Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security Google

'Adding a Phone Number To Your Google Account Can Make it Less Secure' (vijayp.ca) 106

You may think that adding a backup phone number to your account will make it prone to hack, but that is not always the case. Vijay Pandurangan, EIR at Benchmark (and formerly with Eng Site Lead at Twitter) argues that your phone number is likely the weakest link for many attackers (at least when they are trying to hack your Google account). He has shared the story of his friend who had his Google account compromised. The friend in this case, let's call him Bob, had a very strong password, a completely independent recovery email, hard-to-guess security questions, and he never logged in from unknown devices. Though Bob didn't have multi-factor authentication enabled, he did add a backup phone number. On October 1, when Bob attempted to check his email, he discovered that he was logged out of his Gmail account. When he tried to login, he was told that his password was changed less than an hour ago. He tried calling Verizon, and discovered that his phone service was no longer active, and that the attacker had switched his service to an iPhone 4. "Verizon later conceded that they had transferred his account despite having neither requested nor being given the 4-digit PIN they had on record." The attacker reset Bob's password and changed the recover email, password, name on the account, and enabled two-factor authentication. He got his account back, thanks to support staff and colleagues at Google, but the story illustrates how telco are the weakest link. From the article: Using a few old Google accounts, I experimented with Google's account recovery options and discovered that if a Google account does not have a backup phone number associated with it, Google requires you to have access to the recovery email account OR know the security questions in order to take over an account. However, if a backup phone number is on the account, Google allows you to type in a code from an SMS to the device in lieu of any other information. There you have it: adding a phone number reduces the security of your account to the lowest of: your recovery email account, your security questions, your phone service, and (presumably) Google's last-ditch customer service in case all other options fail. There are myriad examples of telcos improperly turning over their users' accounts: everything from phone hacking incidents in the UK to more recent examples. Simply put, telcos can be quite bad at securing your privacy and they should not be trusted. Interestingly, it appears that if two-factor-auth via SMS is enabled, Google will not allow your password to be reset unless you can also answer a security question in addition to having access to a phone number.
This discussion has been archived. No new comments can be posted.

'Adding a Phone Number To Your Google Account Can Make it Less Secure'

Comments Filter:
  • Reason (Score:5, Insightful)

    by Jiro ( 131519 ) on Friday October 21, 2016 @09:52AM (#53122415)

    Google doesn't actually want your phone number for security. Google wants your phone number so that they can link the account in their database to other information that contains your phone number.

    • Correct.

    • Google doesn't actually want your phone number for security. Google wants your phone number so that they can link the account in their database to other information that contains your phone number.

      The number is to make account recovery possible in the event you've forgotten your password. The assumption is that attackers won't have access to your phone. That assumption is violated if your telco will transfer your number to the attacker's phone, of course.

      If you prefer not to give your phone number to Google, don't. Just turn on two-factor auth using a non phone number-based auth method, either the Authenticator app or (better yet) a security key, or both. Then download and print out some backup 2FA

      • by GNious ( 953874 )

        If you prefer not to give your phone number to Google, don't. Just turn on two-factor auth using a non phone number-based auth method, either the Authenticator app or (better yet) a security key, or both. Then download and print out some backup 2FA codes and keep them somewhere safe. Google won't have your phone number and you won't be vulnerable to mistakes by dumb telco customer service reps.

        Not google, but on Twitter I've had to use 2FA codes 2-3 times daily - any hiccup, and I have to log in again, and every time(!) it'll request a code.
        Sure, could print a dozen or 2, but I'll burn through them quickly.

      • Google definitely uses the phone number for learning connections between people.

      • by tlhIngan ( 30335 )

        The number is to make account recovery possible in the event you've forgotten your password. The assumption is that attackers won't have access to your phone. That assumption is violated if your telco will transfer your number to the attacker's phone, of course.

        And the good folks at NIST have already commented that phone numbers are a bad authentication method and should never be used for the second factor.

        Because of exactly this - a phone number is not necessarily under control of the phone you think it is

      • If you prefer not to give your phone number to Google, don't.

        You can no longer do that.

        I just tried setting up a gmail address -- it won't work unless I give them a phone number.

        And for an old address that you set up before this policy, they have the nice habit of blocking pop3s/smtps access from time to time, forcing you to login via web through a page where they pester you again about adding a phone number

        Because of that wanton blocking I can no longer trust to use my gmail address for any seriou

      • When google has asked me for 2-factor, they always want the phone and nothing else. They don't even say "2 factor" until you dig down and ask why. Early on I had no texting ability at all, explicitly disabled on my phone account, so providing a number would have been useless unless they were going to phone me directly. Even with texting now I don't want this as this phone will not be with me for the lifetime of the account.

        The biggest security headache involved in this is losing the phone, in which case

    • Google doesn't actually want your phone number for security. Google wants your phone number so that they can link the account in their database to other information that contains your phone number.

      Correct. It's not Google that wants your phone number linked to your email account -- it's the NSA. Email accounts may be disposable and free, but every phone is costing somebody money. Unless you buy a burner phone and service cards for cash, there is a financial trail behind every phone that leads back to a person. Once the NSA knows the person's phone number, geolocating the phone (and therefore the email account owner) is child's play for the inventors of PRISM.

      Even if you buy a burner phone and ser

    • by PPH ( 736903 )

      Everyone wants your phone number so that they can link the account in their database to other information that contains your phone number.

      FTFY.

      I wrote a check the other day (with no phone # pre-printed) and the clerk asked for one to write down. I decided to run a test and said, "No phone." He asked, "What?!" I replied, "I don't have a phone." He looked like he was going to shit himself, but accepted the check anyway.

      Phone numbers accepted in this manner have little to do with security or identity verification. By the time the number is exposed as a fake, the thief is out the door with the goods. And if it was actually me that bounced a che

    • This is how Russians were hacking social media accounts and public emails of British MPs last year. It is assumed that they procured IMSI IDs of MPs from open sources (databases of gaming companies (this why Google lets apps to read your IMSI), advertising cookie brokers). Then they used Russian cell phone networks to announce a "Roaming transfer" of their phone numbers from BT to them and then used an "SMS login" and password recovery from their Snapchats/Twitters/Whattsups. Once they logged into them, i
    • Google doesn't actually want your phone number for security. Google wants your phone number so that they can link the account in their database to other information that contains your phone number.

      This is how Russians were hacking social media accounts and public emails of British MPs last year.

      It is assumed that they procured IMSI IDs of MPs from open sources (databases of gaming companies (this why Google lets apps to read your IMSI) or advertising cookie brokers).

      Then, they used Russian cell phone networks to announce a "Roaming transfer" of their phone numbers from British Telecom to them and then used an "SMS login" and password recovery from their Snapchats/Twitters/Whattsups. Once they logged

    • Google wants your phone number so that they can link the account in their database to other information that contains your phone number.

      Don't be daft, Google already has that information.

  • by H3lldr0p ( 40304 ) on Friday October 21, 2016 @09:55AM (#53122443) Homepage

    it's the humans at the other end of the line.

    The lesson is the same one we've been screaming about for the past few decades. People are the weakest link. They're paid just to get on with the job, not to take the time to analyze or think that deeply. The article even mentions how the security the phone company has as part of their procedure was ignored. Why? Because for the support people it's about getting to the next caller.

    Change that and you've changed security. That'll cost money, but I have a feeling it's more than affordable.

    • I download the Authenticator App and just use that.
    • by Jiro ( 131519 ) on Friday October 21, 2016 @10:07AM (#53122537)

      It's the "one database key connecting everything" idea that makes it insecure, so that if there's a breach in anything, it becomes a breach in everything you're involved in. If phone numbers and email addresses were kept separate, then the effect of the bad security at the phone company would be limited in scope to the phone account only.

      The lesson is that Big Data and specifically Google are evil for creating conditions where security breaches cause more damage than they otherwise would..

    • Comment removed based on user account deletion
    • Social engineering (Score:4, Insightful)

      by bradley13 ( 1118935 ) on Friday October 21, 2016 @11:42AM (#53123259) Homepage

      Attackers get the service people on the phone, and spin a believable story about just why they don't know the answer to the security question, or have lost their PIN, but it's really important that they get this changed. They pull the support worker onto their side, partners against the evil bureaucracy. The support worker feels good, for helping someone out of a tight spot.

      This is made more believable by the ranks of the clueless, who really do get themselves into weird predicaments. Sometimes there really do need to be exceptions to the security rules. But when? How do you tell?

      I have a cousin who could do this. Let him talk to you for five minutes, and he'll have you believing anything he wants. Venus is actually in a retrograde orbit? Obama is actually a white guy in black face? It almost doesn't matter how outrageous it is. Fortunately, he's not evil, so it's just a party trick: he convinces people of stupid stuff, then let's them stew in their juices until they figure out that they've been tricked. It's damned unsettling...

      • by SeaFox ( 739806 )

        Attackers get the service people on the phone, and spin a believable story about just why they don't know the answer to the security question, or have lost their PIN, but it's really important that they get this changed. They pull the support worker onto their side, partners against the evil bureaucracy. The support worker feels good, for helping someone out of a tight spot.

        Pfft! More like "support worker helps the customer out because the customer is getting angry and he doesn't want a supervisor call". It's amazing how stupid users are all-for improved security until they "lose their key" and then blame the company for "not being helpful" when the protections work designed against them.

  • Just say no. (Score:5, Insightful)

    by DidgetMaster ( 2739009 ) on Friday October 21, 2016 @10:03AM (#53122499) Homepage
    The last thing I want (well, one of the last things I want), is for Google or anyone else to have one bit of information about me than they absolutely must have. This is why I give fake names, addresses, and phone numbers to 95% of the online 'accounts' that I have. Unfortunately, it is getting harder and harder to 'opt out' of sharing information. The defaults of almost every application is to grab everything and beam it home to the mother ship. Even when you tell it NO, many will keep bugging you until you say yes. Every 'upgrade' will reset the defaults and if you are not paying attention, you are screwed.
    • When the real-name policy was in effect, you needed to put a name on the account in order to use Hangouts. It took a bit of finaggling, but it finally accepted: Crash N. Burn.

      Although apps wanting ALL information is egregious. Hell even OperaMax (data utilization|optimization tool) wants "location, and contacts" in it's most recent update. I'm skipping that update until I root my phone and start feeding bogus crap to such apps.
    • The last thing I want (well, one of the last things I want), is for Google or anyone else to have one bit of information about me than they absolutely must have. This is why I give fake names, addresses, and phone numbers to 95% of the online 'accounts' that I have. Unfortunately, it is getting harder and harder to 'opt out' of sharing information. The defaults of almost every application is to grab everything and beam it home to the mother ship. Even when you tell it NO, many will keep bugging you until you say yes. Every 'upgrade' will reset the defaults and if you are not paying attention, you are screwed.

      I second this. I NEVER give my phone number or real name to any service I'm not paying for, and I'm very careful about info I give to services I DO pay for. Google may have my cell number because I have an Android phone, but it's not associated with my account in any public-facing place AFAICT. And Google doesn't officially have my real name. I'm sure they know it just because they're Google - but my Gmail account is under a pseudonym, and I don't use it except to the extent necessary to use Google Play. So

  • by mark-t ( 151149 ) <markt AT nerdflat DOT com> on Friday October 21, 2016 @10:04AM (#53122503) Journal
    Changing information on an account without verifying that the person doing the changing is actually authorized to do so is... well... negligent to the point of incompetence, and he may be able to successfully sue Verizon for the costs associated with getting his email back.
    • by XXongo ( 3986865 )
      Really, I'd much rather not have the problem in the first place than have the consolation that if I want to, I could spend a portion of my life pursuing a lawsuit that might, if I spend the time on it, give me a few hundred or maybe even a thousand dollars back.

      The point is that Google offloaded their security to Verizon, who turned out to be a bit lax on security. Security is only as strong as its weakest point.

  • Account Recovery (Score:5, Informative)

    by bigfinger76 ( 2923613 ) on Friday October 21, 2016 @10:04AM (#53122517)
    Google no longer supports security questions for account recovery.
    • Google no longer supports non-security questions for account recovery.

      FTFY. Security questions are a joke. The answers are almost always easy for an attacker with a little bit of information about you to find, and a lot of the time the legitimate user can't remember them. Moreover, those two traits are strongly correlated: the harder it is for an attacker to find the answers, the more likely it is that the user won't be able to find them either.

      Everyone should stop using them.

      • Probably has something to do with why they're no longer supported.
      • by Anonymous Coward

        FTFY. Security questions are a joke. The answers are almost always easy for an attacker with a little bit of information about you to find, and a lot of the time the legitimate user can't remember them. Moreover, those two traits are strongly correlated: the harder it is for an attacker to find the answers, the more likely it is that the user won't be able to find them either.

        Everyone should stop using them.

        Use random characters for 'security question' answers, just like passwords. Store the answers in your password manager, just like your passwords.

        I agree with you, giving easily discoverable answers to common questions is not "security", so do not do it.

      • by jrumney ( 197329 )

        The answers are almost always easy for an attacker with a little bit of information about you to find,

        Which is why I always give false info to answer the questions. The problem is you don't need to answer security questions very often, so when recently, for certain types of transaction my bank suddenly started requiring an answer to a randomly picked security question from the 5 I had to give them 8 years ago when I set up internet banking on that account, I had to start visiting a physical branch to do my

  • by Anonymous Coward

    https://threatpost.com/nist-recommends-sms-two-factor-authentication-deprecation/119507/

  • So much for the popular meme with some Slashdotters that iPhone users are idiots that only use Apple products because they don't know anything about "tech".

    Sounds like that particular iPhone user knew exactly how to take over someone's online identity. That implies at least some level of expertise in matters other than the "Ooh, shiny!" that some Slashdotters think is the norm with those who use Apple.

    Of course I am sort of joking; but the underlying facts are still there...
    • by green1 ( 322787 )

      They didn't necessarily have any technical expertise. They had social engineering expertise which is something entirely different. In fact the 2 are often not really related. The stereotypical technical person (geek/nerd) is not known for their social engineering abilities.

      • They didn't necessarily have any technical expertise. They had social engineering expertise which is something entirely different. In fact the 2 are often not really related. The stereotypical technical person (geek/nerd) is not known for their social engineering abilities.

        You realize, of course, that you have just replaced one Stereotype with another, right?

        • by green1 ( 322787 )

          My point was that we do not know the level of technical expertise of the attacker, because their exploit was not of a technical nature. While pointing out that there is no reason to believe that there is any correlation between the 2 different skills.

          To emphasize the point I used a humorous stereotype in response to their stereotype, however it was not the point of the discussion, and I in fact specifically called it out as a stereotype as opposed to claiming that it was real.

          • My point was that we do not know the level of technical expertise of the attacker, because their exploit was not of a technical nature.

            The attack itself may not have been technical in nature; But I still submit that the attacker had to know something about "tech" to so quickly and efficiently go right to the right places to effect a rapid takeover, staying ahead of the legit user.

  • Comment removed (Score:4, Interesting)

    by account_deleted ( 4530225 ) on Friday October 21, 2016 @10:16AM (#53122595)
    Comment removed based on user account deletion
    • The whole goddamned point was an online network not controlled by a big telco or the government.

      You don't know much about the history of the internet, do you? The internet was invented by the Defense Advanced Research Project Agency with the goal of networking military computers in a failsafe fashion. The stated goals [princeton.edu] were:

      1. Internet communication must continue despite loss of networks or gateways.
      2. The Internet must support multiple types of communications service.
      3. The Internet architecture must accommodate a variety of networks.
      4. The Internet architecture must permit distributed management of i

    • And here we are - controlled by monopolistic entities and/or governments

      Is it? The only evidence I see here is that some guy lost access to his emails. This is about my grandma's level of thinking when we talk about "the internet".

      You can't run your own servers, at least if you don't want to play whack-a-mole with constant threats, paramount being the DDoS that you have no power to resist yourself.

      It just sounds like YOU can't run your own server. I personally have been running one without problem for 15 years now. Can't say I've ever been hacked or DDoS'd. But how is that Google's fault again?

      Disconnecting entirely sounds better and better every day.

      Or just don't use gmail for internet. I know it's hard since gmail IS the internet but there are actually alternatives.

      • Comment removed based on user account deletion
        • There was a time I thought myself invincible.

          And just why do you need to be invincible? Are you a big enough target to need the additional protection? If you are then you can afford better protection. If not then you don't need the protection to begin with.

          I'm not invincible. But I am one of several billion internet users which makes me a very irrelevant target in a sea of indecipherable shit.

          I'd say something smart like "come at me bro" but that's kind of the point isn't it. The internet is a perfectly safe place to host and manage your own connectio

  • 'Adding a Phone Number To Your Google Account Can Make it Less Secure'

    You may think that adding a backup phone number to your account will make it prone to hack, but that is not always the case.

    Well done, you've contradicted the headline in the first sentence. I assume someone accidentally a word.

  • So the person who hacked the email also knew this guys (nominally unpublished) cell phone number and went to the effort of calling Verizon in person to move his number to an entirely different SIM with apparently zero authorization? I mean - it could happen - but that's a shit-ton of human time to go after a single mark, with a pretty low likelihood of working. It just smells like a set up.

    • Not really... there are plenty of people that might know your unpublished cell number like ex wife/husband/girlfriend/boyfriend co-worker employee any of which might hold a large enough grudge to take the time to do something crazy.

      We had disgruntled ex-employee call and make appointments for breast enlargement consultations at every place in the area for one of our managers. They also had a bunch of free brochures and news letters sent to her home address and email.

    • Perhaps he registered for another site with his email address and mobile number. Said site either used that info for no good, sold it to people who used it for no good, or was hacked by people who stole it and used it for no good. Taking his phone number probably put them in a position to be able to get to something more important like his bank account. Or the bank account of his elderly mother who is very concerned that her son texted her or called her saying he needed her to wire him 600$.
  • by green1 ( 322787 ) on Friday October 21, 2016 @10:28AM (#53122675)

    It doesn't really matter what that is, but if there's a way to "recover" your account, then it's by necessity, a way to completely bypass any other authentication you had. The more ways to recover the account, the more attack vectors there are.

    It's why I hate "recovery questions", they're usually bad questions that anyone could find out, and if I use some other answer, then I'm likely to forget what it is anyway.

    If I need a password to access the site, at least it's only one thing to remember, and only one point of weakness for an attacker.

    So the big question is, which is more important? the ability to recover an account you've been locked out of? or the security of knowing nobody else can either?

    Of course companies can really screw this up too. For instance Tumblr recently re-set everyone's passwords and forced them all to use their recovery option because their password database had been compromised. Anyone who did not have a working recovery option was completely screwed, even though their account was otherwise more secure.

    • A password manager. No forgotten passwords. No account recovery required.
      • by Anonymous Coward

        A password manager. No forgotten passwords. No account recovery required.

        A sheet of paper, stored in a hidden vault, with the passwords written down with a pen. Extremely inconvenient, but fairly safe.

        • by green1 ( 322787 )

          Slightly less secure than a password alone.

          An attacker can still get in with the password, but they can also now get in by gaining access to the vault. Now you could argue that the vault is more secure than the passwords, so the risk is minimal, but it still decreases rather than increases security over all. Additionally, what if the vault is destroyed? If you're talking one in your home, if your home is destroyed the vault could be as well. While it's true that you then have "bigger problems" to worry abou

      • by green1 ( 322787 )

        So now people can hack your password manager and get access to ALL your sites instead of just one.

        A password manager is another "account recovery" option, it weakens your security. By how much depends on the type of password manager used.

        And how does the password manager solve the Tumblr incident I just mentioned? Or what if the password manager stops working for some reason (corrupt or lost database, cloud provider goes bankrupt, etc etc)

    • "It's why I hate "recovery questions", they're usually bad questions that anyone could find out, and if I use some other answer, then I'm likely to forget what it is anyway."

      The you're doing it wrong.

      You should not have to remember your bogus answers. You should instead record them in your encrypted password safe.

      I probably have over 100 different accounts at 100 different sites all over the web and each and every one of them has a different randomly generated strong password and nonsense security questio

      • by green1 ( 322787 )

        What happens if your password safe is a) compromised b) destroyed?

        Using a password safe decreases security over all by adding a single point of failure for all of your accounts, and additionally decreases reliability by allowing you to lose access to all of your accounts at once if anything were to ever happen to it.

  • Facebook keeps asking me to confirm my phone # is correct. Of course it's a random "555" number I gave them, along with incorrect address etc because there's no f***ing way I want them to have that information...

  • At least if your phone service is Google fi there is a lessened chance of it being hijacked. (requires Nexus / Pixel phone)
  • On GSM networks you transfer your number between phones by moving the sim card. So there's no way you can get control of someone else's phone number via just a phone call.

    • by zdzichu ( 100333 )

      But you can still move ('port') your number to different provider. It's all happening between telekoms. Lately crackers have been moving the numbers to shady VoIP providers, in order to intercept 2FA tokens.

  • by Jezral ( 449476 )

    Though Bob didn't have multi-factor authentication enabled...

    I think I see your problem. Why have a phone attached but then not use MFA on the same device?

  • Is how did they switch his phone number without any kind of authorization?
    He's a paying customer isn't he?
    Can anyone just walk into the store and request new simcards for random numbers?
  • Headline seems to indicate that adding phone numbers decreases security, but the blurb below it seems to indicate that adding VERIZON to your google account is the issue.

  • by Anonymous Coward

    I'll tell you a secret. It's the reason Google, Yahoo, and others have been asking for you cell number recently. They're following Facebook, who figured this out years ago. It's also the reason Facebook broke it's Messenger app out as a separate entity from it's Facebook iPhone app. And it's the reason Snapchat moved to build its social connection graph from your cell phone contacts list:

    Your Cell Number Uniquely Identifies You.

    Sure, you could get two cell phone lines. But most people don't do that. T

  • ... "Verizon later conceded that they had transferred his account despite having neither requested nor being given the 4-digit PIN they had on record." ...

    Something similar happened to my Verizon account. Verizon does not appear to have a high level of account security.

  • Verizon later conceded that they had transferred his account despite having neither requested nor being given the 4-digit PIN they had on record

    So it's not the phone, it's the company that didn't abide by their own policies.

No spitting on the Bus! Thank you, The Mgt.

Working...