Gmail, Google Checkout, and what not to do

The latest entry in the “why I don’t quilt enough” saga is indeed a sad tale and a warning. After the Computer Woes of two weeks ago, I thought I had it all back together, but it was not to be. Aside from some ongoing issues with the DSL router that we finally solved yesterday morning by the simple expedient of buying a new one, I spent the last part of the week doing damage control.

On Wednesday morning I tried to check my email at Gmail, and my password was mysteriously incorrect. It was fine the night before at 11:30-ish, and I couldn’t get into the account at 8:30 the next morning. I use Firefox and Outlook to check mail, and of course the passwords are stored in there, so I pretty much knew that I wasn’t giving Gmail the wrong one, so someone else must have changed it. Now, while Gmail wants you to think that this is not a complete crisis, let’s look at the facts:

Gmail’s password recovery system is seriously flawed when it comes to a malicious user accessing the account. Why? First, you have to say you’ve lost your password, and Gmail will send password recovery instructions to your “secondary email account.” If you don’t have a secondary email account set to begin with, or you no longer have that email address, you’ll never get that email, so you can’t get back into the account. OR, if someone else has gotten into the account, what do you think the first thing they’ll do is? Um, change that secondary email? Yeah, that’s it, you’re never getting those password reset instructions.

Never fear though, since Gmail’s got your back, right? If you wait five days, and no one accesses the account, Gmail will ask you your secret question, and let you back into the account. Hmmm, let’s see, if you’ve really just forgotten your password, that might work, because you don’t have the password anyway so you can’t access the account, so as long as you don’t try to get in (since a login attempt, even if failed, counts as accessing the account), you’re golden. BUT, if a malicious person has hacked the account, do you seriously think they’ll let it be dormant for five days?? NOT. And, they’ve undoubtedly changed or deleted that secret question and answer anyway.

Gmail will tell you that if you’ve forgotten your password and can’t remember the answer to your secret question, they can’t help you. But if someone else has gained control of the account, you’ll never be able to get it back through their normal channels of help for this problem. And of course, there is no telephone support for this kind of thing from Google, no surprise. All of these stark realities sank in Wednesday morning as I tried to work through the mess, and see what was actually at risk. When I started to think about what that hacker would have access to through my Gmail account, I really started to worry.


Gmail wants you to think that it’s a good thing that you never have to throw anything away, but consider this: I’ve had that email for almost two years. Everything (and I mean everything, unless I manually deleted something) is still in there, every email that went out, and every one that came in. Sure, you don’t share passwords, SSNs, or credit card numbers in email, but a savvy hacker can trace your activities and find vulnerabilities. What if, like I’m sure so many people do, you use a certain password for your email address, and then when you shop at an online merchant and create an account there, that same email address is your login name and you use the same password out of habit (or to make it easier to remember the huge number of passwords that we have to in today’s world)? That hacker could figure this out from order confirmation emails that you’ve received from that merchant, and use your account at that merchant to buy goods with your credit card that’s probably stored there too, and have the goods shipped to themselves. But leave it to Google to make stealing from you even easier than that.


I spent all day Wednesday changing passwords for all the places I shop online (there are LOTS of those!), and all the financial institutions’ sites that I access. I thought when I got up on Thursday that things would have calmed down, even though I still didn’t have access to the email account, and Gmail wasn’t responding to the pleas for help that I submitted via their forms online. Then I checked my bank account, and realized that someone had used my credit card at GoogleCheckout, and happily spent almost $1,000 at different online merchants. I’d forgotten that I’d used GoogleCheckout to buy some tiny little thing, and let it save my address and credit card number. If a hacker has a Gmail address and password, they have access to all the information in the GoogleCheckout system for that account as well. So now a thief has my credit card, address, and telephone number, and I can’t get into the account because said thief has changed the secondary email, secret question and answer and now has control. Great job, Google! The system is seriously flawed, and you don’t want anyone to know that, do you?

After canceling the credit card at the bank, and being (somewhat) reassured that I wouldn’t be responsible for the charges, calling a couple of merchants and giving them a different credit card and email since I’d placed orders with them that were in progress when all this happened, I put fraud alerts on our credit reports as a precaution. I really don’t need to add identity theft to the growing list of injustices here. I sent up more pleas to Google for help, this time through their Checkout system, in hopes for a faster response. The situation was now credit card fraud, not just inaccessible email, so I was hoping that would light the fire under somebody.

I did hear back from an actual person at Google on Thursday evening, so once the situation turned fraudulent, they were quicker to respond. The thief has been shut down, and I have control of my account again, and two of the three charges have been canceled, and the third hasn’t actually posted to the account yet either. I made sure to delete any credit card numbers and addresses that were stored in there, and needless to say, won’t be using GoogleCheckout again, and I’m probably going to boycott Gmail as well. There has to be a better email system out there. You would think that having your email online would safeguard it from loss by accidental deletion (think about hard drive crashes on your desktop system at home or office), but in reality, if it’s online and stored on a remote server somewhere, it’s not safe from hackers.

I love online shopping, and email and all that. At times like these though, I begin to wonder if life is really easier because of it all. Do we really have any idea who sees this information? Nope. It’s a scary thought. But at this point, would it really be possible to go back to “life before the Internet?”

4 thoughts on “Gmail, Google Checkout, and what not to do”

  1. I love my gmail account but I’ll now keep it totally separate from my online purchases. I have been considering opening a google checkout account. You’ve now convinced me not to. I hope things calm down soon.


  2. Yup, I loved Gmail too, since the spam filter seems to work so well most of the time, but the Checkout thing has me running the other way now! Things are calm at the moment and hopefully will stay that way for a while.


  3. The exact same thing happened to me. August 21st my Gmail was hacked, my password stopped working, and the person gained access to my eBay account and made fraudulent bids. My security question was also changed. And Gmail is structured so that a hacker can get in and make it physically impossible for you to get your account back. Screw Gmail, and screw Google. Good luck with your Gmail saga. I know that Yahoo is of course susceptible in the same way, but they have a feature where you can identify yourself with a credit card if you’ve used it to buy something through Yahoo’s services. And since credit cards have more customer service (Google does not have ANY customer service) it seems like it might be a good way to go.


  4. Hmmm. Interesting that it happened on exactly the same day, Jason. That almost leads me to believe that it was something internal, or at the very least, there are probably more folks than just us with this problem right now. I still hadn’t decided what to do about it all, since I do have control of the account again and I’ve of course made sure there’s no financial information in it. I think it may be time to close it completely at this point, though.

    I wonder what the point of making fraudulent bids on eBay was? That just sounds like making trouble for the sake of visiting inconvenience on another to me. And you’re right, if it’s just an email issue (without credit card fraud attached) Google has no customer service to speak of. Good luck with the problem, Jason, I feel your pain.

