim access.

Is this true in say an iPhone? I don’t think there’s even a way to set a sim pin?
How did they get your 4-digit PIN? Don't you have to enter it on every reboot?
Phones' PINs aren't connected to SIMs. I have to enter my PIN on reboot, even if I removed my SIM. Putting the SIM in a phone without a PIN results in nothing being required.

Edit: Thanks for correcting me- I guess my SIM does not have a PIN.

A SIM card has its own PIN, completely independent from the phone's pin. If I put my SIM in someone else's phone, it will ask for my PIN, even when they don't have a PIN set.
SIM cards themselves can have a PIN attached to them too, usually with a lockout after 3 unsuccessful attempts. The card is supposed to be secure against tampering, but since it's running an OS which receives very little scrutiny and runs lots of legacy tech, there are likely all kinds of exploits to reset / root the SIM and bypass any PIN protection. It's still useful against casual theft though.
While there have been a few very scary hacks that could compromise a currently-unlocked-and-running SIM, I don't think there is anything you can do to a powered-down SIM without the PIN.
SIM PINs aren't enabled by default on iPhones and are independent of your device lock code.
It's not an iPhone thing. It's entirely on your carrier whether or not to enable it on a new SIM.
Is there some mobile provider that has a way higher standard of security? Something like "Cloudflare for SIM"
No.

The issue is partially that while social engineering countermeasures that could help prevent sim swaps could be helped by better training and more rigorous security checks, there are actually bad actors who are employees of the carriers who can be paid off to switch SIMs.

I noticed that author assumed he couldn't call 611 and took how long to contact via alternate phones.

I'm pretty sure 611 works without a SIM card.

no sim is no calls or sms. however, an inactive sim is allowed to call 611 (or provider equivalent) , 911(or local equivalent) and a few such emergency numbers generally. You do need the sim to be in working order and in the device. but it does not need to be activated.
How would the phone know which network to 611?
I would expect it to work for a carrier-branded device even with no SIM card, unless the device has been flashed with a stock firmware from the OEM.

For a non-carrier-branded device though, perhaps the presence of a SIM card is required.

Google Fi requires you to have access to your google account to port or sim swap your number. So if you have real 2FA you should be safer.

I just had my AT&T sim swapped two weeks ago. According to police, the sim swappers are insiders at the telcos or have compromised corporate credentials and are logging into the telco admin portal and processing the swaps themselves.

I’ve now switched to Google Fi. I’m banking on the assumption that Google doesn’t keep an admin portal open to the internet and that they don’t give sim swap/port access to employees that aren’t paid well enough to be willing to take a small bribe to swap the sims.

Anyone who wants to defend themselves, consider using U2F where you can and Google Advanced Protection. I just recently picked up a bluetooth security key because one is needed to log an iPhone into an account using advanced protection; there is no SMS backup loophole. The Titan key bundle comes with a bluetooth and USB key, which is enough to get started, though frankly you probably want a couple additional backup keys too.

https://landing.google.com/advancedprotection/

(The usual disclosure: I work for Google, but not on anything related to this, only speaking as a user.)

Why doesn't Google get rid of SMS recovery completely? It's a huge security flaw that can be easily exploited.
I have no idea what the pros and cons are and certainly can’t speak for why. However, I think the existence of the Advanced Protection Program is definitely acknowledgment that the SMS backup is not secure enough for everyone.

The thing is, not long ago I had no issue recovering my account if it got compromised. I think attackers today have gotten better at finding ways to beat the system. One thing I’ve seen, albeit I don’t know if it works on Google accounts, is enabling high security after stealing an account, effectively making recovery very hard.

Though, I can’t really speculate on if that’s what’s going on here.

Probably because the more barriers you put in the way of scams, social engineering, etc. the harder you make it for people to legitimately get back into their accounts and the more likely it is that you'll instead read stories about how someone "forgot their credentials and lost access to everything in their account and Google won't do anything about it."

No opinion on SMS specifically but there are tradeoffs.

It would be more just if people losing access to their accounts were those that lost their credentials rather than anyone that has a SMS number tied to their account. Other approaches to account recovery could be explored but none of them should involve SMS.
Google is a pain as there's no way to talk to a human. I have lost access to an old Gmail account as my phone broke. Without authenticator I can't get in. I can't set up authenticator anew because I don't have the password anymore. I still have same phone and plenty of emails - just no way to get in.
When you set up 2fa with Google they give you a set of backup codes you can use to get back in case you lose access to your phone/authenticator. It's important to store those somewhere safe.
It depends on your threat level. If you're just trying to avoid phishing, it's great, something like 99.9% effective. However, if you're worried you'll be targeted, where someone will go through the effort to do this to you specifically, then it's not a good choice.
2FA does not fully protect you against phishing. The attacker can just passthrough all credentials including your 2FA code. It limits the attack to a time window and any further security sensitive changes that require 2FA may be protected unless the user naively re-enters their code.
U2F/ WebAuthn credentials can't be passed through.

Or in more detail, the credentials aren't human readable and are per-FQDN, so when you visit badguy.example thinking it's goodguy.example, your Security Key will cheerfully hand over valid credentials for badguy.example, but there is no way to give them credentials for goodguy.example because that's not where you are.

Hence that 100% score on Google's page.

Meant to say TOTP or SMS 2FA.
When you first enable 2FA with Google you have to do SMS (at least that was the requirement last time I did it). However, once you've defined an alternative 2FA method (Google auth, u2f key, etc) then you can remove the SMS method completely.

Believe it or not banks are really bad at security. They are so bad at it that they don't even realize how bad at it they are. But the banks all copy from each other so "what the other guy is doing" is more or less their justification for what they do. Most of them have little to no idea why they do what they do for IT security, they just do what the Computer Security for Dummies book says to do (walk through the IT security department at any big bank and I bet you there is a dog eared copy of that tome on every desk)

Synchrony is one of the worst offenders, they won't even let you change your password without doing SMS verification, and their source of phone numbers is a Transunion skip trace database (which you can't change or remove any information from), so getting past Synchrony can be as easy as filling out a contest form at a mall, waiting for the phone number to appear with Transunion, then choosing that phone number to do SMS verification. It might take a couple months but payoff can be huge.

My hero at the moment is Capital One, they allow you to do e-mail authentication instead of SMS, and their iOS app also doubles as an additional factor (one requiring you to enter your password or use touch ID to use).

I was also extremely happy to find that the brokerage Robinhood offers Google Auth as a second factor. E*Trade also offers 2FA but a proprietary token w/ lcd display (which they happily charge you for).

My trick has been to give banks a false phone number that rings busy forever. That does effectively keep me from using banks that require SMS authentication, but there are more then enough that either offer other methods or drop their SMS requirement if you list your mobile number as your home number (indicating that its a wired phone and can't receive SMS). That doesn't keep my Synchrony accounts secure but there are enough protections around credit cards that my liability would be $50 at worst, with Synchrony having to eat the remainder of the loss.

> When you first enable 2FA with Google you have to do SMS (at least that was the requirement last time I did it)

I don't remember that ever being the case, either when Google first launched Google Authenticator and 2FA (when I pretty soon after set it up) or when I later went through the setup process for my work account at my current job (a couple years ago).

That is awesome then! It was a lot of hassle for me to find a phone that accepts incoming calls (and wouldn't come back to me) so I could get past the first step - though to Google's credit the number I used never showed up anywhere so they didn't try to sell me out.
I've just checked and Google now allows the removal of SMS based 2FA if you have an alternative 2FA method configured.
U2F keys are great but I look forward to the day when they’re more widely available outside the US. And I’m still waiting for my replacement from Feitian for the recent vulnerability. Not to say you shouldn’t use them, but... they have their limits. Particularly Advanced Protection which forces you to use Google’s browser in many situations and disables API access so I can’t use the API to get my own data, only Google’s official apps and a small exception for Apple’s.
Yeah, Chromium is needed to add keys, which effectively means you can’t enable Advanced Protection without Chromium. I personally ran into this wall. I acknowledge that this sucks, as a person that intentionally only uses Firefox, but to be clear logging in and most other operations work absolutely fine with Advanced Protection.

Does it really disable all API access? I thought it only blocked certain OAuth scopes, but to be honest I haven’t really tried.

I was able to login to a NVIDIA Shield, but only by resetting and bootstrapping off a spare Android device (!!!) because U2F keys are broken on Shield. Interestingly, my Samsung TV remains signed into Youtube, which is kind of odd now that I think about it.

Youtube/YoutubeTV seem to be walled off on 2nd factor auth. I've been able to log into both on browsers w/o 2nd factor and then get prompted when logging into web gmail.
Seems like Firefox U2F is just disabled by default: https://www.yubico.com/2017/11/how-to-navigate-fido-u2f-in-f... (tl;dr: Open about:config, search for u2f, enable)

With that done, GitHub prompts me for my key. My Linux office workstation is missing the necessary udev rule, so I couldn't test more. (Funnily, pressing Cancel caused them to send me a SMS, so their 2FA is practically worthless).

Oh yeah, I’ve set all that stuff up already and I am able to login; NixOS makes it mostly pretty easy.
I've run into strange interactions where adding a key is disabled in Firefox (even with the security.webauth.u2f flag set to true), but once one key is added, you can add subsequent keys no problem.

This is how Github worked for me - I think it's just a mis-match in the code checking for U2F functionality...

I think adding the key use a different mechanism - there are two JS interfaces for U2F, and FF only supports one of them. TBH I've added my key to GitHub with chromium, but have since moved to FF; so that might be what you're seeing with GitHub.
Why not "defend" yourself by not relying on gmail? It's not exactly the first time this has happened.
What’s better? Serious question. Very few companies spend as much on security as Google. You have to do your part and configure something like Advanced Protection, but if someone’s going to go to all the effort listed in the article, which provider would be a better bet?
It's not like email providers get hacked all the time. Individual email accounts do get hacked.

Find an email provider that provides decent support, i.e. you can call and talk to a real person. Make sure they support 2FA (ideally the non SIM variant). Also recovery tokens that you can write down and stuff like that.

Personally I run my own mail server but I understand that's not everybody's cup of tea.

Absolutely, if you want. I am not advocating to use or not use Gmail or other services. But also be sure to use U2F on whatever you can, be it Fastmail or Proton Mail or what have you. I think Proton Mail is still working on their U2F support today, though.
FastMail has humans respond to all support tickets. Imagine being able to recover your email without spending 5 days talking to a google form?

source: I work at fastmail. It's cool.

At the end of the day, there’s a lot of differences between the many webmail offerings. The apps, the support, the feature-sets, etc. If you have gotten used to things like the nuances of Gmail filters, switching anywhere can be challenging, I think, and the same could be said about the reverse. I’ve been considering using both Gmail and FastMail simultaneously for a while, especially for custom domains. Also, JMAP is cool.

I am mostly just suggesting that folks who read stories like these and fear similar predicaments take the time, effort, expense, etc. to properly secure whatever accounts they have.

Thought experiment: if someone steals an account with no 2FA, enables U2F and other security mechanisms, how will support verify who truly owns the account? Or the reverse: user enables U2F and someone calls in and tries to claim the account was stolen?

Having humans make judgements is important because the real world is complicated and people are imperfect, but using U2F in the first place can save you a huge headache, no matter what services you use. If support can just flip a bit and disable U2F, it isn’t very useful for the same reasons accounts get hijacked to begin with.

I mean, i think you answered the question yourself. History of account security details, things like login logs, IP addresses, when things were changed, payment information, etc can corroborate the story a user is trying to tell (ie, my account got stolen), or refute it.

And those things? It comes down to having strong process rules and having intelligent life forms make the decision.

Is there anything specific to Google about this? Could it be the same story about another email provider?

And if not then why not? Is it because Google is a bigger and more obvious target or something specific they are doing badly?

If you think people should switch then these are the kind of questions you should answer.

A smaller, paid provider may make it easier to get someone on the phone to resolve problems when things go wrong. Having better support than Google would not take much.
"Getting someone on the phone" is a big reason these kinds of problems happen in the first place. The reason Google doesn't do that is because they would be too big of a social engineering target, and couldn't possibly be secure in the face of that at a reasonable cost.
The article doesn't say if the user had two-factor authentication set up. I guess it's implied they used SMS as the second factor.

This would happen with any email provider.

So the fix isn't changing email provider, it's using a more secure second factor, e.g. U2F.

Right, but at least with a different email provider it's infinitely more likely to get actual support if this happens.
"I don't remember my password and I have a new phone, can you help me" is precisely how attackers do sim swaps in the first place.
Or use your Android phone as your second factor.

https://security.googleblog.com/2019/06/use-your-android-pho...

That’s a great idea and would’ve saved me some time. Sadly, I had ordered and received my Titan kit before even realizing I still had an Android device, less that I could use it to bootstrap my iOS device...

I hope Apple some day supports NFC or maybe even USB U2F, both things Android has supported on phones for a bit.

This unfortunately is useless. Account recovery will still allow the hacker to use the phone number that has just been swaped to logon to the email. The weakest link is what matters and in this case you are just putting a bigger door lock on the front door while leaving your back door open.
Once you've configured a security key on a Google account, it's entirely possible to remove phone-number based account recovery -- and strongly recommended for at-risk users. See step 21 et seq. in the Tech Solidarity security guide for people working on political campaigns:

https://techsolidarity.org/resources/security_key_gmail.htm

For no particular reason, Google does require you to temporarily configure phone-number based recovery while configuring other 2FA options -- but once they're set up, you don't need the phone number anymore.

What is your contingency plan for when that physical key is lost, stolen or damaged?
I have two. One stays with me, the other in a safe.

Which is legitimately a pain in the ass to register, manage, keep in sync, etc but I only use it for a few very important accounts--Google being one of them.

I have about six, one in each computer I regularly use.
You should have emergency backup keys as well printed on real paper. I have a set stored with our important files, and another in my nightstand. Having my phone stolen would be a damnable inconvenience, since that is my second factor -- although not via SIM, but via Google's in-app authentication. But it wouldn't be fatal.
I use andOTP, which is compatible with Google Authenticator and actually allows backing up the private keys (one of the key missing features of Google Authenticator, though maybe they've fixed that).
Multiple physical keys in multiple formats stored in multiple places. I've got a few security keys: one on a keyring, one in a locked file cabinet, one locked in a safe. Backup codes are printed on good quality acid-free paper with good toner and then are put in acid-free envelopes or laminated, stored in a safe at home and a trusted family member's house.

I'm far more concerned with an attacker from the internet or destruction from a fire or natural disaster than someone using my computer at my home who happens to have my username/password combination as well.

(comment deleted)
This is the first thing I thought of when reading that. For sure, Google's lack of real support for fixing things when someone does steal enough 2FA creds, like phone number, is a drag. On the other hand, it appears that setting up Advanced Protection probably gives you a much harder to hack account than any other provider could do.
> I had backed up a ton of personal information on Google Drive. This included tax returns, account passwords for my wife in case I died, personal documents and spreadsheets, and just about everything I had paper copies of at home.

I guess the author learned that lesson, but… please don't. Backups in the cloud are fine, but such sensitive information has to be encrypted. Ideally with a 6 words diceware password or so.

And if it is meant for your close ones to recover if you die, write that password down, and lock it up in a couple homes you trust.

In many asian countries they recycle telephone numbers quite frequently, some providers as often as 3 months.

Perhaps it would be interesting to get a few pre-paid SIM cards and see if it there is any Google accounts connected to them?

Moving your irreproducible data into cloud storage is everything but a backup.
The fact that ACH is slow is a feature not a bug. Remember that when people want to speed up money transfers.

> After a couple of days, our bank reversed the $25,000 charge and told us that the fraud department caught the ACH withdrawal before it was fully processed so that neither my family nor the bank lost this money forever.

Instant transfers work fine in countries where banks do their job properly.

Mobile phone numbers shouldn't be used as a second factor, much less as a way to fully recover online credentials to your bank account.

You're probably right. You definitely shouldn't be able to recover your online credentials then immediately transfer out all the money.
But also, the US regulatory environment is very friendly towards individuals when it comes to fraudulent electronic transfers, regardless of how quickly they execute.
A few suggestions:

1) Call your cellphone carrier and ask to set up a password/PIN to be used for when you call into the customer service phone number.

2) Consider your phone number and SIM card insecure. The phone carriers are ignoring the SIM swap problem even though they know how much damage it's causing. Give your phone number to as few companies as possible. Phone services such as Google Voice work without a SIM card, so they are less prone to problems. Give out such a phone number if necessary.

3) Don't use text message verification codes as 2FA. Use an authentication app, such as Google Authenticator.

4) You can retake possession of your hacked Gmail account by providing one of the previously used passwords. No need to have a working phone.

5) Ask yourself, what will happen if you lose both your laptop and your phone at once? Do you have things set up in a way where you can get back into your digital life? Someone can break into your home while you're away, the government can confiscate them at the airport, etc.

6) Check what email addresses you have configured as backup auth methods for your Gmail. Those accounts can be used as a means of access by a hacker.

> 4) You can retake possession of your hacked Gmail account by providing one of the previously used passwords. No need to have a working phone.

That's possible?! I only ever change password if I suspect it might have been compromised. Now if a service allows to use old passwords, that's quite a bummer and makes password change meaningless.

> Call your cellphone carrier and ask to set up a password/PIN

Note that, at least for TMobile, AT&T, and Verizon, the password/PIN is presented to the CSR in plaintext (as they verify the pin over the phone verbally).

I'd assumed they'd transfer to some pin-capture applet to verify, but nope.

> Use an authentication app, such as Google Authenticator

If you decide on Google Authenticator, make sure you scan the barcode with 2 devices (say, your tablet and your phone) to back up that credential. Or just use Authy.

> scan the barcode with 2 devices

You can print out a copy of the barcode and keep it somewhere safe. It's a little bit scary as that barcode is a super powerful extra key but, you will have a key that will work and not be reliant on any device to store it.

There are plenty of TOTP apps (besides Authy) that support backing up the code generation keys. I use andOTP, for example, which supports backing up locally to the phone's internal storage (and optionally encrypting that backup with either AES + a passphrase or a PGP key if you've setup an OpenPGP provider on your device). 1Password's iOS (and Android?) app also supports TOTP.
> Call your cellphone carrier and ask to set up a password/PIN to be used for when you call into the customer service phone number.

What is really infuriating is that it is not required for BestBuy-type authorized resellers that hook directly into the system.

> 4) You can retake possession of your hacked Gmail account by providing one of the previously used passwords. No need to have a working phone.

This is what I'm worried about, if I don't have a phone number on a gmail account, won't it make it harder to get access to that gmail account if I am locked out. Even though there's obviously a bad security loophole with just having a phone number on your account as a recovery option, is it not worse to be locked out of your account with no way to get in?

Even if you go through the g.co/advancedprotection onboarding process, they still say account recovery is possible and that it would take 3-5 days extra. Granted, it's not easy, but it's much easier to buy security keys and put one in a safe deposit box than it is to try to get every carrier to be nice to you and not SIM-swap your account.
> 5) Ask yourself, what will happen if you lose both your laptop and your phone at once?

Yes! For example, if you're robbed on your way home from work, and they take your laptop and your mobile.

> 2) Consider your phone number and SIM card insecure.

Your phone number is an obvious attack vector. I think having a dual sim phone with 2fa dedicated number that is not publicly associated with you, possibly with the carrier that has it's security in order, would decrease the odds of getting hacked.

This is why I don't use Google for anything of importance. No customer support = I am not using it for anything of importance. Consider it a 'burner' service.
And this is a tech journalist who has friends at Google. The average guy on the street is %%%%'d in this new world.
This is why I would like to trust my digital identity to my bank.

They have enough local, physical presence so that I could show up in person and prove who I am. Also the personnel is already familiar with checking the identity and hopefully less suspectiple to social engineering.

2FA tokens and codesheets without SMS backup are secure, but bit tricky to manage. Takes some effort to distribute to different, secure places (think if house burns) and some regular checks to verify backup tokens are alive and codesheets not lost.

My good bank has no physical presence whatsoever. I mean, I presume they operate a call centre somewhere, maybe in Scotland, but I've never seen it.

They can reach out and cause things to happen at a distance, but I don't want that used to authenticate me. They used it when I had lost my cards, to cause me to receive a bundle of cash so I could get on with my day just paying cash everywhere.

I have a specialized OTP device with a chiclet keyboard, and a password used for normal stuff. When I do something serious, like the time I bought somewhere to live, I call them to set up the transaction, then a different random person gets assigned to call me back and verify the details - this way if one employee goes rogue they can't empty my account by claiming I called them. They have a password for me, and the second employee uses that password so that I know it's really the bank calling me.

I would like to know more about this bank!

What bank is it? How did you find it?

I've not heard of features similar to this, especially the last part about buying a house.

It's First Direct https://www1.firstdirect.com/

It's a Telephone Bank in the UK, launched in 1989 and I became a customer a year or three after that. Because it doesn't have any branches its call centre staff have to be trained to handle absolutely anything - if they can't fix it then it won't get fixed.

I found it because my father used it, I have no idea why, he was not ordinarily a man to favour technologically sophisticated solutions, he never owned his own email address for example. Maybe as a working man he found it frustrating that other banks were closed after hours? First Direct is never closed, it operates 24/7. I have used other banks for some things, but I've always kept accounts with First Direct because of their truly extraordinary customer service hence I call it the "good bank". I actually know one of their Founders and apparently that commitment to customer service was key to their original vision for the bank, he led a strategy session for the start-up where I work now and it used that vision to give us a worked example. He was Chairman at another start-up I've worked for too. Small world.

For the buying a home part I do mean that I bought it outright by the way, there wasn't a mortgage or anything like that - so that's a lot of money, let's say six figures. I presume the precaution was triggered by the fact that I wanted to move this large sum (almost all the money I had) to an account I'd never sent any money to before. Sounds almost exactly like a scam.

I would _like_ to believe any other bank would have similar protections - but of course I don't buy a home every day, so I have no other examples to compare, and most of my contemporaries have a mortgage so the very large sums aren't involved.

The password when they call me thing was nice, to be honest they didn't proactively set that up. I suggested it off-handedly one day and they were like "Of course, yes, we can set that up". I presume it's not custom, just they didn't explicitly advertise it to me as an option. That happens a lot, I didn't want contactless on my new card recently, and they were like "Yup, of course, done. Replacements for this card will also not have contactless until you call to change that".

(comment deleted)
Unlike what the OP stated, the key is NOT to list you phone number as an SMS 2FA recovery option. Only use the non-SMS options (e.g. app-based recovery, Google Authenticator, recovery codes). Adding SMS as an option makes your account less secure, not more.

Unfortunately, most sites do not allow you to turn off SMS recovery even if they offer other 2FA options.

Security is only as strong as the weakest link, and SMS is very weak.

The problem lies in that Google Authenticator is tied to a device, so if you upgrade it or lose it, you’re f’d. I also doubt many use/print recovery codes, and if they do, good luck finding them 7 years later.

Overall the situation isn’t great.

I would recommend saving the recovery codes in a password manager app (that is not your browser)
> The problem lies in that Google Authenticator is tied to a device, so if you upgrade it or lose it, you’re f’d.

You can save the QR code that was used during setup to repeat the onboarding at any time. You can also use Authy, 1Password, or another service that lets you store the one-time password somewhere else. Or use U2F devices when possible.

(comment deleted)
I just went through this situation with a couple non-Google companies when I upgraded my phone, not realizing that their authentication info wouldn't transfer when Google transferred my data to the new phone. I thought I had double-checked that I had everything, but this got missed.

It was a pain for all of them, but it was worst for the ones that I had no other auth systems set up. (Or the ones that had my old phone number for SMS still, even though I thought I'd changed it everywhere.)

In the end, there's still no good system for real security. You're either stuck with a device you might lose (or someone might steal), or stuck with an account that you might cancel (or someone might steal). Or use biometrics which are just not ready for prime time.

I still have my Google Account recovery codes in my wallet that I first generated in 2011.
Better not lose your wallet!

When you’re at Google scale, all of these methods have real world flaws.

No, Google Authenticator is not tied to a device. It's a standard (TOTP, RFC 6238) and you just need to use an app (perhaps not Google Authenticator, I use a different app myself) that will let you see the numerical code that you need to save somewhere.
It’s tied to the device as in it won’t be part of your backup to a new phone.. you have to manually transfer it yourself which according to you is using another app!

So the likelihood of moving to a new phone without those codes transferred is very high. Not exactly an easy experience.

Since becoming aware of my own problems with google (they truly could care less about their users data) and reading stories about previous incidents of swapping SIM cards.

My solution to all of it is literally just 2 emails. Both 2fa. Recovery exists but the numbers and emails are unknown to the world beyond Google or m$ servers. And those don't get used to register anything ever. I park my recoveries then use my main email as my most public one. Everything else is registered and recoverable on the second email that also isn't publicly known unless one of the services I'm attached to gets their data leaked etc etc etc....so even if they did successfully swap my SIM they can't get anything else.

TMobile got hacked a few months back and around the same time my personal debit card that stayed in my wallet the whole time and I don't ever use in public literally for that reason. Got charged. They tried to empty it all. I pressed and pressed the only thing they could do for me was ask for a specific code. Verbal 2fa. I think if I remember correctly none of the data showed up publicly anywhere yet not sure about the specific incident I just thought the timing was weird.

If that's the best security TMobile has and that's all their customer support has to offer us. They have failed as a company in my eyes. And it will only get worse not better as more middle managers get their cut of the security upgrades that they will partially and incorrectly implement.

Of course they won't lift a finger your not a Kardashian

In India to port a sim you have to first send a sms and would receive a verification number which is valid for a month or something.
Google Authenticator is a huge question.

While there is apparently a desktop interface, if someone gets access to my phone, they have the live access codes right there. When the SIM is stolen, can the authenticator also be accessed with the new location of that identity?

The process for moving Authenticator involves receiving a six digit Google code on your phone -- which was just effectively stolen with the SIM...

While Google may have built in protections, they are not obvious at this point to me, a casual user of Google Authenticor.

Does anyone have any more information to keep this more secure?

Last time I switched phones I had to set up GA from scratch, re-scanning the seeds on every account. The initial SMS code was just to attach an authenticator to a new device. Someone compromising your phone number shouldn't be able to get access to your codes, they would need the physical device.

Also note that there is no official desktop client, anything that claims to be is 3rd party and wouldn't be connected to your current codes.

Google really fails hard in the face of providing support when issues like this occur. The average person has to try various automated account recovery options which, as in the author's case, are readily changeable the moment the account is compromised, rendering them somewhat useless, and then users are out of luck.

It's a situation that is mind-boggling. Users as asked to place a significant chunk of their digital lives in the care of Google, it is unbelievable that they fail this badly. It's useful to note than it's not a situation that business users face. People who pay for G-suite have real support, even ::gasp:: telephone support. Why on earth does google not offer this to consumer users? I would gladly pay for that level of support and security. For that matter if there were some way of converting my personal account over to G-Suite I would do so.

I would even not mind something like one-time payments for support calls, for example pay $50 for a service call to get assistance in a case like this. I just can't fathom the "no support" model at all.

> People who pay for G-suite have real support, even ::gasp:: telephone support. Why on earth does google not offer this to consumer users?

I know people are getting sick of this phrase, but I'm going to repeat it here anyway because it answers your question perfectly: why doesn't Google have customer support? They do, but if the product is free, you're not the customer.

As you note, Google does have real customer support for people who pay. The other people are not customers, they are advertising targets. Why waste money on support for them?

Google One advertises real support for consumer users... but it turns out they can't really so anything but read support docs to you.
Is this a reference to something? I haven't heard much about Google One's support good or bad.

The concern I'd have with G-One is that if you lost access to your account, you also aren't a Google One customer, and the support likely won't assist you. Creating a chicken/egg situation.

Yes, there should be some support for non-paying users. Even if it comes at a cost, like a flat rate incident fee.
Not a reference to any story, just a few personal experiences. I had various issues, and they couldn't escalate anything to actually fix them, they just read support docs back to me. It's not like the paid support that gsuite customers get (although I'd be happy to pay more for that if I could).
I didn't realize, I apparently was automatically made a Google One user when they created the program because I pay for a bit of extra Drive storage. I'd really like to hear stories from people who have had a hacked/stolen account and the support Google One provided.
As someone using G Suite for personal purposes I'm glad to pay for support honestly (+ the peace of mind of being mostly in charge of my data, not having it be mined for whatever purposes).
> Why waste money on support for them?

On the other hand, a paid edge case support option for otherwise free services would be a win for both sides. If only the long term projection of the resulting incentives would not be so ugly...

This is why I panicked when they announced they won't sync Google Photos with Google Drive anymore. With the sync, I can setup one of my computers to constantly download the photos and then copy it onto a local backup and an online backup. If my Google Account gets locked - I'll just copy the photos into something else and move on with my life. They removed that saying it's confusing to users - all the while it was an option users had to go explicitly enable.

I switched to iCloud which supports the download feature.

How is your solution different from uploading to Google Drive?
Editing, search, organization, sharing and viewing tools. Google Photos is a fantastic UI for that - provided, the pictures actually live in my Drive.
Would you mind elaborating on your iCloud setup to handle this please?
In case you own an iPhone, it's given to you the option to backup your photos to your iCloud account (Apple service bundled into the phone).
The most common way to do this is to have the Photos app on MacOS set to "download originals," then use whatever backup solution you like best. I highly recommend setting this up. Last month through some sort of iCloud glitch my fiancé lost almost all of her photos from before the beginning of this year. We've escalated it to their highest tiers of support but the photos are gone. Redundancy is important, and even the best providers aren't foolproof. It was devastating to lose all of those memories.
This is how I do it too, then backups are done through Arq and Amazon. I consider Google Photos as a “share / social” area. I would never entrust masters with Google.
I should go and backup my photos asap then...
Thanks. Currently I do this:

Phone -> Dropbox + Google Photos (automatically)

Card-based cameras -> Plug in card, Dropbox + Google Photos pick up new photos

Backup 'server': Local synced Dropbox folder -> Local + Cloud backups

I couldn't see how to add iCloud to my existing syncs / backups. When I looked at it, I couldn't be sure it would keep photos on my phone long enough to allow Dropbox and Google Photos to pick them up. It's good that it's possible to get the originals over at a MacOS machine. Might be worth exploring then.

(comment deleted)
FWIW, I use syncthing for this exact use case.
SyncThing is fantastic, it's really solid and always just works.
> I would even not mind something like one-time payments for support calls, for example pay $50 for a service call to get assistance in a case like this.

I can just see the people raging about this on social media now.

“Google charged me $50 to fix an issue with my account!”

“Google won’t give me any help unless I pay them! Extortion artists!”

Etc.

Make it something you can pay in advance, then.

For a fee, you get marked as a high-risk/high-value account, get the recovery service and risky factors of authentication get extra scrutiny, etc.

You can get extra security from Google for free. https://landing.google.com/advancedprotection/
Not exactly free, because you must buy a couple of hardware tokens. Fifty dollars when bought from google. But free besides that.
They'd probably get bad headlines regardless of whether or not they required an in-advance subscription:

- Don't allow upgrading after a problem arises to get premium support: "Google won't let me pay to fix my account"

- Allow upgrading after a problem arises to get premium support: "Google extorting me to regain access to my account"

Sure, people would complain. But they complain now when these issues happen. I'd rather a scenario where people complain but the problems are getting fixed. It's not completely unreasonable that Google offers low/no support for free products. It is unreasonable that they don't have any way to pay for help when there are serious problems.
g suite is awesome for personal accounts. One of the few non abusive services that google offers.
It’s $20/year to get 100GB of space for GoogleOne. Worth it so that you have a paid account with support options.
The author mentions that they are a paying customer.
Google One has support, it's pretty much the only button in the UI when you go there.

EDIT: actually it looks like the support might need to be reached from within the account, so that's still a major problem when you can't get in at all.

I believe Google does offer support to consumers via Google One (where available), it’s priced very reasonably too.

One of Google One’s selling points Google advertises is phone based access to Google experts.

This kind of stuff is horrifying to me and why I willingly pay the Apple Tax. At the end of the day they have stores full of humans I can walk into and tell my sob story to and excellent telephone support.
That is fine but the scam started by reassigning the SIM; something not related to Apple. I am not having enough criminal fantasy but in your Apple World you live in a monoculture...usually this makes it just easier for intruders to make problems.
I don't believe it works the way you think it does:

https://support.apple.com/en-us/HT204921 "If you need more help, contact Apple Support. While we can answer your questions about the account recovery process, we can't verify your identity or expedite the process in any way."

> I would even not mind something like one-time payments for support calls, for example pay $50 for a service call to get assistance in a case like this. I just can't fathom the "no support" model at all.

Have you considered alternatives that do offer support?

There’s also another bad side effect of Google. Google makes and gives away stuff for free and one of the reasons they do it is because they run a lean operation. They don’t provide any kind of support. Let’s say someone want to start a new company that provides all the same features of Google and provide solid support - there’s no way they can do it for free. Or even if it’s a reasonable price, people are going to pick free anyway. Except those of us who care. Just the fact Google and Facebook gives it away from free, in a sense, kills any possible paid service in the domains they operate. IMHO that qualifies as anti-competition and anti-trust. But the laws aren’t designed for this scenario at all.
> kills any possible paid service in the domains they operate.

I can think of paid services that compete in the domains google operates in. Fastmail is an easy one.

Buy a domain (12+USD year depends on extension) + G-Suite (around 4-5USD/Month) and that's it. As a bonus, you always can swap your email provider without changing your email address.
Don't use an sms/voice phone number as part of your 2-step verification in Google.

In the past, I did use a verizon landline phone number as Verizon had the ability to "lock/freeze" that number from any outside changes, but I got rid of my landline a while ago.

Also, print out some backup codes and stick it in your wallet.

I have no idea what month and year I created my google account, and google doesn't seem to make that info available to you in a simple manner.

> Also, print out some backup codes and stick it in your wallet.

The idea of backup codes is good. Putting them in your wallet reduces your security though. Depending on the value of your accounts, you give a (physical) attacker everything he or she needs to compromise you.

If you are going to keep these things on your person, consider protecting them with a hand-written cipher. Example: https://www.schneier.com/academic/solitaire/

This is a good reminder to never entrust Google with sensitive financial records and documents. Sure, the cloud service is a convenience, but, if a hacker accesses your account, it doesn't take much to download copies of those documents and use them against you.
Don't use 2FA, if the 2nd factor is anything mobile-based. Use strong passphrases, and type them when you need access to the assets they protect.

There is the concept of "security VS convenience", a trade-off you make when using secured assets. 2FA is convenience just as much as it is security. By having SMS as a method to reset a password, you reduce the attackers workload from cracking a difficult password to "compromise your mobile phone physically or electronically". I trust my passphrases much more than my mobile device and/or carrier.

This doesn't make sense. Why not use both 2fa AND a strong passphrase? To get to the second factor the attacker still needs your password. There is nothing that says you should use a simple password if you have 2fa configured.
Because they can do "forgot password" using the 2fa.