
Adding a phone number to your Google account can make it less secure - vijayp
https://tech.vijayp.ca/adding-a-phone-number-to-your-google-account-can-make-it-less-secure-f1cc7280ff6a
======
exelius
> I'm curious [...] why Google doesn’t temporarily disable accounts so
> impacted until a human reviews activity.

Because Google doesn't have humans reviewing anything unless there's a direct
link to marginal revenue/cost avoidance attached to that interaction that can
be priced in. Their business model is to achieve scale through automation and
machine learning; which means not doing things that would require manual
intervention unless absolutely required.

Explicitly, this means that for free services like Gmail, humans aren't
involved. Ever. Try getting support for a Google product and you'll see what I
mean -- there's not even a phone number to call or an e-mail address unless
it's a paid product (and even then, they've got a less-than-stellar reputation
for support of paying customers).

~~~
incompatible
So I've heard that it's difficult to get a human involved if you have a
problem with Google's free products. The article says "Eventually, with the
help of Google’s customer support and some ex-colleagues who still work at
Google, Bob was able to get his account back." For the average person who
doesn't have ex-colleagues who still work at Google, or whose name isn't Linus
Torvalds, it will be far more difficult.

~~~
leviathan
I keep hearing this, but here's my anecdote.

I signed up for AdWords a long time ago and created a test campaign just to
see what it looks like, but never completed the process, so I didn't have a
payment method entered.

Fast forward till start of this year, I created an AdMob account to put ads in
one iOS game I have, and apparently as soon as I entered my credit card info,
the old AdWords campaign started running and was taking $200/day. I noticed
after two days and immediately stopped it and contacted support. They quickly
got back to me, a person called me and explained that the issue was an error
from their side, and they refunded me the amount. It took three weeks for the
refund to occur, and during that time the guy called me at least once per week
to keep me in the loop. I was surprised with this after all I've heard about
Google's support. But I guess that's just one data point in the pool.

~~~
degenerate
AdWords is "different" because if your account has an issue, they aren't
getting lots of your money. So their support is actually pretty good with
AdWords. The rest of their services, the support is pretty bad (such as Google
Apps), and their free services may as well have zero support.

~~~
geomark
My anecdote: I was brought in to help with an AdWords campaign for an
ecommerce site. I did some keyword research, ran some small campaigns to get
some CTR and conversion metrics, then kicked off a bigger campaign, pruning
keywords as needed to ensure CTR stayed up and we didn't get a low CTR slap on
the account which results in CPC skyrocketing. It was chugging along at a
pretty good ROI. At that point I turned it over to the person who is named as
the contact on the account with instructions on how to keep it running. A
couple days later they got a call from someone at Adwords offering to "help",
and they recommended turning on display ads. A few days of that and the CTR
had plummeted, CPC prices had skyrocketed, and ROI tanked and the account was
ruined - couldn't get a decent CPC due to the CTR hole that had been dug.

Thanks Adwords support.

~~~
gpvos
CTR = click-through rate, CPC = cost per click

------
balls187
Recently my wife, without any identification, went to T-Mobile and was able to
have my account automatically canceled and added to a new joint family
account.

She went with my knowledge, but T-Mobile never called to confirm.

After which my phone no longer had service, and I had to install a new SIM
card prior.

While she did this with my knowledge, I no longer have access to make changes
to the account, until she adds me to the list of authorized people, and I lost
all my voice mail.

It's very disturbing that she could do this, without any sort of checks and
authorization.

Also, FWIW, my wife and I do not share a last name, and she did not provide
anything other than my phone number to T-Mobile. She was a new T-Mobile
customer, and I was an existing customer, albeit on a very cheap pre-paid
plan.

~~~
mikeleeorg
It's frightening how easy this is. Here's another example:

[http://www.businessinsider.com/hacker-social-engineer-2016-2](http://www.businessinsider.com/hacker-social-engineer-2016-2)

~~~
wfunction
Out of curiosity, if this is done with the consent of the person whose account
you're hacking (as in this example), is it illegal (considering that the
corporation is also a party here)? More generally, in what circumstances can
you lie on the phone about your identity without committing a crime?

------
Sir_Cmpwn
>Eventually, with the help of Google’s customer support and some ex-colleagues
who still work at Google, Bob was able to get his account back.

I bet I know which one of these resources was more important.

~~~
BinaryIdiot
I bet I know which one of those resources actually _exists_.

~~~
knz
Google's Project Fi has great customer support. You can get someone via IM
almost instantly and they also offer phone/email support. As a Fi customer,
that would be my first stop if I was locked out.

Good luck if you aren't a paying customer though...

~~~
RubyPinch
>You can get someone via IM almost instantly and they also offer phone/email
support. As a Fi customer, that would be my first stop if I was locked out.

if you were locked out of your phone (plan) & email, would you be able to
contact them?

~~~
knz
My wife is also a subscriber so I would still have access to support behind a
login. Support staff are also quite active on the reddit site for Fi.

------
x1798DE
I don't think it's possible to make a Google account without a phone number
anymore. It's really unfortunate, especially because I deliberately don't set
up fallback contacts for my "alternate" gmail accounts, and Google keeps
locking them as suspicious when I log in from a second location, and I need to
"verify" with a phone number any time that happens (at which point I abandon
the account).

I understand that they want to fight spam, but I'd be willing to spend 5
minutes doing captcha type activities in exchange for not requiring a phone
number, and that should pretty severely rate limit account creation.

~~~
jasonjayr
I've several children, and can no longer make Google accounts for their
Chromebooks. All the phone numbers I have and control can no longer be used to
register further accounts.

What happens to users that buy a new Android cell phone whose number has been
burned by Google?

~~~
antocv
This is the time to get to know
[https://mail.yandex.com](https://mail.yandex.com)

Seriously, the interface is so much better than todays gmail, its astonishing.
There is no spam either, and no ads.

~~~
jasonjayr
The email account is not the issue; I run my own email server with all the fun
that brings.

It's that the Chromebooks really need separate Google accounts; otherwise
settings and notifications end up replicated to all of them.

And yes, I have a greater than average number of children. I feel as if the
only way forward is to purchase a google for business account, and add them
all there :-/

~~~
ensignavenger
Install a different Linux distro on them?

------
jcoffland
> This pattern seems like something security software should be able to
> detect: a password reset with incomplete information, followed immediately
> by a change in recovery email, name, and two-factor-auth settings, coupled
> with a “my account has been compromised” help request is highly suspicious.

This series of events could easily occur in legitimate cases. Say you lose or
destroy your cellphone. Since you only ever logged in via your phone you don't
know the password. Your recovery email was attached to a service you don't use
because you normally use gmail. I'm not saying this scenario is a good idea
just that it's probably quite common.

As a software developer I often hear from well meaning users that are appalled
that software didn't do-the-right-thing in some complex scenario that appears
to have an obvious solution because the desired outcome is obvious. In
reality, handling the corner cases is complex. Adding these obvious solutions
to the code easily leads to even worse situations.
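
Here is an added example, not from the article or from any commenter, of what the detector the article proposes looks like when run over a constructed audit log, including the lost-phone case raised in the reply above. Everything in it is assumed: the event names, the `proof` field marking a reset completed with partial knowledge of the account, the 30-minute window, and the sample log lines themselves. The point it makes is the reply's: the event sequence alone does not separate the attack from the legitimate case, so the output is a graded response rather than an automatic lock.

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit log (not real Google logs): one JSON object per line.
# "proof":"partial" marks a reset completed with less than full knowledge of the
# account (e.g. an SMS code only). bob is the attack from the article; carol is
# the lost-phone case from the reply above; alice is a normal, spread-out reset.
SAMPLE_LOG = """
{"ts":"2016-10-10T14:00:00Z","account":"bob","event":"password_reset","detail":{"method":"sms","proof":"partial"}}
{"ts":"2016-10-10T14:02:10Z","account":"bob","event":"recovery_email_changed","detail":{}}
{"ts":"2016-10-10T14:02:40Z","account":"bob","event":"name_changed","detail":{}}
{"ts":"2016-10-10T14:03:05Z","account":"bob","event":"2fa_changed","detail":{}}
{"ts":"2016-10-10T14:05:00Z","account":"bob","event":"support_request","detail":{"topic":"account_compromised"}}
{"ts":"2016-10-10T15:00:00Z","account":"alice","event":"password_reset","detail":{"method":"sms","proof":"partial"}}
{"ts":"2016-10-12T09:00:00Z","account":"alice","event":"recovery_email_changed","detail":{}}
{"ts":"2016-10-11T08:00:00Z","account":"carol","event":"password_reset","detail":{"method":"email","proof":"partial"}}
{"ts":"2016-10-11T08:01:00Z","account":"carol","event":"recovery_email_changed","detail":{}}
{"ts":"2016-10-11T08:02:00Z","account":"carol","event":"2fa_changed","detail":{}}
"""

WINDOW = timedelta(minutes=30)   # how close the follow-up changes must be (assumption)
CHAIN = {"recovery_email_changed", "name_changed", "2fa_changed", "support_request"}


def parse_log(text):
    """Parse the log into dicts with a datetime 'ts', grouped and sorted per account."""
    by_account = {}
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        by_account.setdefault(rec["account"], []).append(rec)
    for evs in by_account.values():
        evs.sort(key=lambda r: r["ts"])
    return by_account


def score_account(events):
    """For each partial-proof reset, collect the CHAIN events that follow within WINDOW.

    Score = 1 for the reset itself + 1 per distinct follow-up. A support request
    only counts when it is the "my account was compromised" kind.
    """
    findings = []
    for i, ev in enumerate(events):
        if ev["event"] != "password_reset" or ev["detail"].get("proof") != "partial":
            continue
        deadline = ev["ts"] + WINDOW
        seen = set()
        for later in events[i + 1:]:
            if later["ts"] > deadline:
                break
            name = later["event"]
            if name == "support_request" and later["detail"].get("topic") != "account_compromised":
                continue
            if name in CHAIN:
                seen.add(name)
        if seen:
            findings.append({"reset_at": ev["ts"], "score": 1 + len(seen),
                             "followed_by": sorted(seen)})
    return findings


def recommended_action(score):
    """Events alone cannot tell bob from carol, so the response is graded
    (notify the previous contacts, delay further sensitive changes), not a lock."""
    if score >= 5:
        return "hold_sensitive_changes_and_notify_previous_contacts"
    if score >= 3:
        return "notify_previous_contacts"
    return "none"


def detect(log_text, threshold=3):
    """Return {account: [finding, ...]} for accounts scoring at or above threshold."""
    alerts = {}
    for acct, evs in parse_log(log_text).items():
        for finding in score_account(evs):
            if finding["score"] >= threshold:
                finding["action"] = recommended_action(finding["score"])
                alerts.setdefault(acct, []).append(finding)
    return alerts


if __name__ == "__main__":
    for acct, findings in detect(SAMPLE_LOG).items():
        for f in findings:
            print(acct, f["reset_at"].isoformat(), f["score"], f["followed_by"], f["action"])
```

Run against the sample, bob scores 5 and carol scores 3 while alice is not flagged at all; carol is exactly the false positive the reply describes, which is why the highest-scoring action here is a hold plus a notification to the previous recovery contacts rather than disabling the account.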

~~~
jandrese
At the very least, any change to the email address should send out an email to
the old address stating "If you didn't make this change, click on this link to
have your account frozen until you do a password reset."

It's silly to depend on an email for authentication, then allow the hacker to
just delete the email address before they change the password. Giving the old
address the right of first refusal defeats that kind of attack and should be
dead simple to implement since the framework was already laid down for the
"verify your email" step during setup.
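
As an added example (not the commenter's code, and not how Google or Hotmail implement it), here is the right-of-first-refusal the reply above proposes, in Python: every recovery-email change is applied immediately, but the previous address is mailed a signed, single-use link that undoes the change and freezes the account until a password reset. The in-memory account store, the outbox list standing in for a mail sender, the per-process key and the one-week validity are all assumptions. One detail worth noticing: the link restores the address it was issued to even if the attacker has changed the email again in the meantime, so every earlier address in the chain keeps its veto until its token expires.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets

# Assumptions for this illustration: an in-memory store and outbox instead of a
# database and mail sender, and a per-process key instead of a managed one.
SERVER_KEY = secrets.token_bytes(32)
REVERT_TTL = 7 * 24 * 3600            # seconds the "this wasn't me" link stays valid

accounts = {}
outbox = []
used_tokens = set()


def new_account(account_id, recovery_email):
    accounts[account_id] = {"recovery_email": recovery_email, "frozen": False}


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_revert_token(account_id, old_email, new_email, now):
    """Sign (account, old, new, expiry) so the link can only undo this one change."""
    payload = json.dumps(
        {"acct": account_id, "old": old_email, "new": new_email, "exp": now + REVERT_TTL},
        separators=(",", ":"), sort_keys=True).encode()
    mac = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def verify_revert_token(token, now):
    """Return the claims if the MAC checks out and the token is unexpired, else None."""
    try:
        enc_payload, enc_mac = token.split(".")
        payload, mac = _unb64(enc_payload), _unb64(enc_mac)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return None
    claims = json.loads(payload)
    if claims["exp"] < now:
        return None
    return claims


def change_recovery_email(account_id, new_email, now):
    """Apply the change, but mail the OLD address a link that reverts it and
    freezes the account: the old address gets the right of first refusal."""
    acct = accounts[account_id]
    if acct["frozen"]:
        raise PermissionError("account is frozen pending a password reset")
    old_email = acct["recovery_email"]
    acct["recovery_email"] = new_email
    token = make_revert_token(account_id, old_email, new_email, now)
    outbox.append({"to": old_email,
                   "subject": "Your recovery email was changed",
                   "body": "If you didn't make this change, use this link to freeze "
                           "your account until you reset your password: /revert?t=" + token})
    return token


def revert_and_freeze(token, now):
    """Handler behind the link: single-use, restores the address the token was
    issued to (even if it has been changed again since), and freezes the account."""
    claims = verify_revert_token(token, now)
    if claims is None or token in used_tokens or claims["acct"] not in accounts:
        return False
    used_tokens.add(token)
    acct = accounts[claims["acct"]]
    acct["recovery_email"] = claims["old"]
    acct["frozen"] = True
    return True


def password_reset_unfreeze(account_id):
    """A completed password reset is the only way out of the frozen state."""
    accounts[account_id]["frozen"] = False
```

Because the token is bound to the account and to the specific old/new pair, a link leaked from one account's mailbox cannot be replayed against another, and because the freeze persists until a password reset, the attacker cannot simply change the address a third time after the owner clicks.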

~~~
reitanqild
Not sure but I think I have seen hotmail/live do this?

------
nchelluri
What I recall reading over the last year is that:

- phonelines can be hijacked (this article)

- DNS can be hijacked in a similar manner

- SMS can be hijacked (for 2FA via text message)

I guess 2FA using an authenticator app is the way to go for now. Do you guys
agree with the removal of backup phone numbers recommended here? Seems
reasonable to me but scary; I've lost my phone(s :( ) before. I do have backup
codes generated though.

~~~
AdmiralAsshat
The problem with the backup codes is that I have so many now. Pretty much a
list of codes for _every_ account I have 2FA enabled on (about a dozen). If I
actually printed them out and kept them in my wallet, my wallet would be
overflowing by now.

Authy has been a great improvement over Google Authenticator for me. I
primarily used it when I migrated phones for the umpteenth time, but were I to
lose my phone, I could also restore the database on my tablet in the meantime
and use that instead. The prospect of doing so does leave me a little
concerned, however, because my phone has full-disk encryption enabled while my
tablet does not.

~~~
dnr
I recently turned on 2FA on a bunch of accounts (nine total) and ran into the
same problem. My solution was to save the initialization QR codes and print
them on a piece of paper (actually three copies, stored in separate
locations). This involved a bunch of screenshotting and messing around in gimp
and was in general a big pain. But if my phone dies, restoring my 2FA setup
will be much simpler than using backup codes: I just have to scan codes; the
account providers aren't involved at all.

(I do also keep a few backup codes for the most important accounts in my
wallet.)

I know Authy can back up 2FA state to their own cloud, but it's unclear how
secure this is: they let you restore codes onto a new phone with the same
number, and apparently even to a brand new phone
([https://www.authy.com/phones/change/](https://www.authy.com/phones/change/)).
So it seems like stealing a phone number would allow an attacker to steal 2FA
codes stored in Authy.

(What I'd really like is a TOTP app that let me back up its state into a
single giant QR code or a small file that I could print out in hex and
scan+ocr later.)
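
The backup described above works because a TOTP code is a pure function of the enrolment secret and the clock, with no provider involvement. As an added example (not from the comment above and not from any authenticator app), here is that in Python: parse the otpauth URI that an enrolment QR code encodes, compute RFC 6238 codes from it, and dump or reload all entries as printable hex, the "small file" the comment asks for. The 64-character row width and the JSON layout are my assumptions; the secret used below is the RFC 6238 test vector, constructed input rather than a real account. The printout holds the raw secrets in clear, so it needs the same physical protection as the paper QR copies.

```python
import base64
import hashlib
import hmac
import json
import struct
from urllib.parse import parse_qs, quote, unquote, urlparse


def parse_otpauth(uri):
    """Parse an otpauth://totp/... URI (what the enrolment QR code contains)."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": q.get("issuer", ""),
        "secret": q["secret"].upper().replace(" ", ""),   # base32, as issued
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "algorithm": q.get("algorithm", "SHA1").upper(),
    }


def to_otpauth(entry):
    """Rebuild the URI so a fresh app can re-enrol from it (render it as a QR code)."""
    return ("otpauth://totp/%s?secret=%s&issuer=%s&digits=%d&period=%d&algorithm=%s"
            % (quote(entry["label"]), entry["secret"], quote(entry["issuer"]),
               entry["digits"], entry["period"], entry["algorithm"]))


def totp(entry, at):
    """RFC 6238: HMAC over floor(at / period), dynamic truncation, modulo 10^digits."""
    secret = entry["secret"]
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    counter = struct.pack(">Q", int(at) // entry["period"])
    digest = hmac.new(key, counter, getattr(hashlib, entry["algorithm"].lower())).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** entry["digits"]).zfill(entry["digits"])


def export_state(entries):
    """Compact JSON of every entry, hex-encoded and broken into 64-char rows for printing."""
    raw = json.dumps(entries, separators=(",", ":"), sort_keys=True).encode().hex()
    return "\n".join(raw[i:i + 64] for i in range(0, len(raw), 64))


def import_state(printed):
    """Inverse of export_state; tolerates whatever whitespace OCR or retyping reintroduces."""
    return json.loads(bytes.fromhex("".join(printed.split())))


if __name__ == "__main__":
    # Constructed enrolment using the RFC 6238 test secret, not a real account.
    demo = parse_otpauth("otpauth://totp/Example:alice%40example.com"
                         "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")
    print(export_state([demo]))
    print(totp(import_state(export_state([demo]))[0], 59))
```

Restoring is just `import_state` followed by `to_otpauth` for each entry; the account providers never see any of it, which is exactly why the secrets on the paper are as sensitive as the phone they came from.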

~~~
AdmiralAsshat
>So it seems like stealing a phone number would allow an attacker to steal 2FA
codes stored in Authy.

You're required to set a password on your Authy database before you can start
adding tokens to it. So when I transferred my Authy database to a new phone
(had to send in the old one for a replacement), I had to confirm the password
before it would sync to the new device. Authy also bugs you about once a month
to confirm your password phrase to make sure you don't forget it.

Additionally, you can set a PIN that Authy will prompt you for any time you
try to open the app. I have that set, as well, so that even if someone should
get past my lockscreen, they can't reach my 2FA tokens without another PIN.

~~~
twr
> You're required to set a password on your Authy database before you can
> start adding tokens to it.

That's not true. Passwords in Authy are for backup, which is optional. Backup
synchronizes offline TOTP secrets between paired devices. Only the offline
TOTP secret is encrypted; the token name is not.

"Authy Account" secrets, the ones created by the Authy API, used by Coinbase,
Cloudflare, et cetera, are always stored remotely, and can be restored
without-password to anyone with possession of your phone number and email
account.

I wrote about this a little over here:

[https://news.ycombinator.com/item?id=12603380](https://news.ycombinator.com/item?id=12603380)

------
Pym
It's not the first time that Verizon transfers an account like this...

Have a look at this other story from last month, "On Phone Numbers and
Identity":

- [https://medium.com/the-coinbase-blog/on-phone-numbers-and-identity-423db8577e58](https://medium.com/the-coinbase-blog/on-phone-numbers-and-identity-423db8577e58)

- [https://news.ycombinator.com/item?id=12597609](https://news.ycombinator.com/item?id=12597609)

"It turns out the attacker was able to impersonate the employee on a call with
Verizon"

------
peterjlee
Once I had my SIM card stuck in my phone. So when I wanted to use a different
phone, I bought a new SIM card kit online and brought it to a T-mobile store.
I told the clerk my SIM card is stuck in this phone so I want to transfer my
number to the new SIM card. He asked for my phone number then scanned the new
SIM card and transferred the number. I didn't have to provide any identity or
proof that I actually own the number. It's scary how easy stealing someone's
phone number can be.

------
wfunction
Kind of related, but any Googlers here? Can you please make Google send
notifications whenever someone tries to log in to an account and is required
to do anything other than typing in their username/password? I REALLY _should_
know when someone is trying to respond to a 2FA prompt or answer my security
questions or use SMS or email to reset my password... it's ridiculous that
these don't all result in emails right now.

~~~
lukasb
I work at Google (I don't work on this stuff though, so I'm basically just
another random commenter.)

We do send an email when you log in from a new device. What would you do if
you got an email about failed attempts to login / reset password?

~~~
hughes
I get notifications about that from Facebook sometimes. It is a bit unnerving
to hear that someone is attempting to repeatedly log in with my email address,
but it certainly prompts me to make sure my accounts are locked down well.

~~~
knz
Do you have an email address that may be similar to others?

My work recently implemented a login process for customers and it was
surprising how many user errors we had related to names/emails that were
similar (so bob@gmail.com vs nob@gmail.com etc - these were not the actual
addresses but you get the idea).

~~~
lucb1e
> login

> emails

There's your problem. If autocomplete didn't exist I'd go nuts having to type
my email address, and clearly those people don't have autocomplete or they
wouldn't be making mistakes. Just use usernames.

~~~
nommm-nommm
Then nobody remembers their user name, I don't remember any of mine. If I
didn't have LastPass I'd be password resetting on every financial account I
have.

------
proee
Another issue with sending Google verification reset codes over SMS is that a
lot of "Google Phones" allow for viewing text messages/headers while the phone
is "locked." Therefore if you leave your phone (even for just a few seconds),
someone could quickly gain access to the reset vectors. In looking at the DNC
leaks for example, if an attacker has the phone number of a high-profile
target, locates them in person, and then executes a reset "event", they're now
in very serious jeopardy, assuming the attacker gets physical access to the
target's phone for just a few seconds. (Edit: Attacker might have the ability
to also view their phone through a high-resolution camera(s) as the target
pulls up the text message. Thus allowing attacker access to codes without
physical access to device.)

------
jsingleton
If you are ever required to give a phone number but don't want to then you can
use an official fictional one. This means no-one else will have access to it
(or be annoyed by it). Same with email addresses.

If you need access then you could use
[https://smsprivacy.org](https://smsprivacy.org) or
[https://dtmf.io](https://dtmf.io). I've not tried these though. Or of course
you could build something yourself with
[https://www.twilio.com](https://www.twilio.com) or
[https://www.nexmo.com](https://www.nexmo.com).

I wrote a bit about this here: [https://unop.uk/phone-numbers-for-examples-and-user-identification](https://unop.uk/phone-numbers-for-examples-and-user-identification)

------
throw7
Google seems to think phones are very secure:

[https://support.google.com/accounts/answer/183723](https://support.google.com/accounts/answer/183723)

Why mobile phones are more secure

Your mobile phone is a more secure identification method than your recovery
email address or a security question because, unlike the other two, you have
physical possession of your mobile phone.

~~~
xg15
...until the moment where you don't anymore.

------
FullMtlAlcoholc
>Eventually, with the help of Google’s customer support

That he was able to contact someone at customer support for his Gmail account
was the most amazing thing in this article!

> and some ex-colleagues who still work at Google,

:( That's why

------
cantrevealname
Using a phone as a login credential is risky from a reliability point of view.
At least with passwords and security questions you can (in theory) have 100%
dependable access to them anywhere in the world if you memorize them, back
them up, or put them on an encrypted USB flash drive or in an encrypted cloud
location.

You can't do that with a phone. You can't duplicate your SIM card. If your
phone is lost, broken, stolen, or your service is cut off or unavailable for
whatever reason, you're screwed. At least with passwords, security questions,
or hardware tokens (of which you can have several), you maintain reliable
access no matter what if you've made backups.

~~~
azernik
You can't duplicate your SIM, but your phone carrier can. In some countries,
this involves them checking your government-issued ID in person, which is
handy for Google as a way to outsource the ID-checking requirements.

The issue is that they don't discriminate between carriers that perform good
identity checking and those that don't.

(Reliability is actually well-addressed by Google - they offer this as a
supplement to the other forms of verification they provide.)

------
throw2016
I think with centralization comes control, arbitrary rules, surveillance,
potential for abuse of power and loss of end user control.

The fact that it keeps on becoming more and more difficult for individuals to
run mailservers cannot be a coincidence.

The solution is decentralization at least for things like reddit, mail,
search, social and other similar services. Multiple discrete 'old style'
forums, search services, email providers and individual servers with dispersed
control cannot be easily silenced, surveilled or subject to arbitrary rules.

I think the usual response is people don't care but I think that's because
they don't know and may not have stopped to consider the consequences. And
perhaps more important before they didn't have to care. Now increasing
creepiness from centralized providers means sooner or later users will wise
up.

If parents for instance become concerned about privacy issues they will go out
of their way to protect their children and this can lead to new more privacy
aware services, rules, and distributed applications. It also makes centralized
unicorns based out of SV less of a desirable thing.

------
keyme
This doesn't even take into account how inherently insecure actual mobile
networks are. Human factor notwithstanding.

Using GSM? Your recovery code is sent essentially plaintext over the air.

Think you're not using GSM? I'll just follow you around until you are (say, if
you go out of town).

Since I'm already following you around, maybe I'll just jam your 3G/4G for a
minute. Save us the waiting around.

Disabling 2G on your phone is a shitty solution. I want to be able to receive
calls/SMS even if it's insecure.

TL;DR:

My account -> Sign-in and security -> Signing in to google -> Account recovery
options -> Recovery phone -> Remove number

~~~
jdavis703
By the time I have you (or anyone else) following me around to hack me, I've
got way bigger problems than losing my Gmail account.

~~~
keyme
I don't know.

I can imagine you saying the same thing about the case in OPs article.

The attack was targeted. The attacker knew your name, phone number and email
address. The attacker went through some real effort to hack you (SEing reps,
buying SIMs, burner iPhone, taking some risk).

How much further do you think they were willing to go? Not enough for a $200
plane ticket?

You have a problem the moment someone capable has targeted you. For the
attacker, it's just a matter of choosing the easiest attack vector. Today it
was Verizon reps. Tomorrow it may get a bit more difficult.

------
willvarfar
Phone diversion can also be used to confirm large bank transfers; this
happened to a friend of mine in 2012
[http://williamedwardscoder.tumblr.com/post/24949768311/i-know-someone-whose-2-factor-phone-authentication](http://williamedwardscoder.tumblr.com/post/24949768311/i-know-someone-whose-2-factor-phone-authentication)

------
cupantae
Huh. I wonder if the author had seen this video
[https://m.youtube.com/watch?v=Q00OZ_Xk24w](https://m.youtube.com/watch?v=Q00OZ_Xk24w)
which describes a similar story and recommends a solution based on the same
factors (2FA on a number no one knows under a fake name).

But anyway I don't understand why he thinks it's some kind of shocker that
this makes it less secure. It's another access method. Recovery options are
_obviously_ attack vectors.

------
SamBam
One thing that I don't see mentioned: The attacker doesn't need to know the
victim's email address or even name, if they have a compromised phone number.

If you go to mail.google.com and say "Find My Account," you can enter a phone
number directly, and then proceed with SMS-based recovery, if it's enabled.

This means that _any_ time an attacker gains access to a phone number, they
can plug it into gmail and fish to see if they can break in to an account.

------
zitterbewegung
Adding a phone number that people KNOW about can make it LESS secure. A
workaround is to get a phone number that is only used for identity
verification and not given out to anyone.

~~~
wyclif
One way to accomplish this would be with, ironically, a Google Voice-type
service (but associated with a completely independent email provider)

~~~
ocdtrekkie
This can actually be problematic. I've found many 2FA services use text
services with shortcodes which sometimes do and sometimes don't work with
services like Google Voice. Back when I used Voice, my actual cell number was
only used for identity verification.

------
darkhorn
In Turkey, if you apply for a new SIM card (let's say you have micro and you
want nano) then you cannot access your bank account (for example Garanti Bank,
probably other big banks too). Doesn't matter whether you try to access the
bank via your PC or phone or via your home telephone, a message appears saying
that your SIM card has been changed and thus you need to re-validate yourself.
So, this means that the banks and mobile operators share data.

Plus, if you apply for a new SIM card and you have changed information in
your ID, such as your father has changed his name or you have corrected your
birth place, then your ID is sent to the government and only when the
government gives permission can they give you a new SIM.

If you are not the owner of the SIM card no one talks to you.

If you want a new phone number then you must register with your ID.

~~~
nommm-nommm
Off topic, but I am really curious. What would be a reason for your father to
change his name in Turkey? Is men changing their name common in Turkey?

~~~
darkhorn
For example when you apply for Turkish citizenship your father's name is let's
say Philipos, and you have a father with that name until he also becomes a
Turkish citizen with a new name let's say Filip. Now you have to update your
ID.

I've heared that some police or military people change their name because they
killed many terrorists.

But the most comman provlem is with birth dates. Some of my friends had such
birth dates in their IDs; 0.0.1984 or 5.12.1885 (should be 1985). Why?
Actually they have birth certificate in Bulgaria, even with hours. But when
they become citizen of Turkey an idiot public service officer wrote wrongly to
a paper, now you need to prove that you were born in that date with
diplomatically certified and translated birth certificate that you have
optained from your home country wich is possible but long and boring process.
Instead they auto corect to middle of the year; 1.7.1984.

Especially some eastern places before 90s didn't wrote their birth dates
because you know, is a "boring paper work" for them.

Or a parent says that their douther's name is Gizem but the public servant
writes İzem.

This is why this country is called a developing country. They can't write
something propery.

------
andyana
Two years ago, I added a friend on to my phone plan so that he could call his
sick mother. I made it clear to Telus (my carrier) that he should not be able
to modify the account or discuss account details with them, and they assured
me that he wouldn't without both my PIN and express permission to add him to
the account administrators list. Three months later he walked into a Telus
store and got a new iPhone with a 2 year contract on my plan. When he stopped
paying what he owed, guess who got stuck with the early termination fee?

------
angry-hacker
Can Americans explain to me how you can just do things like that by calling
customer support? Wouldn't it make more sense to go and show your ID if you
want to make changes like that?

~~~
exelius
Where would you go to show ID? In many places in America, the closest telco
customer service office may be a 2 hour drive away. Everyone saves time/money
by being able to do it over the phone; but unfortunately the customer service
reps are usually poorly trained.

~~~
jdavis703
Training shouldn't really be a factor here. The software systems shouldn't let
social engineering hacks work. Why is the customer service rep allowed to
override whatever prompt asks for a PIN number? If this override is really
needed it should be a higher ranking support member or manager who can do
this.

------
camupod
Does anyone know anything about the security with regard to using other
providers (e.g. twilio or google voice) as a recovery number?

Let's say my recovery number is actually a google voice number that's
connected to a separate google account, but not forwarded to my actual
cellphone (i.e., I'd have to login to my other google account to view the
recovery code). Thoughts?

~~~
stanleydrew
The specific flaw exposed in this story is not exploitable with providers like
Twilio and Google Voice, because they don't assign phone numbers to devices
with SIM cards.

Verizon is the bad guy here, since they agreed to re-route SMS traffic from
the account holder's device to a new device without properly confirming that
the request was coming from the account holder.

Technically there's nothing stopping a motivated attacker from attempting the
same social engineering attack against a Twilio or Google Voice number, but
getting those providers to re-route SMS isn't as simple as just calling and
saying "my iPhone broke, I need you to assign my number to my new phone" like
you can with Verizon.

The attacker would need to know some particulars of the SMS routing protocols
of Twilio and Google Voice to achieve a similar result.

------
abandonliberty
These are recovery options. By definition they make your account less secure
by adding additional entry points for both you and a potential attacker.

I have 2 factor enabled and did some testing.

Security options:

- Account recovery: email (phone # disabled)

- 2-factor: recovery phone #, backup codes

All of these require you to provide them. Phone number is given as XXX-XXX-
XX12. Email is userna****@domain.com.

Failing all of those options, Google asks you to provide an associated email
to help with recovery. It then provides a freeform text field for you to
explain the situation and expect a response in 3-5 business days. If you have
a secondary less-secured email address this could be a viable vector.

tl;dr two factor seems to add an additional layer of security / accounts that
an attacker would have to compromise if appropriately configured. Recovery
options weaken your security and you should be cautious when configuring.

------
billconan
I have this weird thing in my google account.

When I set up my 2 way authentication, I noticed my account has a phone number
added, which I don't recognize at all. The phone number has a Florida area
code. I have never been to Florida. I emailed google about this, asking how
the number was added? I didn't get any reply.

~~~
lucb1e
Honestly, did you expect a reply from Google? Have you ever had one?

Even people I was friendly with on forums or social networks that were
employees for Google (or Microsoft for that matter, or both in one occasion)
stopped responding when I mentioned anything from "heads up (since there is no
contact listed for product x): there's a bug here, you might wanna forward
that" to "do you know why this is that way?" It's a really weird experience.
I've stopped trying to contact tech giants that are too big to care about an
individual.

------
nfriedly
I think that for a lot of people, the added access is worth the security risk:
they're more likely to forget their own password than to be hacked.

One of my mom's friends had gone through the Gmail password reset process a few
times, but she called me one day kind of frantic because she could no longer
reset her password (or remember the old one).

It seems that previously Google had allowed either a phone call or an SMS to
the phone number on her account, but had recently taken away the call option.
Her phone was a landline that couldn't receive SMS messages.

She didn't have (or couldn't access) a backup account and couldn't remember
the answers to any of her security questions, or at least not enough of them.

I think she just gave up and switched to Yahoo.

------
leesalminen
I bought a Yubikey for $40 and now use that as my second factor for my Google
Accounts. It's quite durable and fits on my keychain. Love it!

------
hash-set
I always thought Google was trying to tie your gmail account back to a cell
phone number so they could help end anonymity on the Internet. Or else give
the information to the NSA or something. I'm trusting Google less and less
these days.

At the very least, Google should not have come out in favor of a particular
Presidential candidate. Corporations have become incredibly powerful entities,
able to affect the lives of all their employees and many others. If they can't
wield this power ethically, they need to be shut down or we risk suffering
under fascism.

~~~
vonklaus
Don't understand the downvotes. Thought this was widely acknowledged.

~~~
twr
It's widely acknowledged by the paranoid. The reason why so many services
started requiring a phone number at signup is that it's an extremely effective
anti-spam technique. Of course, the paranoid people aren't necessarily wrong
either.

------
metabren
I imagine adding a phone number to your Google account is more about Google
having a particular phone number explicitly linked to an account for their
information graph rather than for security reasons.

------
chris_wot
Two factor auth using SMS is increasingly becoming a risky option. For now I
have it on my personal accounts, but I'm considering changing over to Google
Authenticator.

------
baybal2
This is how Russians hacked social media accounts and public emails of British
MPs last year.

It is assumed that they procured IMSI IDs of MPs from open sources (databases
of gaming companies (this is why Google lets apps read your IMSI) or
advertising cookie brokers).

Then, they used Russian cell phone networks to announce a “Roaming transfer”
of their phone numbers from BT to them and then used an “SMS login” and
password recovery from their Snapchats/Twitters/WhatsApps. Once they logged
into them, it is believed that they downloaded past conversations and other
data through synchronisation APIs.

Back then, Google only confirmed that they did send a recovery SMS to one
account, but hackers didn’t manage to answer a security question. This
probably deterred them from attempting to try the same trick on Google
accounts of other MPs whose numbers they pwned, or maybe Googlers simply made
that up to cover their asses.

Amazingly, many cell operators don’t check the digital signature on roaming
requests, nor require the roaming counter-parties to pass them through.

------
bikamonki
Google fills my droid with bloatware. Even worse: all of Google apps will not
work without Google Play Services which is a super abusive app: among other
things, it logs ALL MY ACTIVITY 24-7. So, if Google already runs apps with
such privileges, why not add a small app that mimics Whatsapp SMS
verification. After verifying that a given SIM is installed on the phone where
my Google account has been authenticated, it can establish a secure tunnel to
send me 2FA codes. If a hacker would clone my SIM and even have my Google
password they can prevent login until I grant permission from the first
install/verification. Should I lose/change my phone, Google would not allow a
second verification unless a pin is entered (which I created on the first SIM
verification). Another approach that avoids the pin number would be a delay
before authenticating the second install. If I get 24hrs and a notification
that I have logged-in on a second device, I certainly have enough time to fix
any possible hack.

------
buyx
SIM swap fraud has been common in South Africa for years, and bank accounts
were being cleaned out before the cell networks tightened their procedures.
Yet I've started to see reports of similar scams in the developed world.

I'm surprised that anyone is surprised by this. Perhaps the time has come for
a more global approach to security.

------
rohitarondekar
Would using a dedicated phone number (sim) that is not shared with any other
service protect you from this? Basically nobody besides Google and you would
know of this number. In India dual sim phones are very common and I've been
thinking of getting a second sim (phone number) for this purpose.

------
iconjack
Well of course it makes your account less secure. It's another attack vector.
As shown in the post, Google doesn't say add a phone number "to make your
account more secure", it says "so you don't get locked out". Intuitively,
making it more difficult to get locked out of your own account would likely
make it easier for someone else "not to be locked out" of your account.

------
mtgx
Google does another stupid thing (or at least it used to do two years ago, but
I think it's still doing it): when you pick Google Auth for 2FA, and for some
reason you can't use it, you can still login to your account with an SMS
code...

Like WTF Google? Any attacker could just as easily do that, too, anytime they
want. As long as this remains true, Google Authenticator (or any other Google
security measure that could easily be bypassed this way with SMS) has
literally _zero_ advantages over SMS, while retaining the disadvantages of
being less convenient to use, etc.

------
walrus01
SS7, phone numbers and telco stuff are built on trust, with a 1970s/1980s
business model when the only people messing with the system were the ILECs.

It's trivially easy to fake scanned documents proving that you're authorized
to port a phone number from one service to another. In this case there was
probably no SS7 messing about at all, just somebody falsifying the info or
socially engineering his cellular carrier to transfer the number to a new
phone. Mitnick's "Art of Deception" book is an authoritative resource on this
problem.

------
josefresco
"there's not even a phone number to call or an e-mail address unless it's a
paid product"

Well duh. What kind of support should Google offer to almost a billion users
that pay nothing for the service?

"(and even then, they've got a less-than-stellar reputation for support of
paying customers)."

Not from my experience. Have had to call them a handful of times on behalf of
clients. A human always picked up quickly, and resolved my issue or answered
my question. Also followed up.

------
whyagaindavid
@vijayp Please retitle your post to add "In North America, anyone can take
anyone's phone number". BTW aren't any of the Hacker News readers worried?

------
spiznnx
What are the security implications of using my google voice number as a backup
phone number to my google account (the same account)? I've been doing this for
a few years, and it's been very convenient. Basically, any time I need to log
in with a new browser or device, using the number for two factor SMS gives me
codes on all other logged in gmail windows, and on my phone.

~~~
stanleydrew
I do this too, but it's circular. So there is a pretty significant risk of
getting locked out entirely if your authentication tokens for your Google
account expire on all devices at the same time.

Yes, that's unlikely. But if it happens, we're screwed.

A better option would probably be to set up two Google accounts with two
Google Voice numbers and use them to cross-validate each other. I think I'll
go do that now.
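
The setups spiznnx and stanleydrew describe are a dependency question: can the account be recovered when no session on it is alive? The following is an added example, not code from the post or from Google, that models recovery factors as a small graph and searches for a path that never passes through a locked-out account. Account names, factor names and the three configurations are constructed for the example; the rule that a Google Voice number "belongs to" the account it was issued to is the assumption the thread itself rests on.

```python
"""Audit account-recovery factors for circular dependencies.

Added example (not from the post): a recovery factor is either external
(a carrier SIM, a hardware key, printed backup codes) or owned by an
account you must already be logged into to use it (a Google Voice
number, a recovery e-mail address).  The question asked here is whether
an account can be regained once every session on it has expired.
"""

# factor -> account you must be logged into to use it, or None when the
# factor lives outside any account.  Constructed sample data.
OWNERS = {
    "gv-main": "gmail-main",   # Google Voice number issued to gmail-main
    "gv-a": "gmail-a",
    "gv-b": "gmail-b",
    "sim-phone": None,         # number on a physical SIM at a carrier
    "yubikey": None,
}

# account -> recovery factors it accepts.  Three constructed setups.
CIRCULAR = {"gmail-main": ["gv-main"]}               # one account, own GV number
CROSS = {"gmail-a": ["gv-b"], "gmail-b": ["gv-a"]}   # two accounts cross-validating
ANCHORED = {"gmail-a": ["gv-b"], "gmail-b": ["gv-a", "yubikey"]}


def recovery_path(account, recovery, owners, pending=frozenset()):
    """Factors, in the order they must be used, that get you back into
    `account` when every session on it (and on anything in `pending`)
    has expired.  None means it cannot be recovered in that state:
    every factor loops back through an account you are locked out of."""
    locked = pending | {account}
    for factor in recovery.get(account, ()):
        owner = owners.get(factor)
        if owner is None:          # external factor: usable right away
            return [factor]
        if owner in locked:        # needs a login we are trying to regain
            continue
        inner = recovery_path(owner, recovery, owners, locked)
        if inner is not None:      # first recover the owner, then use it
            return inner + [factor]
    return None


def audit(recovery, owners):
    """Map every account to its recovery path, or None if it is circular."""
    return {acct: recovery_path(acct, recovery, owners) for acct in recovery}


if __name__ == "__main__":
    for name, setup in [("circular", CIRCULAR), ("cross", CROSS),
                        ("anchored", ANCHORED)]:
        print(name, audit(setup, OWNERS))
```

Run against the three constructed setups, the check returns None for the single-account loop and also for the two accounts that only point at each other: once all sessions expire at the same moment, each factor needs a login neither account has. One factor that lives outside the accounts (the hardware key in ANCHORED) breaks the loop for both. The check answers the lockout question only; a carrier number also counts as external here while remaining exactly the port-out target the article describes.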

------
johnjhayes
_> Bob didn’t have multi-factor authentication enabled_

even if enabled, if it was set to send the code as sms it would go to ... the
phone :-\

~~~
haser_au
If you read all the way through, the article states this. Recommendation is
"use something like Google Authenticator, etc..."

------
pm24601
I wonder if a landline is more secure from transfer?

Anyone know if the procedure for transferring landlines is more painful for
fraudsters?

~~~
ComodoHacker
Landline is easier to hijack though. I mean physically.

------
dragonwriter
AFAICT, and this is supported by the Google screenshot shown promoting the
feature, Google doesn't say the phone makes the account more secure, it says
that it makes the account more usable, since it provides a way to recover from
lockouts. This is one of many cases where usability and security aren't
aligned.

------
mercora
I always failed to see why adding a phone number would be somehow more secure.
However, I also knew this kind of attack was somewhat common for German online
banking accounts using SMS TAN because service providers were easily convinced
to send a new (second) sim card to a new address they had never heard of
before.

------
DINKDINK
Another case of an attacker using phone porting to attempt to compromise
accounts: https://medium.com/the-coinbase-blog/on-phone-numbers-and-identity-423db8577e58#.xeqi89wpn

------
gambiting
Ha! My telco in UK(giffgaff) does not have any phone customer support, so the
only way anyone could ask for an account transfer would be through a
webform....after logging in to my account. Doing which would also send a
notification to my email address. Feels slightly safer now.

------
Spooky23
I wonder if having a really shitty prepaid carrier for this purpose or a
commercial account is a viable strategy?

A lousy MVNO is impossible to contact in any situation. Usually with business
accounts the carrier refuses to talk to anyone except the designated account
manager.

------
haser_au
TLDR: Telcos really are the weakest link, and you should not rely on your
mobile phone number for 2FA.

Background: I have worked in IT Security at an Australian bank, and had close
ties to the Internet Fraud department to help them understand fraudster's
tactics.

Many banks use SMS for 2FA. Australia has a law regarding how long it should
take customers to switch telco providers (called 'porting' because you retain
your phone number), and the timeframe in which this must be completed (90%
within 3 hours, 99% within 2 business days). If the Telco doesn't complete in
this time period, you can raise a complaint to the Telecommunications Industry
Ombudsman.

Example: If you are currently with Telco A, to port your number to another
company, you call Telco B and provide your details. They take care of the
porting process, and you can have your service running on a new phone and SIM
within 3 hours.

"All you need to have with you is your mobile number, the name of your old
mobile provider, your account type (pre- or post-paid) and your account
number. We'll handle the porting process from there. It can take from three
hours to three days, but we try to do it as fast as we can." Source:
https://www.cnet.com/au/news/switching-telcos-easier-than-you-think/, 2012

To make matters worse, the fraudsters would then change the details at the new
Telco B (i.e. my address is now 123 Rainbow Road, and my mother's maiden name
is Smith, not Jones). When the victim called Telco B, after Telco A had told
them a porting request had been completed, they'd say "Sorry, we have no idea
who you are and the details you're providing don't match our records". It can
take days to sort the whole thing out, by which time your Internet Banking has
been compromised and funds transferred out.

This was a major problem for Australian banks, because they cover the losses
for customers if you lose funds as a result of Internet Banking, as long as
you weren't negligent (e.g. you left your Internet Banking logged in on a
public computer in a library, or something).

If you are relying on your telephone number as a security mechanism, I would
change to something else. Something you have, ideally (Google Authenticator, a
physical hard token, etc.).

Sources:

ACMA Porting Rules for Telcos:
http://www.acma.gov.au/Industry/Telco/Numbering/Portability/mobile-number-portability-information-for-industry

Example A:
http://lifestrategies.net.au/wp-content/uploads/2015/03/March-2015-Newsletter.pdf

Example B:
http://www.itnews.com.au/news/45k-stolen-in-phone-porting-scam-282310/page0

Example C:
http://www.news.com.au/finance/business/banking/customer-scammed-20000-after-telstra-representative-gives-out-personal-details/news-story/90150d435ced674117e3925fbf1d48dc

------
ww520
The phone companies have horribly bad security practice. I once had a phone
number taken over by someone. When asked, the phone company just said, oh,
someone called in and wanted to take over the billing of the account, so we
let him. WTF.

------
codedokode
This is a serious problem. In some banks having access to a phone allows the
attacker to log into a web client and transfer money from the account. And
many web services rely on SMS as a method to restore the password.

------
yAnonymous
If telco providers are not taken to court for the damages caused by changing
plans without any verification, why should they change their practices?

Complaining on the internet won't help in this case.

------
sairamkunala
Doesn't google voice or a static number from Twilio solve the problem if one
cannot get the service that is required from Google free accounts?

------
shawn-butler
Is it possible to sue Verizon, TMo, ATT for their failure to adhere to their
own security practices for damages subsequent to a hack?

I think someone should try.

~~~
nommm-nommm
Someone is trying

https://krebsonsecurity.com/2016/08/a-life-or-death-case-of-identity-theft/

Basically husband had a heart attack and when wife went to call for help her
phone had been shut off by ID thieves. Husband died. Kids are suing Verizon
for not preventing ID thieves. This story doesn't seem to make sense though
because I thought a phone without service could still call 911.

------
syphilis2
Are there any startup email services that provide time-synchronized one-time-
use passcode dongles with each account?

------
awqrre
And Google uses dark patterns to incite you to add a phone number and a credit
card number to your account...

------
nameisu
they only respond to charge backs from credit cards

~~~
lucb1e
You sure those are not computers?

------
sumitgt
As a Project FI user, not an option unfortunately.

~~~
AnonCoward1
Yet one would suspect that Google, being both your telecom provider AND your
email provider, would be less vulnerable to social engineering targeting one
of their two services by means of the other.

------
bitmapbrother
>While Bob didn’t have multi-factor authentication enabled, he had also heeded
Google’s suggestions to add a backup phone number to bolster security.

Ah, there it is. No two factor turned on.

~~~
haser_au
If he was using SMS for 2FA, he still would have been compromised.

~~~
andmalc
The article states that if 2FA is enabled, then answering a security question
or access to the recovery email is also required.

------
hakcermani
"He used a very strong password (which was never used elsewhere)"

Am wondering .. how was the attacker able to compromise the account ?

------
emeidi
I stopped reading here: "While Bob didn’t have multi-factor authentication
enabled"

~~~
claudius
You shouldn’t have. Google trusted the phone too much, using it instead of the
user-supplied secrets to determine who was allowed to access the account.
Whether or not the account used multi-factor authentication seems quite
perfectly irrelevant?

------
ChoHag
And this is a surprise because ... ?

------
esalman
How did Verizon move his services to an iPhone 4? Does it mean the attacker
had physical access to his phone?

~~~
feld
No, they just change in their system the IMEI or ESN that phone number is
registered to so all incoming calls and texts start going to the phone the
attacker owns. It's just social engineering where you pretend to be the
customer and tell them you need to transfer your number to a new phone.

------
kibwen
I've also noticed that there's something very surprising about how Google has
implemented their 2FA. When I log into Gmail from a new computer, it does not
text me an authentication code and then lock me out of the account until I
enter the code. Instead it lets me into my account immediately with only a
password, and then sends my phone a notification that someone has logged in
from a new computer. Ignoring this notification has no consequence for the
logged-in computer. Convenient indeed, but this is really not how I expect 2FA
to work, and does nothing to prevent an attacker from reading the contents of
your emails or sending fraudulent emails with nothing but a password.

~~~
Nacraile
That's not how Google 2FA works; you seem to have misconfigured something.
When you actually have 2FA on (like I do), you must enter your one-time code
after entering the correct password.

~~~
kibwen
If I've misconfigured something, then it's news to me as to how. I've received
2FA texts from Google before, so I know that it used to work as expected, and
I haven't been in my account settings for over a year. If something on my
account has changed, then it's been out from under my feet without my
understanding as to how.

