Google hacked account
Despite Google boasting of hiring the best engineers. Their system give us mortals hope that our applications are not so bad after all.
Let me explain the pain I am going through to recover my hacked gmail account.
First, there is no way to talk to someone, their responses are canned, and to top it off, they send you to a link to submit a password request.
So far not a problem, but the email you get back after sending the password reset request contains a link to a page that allows you to cancel the request (not sure the genius who had this idea). Now that the email is hacked, the hacker can read the emails and click to cancel the recovery process. And the vicious cycle continues.
What to do?
168 comments
[ 5.3 ms ] story [ 215 ms ] threadOn the other hand, it is a free service. If you'd have the business subscription, they do have a helpdesk you can contact by phone: https://www.google.com/work/apps/business/support/
The prospects for the rest of us are fairly bleak.
Mostly because if changing ownership of a Gmail account were as simple as "Post to Hacker News and complain," it'd be an obvious and exploitable security gap.
I don't expect it to be easy to change ownership of an account - but there has to be a secure process that one can follow in the event. I'd be happy to pay for it. It's the fear that if the worst happened you would quite simply be unable to contact anyone that concerns me
"White House Gov Account Hacked, Please Help"
However, us normal plebes should be able to get some competent human on the phone and talk to him about what's going on.
I'd hop through lots of hoops to recover my google account, but without getting a human's attention I can't do anything.
Unfortunately, it's a tough situation since for all Google or we know you could be the hacker trying to get into the account and hard for them to verify who you are, since if the hacker was able to steal person's phone to bypass 2 factor authentication, they may also have access to a copy of your drivers license or ID to send to google in an attempt to verify they are you.
While far from ideal, assuming you don't have a close friend to contact google for you via their google apps admin account, you could create a new trial google admin account and then contact google through that mentioning your situation of your other account. While they will still have to find a way to verify who you are at least you'll reach a real person.
I did create another account, they still send the link to cancel the request to the original account!!!
Honestly I'm not sure what Google can do here that (a) doesn't require them to now individually support users ($$$) or (b) doesn't open them up to thousands of erroneous claims.
If that's not a good counterpoint, my phone/SMS service sucks when I'm traveling abroad, which is exactly when Google thinks I'm not me.
I wish Google supported TOTP like Github does, without asking for a phone number.
https://en.m.wikipedia.org/wiki/Google_Authenticator
This[1] would seem to indicate you can use a U2F device[2] as an alternative to providing a cell phone for verification.
[1] https://www.google.com/landing/2step/#tab=how-it-works
[2] http://googleonlinesecurity.blogspot.com/2014/10/strengtheni...
http://www.zdnet.com/article/invasive-phone-tracking-new-ss7...
SMS-based 2FA is really "security through obscurity". It's "good enough" (generously said) if you happen to not piss anyone off or be someone's target. Otherwise, not so much. I don't think enabling SMS-based 2FA will pose any problem for China to hack back into OPM for instance, and yet I think that's one of their "fixes" right now.
Google's Authenticator is also useless as now Gmail allows you to bypass the Authenticator when you can't authenticate with it for whatever reason, and go straight to using SMS 2FA instead, which brings us back to point one.
It is not difficult to do without them.
Asking for help on HN or Reddit works sometimes, but if your business (or personal life for that matter) relies on their services you should really work towards being able to do without them.
However, I'm using an IMAP box on Gandi.net and a domain purchased elsewhere and that is it. I refuse to use any services tied to a single company any more.
This change has given me a lot of headspace for other things.
I do have two-factor authentication after a scare.
edit: just remembered they have a referral system, should you be interested: http://www.fastmail.com/?STKI=13352501
On top of all of that, they actively contribute to open source projects such as Cyrus.
https://www.google.com/work/apps/business/pricing.html
It also comes with 10 minute turnaround time on phone support. You get a little popup asking if everything is okay and if you want to receive a call for support when you login to the admin interface.
I've been quite happy with it for the last three months.
Knowledge about items on the inbox/address book
Location of devices used to access the account
Knowledge of past passwords
Not sending password reset emails to secondary emails that have just been added
I've had more than one job that uses gmail in the office, including my current one. My boss's account is presumably authenticated and if I bugged him he would vouch for my identity.
I have correspondence with a bunch of people in my google account going back years. I could bug any number of them to vouch for me.
I've had, in the past, a few work accounts that used google, that mad my picture associated with it. I can do a google hangout to show that that is still my face.
I have a driver's license with my real name on it, which matches my google account.
I control the phone number associated with my google account.
. . . A hacker could compromise one or two of those, but it would be hard for him to get a majority of them, even if he had my phone and email in his control.
> You're not Google's product, you're their supplier; one of their many millions of suppliers.
Their product is your personal information, which you supply to them in exchange for their services. The fact that you are one of many millions of suppliers (each dealing in microtransactions) means you don't have a lot of weight when you need to get help from them.
The best counter to the lazy Google meme is to think of all the companies where you are indisputably the customer and you also get awful incompetent support.
Pointing out that Google has little incentive to support it's users in a post about getting little support from Google seems very on-topic (but perhaps unoriginal) to me.
To sell to advertisers Google has to get people to use its search engine and other products. To do that it has to treat users like customers in that it would rather have them be happy than not happy, at least unless it costs them too much. This is precisely the relationship that other businesses have with their traditional, simple customers.
Calling someone a "product" is a great way to make a flippant jab at a company but as far as a product is something a company produces, it's just not the case.
Google, like these other companies, produces useful (to many at least) services. The way they make money on this is by selling ad space or access to my eyeballs and earholes. So to claim that users are simply "product" is misleading at best. Their "product" for me is webmail, search, navigation, and file hosting. Their "product" for other companies is space where they can reach potential customers.
So in this sense, like countless other media and information companies, access is one of their products and information services make up their other products.
Well, yes you are. Some years ago, a CEO of french television said that his business was to sell "available brain time" to advertisers.
I'd echo others though - Google is awful at support. They're awful at communication. They decide to shut down products at the drop of a hat without telling people. Avoid Google if you can.
I'm hoping you'll say no, because my feeling of security comes from the fact I've enabled TSV.
Get a U2F key. They work with Google accounts and provide much better protection against phishing (the phishing site does not have the key handle and cannot initiate the challenge-response as a result):
https://www.yubico.com/products/yubikey-hardware/fido-u2f-se...
https://www.yubico.com/applications/fido/
Moreover, U2F does not present itself as a USB keyboard (which had security implications on X11, since every application can listen in on keyboard events.)
Sure it does. TOTP codes are only good for X seconds and most phishing scammers merely collect the information to use much later (I have seen the source behind the actual phishing sites).
I have yet to hear of a story of someone's account being compromised while using TOTP (knock on wood).
But seriously though - companies like Google, Facebook, Gandi, Dropbox, and Microsoft all use TOTP. So I would wager that TOTP is pretty safe to use.
Not seconds, usually a minute:
https://tools.ietf.org/html/rfc6238#page-6
(This is mandated because the user could start typing at the end of a time step and/or clocks can be slightly out of sync.)
and most phishing scammers merely collect the information to use much later
Right. It's probably still profitable to do things in this manner because most people do not use any second factor. That does not change the fact that TOTP is extremely vulnerable to phishing. Most people here could probably a code that does this live in an hour or so.
But seriously though - companies like Google, Facebook, Gandi, Dropbox, and Microsoft all use TOTP.
Yes, because TOTP adds good security against other attacks, such as password leaks, since every site has its own shared secret.
Almost every service I use is 30 seconds - including Google's [1]. Even in the RFC you linked it says 30 seconds.
> This is mandated because the user could start typing at the end of a time step and/or clocks can be slightly out of sync.
That is the downside of TOTP. If your clock isn't in sync with the server's then you may never have a valid OTP. However, I have seen many implementations allow for time shifting - ie the code that was generated in the past 30 seconds, this 30 seconds and the next 30 seconds are all valid. I didn't do that for my source code hosting service - but it makes sense in case the user hit enter right after the 30 second window. I suppose HOTP is supposed to solve the timing problem.
> That does not change the fact that TOTP is extremely vulnerable to phishing.
This doesn't make sense - TOTP isn't any more vulnerable than the password itself. You still need my password. And even if you phished that - by the time you would attempt to access my account the TOTP would be invalid. The only way that would work is if you were actively watching the captured credentials and attempted to login right away. That to me would be a targeted attack rather than some random phish.
[1] - https://github.com/google/google-authenticator/wiki
Hence one minute. This is also why I referred to the RFC.
The only way that would work is if you were actively watching the captured credentials and attempted to login right away. That to me would be a targeted attack rather than some random phish.
Why? It's no problem to make a phishing site that requests the password and the TOTP code and uses these credentials immediately.
Upvoted you but...
A company offers a free service. "Your aunt" does know know or understand the need for "two step verification" nor do almost certainly a large percentage of people using gmail.
This idea that companies resolve themselves of all responsibility to provide reasonable customer support for a free product with such wide adoption is ridiculous. Google derives benefit from the relationship regardless of the fact that the service is free.
This is why you end up fixing your aunts printer. And why you have a more secure e-mail account than her. And why you can handle backing up your photos.... etc
It's not Google's fault entirely.
I like the sound of that. I actually have run my own mail servers since the mid 90's [1] but I am more of a business guy who knows computers than a strong technical guy the way that I see it. I don't use gmail (for anything important I do use it for unimportant things) I don't like the idea of my mail sitting on their servers.
[1] Actually if you include non internet mail dates back to the mid 80's on a Unix system V.
I have found it helpful and have done deals with people that would normally be considered spammers. Wish I could provide details but let's just say that some people who spam actually are legitimate buyers of certain products or services and respond quite well to reply emails.
How much spam do I get and have to go through? Easily 3000 messages per day. You will have to trust me when I say I have not regretted not doing any filtering in terms of what I do [1]
[1] And no I do not sell a product or service to spammers...
There are various options for dealing with spam, if you're doing it by yourself.
My number one defense is a simple DNS check. SMTP servers that do not have valid and matching forward and reverse DNS are almost always spammers, with very little false positive identification. Spammers almost never have a server whose reverse DNS address is a domain name that resolves back to the same IP. Most of the time when spammers do have such a thing is when they compromise someone else's (e.g. Yahoo or whatever).
After that, it's a few DNS-based checks of black-listing databases.
Then some pieces of custom logic in the Exim configuration.
Of course, SPF: if the apparent sender's domain publishes an SPF record, I check it to see whether the server connecting is authorized to handle mail for that sender.
Finally, I also have scripts that monitor the mail server's log and implement IP banning (like fail2ban but home brewed). For instance, if the server reports suspicious SMTP commands, this will be ferreted out of the log in real-time and turned into an iptables-based ban that stays in effect for some time.
Oh, plus I have geographic banning in effect. Periodically, I download the latest IP netblock list from ARIN and other autonomous systems and block certain parts of the world (e.g. China) from connecting to my port 25.
I wonder more and more if we need to make it mandatory in some form, but maybe more formal. Like you can use your phone, but also here is a plastic, officially-sealed set of codes we'll mail to you at a verified address just in case.
And then people would start crying ... "google now wants to know your home address .... "
... and stories such as this are the consequence we shall have for taking the Libertarian solution. Not that I disagree with the solution taken! I just have a hard time swallowing the argument that it's always the provider's responsibility to account for total user ignorance at all times. A solution has been provided for this attack vector, and if the end-user chooses not to use it then perhaps at some point the onus is on the end-user.
(Or perhaps Google should just make 2FA mandatory for everyone, "your aunt" included).
Email is the most sought after account. All the password reset requests to your Bank, Twitter, Facebook, etc. are delivered to your email account. So when someone steals your email account, they've stolen all the others too. Go change those accounts to use your new email (if you can).
Did you set the recovery email the same as the main email? Cause I only get password reset to the recovery email.
If you used the same address for recovery email, then it defeats the whole purpose
I actually just tried it on an account I own, and it does not send the email to both addresses, only to the recovery email address.
If that is really happening to you, that sounds like a bug to me.
I believe i can help.
The first step would be to edit the title of your submission to begin with "Ask HN: hacked Google account, what to do?", since you're asking a question.
"Google hacked account" means, to an English speaker, that Google perpetrated hacking against some account somewhere (subject-verb-object, right?) E.g. Google people gained access to your bank account. I.e. your current submission title is clickbait.
The current title is ambiguous at best; just plain misleading/sensational at worse - especially now reading that this is really about just one person losing access to their Gmail.
_____
EDIT: In case the title does get changed, the original title that I'm looking at right now is "Google hacked account". This is what I woke up to this morning --- http://i.imgur.com/vWJ41ck.png
But oh right, you woke up this morning and the sky was falling, all because you had to take an extra 30 seconds to actually read the fucking post
Additionally, you have to track every change with a timestamp so that you can invalid everything that came AFTER the change you just reset. That will prevent a hacker from being able to screw with the account because the original email address will also be able to cancel future changes, no matter how many times the perpetrator did it.