
Turn on MFA Before Crooks Do It for You - todsacerdoti
https://krebsonsecurity.com/2020/06/turn-on-mfa-before-crooks-do-it-for-you/
======
ping_pong
This is absolutely getting unwieldy to the point of being fucking ridiculous
and unusable.

I've been in tech for 25+ years. I'm very familiar with security, and I have
the internal endurance to sit patiently and work through IT-related issues.

However, at this point, there are just too many broken ways and I'm at the
point of giving up. I use LastPass and if that somehow gets hacked or phished,
I lose absolutely everything. I'm waiting for the next virus or phishing
attempt to steal my LastPass password.

I use multi-factor authentication on some accounts, but if they use SMS like
many sites do, I can get my phone number stolen from me and then I lose
access.

I use Gmail and Google Authenticator, but if I somehow do something to piss
off Google, I can lose my gmail account and access to Google Authenticator and
then I'm really fucked. I've lost some gmail accounts because they will ask me
for security questions when I log in with the correct password, and I don't
remember them so my account gets locked, so they're gone forever.

What we need is a single way to do login, MFA and security across every single
site. We can't have every company incorporating their own methods. We need
standardized customer support, where Tier 1 customer support can't give you
access to things like credit card numbers, last 4 digits of SSN, or change
passwords. Changing passwords needs to be a higher level, better trained
customer support.

There needs to be an ISO standard that is well thought out and implemented by
all the vendors, or at least all the big vendors. If there's a standard way of
doing security but also a standard way of doing customer support and what data
is exposed to various levels of customer support, then social hackers can't
take partial info from sites A and B, and use that to social engineer site C.

This has to be simplified because it's absolutely unwieldy even for a veteran
like me. There are too many ways I can get hacked and we are all just sitting
ducks. The only thing protecting us is that we aren't high-value targets.

~~~
saulrh
Re: Google Authenticator, I've started grabbing the TOTP secrets and storing
those in backups. Download the QR code and decode it to get a string like the
following:

otpauth://totp/Domain%3Ayour%40email.com?secret=HXDMVJECJJWSRB3H&issuer=Domain

That "secret" field is the only thing that TOTP actually cares about, and any
app that supports TOTP will happily ingest the secret and provide 2FA codes.
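The following is an added example (not saulrh's code, and not from any particular authenticator app) of what a TOTP app does with that URI: parse the `secret` parameter, base32-decode it, and feed it through RFC 4226 HOTP with a time-based counter (RFC 6238). The function names, the verifier's drift window and the RFC reference key `12345678901234567890` are assumptions for the example; the URI itself is the one quoted above.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri):
    """Parse an otpauth://totp/ URI into the fields a TOTP app needs.

    Only 'secret' is required; issuer, digits, period and algorithm fall
    back to the defaults most authenticator apps assume.
    """
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    params = parse_qs(u.query)
    secret_b32 = params["secret"][0].upper().replace(" ", "")
    # Base32 decoders want '=' padding; otpauth URIs usually omit it.
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": params.get("issuer", [None])[0],
        "key": base64.b32decode(padded),
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
        "algorithm": params.get("algorithm", ["SHA1"])[0].upper(),
    }


def hotp(key, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP: HMAC over the big-endian counter, then dynamic truncation."""
    if counter < 0:
        raise ValueError("counter must be non-negative")
    digest = hmac.new(key, struct.pack(">Q", counter),
                      getattr(hashlib, algorithm.lower())).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key, at=None, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238 TOTP: HOTP with the counter taken from the Unix time."""
    if at is None:
        at = time.time()
    return hotp(key, int(at) // period, digits, algorithm)


def verify_totp(key, candidate, at=None, window=1, period=30, digits=6,
                algorithm="SHA1"):
    """Verifier-side check that tolerates +/- `window` time steps of clock drift.

    Each step is compared with hmac.compare_digest, and the loop never
    returns early, so timing does not reveal which digits matched.
    """
    if at is None:
        at = time.time()
    step = int(at) // period
    ok = False
    for delta in range(-window, window + 1):
        if step + delta < 0:
            continue
        expected = hotp(key, step + delta, digits, algorithm)
        ok |= hmac.compare_digest(expected, candidate)
    return ok


# The URI quoted in the comment above.
PAGE_URI = ("otpauth://totp/Domain%3Ayour%40email.com"
            "?secret=HXDMVJECJJWSRB3H&issuer=Domain")

# RFC 4226 / RFC 6238 reference key (ASCII "12345678901234567890"), assumed
# here so the output can be checked against the published test vectors.
RFC_TEST_KEY = b"12345678901234567890"


if __name__ == "__main__":
    entry = parse_otpauth(PAGE_URI)
    print(entry["issuer"], entry["label"], "current code:",
          totp(entry["key"], period=entry["period"], digits=entry["digits"],
               algorithm=entry["algorithm"]))
    print("RFC 6238 vector, T=59:", totp(RFC_TEST_KEY, at=59))  # 287082
```

Since everything after the URI is a pure function of the decoded key and the clock, a backup of that one string (kept as carefully as a password, as the replies below note) is enough to regenerate codes in any compliant app.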

~~~
bigiain
Careful with those backups though. You should probably treat your TOTP secrets
as password-equivalents.

I grab all my QR codes or secrets, but I store them in 1Password so they're
strongly encrypted in my backups.

~~~
saulrh
Agreed. They live in BitWarden right next to the passwords. I lose _some_
security, since compromising my password manager now also compromises my 2FA,
but the password manager is itself behind 2FA, a Yubikey, and its backup codes
are on paper in my safe.

~~~
justinc8687
Yubikeys can do TOTP. Why not just store the secrets on the key itself?

~~~
saulrh
Laziness, old Yubikey hardware that doesn't do TOTP natively, logging in to
websites on my phone. I probably should upgrade, it's just pretty far down my
to-do list.

------
muststopmyths
>“During this period, we started realizing that his bank account was being
drawn down through purchases of games from Xbox and [Electronic Arts],” Dayman
the elder recalled.

You should never trust any of these companies with your actual bank account.
All of them have garbage customer service with hoops upon hoops to get real
help if your account is somehow compromised.

Use a credit card, prepaid card (in the US Amex gift cards you get at grocery
stores will work just fine) or buy codes from Amazon and redeem them.

~~~
pmiller2
Agreed. By extension, you also should not use a debit card as a credit card,
for largely the same reasons. Credit cards have excellent fraud protections
enshrined in law that are not extended to bank accounts or debit cards. Your
individual banking experience may vary, however. For example, my credit union
has a $0 liability guarantee for fraud on my debit card, but they are not
required to offer that.

Personally, the only companies that have direct access to my bank account are
those that either won't accept credit cards, or make it excessively difficult
to do so. Chief among them would be the service that processes my rent
payments, and PG&E.

~~~
muststopmyths
I have something called "Bill Pay" from my credit union where they send the
checks for payment (Rather than the company drawing from your account). That's
how I pay PG&E. You might want to investigate if your bank has the option
(unless you already have, in which case never mind :)

~~~
pdonis
Sending checks isn't really any different, since the checks contain the same
information that you would provide the company to draw from the account. Even
the one additional safeguard checks used to have, that they have to clear
through the banking system so there's a paper trail, often doesn't apply any
more since many companies will now process the check as an ACH transaction
instead of a paper check transaction, the same as they would if they were
drawing directly from your account.

~~~
mindslight
AFAIK, most bill pay services move the money from your account into an account
owned by the bank, and then send out a bank check. But verify this for
yourself before trusting it.

~~~
toast0
When I was using my credit union's billpay, sometimes they would do that, and
sometimes they would write a check against my account; it wasn't apparent why
(as I recall, some scheduled checks were issued with both methods over time).

------
tgsovlerkhgsel
2FA is a maintenance nightmare.

I have 2FA turned on for Github. Since they refuse to recover accounts that
have 2FA enabled if you lose your second factor, I have many alternative ways
configured: TOTP, U2F, recovery codes, recovery phone number.

I have the recovery codes stored in a secure location, and several U2F tokens
enrolled (one of them is also off-site at a different location).

But I didn't back up my TOTP seed. I still have the old phone with Google
Authenticator, but it's too old to accept the version that lets me export my
keys.

Getting a new TOTP seed requires me to re-setup 2FA, which will invalidate the
recovery codes and possibly unenroll my security keys (it says "This will
invalidate your current two-factor devices and recovery codes.")

It's also apparently impossible to set up Github 2FA with "only" a set of
security keys + recovery methods - you have to first set up an authenticator
app or SMS 2FA as a primary method.

So now my options are:

- Leave the dead TOTP on the account, and don't have a working TOTP setup

- Re-setup from scratch, invalidating the recovery codes and possibly U2F
tokens, requiring me to visit two distinct off-site locations to re-setup
everything, one of which is currently locked down and inaccessible due to
Coronavirus.

And Github is one of the better sites when it comes to 2FA!

~~~
lambda_tango
I had to get the seeds out of Google Authenticator several years ago. The
seeds were stored in an SQLite database file in the app directory. I think I
used another app to read the DB file and export the seeds to plain text, but
you could also conceivably copy the file to a computer and work from there,
though you might need root access either way.

~~~
tgsovlerkhgsel
Yes, all of this requires a rooted phone or otherwise subverting the Android
security model.

A potential alternative could be finding an ancient APK that didn't have the
'prevent backup' bit set, downgrading via adb install, and pulling an adb
backup. Still, massive PITA.

------
branon
Or just don't reuse passwords.

Two-factor authentication is largely an annoying band-aid over an easily-
solvable problem. It either relies on devices and protocols like smartphones
and SMS (which are fundamentally insecure to begin with) or requires expensive
proprietary solutions like Duo.

I do like hardware (U2F) keys a lot though.

~~~
majormajor
How do you accomplish "don't reuse passwords" in practice without relying on
those same devices like smartphones or computers to store your passwords?

~~~
branon
Personally? [https://masterpassword.app/](https://masterpassword.app/)

It's like an anti-password manager. Doesn't depend on any specific device.

Essentially it's a sane implementation of what others have already discussed
below, in the other child comments -- using the name of the site to derive a
secure, non-reusable password.

~~~
linsomniac
I used to do this in the distant past, but gave it up because it didn't cope
well with:

- Sites that have different password requirements (some require special
characters, some don't allow them, for example).

- Changing my password on a site.

I took a peek at masterpassword.app, but couldn't see that it solved these.
Does it?

~~~
branon
Barely. In order with your requirements, Master Password offers:

- A choice between a few different password types (numerical, short, long,
complex, phrase) for picky sites. It relies on you to remember which password
type you used for which site.

- A counter you can increment arbitrarily to generate new passwords for a
given site. Again, relies on you to remember that you're on password #3 for
site X, password #5 for site Y, ...

I haven't reached a point where I've had to make heavy use of these features
(yet) but if you use lots of picky sites, or change passwords very often,
certain limitations will become apparent.

If it's any consolation, passwords generated by Master Password tend to have a
unique phonetic cadence -- that is to say, once you're familiar with the first
or second syllable of your password for a given site, you'll know pretty much
instantly if you're looking at the right one, despite not being able to
reproduce the entire string from memory.

This might make it easier to increment the counter several times in quick
succession while being able to conclusively discard passwords that don't
"sound right".

YMMV of course. If this sounds like something you'd hate to do, Master
Password may not be a viable solution.

The Java-based desktop app somewhat solves these issues by (optionally)
caching encrypted data about your passwords (site names, password types, and
counters) on disk. However this could possibly end up defeating the point of
"doesn't rely on any specific device", if the user grows to become reliant on
the cached data.
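As an added illustration of the scheme branon describes (one master secret, the site name, a counter, and a password "type" chosen from a few templates), here is a simplified derived-password generator. It is not Master Password's actual algorithm: the character classes, templates, salt string and scrypt parameters are assumptions chosen for the example.

```python
import hashlib
import hmac

# Character classes for template slots (an assumed, simplified set).
CLASSES = {
    "V": "AEIOU",
    "C": "BCDFGHJKLMNPQRSTVWXYZ",
    "v": "aeiou",
    "c": "bcdfghjklmnpqrstvwxyz",
    "n": "0123456789",
    "o": "@&%?,=[]_:-+*$#!'^~;()/.",
    "x": "AEIOUBCDFGHJKLMNPQRSTVWXYZaeioubcdfghjklmnpqrstvwxyz0123456789!@#$%^&*()",
}

# Password "types" the comment refers to: pronounceable templates for picky
# sites, digits-only for PINs, and a plain random mix.
TEMPLATES = {
    "long": "CvcvnoCvcvCvcv",
    "medium": "CvcnoCvc",
    "short": "Cvcn",
    "pin": "nnnn",
    "basic": "xxxxxxxx",
}


def master_key(user_name, master_password):
    """Stretch the master password once per user with scrypt.

    Salting with the user name means two people who pick the same master
    password still get unrelated keys. Parameters are example values.
    """
    return hashlib.scrypt(
        master_password.encode("utf-8"),
        salt=("example-derived-pw:" + user_name).encode("utf-8"),
        n=2 ** 14, r=8, p=1, maxmem=64 * 1024 * 1024, dklen=64,
    )


def site_password(key, site_name, counter=1, template="long"):
    """Derive the password for (site, counter, type) from the master key.

    Nothing is stored: the same inputs always give the same password, and
    bumping the counter is how you "change" a site's password. The user
    still has to remember which counter and type each site is on.
    """
    if counter < 1:
        raise ValueError("counter starts at 1")
    tmpl = TEMPLATES[template]
    # NUL-separate site name and counter so ("ab", 1) cannot collide with ("a", "b1").
    msg = f"{site_name}\x00{counter}".encode("utf-8")
    seed = hmac.new(key, msg, hashlib.sha256).digest()
    if len(tmpl) > len(seed):
        raise ValueError("template longer than seed")
    # One seed byte selects one character per template slot. The small
    # modulo bias is acceptable for an illustration, not for a real scheme.
    return "".join(CLASSES[c][seed[i] % len(CLASSES[c])] for i, c in enumerate(tmpl))


if __name__ == "__main__":
    key = master_key("alice", "correct horse battery staple")
    for counter in (1, 2, 3):
        print("example.com #%d:" % counter, site_password(key, "example.com", counter))
    print("bank PIN:", site_password(key, "bank.example", template="pin"))
```

The two limitations linsomniac raised are visible in the signature: the site's password policy is handled only by picking a different `template`, and a password change is a different `counter`, and neither choice is recorded anywhere unless you add the kind of per-site cache branon mentions.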

------
mnm1
The downside is not touched upon, however: losing access to an mfa account
because the mfa is lost. This can happen in a multitude of ways. Losing a
phone, wiping a phone, changing phone number, losing a hardware access key,
losing recovery keys (if they're even provided, many times they are not), etc.
It's inconvenient too, especially for sites that require it on every log in
and whose sessions were short lived (aws). Or refreshing everything when the
mfa changes including codes. I have almost 500 logins in my password manager.
That's 500 potential mfa code generators and 500 sets of restoration keys. All
I'd have to manage manually (pw manager can help with the keys but it's all
manual).

~~~
twblalock
Most of my MFA accounts allow me to download offline backup codes in case I
lose access to the authenticator.

~~~
Mirioron
How do you keep all of that safe though? Unless you use a password manager
that backs up into to cloud you can still be in trouble. If your house burns
down then there's a good chance your codes went with it.

~~~
bakoo
Keep it where you keep your other valuables, and store a reasonably safe copy
with family or friends.

------
wwarner
There is also an argument here against multi-factor authentication. If
compromised _first_ the second channel makes the system more vulnerable.

------
klaasvakie
Living in South Africa, I actually turn off 2FA wherever I can. I use a strong
random password per site stored in a password manager, but my phone number is
controlled by a drone at a telco helpdesk which can easily be convinced to
port my SIM to another.

SIM-swap fraud is super common here, so turning on 2FA actually reduces the
security of my account.

------
technion
Since this is a gaming article..

A soon-to-be-released patch offers World of Warcraft players an in-game
upgrade (additional bag slots) for players with MFA set up. I would have
thought this would be supported by a community.

Instead, the feedback I'm seeing everywhere is "it's just a scam to make you
setup the authenticator, don't fall for it". I cannot fathom why people think
this, when it's a free offering and protects you more than them.

It just shows how differing some community views are from the security
community.

~~~
MrStonedOne
MFA has made authentication less reliable.

You can reset a lost password with an email and an automated process. You can
not do this with 2fa on just about any 2fa enabled site I've seen.

2fa is a net gain in how likely you are to get locked out of your account,
This is why nobody wants to use it.

------
notkaiho
The article mentions the father having recovery codes in a safe. For those of
you who do use MFA with recovery code access if the MFA device is lost, how do
you store your recovery codes?

Say I have MFA enabled to send me an SMS when I log into my email.

I am abroad, and my phone gets stolen. I need to log in to my email on some
other device and re-access my boarding passes, maybe communicate about my
upcoming radio silence. But I can't access my account without the code sent to
my phone...

That's my worry with this thing.

~~~
justinc8687
I print them on paper and snail mail them to my sister and parents. I lose my
yubikeys (I store TOTP secrets here, not my phone), I can call them
internationally and have them read me the seeds (or send me a picture, at
which point I roll them all over).

I've also done it where I sent them a YubiKey with my secrets, then set it up
so I can access a computer remotely (via ssh, rdp, etc...). I have to call
them to insert the key into the machine, so if the machine gets compromised,
there's not much risk, as it's only plugged in if I call them to do so (and
tell them to unplug it X minutes later).

~~~
notkaiho
Interesting! I think I read about a person who had an "only turn on this
machine if I ask you to" situation, where that computer would boot,
automatically connect to a network and allow for connections to the secrets
store, in a situation like you describe.

Of course, that requires maintenance and checks it would work in a real life
situation, that network configurations haven't changed, the parents are
present and compos mentis, etc.

------
dastx
Every now and then I get a password reset email from spotify. Someone
somewhere keeps trying to login to my account (not sure what the point is to
try and go through the password reset process, since the email gets sent to my
email, and they likely won't know which email it gets sent to). Would be
brutal if they find out my password is 64 random characters.

What's annoying is that a lot of these attempts would stop if spotify simply
started forcing MFA. Even if through their mobile app.

~~~
jimmaswell
What's the point of breaking into a spotify account?

~~~
chewz
It happens a lot.

1) To get free premium account

2) Same email/password re-used on other sites

NYT: Who’s Hacking Your Spotify?

[https://www.nytimes.com/2019/12/05/style/spotify-hacked-what...](https://www.nytimes.com/2019/12/05/style/spotify-hacked-what-to-do.html)

~~~
kipchak
Sorry to hijack, but I came across your comments on Dyatlov Pass after looking
into a bit myself. Do you have a favored theory by chance?

~~~
chewz
After reading a lot and especially watching recent programs on Russian TV with
witnesses coming out, I am strongly convinced of human action.

They were lined up in front of the tent and told to leave the external layer of
clothes and shoes in the tent. Otherwise it would be too easy to escape in the
darkness. They walked down the slope, some who resisted had been beaten
(Kolmogorova, Slobodin), and under the tree some were undressed and tortured
with fire (Krivonischenko).

This TV show is a mess, but there are some interesting witnesses who came
forward.

[https://youtu.be/uBzHvq3fWh8?t=1295](https://youtu.be/uBzHvq3fWh8?t=1295)

[https://youtu.be/dN7LSVjpPGs?t=882](https://youtu.be/dN7LSVjpPGs?t=882)

[https://youtu.be/UM2csYGEU5k?t=2160](https://youtu.be/UM2csYGEU5k?t=2160)

The most mysterious personae are Krivonischenko and Zolotaryov.

~~~
kipchak
Both are definitely mysterious. It's a bit difficult to tell by reading
English translations, but as far as I can tell Zolotaryov's body had a tattoo
(I've seen it described as military related, crime related and unknown) that
people who knew Zolotaryov said he didn't have, had a fifth camera that was
unknown to the rest, had different tooth caps and didn't match a DNA test
after a recent exhumation, though later testing matched.

Also on the subject of the rib fractures, they've been described as consistent
with a bomb or car accident, a snow mobile like a B7 seems like a possibility.
Maybe Krivonischenko was suspected of leaking information and Zolotaryov was
there to keep an eye on him, and the rest got caught up in the mess. And when
things got out of hand, Zolotaryov sided with the group.

~~~
chewz
Fortunately I can still understand the Russian that I had to learn at school..

Krivonischenko was no ordinary guy. His father held the rank of General Major
and was in charge of constructing Soviet nuclear plants. Krivonischenko himself
worked on liquidating Mayak (Kyshtym disaster -
[https://en.wikipedia.org/wiki/Kyshtym_disaster](https://en.wikipedia.org/wiki/Kyshtym_disaster)),
then he suddenly quit his job and ignored a letter denying him release. From
what he saw at Mayak and from informal talks with his father he could have had
troves of valuable information.

[https://dyatlovpass.com/konstantin-krivonischenko?rbid=18461](https://dyatlovpass.com/konstantin-krivonischenko?rbid=18461)

Surprisingly there is another member of the group - Kolevatov - who from
analysis of his biography looks like a career officer involved with the nuclear
industry. At 19 years old Kolevatov graduated from the Mining and Metallurgical
College in Sverdlovsk and was sent to Moscow to work at the 9th Directorate of
the NKVD of the USSR laboratory "B", focused on creating protection against
ionizing radiation. And then he was sent back to Sverdlovsk (which does not make
sense as a voluntary career move but makes sense as some sort of assignment).

[https://dyatlovpass.com/rakitin-on-kolevatov](https://dyatlovpass.com/rakitin-on-kolevatov)

And Zolotaryov - there are witnesses of him being seen at different places at
the same time. We know that he had a zek brother (kept in the Gulag for being a
traitor after WW2). He was leading tourist expeditions often close to the
borders of the USSR (in the 1950s it was difficult to obtain permits for such
expeditions - there were people trying to escape and in some places still
active anti-Soviet partisans).

He claimed that after the Dyatlov expedition he would achieve fame. He was a
simple PE instructor but working in a secret city.

On the TV show the daughter of Zolotaryov's life partner, and a person who had
taken a bath with him on a previous expedition, do not remember Zolotaryov's
tattoos. No one else does, and Zolotaryov was a handsome man and well remembered.
It was also at that time hard to imagine for a normal member of Soviet society
to have tattoos. Especially for a PE instructor who had been leading PE classes
with students in a short sleeve shirt.

[https://dyatlovpass.com/resources/340/gallery/Semyon-Zolotar...](https://dyatlovpass.com/resources/340/gallery/Semyon-Zolotaryov-29.jpg)

Zolotaryov's young son disappeared without a trace. He was apparently given
into foster care but the boy's mother (Zolotaryov's life partner) had been
actively looking for him for many years in vain. So it looks like the paper
trail of the boy vanished or was erased.

[https://dyatlovpass.com/semyon-zolotaryov?lid=1&flp=1#sasha](https://dyatlovpass.com/semyon-zolotaryov?lid=1&flp=1#sasha)

So we might assume that Zolotaryov had been given a new life, taking the boy
with him, and the body found was his brother's.

[https://dyatlovpass.com/zolotaryov-exhumation-3?rbid=18461](https://dyatlovpass.com/zolotaryov-exhumation-3?rbid=18461)

Tumanov - the pathologist on the TV show - claims that Krivonischenko's burns
are a sign of prolonged exposure to fire - not an accident, because even a
semi-conscious person will react to contact with fire. So either Krivonischenko
climbed the tree and fire was used to force him to get down, or it was plain
torture to extract some information.

Slobodin (an amateur boxer), Kolmogorova and Dyatlov all died of hypothermia
but also all have signs of blunt force trauma. So hypothermia might have been
the result of being left unconscious in the cold after receiving serious blows
(back of the skull for Slobodin, a baton on the hip and a bleeding nose for
Kolmogorova, and Dyatlov had frozen with both his hands in a protective
gesture). Especially in the case of Slobodin the snow evidently melted under
his warm body and froze later.

All three of them, especially Kolmogorova, had been really well dressed, so
hypothermia is an unlikely explanation (they were all tough tourists, familiar
with camping in the snow without all the equipment that we have now (polartec,
gore-tex, down parkas and down sleeping bags, mats etc.) - all of them
perishing from hypothermia within a few hours is absurd).

The ravine four might have just been finished off with broken necks. Their
bodies had an autopsy after a long time in the snow.

There are less credible sources saying that the Dyatlov group had been followed
by another group of people. On the Russian TV show there is a guy who tells
that his father was hunting in the area, saw the fire, came closer and saw
people being beaten. He did not come forward because hunting without a permit
was a criminal offense.

---

Now this is all armchair theorizing, grasping at straws and nothing more, and
it probably belongs in the [https://dyatlovpass.com/](https://dyatlovpass.com/)
forum rather than here. ;-)

But let's hope that as Russia's attorney opened the investigation we may learn
what has happened some day.

------
unethical_ban
MFA is great if it is something like Google Authenticator, with recovery
codes.

And yes, store your recovery codes in your safe. Or print them, I guess, but
it isn't that big a deal.

My problem is with most banks that make me use some MFA that I can't
reasonably recover with codes, or those that can be recovered so easily that
MFA is a joke.

------
caiobegotti
Is there a simple site or a table somewhere with services/products saying
whether they support MFA or not? Kind of like
[https://pyreadiness.org](https://pyreadiness.org) for MFA.

~~~
herman_toothrot
The article mentions
[https://www.twofactorauth.org/](https://www.twofactorauth.org/)

------
nuker
KeepassXC can do TOTP, no need for Google Authenticator or other phone app.
And sync/backup your database.

------
kleiba
The lesson learned is that _allowing_ MFA but not making it _mandatory_ poses
a security risk. Arguably, that practice can be even worse than not offering
MFA at all if it gives hackers even better control over your account once they
get in: they can lock you out even more effectively.

------
freetanga
I try to have strong discipline of erasing and closing my digital footprint,
and not relying on freebies like gmail to support my digital identity. News
like these remind me how important that is...

------
xoa
An interesting piece (as Krebs' typically are). There are a number of
takeaways here for both users and implementors. The headline one of course is
that poor implementations of MFA can themselves become a risk factor in a
variety of ways. Ideally if a company is going to implement one at all, they
need to be really careful about what they're rooting the trust in. If it's
required for everybody when the account is created originally, then it can be
assumed by definition that the same human who created the account setup the
MFA as well. But if it's something that can be added on later, is there any
thought to how that fact is established and what recovery procedures are
available if it isn't? That's particularly the case when money is involved,
and it's also curious in that subcase that the money trail itself isn't more
often used as a recovery identifier. I.e., when linking financial accounts a
fairly common verification procedure is that a couple of <$1 deposits are made
and must be entered. This is a pretty core way to verify that at the least the
money is also controlled by the same person, and financial accounts usually
have a lot more identity tied to them. It's almost surprising entities the
size and sophistication of Microsoft or Google don't do that, because it'd
also help reduce the potential financial return for attackers. Want to make
core account changes when money is involved? You need to verify you control
the money. Attackers could change to their own funding source, but that'd
reduce the value of the attack.

Of course it also is a reminder to be careful about what money you tie to
online accounts at all:

> _Nevertheless, the thieves began abusing their access to purchase games on
> Xbox and third-party sites. “During this period, we started realizing that
> his bank account was being drawn down through purchases of games from Xbox
> and [Electronic Arts],” Dayman the elder recalled._

I would never, ever tie a checking/savings account to basically anywhere
online. When the money is pulled out of those it's a huge pain to get back if
it's possible at all. Credit cards, even ultra basic low cap starter types for
people with no credit history yet, are another layer of protection and
intermediation. Virtual card numbers with unique cards per account may
sometimes be useful. Even better is to take the convenience hit and leave no
stored financial payment at all. Just reenter each time, or get $10/25/50 gift
cards and use those to fund a game account as needed for new purchases.

> _“I pulled the recovery codes for his Xbox account out of the safe, but
> because the hacker came in and turned on multi-factor, those codes were
> useless to us.”_

I think this is bad design by Microsoft. Why should turning on MFA, or adding
a new MFA factor, obviate one-time use recovery codes which are to some extent
a weak form of MFA themselves and explicitly should serve as a final emergency
recovery thing people have in a physical safe? A decent recovery code system
itself is typically a requirement for good MFA, as a final resort in case the
factors are all lost/damaged. They could also be used as another way to try to
meet the issue of verifying the person who created/owns the account is indeed
the one turning on MFA.

~~~
perl4ever
Honestly, I think the authentication method used by the credit bureaus is
pretty good, and I think that other companies can license it or something.
They ask you multiple choice questions that require you to know elements of
your credit report. They have the data to make plausible false options. It
certainly seems to work better than Google's recovery process for gmail.

~~~
RandomBacon
Many of those questions are laughably easy for anyone to figure out.

Also once, I got locked out because they used incorrect data to generate one
of those questions. Once I got in, I then had to dispute that data.

~~~
perl4ever
If they give you five options for where you've had a loan, how would a
stranger know which one is real?

~~~
RandomBacon
Protecting your identity with a 1 in 5 guess is absurdly insecure.

Let's say I was a bad guy and I looked at my target's social media. I see he
was in the military, and I see USAA (a bank that caters to the military) is an
answer choice, I'll try that one. Or if I know approximately where my victim
lives, I'll look at an online map and see what banks are close by. Chances are
the victim would get a loan at a bank they are already a member of, and would
be a member of a nearby bank so they could deposit/withdraw easily.

~~~
perl4ever
That's not how it works; they don't use a single question.

I suppose it may work better for people who have lived in a variety of places
and had a number of different accounts or loans.

~~~
RandomBacon
I know how it works: I've been subject to them several times. (For those that
don't know, it's a series of questions, see link for screenshots.)

Most of the questions can be easily figured out. See this article:
[https://blog.alloy.co/answering-my-own-authentication-questi...](https://blog.alloy.co/answering-my-own-authentication-questions-prove-that-theyre-useless-386191e4f62f)

Anecdote: I was once asked what type of car I got a loan for. First of all,
just because the dealer pulled my credit doesn't mean I bought it (I never
took out a loan for the vehicle). Second, just go on Google Street View to see
what car is in my driveway, or check social media because people like to post
pictures of their cars. So again, more incorrect data they used to verify me,
and if it was correct, it wouldn't be secure!

------
a_imho
Treat accounts like cattle, not pets.

I only use MFA when it is forced on me, yet to encounter a situation where it
prevented anyone but me from accessing a service.

------
lizard
Many years ago, before MFA was really a thing, I changed my email address to
get away from the spam list I'd built up in my youth. Still, I had used the
account for some personal communications and was concerned some people
wouldn't immediately update their address books, so I set up a
forwarding rule to my new address for anything that got through the spam
filters.

The old account has been silent for years, to the point that I'd forgotten
whether I'd even deleted it or not. So imagine my surprise when in the span of
a minute, I get several forwarded emails from Google stating that the account
was recovered, a new device has signed in, password was changed, secret
question changed, and recovery email changed.

Now, as far as I'm concerned, the account is dead and hasn't been linked to
anything I've signed into for years. But that doesn't mean it was never linked
to anything important and who knows what's still sitting in the archive or
who's still in the contact list. So as soon as I saw the messages I jumped to
figure out what happened.

But it turns out that all these security alerts from Google are just to "let
you know about important changes to your Google Account and services" and if
there's a problem just tell you to click a button to login and "Check
activity"...which is difficult to do when all your security information has
been changed before you have time to respond.

There are options to try old passwords and linked email addresses, but after
several attempts all I got was "Unfortunately Google couldn't verify that <the
account> belongs to you." and a link to "Recover your account"[1] that just
tells you to try the recover options that have already been prompted for, and
if all else fails "consider creating a replacement Google Account."

There is no contact information, no option to let anyone know you have a
problem. The email alerts are sent from the uncaring "no-reply" address while
Google's "Contact Us" only gives a physical mailing address and directs you to
the same help articles.

Now, again, the account is--has been--dead as far as I'm concerned. But
considering the forwarding rule was still in place Google probably thinks
differently. So now the account, and everything in it, belongs to someone
else.

The moral of the story is not only do you need to practice good security now,
you need to have done it your whole life, and go back to do it better when new
security practices are adopted--before crooks do it for you.

1:
[https://support.google.com/accounts/answer/7299973?hl=en](https://support.google.com/accounts/answer/7299973?hl=en)

------
BruceEel
Am I the only one who came here expecting to read about crooks conspiring to
sign me up for a Master of Fine Arts?

