
Gmail's Security Hole Could Lead to Mass Harvesting of Accounts - iProject
http://www.technologyreview.com/blog/mimssbits/27863/?p1=blogs
======
lomegor
I think this is really far fetched. If you can get a person who has their cell
phone number in Google as a recovery option, to not notice that an SMS number
comes from two different sources (one of them possibly marked as Google), and
to enter a security number (explicitly labelled so) on an insecure webpage, I
think it would be easier to just ask for their Gmail password.

~~~
moonboots
I agree that this phishing attack probably won't lead to mass account
takeovers because Google's two factor authentication is not widespread.
However, you are downplaying the risks.

The different sources of the SMS may not cause alarm. The victim may not go
back to the original message to verify the numbers. Many companies have multiple
legitimate phone numbers. The phisher may try to find phone numbers that are
variations of Google's so the user is less likely to notice.

The phishing page could be secure in the sense of having SSL and looking
professional. I haven't used Google's SMS verification, but I'm hoping that the
text they send raises red flags about only entering the code in Google's web
site. If not, e.g. if it's just the code, I could very easily see a victim
entering the code into a legitimate site. If Google's SMS does have warnings,
the attacker could get a domain like <https://gmailgiftcardverification.com>
that may still get some victims to enter the verification code.

I think this is more dangerous than a page directly phishing for a Google
password. Users are conditioned to look for google.com and a green address bar
before revealing their password. On the other hand, SMS verification is
relatively new, and users may be less familiar with what to expect regarding
the format and origins of the text messages.

------
gemma
"Gmail's security hole"? Really? So "security hole" now means "any opportunity
for users to be stupid". In related news, Gmail's _other_ security hole could
lead to mass harvesting of accounts when users choose a password of
'password1'!

------
adito
It's weird. A few minutes before I read this article, Google sent me a
verification code to my phone. And I wasn't signing up for, signing in to, or
opening any Google-related service at the time. Maybe someone used this trick on me?

