If you’re a Gmail user, Google probably holds the keys to your digital life.
Gmail accounts are full of emails, photos and documents and, through password resets, can provide access to Facebook and Twitter too.
This makes them a paradise for any cybercriminal who can gain access.
Now a security expert has warned that Google’s requests for users’ mobile numbers could make their Gmail accounts “substantially less secure” – if users don’t go on to activate multi-step authentication.
Vijay Pandurangan, a former Google and Twitter engineer who now works for Benchmark, wrote in a Medium post that hackers seized control of a former colleague’s account using his phone number. He refers to the colleague as Bob.
Google declined to comment on the account.
Bob, Pandurangan said, is cautious about his online privacy. While he hadn’t activated multi-step authentication, he had a strong password, an independent recovery email, hard-to-guess security questions and, as Google advised, his mobile number attached to his account.
On 1 October, Bob found himself logged out of Gmail after a two-hour absence from his phone. When he attempted to log in again, he discovered that his password had been changed, Pandurangan said.
He then discovered that his phone service had been cut off, according to the account.
Pandurangan said that the hacker had convinced Verizon, Bob’s network operator, to move Bob’s mobile phone account over to the hacker’s phone without requesting Bob’s security code. Verizon* did not respond to HuffPost’s request for comment.
If you’ve been logged out of Gmail, you can log in again by requesting a code to your phone, which is what Pandurangan said the hacker did. Because Bob’s Verizon account was registered to the hacker’s phone, the hacker received the code rather than Bob, and used it to access Bob’s account.
The hacker then removed Bob’s password, as well as his backup email address, meaning he had no way of regaining entry, Pandurangan said.
Bob got his account back after speaking to Google’s customer support team and some ex-colleagues from his time at Google, according to Pandurangan.
Pandurangan said Google’s software failed to register the behaviour as suspicious: “This pattern seems like something security software should be able to detect: a password reset with incomplete information, followed immediately by a change in recovery email, name, and two-factor-auth settings, coupled with a ‘my account has been compromised’ help request is highly suspicious.”
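The pattern Pandurangan describes is a sequence correlation over an account’s audit trail: a reset completed with only a phone code, then lockout-style changes and a compromise report in a short window. The following script, an added example that is not part of the article or of Pandurangan’s post, shows what such a rule might look like. The log format, event names (`password_reset`, `recovery_email_changed`, `twofactor_settings_changed`, `help_request`) and the sample log lines are all constructed assumptions for the example, not Google’s actual logging.

```python
"""Flag the account-takeover sequence described in the article: a password
reset verified with only a phone code, followed shortly by changes to
recovery settings and an "account compromised" help request.
The log format and event names are assumptions made for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not real data). Assumed line format:
# "<ISO timestamp> <account> <event_kind> [key=value ...]"
SAMPLE_LOG = """\
2015-10-01T10:00:00 bob@example.com login method=password
2015-10-01T12:05:00 bob@example.com password_reset verification=sms_code_only
2015-10-01T12:07:00 bob@example.com recovery_email_changed
2015-10-01T12:08:00 bob@example.com twofactor_settings_changed
2015-10-01T12:09:00 bob@example.com name_changed
2015-10-01T12:20:00 bob@example.com help_request type=account_compromised
2015-10-01T09:00:00 alice@example.com password_reset verification=password_and_sms
2015-10-04T09:30:00 alice@example.com recovery_email_changed
"""

# Follow-up actions that, right after a weakly verified reset, suggest the
# new holder of the account is cutting the real owner off from recovery.
LOCKOUT_KINDS = {"recovery_email_changed", "twofactor_settings_changed", "name_changed"}


def parse_log(text):
    """Parse log lines into (timestamp, account, kind, attrs) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        ts = datetime.fromisoformat(parts[0])
        attrs = dict(p.split("=", 1) for p in parts[3:])
        events.append((ts, parts[1], parts[2], attrs))
    return sorted(events, key=lambda e: e[0])


def find_suspicious_resets(text, window=timedelta(hours=1)):
    """Return {account: [event kinds]} for password resets verified with only a
    phone code that are followed, within `window`, by at least one lockout
    change and either a second lockout change or a compromise report."""
    by_account = defaultdict(list)
    for ev in parse_log(text):
        by_account[ev[1]].append(ev)

    hits = {}
    for account, events in by_account.items():
        for i, (ts, _, kind, attrs) in enumerate(events):
            if kind != "password_reset" or attrs.get("verification") != "sms_code_only":
                continue
            followups = [e for e in events[i + 1:] if e[0] - ts <= window]
            lockouts = [e[2] for e in followups if e[2] in LOCKOUT_KINDS]
            reported = any(e[2] == "help_request" and e[3].get("type") == "account_compromised"
                           for e in followups)
            if lockouts and (len(lockouts) >= 2 or reported):
                hits[account] = [kind] + [e[2] for e in followups]
    return hits


if __name__ == "__main__":
    for account, chain in find_suspicious_resets(SAMPLE_LOG).items():
        print(account, "->", ", ".join(chain))
```

Run as-is, the script flags only the constructed `bob@example.com` chain; `alice@example.com` is not flagged because her reset was verified with a password as well as a phone code and her recovery-email change falls days outside the window. A production rule would additionally weigh the source IP, device and session of each event, but the time-window correlation is the core of what the quote asks for.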
Huffington Post was able to replicate this process without arousing suspicion.
Pandurangan said “telcos can be quite bad at securing your privacy”, citing the phone hacking scandal, and “should not be trusted”.
He urged users to activate two-factor authentication and apps such as Google Authenticator or Duo to bolster security. Users are also advised against listing their backup phone numbers in their email signatures.
*Disclosure: Verizon is Huffington Post’s ultimate parent company.