Comment by thaumasiotes

5 years ago

Just a couple of days ago, I signed in to a gmail account using the correct username and password.

Gmail intercepted me and claimed to be worried that they couldn't recognize the device I was using. According to the flow, they wanted me to verify my identity in one of three ways: (1) I could verify the backup email address associated with the account; (2) if unable to do that, I could provide the 2FA code sent to that same backup email address (how would I be able to know this without being able to know what the address was?); or (3) I could provide a phone number -- previously unknown to Google -- on the spot, and then provide the 2FA code sent to that brand-new phone number. (How is this supposed to help them verify my identity?)

I went for option (2), the email 2FA code. After providing the code, I was informed that, before signing in to my existing gmail account, I must also provide a phone number and enter the 2FA code sent to my new phone number.

So I went back and went for option (1), typing in my backup email address. Same thing happened. Because Google "couldn't recognize the device I was using", I was not allowed to sign in to an account I obviously controlled without providing a phone number with absolutely zero authentication value.

I did find a workaround. If you attempt to sign in to an account afflicted in this way in an incognito browser window, Google will, for the moment, allow it.

"Don't be evil" is long gone.

Never ever ever ever give your phone number to Google for verification or authorization. People just don't understand how easy it is to find someone's phone number and then steal it for long enough to steal e.g. emails. Has happened, will happen etc. Like SSNs, phone numbers were never made for this purpose. In fact phone numbers and services (e.g. SMS) are just the front end and are set up to be easy to redirect.

We had incidents in the past just because the colleague had given the number to Google and those were corporate accounts.

Every time a service moves to SMS or phone calls for 2FA a cry can be felt across the universe by any security engineer/cryptographer.

If you are a person responsible for this: please don't. If my antiquated bank that is insured and doesn't really care can understand this, so can you, if you care just a bit.

  • > Never ever ever ever give your phone number to Google for verification or authorization.

    You literally do not have a choice, last time I checked you had to set up SMS 2FA first. Once you’ve done that you can set up a better method and remove the SMS, but you have to remember to do it.

    > If my antiquated bank that is insured and doesn't really care can understand this, so can you, if you care just a bit.

    My bank certainly has not gotten that memo.

    • Even if it looks like you can disable it, I wouldn't be surprised at all if they'll still let you recover access with the phone number if you fail to log in enough times. They want people using their accounts, searching and using other Google $ervices.

  • Is it really that easy to steal a phone number and/or intercept SMS messages? Isn't the SIM supposed to hold all sorts of secrets to prevent that?

    • I don't think it's down to the SIM. It's more they call help at the phone company and say "hi I've lost my phone, number 0123123. Could you transfer it to my new handset with another SIM in." Or similar. I had my one (with Three UK) transferred to some random fraudster this year. I got it back but it was a pain and potentially dangerous. In fairness to Google they didn't manage to get into that.

      Suggestion to phone companies: When receiving such requests email and text the user saying "we've had a request to transfer your number, contact us if not you" rather than just cracking ahead.

    • > Isn't the SIM supposed to hold all sorts of secrets to prevent that?

      The process has a security hole by design: SIM cards can get damaged/lost (usually with the phone) and you wouldn't want to lose your number just because you lost your phone or damaged your SIM card by accident. This hole is typically exploited by attackers after they have identified a high-value target. You basically outsource the control over your account to a telco employee.

    • I had this happen after a promotion that changed my LinkedIn title to something more prominent.

      Still can’t prove what happened but someone ported my number from my carrier to Sprint and it took easily 18 hours to undo it. And it required convincing Sprint, which I had no affiliation with, that the original transfer was not intended, and that yes I want to reverse it out.

      Crazy painful.

    • High level government members were hacked in Brazil using spoofed numbers to access voicemail. No social engineering, just bad systems.

    • It varies by country and the US is not very secure. In a lot of technically more secure countries social engineering and corruption are available for a determined attacker.

  • It shouldn't be an immediate problem if it's really 2FA: if the second factor fails, there's still the first factor. The problem is that many systems use the phone as a single factor.

It's especially nice when traveling. I was once asked by a client to do something while I was in another country about 5k km from my regular location. Couldn't log in to the apps account for this reason (no backup email or phone set). So I didn't do the work.

I suspect it's some work-life balance enhancing thing. :D

I don't really mind, since it also helps me bash Google services in front of my clients who still use them, without being aware of these failure modes.

Personally speaking, it's absolutely a no go service. I can probably handle service loss at home quite fine, but if I relied on google or other services with these "anti-abuse" features while traveling that would be very stressful. I usually print out everything important before departing so I don't rely on any electronics, anyway, because none of it is as reliable and as quickly accessible as a piece of paper or a bunch of cash.

  • If you look at the gmail login page, you may notice that they specifically recommend you sign in in incognito mode when using a device that doesn't belong to you.

    Their expressed policy makes an interesting contrast with their behavioral policy of freaking out and locking you out of your own account if you ever try to sign in on a device they suspect might not belong to you.

    And of course, they're godawful at recognizing whether a device belongs to you. They freak out and send me "urgent" emails (on a different gmail account) whenever my phone switches between wifi and the cell network. Responding "yes, that was me" does nothing to prevent this.

    • I imagine it has nothing to do with security and is more about tracking. A similar failure mode with apple is that I essentially need to own two apple products with the same account to accomplish things that should only need one apple product, like making a free download from the app store.


    • Can relate on the freak out part. Recently I logged in and generated an app password and it triggered 3 emails per action and to 2 different emails I had as my backup.

I had that happen, too — even after successfully receiving the passcode at my recovery address, and entering it, they still denied login. Presumably it's a bug in their system (being generous), but who knows when they'll fix it, if ever?

I currently have an old (infrequently used) gmail account, with a valid recovery email, that I cannot log in to at all.

I don't have (or want) 2FA set up for it.

I tried an incognito window just now, and same problem ):

Just had this happen to me with my Microsoft/Minecraft account. I had migrated my mojang account 2 days ago and today I was told that apparently they "detected some activity that violates our Microsoft Services Agreement" and locked my account. They did not explain what the violation was and apparently it would magically go away if I verified my phone number (which they did not have before).

Never doing any business with MS again.

I've actually found it hysterical. The phone number question seems to be for their data mining as well as evidence. But anyone can get into any email address when prompted this way. It is possible to send a text to someone else's phone, the servers connected to phones online are often polluted but many times they are not. You can send a text to those and get the code.

Or of course, just send the code to anyone and SS7 hijack that specific text message. You aren't hacking them, after all, you're hacking yourself or someone else.

> if unable to do that, I could provide the 2FA code sent to that same backup email address (how would I be able to know this without being able to know what the address was?)

I am one of those people using option 2, by virtue of keeping a lot of old email accounts that I have set up to forward to my main account. So I don't usually need to remember which account it was, and just wait for the email to come through from the void.

Once upon a time not long ago, I got off from my flight into a foreign country (I don't have a SIM card that would work there). I turned on my wifi and was delighted to see they had a public network you can use. There was a captive portal, and the only sign in options (besides using a local phone number) were Facebook and Google. I chose Google, and entered my id and password. Google promptly went into the "sus" mode as you described.

Now I can't use option 1 or 2 because I don't have internet access until Google approves my sign in. I can't use option 3 because I don't have a SIM card that would work locally. Thankfully Facebook login worked.

When I sign into a Google apps account I have associated with a school, about half the time I am forced to go through option (3) whereby I’m asked for a number they can send an SMS to. I am never presented with option 1 or 2. Per the tenant settings which I do not control, 2FA is disabled and users cannot enable it, nor provide a backup email last I checked. Extremely frustrating, especially not being able to use a VoIP number, a landline to dial, or set up a more robust TOTP generator or the like. Perhaps the school should codify the requirement for students to have cellular service just to enroll, since it’s the de facto case already. sigh

How does that story have anything to do with being evil, by any stretch of the definition?

Are you insinuating that Google has this convoluted verification flow to intentionally harm people in some way? Or even to intentionally harm privacy or further business goals at users' expense?

Or are you just using "evil" to refer to anything you don't like?

  • The outcome is that they hold your email / data hostage while escalating their demands for your personal information. That sounds pretty evil to me.

    That may not be what they intend, but that is the result, regardless.

  • >Or even to intentionally harm privacy or further business goals at users' expense?

    Yes (and obviously).

    Google, and other SaaS, have used such dark patterns to collect more user identity data (user profile info is what they ultimately sell - even if sold to advertisers "anonymized", the profile is richer and worth more the more data they have on you).

    • What never seems to come up is that as far as ads are concerned and with the amount and kinds of data that these companies are and have been collecting, your name is worth zilch. "Anonymized" is a red herring.

  • > How does that story have anything to do with being evil

    Google forcing you to enter a phone number is dishonest/hostile and has absolutely not the slightest to do with any desire to make your account more secure.

    It's basically just Google holding your account hostage to get your phone number.

  • It’s a false reason to collect more data by holding your Gmail hostage until you provide a phone number. It is a pretty shitty user flow with no benefit except for their data collection.

  • I think that comment refers to Google trying to know more identifiable information about the user: a phone number. Which adds to Google’s collection of private data, susceptible to more profiling and such.

  • As noted in the parent, in the given scenario the phone number provides absolutely no improvement in security or verification that the person who enters the phone number is actually the owner of the account. At best, granting Google the benefit of the doubt, it is security theater.

    So, since it isn't effective for its stated purpose, are there other reasons it could be in place?

I had this problem this week too. I have a secondary Gmail account that is forwarded to my main one. I tried to log in to it, they demanded a phone number (even though I do have access to the backup email), and wouldn't let me in because the only number I have is one that's already in use on my main account. I guess now you need one unique fully-functional phone number for every Google account you have?!

  • I think you can verify 6 Google accounts with a single number.

    • Hmm. I'm sure I don't have that many, and it told me I couldn't use that number, but maybe it was a temporary issue. I haven't tried again...

> if unable to do that, I could provide the 2FA code sent to that same backup email address (how would I be able to know this without being able to know what the address was?)

Two options from the top of my head:

1. You have email forwarding configured so received mails will be delivered to another account. That's generally configured in the settings of the provider (i.e. directly under account settings in Gmail iirc).

2. You have a logged in device which receives mails through an application password. You cannot read it out because it's masked and even if you could, it wouldn't help you because it's only allowed to receive mails, not login.

I don't think this is particularly rare, honestly.

But yes, it is obnoxious.

I have real anxiety about being locked out from "digital self" someday due to issues like this. Sometimes I really think this just isn't worth it anymore and I'm far too invested in "the Internet".

There's a workaround to fix an account afflicted this way: use a YubiKey to add as a security key and then add a 2FA through the Google Authenticator standard (which works with 1Password). Once that's set up, Google will never ask for your phone number again.

I seem to recall FB doing similar. It's similar to banks or telecom providers requiring a person's home address (or worse: to prove it using a utility bill).

Wherever I can I set up code generation / TOTP 2FA precisely to avoid lockouts. Then to avoid losing all of those whenever I change/reinstall my phone I opt for the less secure option of storing them in a password manager...

I can't think of another way not to get locked out in case I ever lose my phone.

Google, Paypal and a few others seem to be the worst offenders at "protecting me".

Phone numbers are tied to your identity. You can't buy a mobile SIM card without showing your ID, and the phone number will be registered to your ID.

This happened to me years back. What would you say to the argument that it's to protect users from identity theft?

Check your internet connection and Google/Gmail certificates. It looks like you are tapped.