Problem is that support people mistakenly resetting account auth when the attacker calls up and social engineers them is a bigger and more common issue than people’s only device dying. Not to say that’s not a thing that happens, but it’s a smaller of the two problems.
It's a smaller of the two problems for the company. If you are really poor, losing access to your online life because you couldn't pay your phone bill or something can be a huge, huge problem.
I have been homeless. I'm not currently. But this is an extremely stressful situation that could do all kinds of damage to my life if I can't get it sorted.
It's not just a company problem.
Having someone hack my google account then getting access to my bank account would be just as bad on a personal level. My whole live is managed online too.
Having spent nearly six years homeless and also had a college class from SFSU in Homelessness and Public Policy and having written about homelessness for years, I can assure you that for the vast majority of homeless people, losing their physical phone or being unable to pay for it is a much bigger problem than other people wanting to break into their accounts and steal their identity or some such.
for the rest of us having a hacker gain access to our accounts and stealing money or scamming others is a far greater risk. And for google a far more common occurrence. There is a reason there are so many safeguards in place and its because hackers are trying all day every day to break in and steal identities and money.
Homeless people don't need to use 2fa if they are so unconcerned with someone stealing their account or identity. For the rest of us 2fa and making it hard to steal accounts is 100% a must.
Were you so harsh on self-entrepreneurs that came here crying out loud because Google did shut down their developer account for some unrelated payement error on a linked account?
I hope so because otherwise you are just discriminating people based on their wealth. But praise lord dollar that if you ever fall from your status you won't find pedantic guys like you when seeking for help.
There's a recurrent thread of posters blaming everybody else for having issues with the big companies, because big companies cannot make mistakes otherwise they wouldn't be "big", right.
To be fair to the commenter, the company implementing the system is to blame. I can understand why Google (or other businesses) would prioritize customers concerned about security over the homeless. One is a more profitable customer.
Does that make it right? No. Does that mean people won’t get hurt? No. Plenty of ink on HN has been spilt about how companies act according to a profit motive, and often not in societies best interest. Recognizing this doesn’t make you complicit.
Kind of. The problem is that even when 2FA is disabled, Google's security panopticon will sometimes insist on additional verification anyway, even if you know your password, if it thinks something is suspicious.
If you don't have a verification method—or cannot access it—Google will literally just lock you out.
I have personally experienced this on accounts I don't access regularly.
For a careless user, or one who does not bother to learn about the risks, having one's account stolen is more of a danger. On the other hand, for a reasonably cautious user with a basic understanding of the risks involved, and whose life varies at all from predictable (affluent) norms, losing account access due to Google's protective measures is a bigger danger – and more of a hassle to guard against – because these protections are so easily triggered
I think the GP's point was that the "someone else having access" bit affects everyone, not just homeless people, if the company makes it easier to reset/regain access to accounts.
Bottom line, though, is that these companies should be required to find a way to maintain that high level of security, but also have a process so anyone who loses account access can get it back in a reasonable amount of time.
Yes, I am well aware of that. I have been on Hacker News since 2009 under my Mz handle and I have a Certificate in GIS from UC-Riverside, the most respected GIS program in the world at the time that I attended (2002, IIRC).
I don't try to crow about being some kind of tech genius because for the HN crowd I'm not. But I'm not poor due to being mentally retarded or something. I have an incurable medical condition as does one of my adult sons.
Perfectly average geographers on HN represent! I feel like seeing another GISer in the tech world is like seeing someone from your country while on vacation. You’ve just got to say hi because it feels so rare.
Edit: thanks! Solved. I’ve deleted this part of the comment because I always feel very socially awkward and afraid I’ll make others feel awkward.
I'm sure plenty of people would rather live with the small chance of a hacker even wanting to gain access to their account than the very large chance of eventually losing access to the account entirely.
Although they probably wouldn't want to live with all their emails being discarded because gmail becomes so easy to hack and everyone assumes gmail accounts are spammers.
Huge amounts of spam already originate from gmail addresses, so I don't think this is a good example. That's not to say that I think security should be weakened, though - it should not, but for other reasons.
Back at the start of 2FA rolling out it used to be an absolutely massive issue where the attackers would call up support and tell a sob story and have the account reset and in the control of the attackers.
As a user it doesn't matter how well you manage your own security when that can happen.
but should i have to have an insecure account because homeless people exist?
No, of course not.
This is like when people who drive get chuffed about pedestrians wanting their lives to work and acting like "Well, if we do anything for you, then my life will fall apart." As if we can only build a world that works for cars or build a world that works for non-drivers and the other camp just has to accept a sucky life and all kinds of flak for not liking it.
What in the hell makes you think someone must get screwed and it might as well be those who already have the least? No one is asking you to get screwed here.
> the topic of this thread is suggesting google should reduce security for everyone
I don't really see that anywhere; I think you're jumping to conclusions.
Every system will need to have some escape hatches, whether that's a governmental bureaucratic process or a Google account recovery process. Because no matter how well you design a system some folks are going to fall outside of it because the world is complex and the number of possible situations are too many to capture.
"Yes, but it's only 1%" – yes, but it's 1% for system A, and a different 1% for system B, etc. and it all adds up.
All of this is why things like appeals exist in many processes, and why we have judges in addition to mountains of laws. None of this is perfect by any means and there's lots that can be improved, but at least there's the recognition that The System isn't perfect – even if it's more symbolic than anything else at times.
If I lose access to my HN account then that might be annoying, but fundamentally it's not really a big deal, at least not for me. But some accounts/services are connected to all sorts of things and much more important than some HN account and connect to "real life" in much more complex and impactful ways. You can't on one hand have a service wanting to become central in people's lives but on the other hand also just shrug at the edge cases and pretend it's not your responsibility when people get screwed over.
The solution to that is to make the increasingly intrusive security processes an opt in, not to completely write off anyone who can't reliably keep a particular physical device on their person and working indefinitely.
> The solution to that is to make the increasingly intrusive security processes an opt in
Absolutely. A common phrase is "mechanism, not policy". The service providers should be enabling all kinds of mechanisms for account level security so users can pick what works best for them. They should absolutely not be imposing any kind of policy. That's where all the source of trouble comes from.
Only I know the threat models I care about for any particular account I have.
For some of them, preventing unauthorized access is the top priority and I'll enable geofencing, 2FA, hardware tokens.
For other accounts, availability is an absolute must and more important than anything else so for those I'll just have a strong password.
Only I can possibly know the correct answer, so for a service provider to come in an impose their policy on my requirements is fundamentally wrong.
> Only I know the threat models I care about for any particular account I have.
You are not neccesarily the person being negatively effective.
Email service providers are all about reputation so their stuff isn't marked as spam. When your account gets hacked and starts sending viagra ads, you are not the one who suffers the fall out.
There are lots of email providers out there with different policies. One of the reasons gmail is popular is because of these policies.
Gmail is already a well-known spammer. Loads of spam come from Google, I see it everyday, by far the biggest source of spam I see. Unfortunately, they're also so big, with so many legitimate users, that you can't block them wholesale if you're expecting to deal with the public, many of whom have a gmail address.
In that case I think it's fine to have a default security profile, and let people add or remove things as they see fit. On account creation, they could even present a questionnaire that determines whether the user values security or availability more, and set the security requirements accordingly.
It used to be opt in until the icloud hacking saga where the public demanded something be done. So it was decided users want mandatory security by default. Almost all of these services provide backup codes you can write down on paper as well.
Sure, some people are going to lose their only device and the bit of paper, but at that point if you have literally nothing to identify yourself with, it's going to be hard to provide a secure service to you.
It can still be opt out with a fallback on the old approach of security questions. The name of your first pet, your favorite teacher, etc.
It doesn't matter how much in general 2FA works out better for most people, there are lots of people for whom it is not viable. They know who they are. Give them an option that doesn't make their life worse.
OP knows who they are, but I would not be surprised if many poor/homeless users wouldn't realize they need to opt out of something until they find out the hard way when they're locked out and can't get back in.
That might help for a certain subset of people in this scenario, but there are also people with subtle mental conditions that, while capable of living productive lives, are also unable to deal with MFA. There are also the elderly and non tech-literate.
Tying someone's identity to their phone number is not the answer, though.
I have this at the moment - I'm travelling, moving country every few weeks, so I need a new SIM card and phone number every few weeks. My phone number is temporary at best.
I'd massively prefer to take the risk of my identity being stolen than constantly fighting security measures that assume people never change their phone number (or country of residence, etc).
You don't need to use a phone number for google. I don't have a phone number attached to my google account at all due to the risk of sim swapping despite asking my carrier to lock it, instead i have multiple hardware keys and devices + backup codes in a safe deposit box.
If Google ever thinks you're doing something suspicious, they'll just make you authenticate using a physical device instead, by way of Android functionality they never told you about or asked you about using. Hopefully they won't demand you authenticate on a device that's defunct.
luckily, so far, this doesn't involve the phone number. Google seems to know what my device is and how to reach it without needing to know the number. Little bit scary, but really useful.
You do for lots of other things (and many people have it for Google as well). Most banking or payment, a random selection of apps that decide you now need verification, new apps in the new country...
The problem here is there are ways to allow for both but they are labor intensive and Google (and other tech companies) do not like things that do not scale because it cost them $$$, they prefer no customer service and automation using Security as a cover for their poor practices.
In this instance if they need a code why is there not a process to hell use US Mail and send a paper code to the registered address of the account owner? Analog is often the solution to these type of problems
Maybe, since Google wants to be that important to people's lives, they should be force to have representatives, to whom one can go and have things sorted. Needs to check your id and then phones home (...) to get your account unlocked.
