Major Security Flaw in Google Accounts

I have just been put through the unfortunate experience of having my Gmail account hacked. I don’t know for sure how they got my original password, but I will discuss that bit and offer some of my lessons learned through this experience at the end of this article. First I want to warn everyone about the huge disappointment I felt at trying to resolve this issue when dealing with Google.

What is your Google Account Worth to You?

First of all, take a second to understand the impact of someone hacking into your Google account. For me, it was huge. I have 4 years of my personal life and business life in that email account – and now some arsehole has access to it all. They know everything about me. Worse than that, numerous websites which I have created accounts at have emailed me my username and password over the years – so they have access to several of my passwords (something I didn’t think about straight away, which came back to bite me on the arse, and which I am still trying to deal with). And more than that, my Gmail account is linked to all of my other Google applications. My YouTube account. My AdSense account, my AdWords account, my Analytics account, my Google search history, Google Finance account…etc. Every Google account that I have was linked to that one email address, and they are all now under the control of a criminal with bad intentions towards me.

That is serious.

The Google Account Tug Of War

So what can you do? You click on the “I forgot my password” button – but the hacker has already changed the secondary email address and SMS phone number – now they just know that you are aware of them. So you use the obvious option and select “My Account Has Been Compromised”, which takes you to the “Contact Us – Accounts Help” form.

Hooray. A solution! A way to get your account back! You fill in the form, answering a series of questions that only the account holder could know the answer to, and you get your account back…right…? Wait a minute – what about someone who has simply had access to the account long enough to collect the appropriate information from the account?

Yeah, that’s right – you use this form, get your account back under your control once “someone at Google” (almost certainly software) inspects your answers against the information in your account, and then sends a password reset link to whatever email address you chose while filling out the form – completely bypassing all of the security measures in your account. You get back into your account with your new password and, while trying to deal with what damage the hacker has already done, they fill in the form again and before you know it, they have your account back under their control again.

I did this three times before I realised what was happening. I mean, the first time it happened, I was trying to figure out how this “Hacker” knew my new password so quickly. Did they have a keylogger on my computer? Were they watching my network? Ha. If only the person who hacked my account had such skill… No, it was just a retarded account recovery system that Google has in place, and NO accountability of the uselessness of it all.

The Lack of Support

Here is the real problem with this situation – remember above, just how IMPORTANT this account is to me? Well when I found my account had been compromised, all I wanted to do was pick up the phone and call someone and say “HACKER IN MY ACCOUNT, STOP THEM!!!!”. I mean seriously private information, financial information, financially contracted accounts and everything available to this criminal…I think some immediate support should be accessible. But no. You can find a phone number for your local Google office, but you get a message system designed to deal with questions relating to the Google brand, or employment options. There is an option for assistance with Google Mail etc, but when you select that, you get told that “Sorry, there is no live support available at this time, please see our online Help Centre”. A help centre which is just a series of articles about how to keep your account secure – not a bit of help once you are stuck in a tug of war with someone who has already compromised your account.

The only option available is the User Forums. Yeah, your whole life on the line, and you can go somewhere and kindly ask a stranger to help you – someone who is not employed by Google, has no access privileges, and essentially no power to actually do anything. But they can talk you through it…

I am not the only person to have suffered through this, as this thread on the help forums shows:

While these threads again highlight Google’s complete lack of help or concern on this issue of lax security with their accounts system:

And there are a heap more posts out there by people incredibly dissatisfied with the lack of support (complete lack!) offered by Google when things go bad.

Two Suggestions for Google

So first of all, my suggestions to Google (wouldn’t it be nice if someone listened…)

  1. At least ALLOW a heightened security option in Google accounts.
    • A heightened security state should require that any change to the information in your Google account be confirmed by entering a code sent to you by SMS, or a code sent to your secondary email address. So if someone has your password, they still need access to your mobile phone or secondary email address in order to gain COMPLETE control of your account.
    • Not everyone needs heightened security, but some people (like myself) have a LOT on the line when it comes to their Google accounts, and will happily tolerate a little more security in order to keep their information safe. So make it an option in account settings.
  2. Have a real person step in if an account has had 2 account recovery forms submitted for it over the course of a few days.
    • Clearly, if a single account keeps having this form submitted for it, then there is a problem. It seems obvious to me that the form is currently handled completely by software, but a human looking at the IP addresses of the people submitting the form (compared with the historical IP addresses of the account user), together with other evidence (and preferably a “More information” text box on the form), could sort this out very easily in most cases (or at least LOCK the account – which is a great outcome for the account owner, and much better than letting a criminal have control!)
    • Again, make the number of submissions a personal option in your Google account settings. This account recovery form is too powerful as it currently stands, and needs to be controlled. Yet ironically it is also lacking, because it is easy for an intruder to change the information in the account and lock out the real owner, and sometimes the owner really has no idea how long ago they opened their various accounts etc. (while a hacker would actively seek out this information upon gaining access, so that they know they can get back in).

I think if just step one was implemented, then everything would be fine actually. Having a help desk would be brilliant, but it would be unnecessary if there were two layers of protection. You need the password to get in. You need the mobile phone in order to change the secondary email address. You need the secondary email address in order to change the mobile phone. You need one or the other to change the password.

Oh, and just to be clear, I mean you REQUIRE access to the secondary email account and/or phone in order to make changes – I am sick of watching all of my accounts email me and telling me “Your password has just been changed – you don’t have to do anything, we’re just letting you know”. Thanks. OK, it’s better than not telling me, but I think simply requiring a verification click would make that email so much more worthwhile – don’t you?
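As an added example (not code from the original post, and not Google’s own implementation), here is a toy Python model of both suggestions together: a change to the secondary email must be confirmed with a code sent to the current phone, a change to the phone with a code sent to the current secondary email, a password change with either, and a second recovery-form submission within a few days locks the account for a human to look at. The verifier class, the three-day window, the single-use tokens and every address in it are assumptions made for the example; a real service would send the code through an SMS or mail gateway instead of recording it in an outbox.

```python
"""Toy model of the two controls suggested above: out-of-band confirmation for
changes to account details, and escalation when the recovery form is reused.
Added example, not Google's code. The delivery channel is simulated: codes are
recorded as (destination, code) in an outbox so the flow can be exercised offline."""
import hmac
import secrets
from dataclasses import dataclass, field

RECOVERY_WINDOW_SECONDS = 3 * 24 * 3600  # "a few days" (assumed: three)
MAX_RECOVERY_SUBMISSIONS = 2             # the second submission in the window escalates

# A change to each field must be confirmed with a code delivered to the *other*
# factor, so a captured password alone cannot rotate the recovery details.
CONFIRMING_CHANNELS = {
    "recovery_email": ("recovery_phone",),
    "recovery_phone": ("recovery_email",),
    "password": ("recovery_phone", "recovery_email"),
}


class OutOfBandVerifier:
    """Stands in for the SMS / e-mail gateway; sent codes are kept in `outbox`."""

    def __init__(self):
        self.outbox = []

    def send(self, destination):
        code = f"{secrets.randbelow(10**6):06d}"
        self.outbox.append((destination, code))
        return code


@dataclass
class Account:
    password: str
    recovery_email: str
    recovery_phone: str
    heightened_security: bool = True
    locked: bool = False
    pending: dict = field(default_factory=dict)               # token -> (field, value, code)
    recovery_submissions: list = field(default_factory=list)  # epoch seconds


class AccountService:
    def __init__(self, verifier):
        self.verifier = verifier

    def request_change(self, acct, field_name, new_value, via):
        """Step 1: stage the change and send a code to the confirming channel.

        Returns a token for confirm_change(), or None when heightened security
        is switched off and the change was applied immediately."""
        if acct.locked:
            raise PermissionError("account locked pending human review")
        if field_name not in CONFIRMING_CHANNELS:
            raise ValueError(f"unknown field {field_name!r}")
        if not acct.heightened_security:
            setattr(acct, field_name, new_value)
            return None
        if via not in CONFIRMING_CHANNELS[field_name]:
            raise PermissionError(
                f"{field_name} may only be confirmed via {CONFIRMING_CHANNELS[field_name]}")
        # The code goes to the *current* value of the confirming factor, never
        # to the value the caller is trying to set.
        code = self.verifier.send(getattr(acct, via))
        token = secrets.token_hex(8)
        acct.pending[token] = (field_name, new_value, code)
        return token

    def confirm_change(self, acct, token, code):
        """Step 2: apply the staged change only if the delivered code matches.
        Tokens are single-use: a wrong code discards the staged change."""
        staged = acct.pending.pop(token, None)
        if staged is None:
            return False
        field_name, new_value, expected = staged
        if not hmac.compare_digest(code, expected):
            return False
        setattr(acct, field_name, new_value)
        return True

    def submit_recovery_form(self, acct, now, answers_match):
        """The software-only recovery form, with the proposed escalation:
        a repeat submission inside the window locks the account for a human."""
        cutoff = now - RECOVERY_WINDOW_SECONDS
        acct.recovery_submissions = [t for t in acct.recovery_submissions if t > cutoff]
        acct.recovery_submissions.append(now)
        if len(acct.recovery_submissions) >= MAX_RECOVERY_SUBMISSIONS:
            acct.locked = True
            return "locked_for_human_review"
        return "reset_link_sent" if answers_match else "rejected"
```

The point of sending the code to the current value of the other factor is the whole protection: an intruder who only has the password can request a change, but the code lands on the real owner’s phone or backup mailbox, and the request also tells the owner something is going on.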

Lessons Learned

  1. Use multiple passwords, divided sensibly
    As stated above, I don’t know how the ‘hacker’ got my password to begin with, but I used this one password too widely on too many websites which I should not have. So now I have numerous different passwords, and I have absolutely unique passwords to my vital accounts. Now, if someone steals my password from a second rate insecure website, then they cannot use that same password to gain access to my vital email and financial accounts.
    I have always had multiple passwords, but they were not divided sensibly. Keep your vital accounts with unique, strong passwords!
  2. Don’t let your email inbox be a password repository
    I have HUNDREDS of accounts online. Online forums, email accounts, social media, video sites, photo sites, blog sites, my own websites, my admin accesses, my ftp accounts etc. It became easy to let my email inbox be my storage method for the passwords to all of these accounts. The problem with this is that most people do not have a unique password for every single account. So if you sign up at some random online forum with one of your standard passwords, and that forum then ‘kindly’ emails you your username and password (yes, plenty of them do it), then if you do not delete that email, a hacker who gets into your inbox now has one of your standard passwords.
    So the advice here is to search your inbox for all of your own standard passwords – and DELETE them all.
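As an added example (not part of the original post), here is a Python script that does that search offline against a mailbox export instead of by hand: it walks an mbox file, decodes every text part of every message, and reports which messages contain any of a labelled set of your own passwords, printing the label rather than the secret. The sample mailbox, its addresses and the passwords in it are constructed for the example; point `find_password_leaks` at your own export and your own list instead.

```python
"""Scan an mbox export for messages that echo one of your own passwords back.

Added example, not from the original post. Assumes a local mbox file (the
format most mail clients and mailbox exports use) and that the passwords to
look for are supplied in memory by the person running it. The mailbox below
is constructed for the example."""
import mailbox
import os
import tempfile

# Constructed sample mailbox: three messages, two of which contain a password.
SAMPLE_MBOX = b"""From forum@example.invalid Mon Oct  5 10:00:00 2009
From: forum@example.invalid
To: me@example.invalid
Subject: Welcome to the forum

Your username is shane and your password is Tr0ub4dor&3.
Keep this e-mail for your records.

From friend@example.invalid Tue Oct  6 11:00:00 2009
From: friend@example.invalid
To: me@example.invalid
Subject: canyon photos

Great trip on the weekend. Photos attached separately.

From shop@example.invalid Wed Oct  7 12:00:00 2009
From: shop@example.invalid
To: me@example.invalid
Subject: Your new account
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

Login: shane
Password: correct-horse

--b1
Content-Type: text/html

<p>Login: shane<br>Password: correct-horse</p>
--b1--
"""


def write_sample_mbox(directory):
    """Write the constructed mailbox to disk and return its path."""
    path = os.path.join(directory, "sample.mbox")
    with open(path, "wb") as fh:
        fh.write(SAMPLE_MBOX)
    return path


def message_text(msg):
    """Concatenate the decoded text of every text/* part (single or multipart)."""
    chunks = []
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "utf-8"
        chunks.append(payload.decode(charset, errors="replace"))
    return "\n".join(chunks)


def find_password_leaks(mbox_path, passwords):
    """Return [(message index, From, Subject, label), ...] for every message
    whose subject or body contains one of the passwords.

    `passwords` maps a label (e.g. "forum-tier") to the real string, so the
    report names the password that is burned without printing it."""
    hits = []
    box = mailbox.mbox(mbox_path)
    try:
        for i, msg in enumerate(box):
            text = message_text(msg) + "\n" + (msg["Subject"] or "")
            for label, secret in passwords.items():
                if secret in text:
                    hits.append((i, msg["From"], msg["Subject"], label))
    finally:
        box.close()
    return hits


def demo():
    """Run the scan over the constructed mailbox; the passwords are made up."""
    passwords = {
        "forum-tier": "Tr0ub4dor&3",
        "shop-tier": "correct-horse",
        "vital": "unique-and-never-reused",
    }
    with tempfile.TemporaryDirectory() as directory:
        return find_password_leaks(write_sample_mbox(directory), passwords)


if __name__ == "__main__":
    for index, sender, subject, label in demo():
        print(f"message {index} from {sender} ({subject!r}) contains your {label} password; delete it")
```

Run it against a real export, then delete the messages it lists; any password it finds should also be treated as burned and changed, since it sat in readable form in a mailbox an intruder may already have read.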

SAG – Some Lessons on Value

From my Blog in Sports Arbitrage Guide:

A brilliant new talk has just been added to TED (Technology Entertainment Design) which I want to share with everyone. I think there is something of value in this talk for everyone and anyone, but if you are in internet marketing, or have your own product which you are trying to sell, then you will definitely get added value out of the talk!


New Blog

I have decided to finally move my blog from shanegreenup.blogspot.com to my own domain: ShaneGreenup.com

For the next few weeks I am just going to move my old posts over to this new site. I will try to move two posts every day or something like that, until this new blog has caught up with the old one.


Top Grade Engrish

How to deal with your fucking hair.


This is the best engrish I have ever seen in my life. Found in a dock department store in Madagascar (Mananara), this hair care product was clearly confused. You have to read the text in the third image below…

hehe

Shane’s Ultimate List of Things Online That You Must See

This list will continue to grow and change as I remember things which need to be added.
 

Funny
Eddie Izzard
Flight of the Conchords
The Lonely Island
Others

Oddities

Inspiring and Impressive


A few tips for beginners…

  • It is possible to love more than one person at a time. Love is not a resource that needs to be carefully allocated. It is an emotion which can be felt completely, over and over again, without ever running out.
  • Following rules does not make you moral, it makes you lawful. Morality requires the ability to decide right and wrong for yourself based on valid reasoning – not on doing something because ‘you are supposed to’.
  • If you care enough about someone to interfere in their life (for their own good of course), at least take the time to understand what you are interfering in. Ignorance is dangerous at the best of times, but when wielded with absolute conviction it is nothing short of devastating.

Welcome to The Post Developed World

This is something I was working on for a while in Madagascar. This is an early version – I want to write a more thorough, academic style article on the subject, but until that is completed, here is this:

I know I am not alone in the modern generation with my love of technology and the amazing benefits it brings with it, yet simultaneously dissatisfied with the world which provides us those technological innovations. The ‘Developed World’ – our capitalist consumerist society. Driven by profits, marketing and constant competition, each individual is pushed into working longer and harder in order to satisfy ‘needs’ largely based on artificial manipulation by other workers.
Thankful for my position as a member of the ‘Developed World’ I have always appreciated the privilege that comes with it. Science, information technology, luxury, entertainment and general abundance. I have appreciated these gifts of our modern world, loved them dearly yet also felt an overwhelming dissatisfaction with the modern ‘developed world’ itself.

The 9-5 working day has never been appealing to me. Rush hour, traffic jams – everyone doing the same thing at the same time every day – it has always bemused me. Spending the majority of your pay cheque – usually earned from a job you hate – on fads, well marketed gimmicks, hollow indulgences and image based products. I have never really partaken in this pointlessness. Excessive rules and regulations which seem to be designed for the lowest common denominator of human stupidity. Individual accountability is lost in our world, as every possible way of idiots hurting themselves seems to have to be considered in advance before you can do anything – otherwise it is somehow your fault when said idiot hurts themselves. Mass media selling us mindless rubbish stories – prioritising stories about the private lives of pop stars over stories that actually affect our world, like environmental catastrophes, changes in governmental regulations and freedoms, or the like. Spin. On top of all of these bizarre obsessions of our world is the perpetual ‘Crisis’ we are being sold. Whether it is the cold war, world war 3, Y2K, Terrorism or dramatic climate change, everyone in the developed world knows for sure that the end is near! (still) I don’t put much stock in any of the doomsday prophecies anymore, but a small part of me still thinks that being out of the way of everyone else who does might save me one day.

So in order to distance myself from the over protection of my nation, avoid any semblance of a 9-5 job and maintain a well rounded perspective of ‘what matters’, I have long desired to move myself and my loved ones to an essentially self-sufficient property on the outer edges of a large city. From this property, with our broadband internet access, we will be free to earn money (business activity or work from home jobs), educate ourselves, research topics of interest, entertain etc all while living a cheap non-commercial lifestyle.

Getting out of the city is not a new idea, but doing so used to involve significant compromise. For me, loss of employment options, lower income potential, isolation from family and friends and significantly fewer entertainment options were the most obvious costs of leaving the suburbs. Now, and even more so in the coming years, widely available broadband internet is removing all of those compromises/costs. As such I have come to believe that more and more people will make the same move as I wish to make. As the number of these people increases, I believe it will warrant the naming of a new ‘world’. This lifestyle does not exist within the developed world anymore – too many of the attributes of that lifestyle have been discarded. Nor is the lifestyle anything like those in the undeveloped – or the developing (the 3rd and 2nd) – worlds; indeed, for people who make this change, quality of life has progressed in the exact opposite direction. I therefore think that the individuals who make this move will form the first physically-non-localised world; the Post-Developed world. The Zero’th World. Or perhaps in the spirit of ‘The Naughties’, the final few months of which I am currently in, ‘The Naughtieth World’.

The Post Developed World
I believe the PDW is worthy of its own title for two main reasons. The individuals who make it up, although not physically localised, have essentially removed themselves from all 3 of the other normal ‘world’ structures. Secondly, their unity comes through the internet – they are the first virtual world, unbounded by geo-political borders and agendas.

So how is this world made? It emerges as the current internet culture continues to remove itself from the mass media driven, popular culture, commercial world. It emerges as those individuals choose self sufficiency and personal accountability over governmental protection. Just as members of the Developed world enjoy the fruits of the Developing and Undeveloped world (cheap labour primarily), so too the members of the PDW will enjoy the fruits of the developed world without really exposing themselves to the problems of it. Self sufficiency in most areas protects them from first world economic fears, energy crises, water shortages etc. While their location outside of major cities protects them from terrorism, pandemics, pollution, and even wars to a large extent. All of the usual ‘fears’ of the first world are simply removed by moving into the PDW.

The main limitation of moving into the PDW will be getting away from governmental constraints which no longer apply (or shouldn’t). Developed world governments will continue to be a pain to all PDW individuals – yet ironically still required. Undeveloped governments too.

While extricating themselves from these problems, they are still free to buy products locally, travel into the cities etc without hassle.

Becoming PDW
Becoming PDW requires some success in the developed world and a strong desire to get out of it. Money is required to be able to buy the property and technology required to achieve sufficient self-reliance. But in the scheme of things, the entry requirements are quite modest. Certainly easier than getting out of an undeveloped world.

Mere power generation, supplemental food generation, and water catchment don’t make you a PDW citizen though. It is also a freeing of the mind from one sided media, from fear and propaganda. It is the ability to genuinely take care of yourself within a communal society, rather than expecting a society to take care of you. Because online, borders fall away and sense of community is valuable.

Table 1: Comparison between Undeveloped World, Developed World and the Post-Developed World – Sorry I can’t figure out how to make Blogger display the table in a reasonable position!

News
  Undeveloped World: Word of mouth news with little concern for the outside world.
  Developed World: “The News” from one or two dominant sources. Very little critical analysis present.
  Post-Developed World: Internet based headlines and self directed research on topics of interest. No single source of information, much critical analysis.

Food
  Undeveloped World: Local food and some traded food. No concept of ‘nutritional requirements’ – you eat what is available.
  Developed World: Huge variety. Much processed and mass produced food. Most “try to be healthy”.
  Post-Developed World: Private agriculture supplements DW supermarkets. Internet used to find optimal techniques, and best sources of seeds and livestock.

Work
  Undeveloped World: No hours or deadlines, simply a requirement to produce enough for survival. Seasonal variation and varied in nature.
  Developed World: 9-5 structure, rush hour, salary, OH&S, leave etc. Productivity at work is not directly related to survival.
  Post-Developed World: Balance between income earning work and survival based work. All home based, no rush hour, no salary, no leave.

Entertainment
  Undeveloped World: Basic entertainment, usually self made. Alcohol common.
  Developed World: Nightclubs, pubs, movies, parties, cultural, computer games, home entertainment, holidays.
  Post-Developed World: Computer games, home entertainment systems, the outdoors, holidays, local pub.

Power/Energy
  Undeveloped World: Primarily fire based. Supplemented with oils, fats and waxes.
  Developed World: Government controlled and fee driven. Usually reliable. Centralised, vulnerable distribution.
  Post-Developed World: Free self sufficient sources. Wind, solar, hydro. Fire.

Water
  Undeveloped World: River, irrigation channels, wells and tanks. Unfiltered, dirty. Usually lots of effort required to collect and use it.
  Developed World: Government controlled and fee driven. Large water reservoirs for populations, mass filtered and treated prior to piping to final destination. Limited supply with growing populations.
  Post-Developed World: Rain catchment, dam, river, well, bore and water recycling all used as necessary to ensure sufficient water. Water filtered and treated at point of consumption according to use.

Connectedness
  Undeveloped World: Face to face only. Walking distance.
  Developed World: Phones, mobiles, internet, face to face, meetings, parties, interest groups, universities etc.
  Post-Developed World: Primarily mobile phones and internet.

Infrastructure
  Undeveloped World: Usually very little. Sometimes roads, sometimes expensive public transport on those roads. Usually nothing else easily accessible.
  Developed World: Nearly everything is within driving distance or public transport. Hospitals, education, sanitation etc.
  Post-Developed World: Depends on location. Usually within driving distance of major development and infrastructure.

Back from Madagascar – New Projects and Old

I returned from Madagascar a few days ago and I am already hard at work trying to catch up with all of the overdue work I had waiting for me back here, PLUS another few ideas I have had while I was away.

I will be working on actually arb trading primarily probably. Simply because I am broke and I need some immediate money and arb trading is the only means of immediate money available to me atm (other than a job of course, but that would really interfere with all of my other loftier goals)

So I am working on perfecting my arb spreadsheet while trying to update SAG and SBB – I need to make some changes to how SAG deals with the numerous alert services. I have several days worth of solid typing to do in order to put all of the articles I wrote in Madagascar into TDMSKP.

Probably most interesting new development though, is that I am going to create a website for Carmen, my friend that I travelled with. She has been travelling for over 16 years now (6-9 months every year) and has done a lot of writing in that time. So I am going to make a blog for her and start posting her travel stories, short stories, poems and other odds and ends for her.

She was actually the page 3 spread in the Sydney Morning Herald back in June.

So I have the relevant domain names registered now: www.HalfBraveHalfStupid.com and www.CarmenMajor.com and I have a host sorted out. I will start installing and setting up the blog in the next couple of days.

A quick mention for Klaus’ new website too. He has created a forum website to help people with scams. So if you have ever been scammed, or know of any scams which you want to warn people about, or even if you just feel like getting into some interesting political or religious discussions, then go to www.ScamsHelp.com and register and participate there!

Shane


Waterfall of Moss

Just finished adding Waterfall of Moss to the TDMSKP guide book. Already uploaded photos from the trip yesterday for Waterfall of Moss and Koombanda Canyon. Next job is to add the guide for Koombanda Canyon.

Jon has volunteered to write a trip report for the two canyons, while Trev has volunteered to put together the video, so I really appreciate that. Meanwhile, I found out while I was away that two of my photos actually made it into the OzCanyons calendar for 2009, which was pretty cool. See the OzCanyons 2009 calendar here.


Why would you do that?

A common phenomenon that I have noticed over the past few years is people seeing someone else doing something strange, something a little abnormal or simply doing something a sub-optimal way, and upon seeing this asking their friends “Why would you do that?” or some similarly judgemental question. And it is always asked with such a condescending tone – there is no doubt that the question is not really a question, but an attempt to point out the ‘failing’ they see in the person in question. What they are really saying is “That is such a stupid thing to do/stupid way to do that, I would do it better than that”

It is interesting that I hear people ‘asking’ this question all the time, yet I never see any indication that the person ‘asking’ the question has ever bothered trying to ‘answer’ the question they have (not really) ‘asked’.

I don’t mean to make myself sound like I am above this phrase – I am sure I have said it myself many times. What I am interested in now though, is qualifying the statement by following it up with a genuine thought process. I want to think “Why would you do that?” then follow that with a genuine introspective questioning process: “No really, what reasons would a person have for doing that? Maybe they can’t do it the better way? Maybe there is more going on here than I can see, maybe they have some sort of disability, maybe they are actually smarter than myself and it is myself that doesn’t understand” etc.

I can’t really expect the population at large to pick up this method of introspective consideration, but I think it is more valuable to attempt to understand ‘why they would do that’ than it is to simply ask an empty rhetorical question designed to indicate how bad/stupid/uncoordinated/socially inept someone else is.
