The latest entry in the “why I don’t quilt enough” saga is indeed a sad tale and a warning. After the Computer Woes of two weeks ago, I thought I had it all back together, but it was not to be. Aside from some ongoing issues with the DSL router that we finally solved yesterday morning by the simple expedient of buying a new one, I spent the last part of the week doing damage control.
On Wednesday morning I tried to check my email at Gmail, and my password was mysteriously incorrect. It was fine the night before at 11:30-ish, and I couldn’t get into the account at 8:30 the next morning. I use Firefox and Outlook to check mail, and of course the passwords are stored in there, so I pretty much knew that I wasn’t giving Gmail the wrong one, so someone else must have changed it. Now, while Gmail wants you to think that this is not a complete crisis, let’s look at the facts:
Gmail’s password recovery system is seriously flawed when it comes to a malicious user accessing the account. Why? First, you have to say you’ve lost your password, and Gmail will send password recovery instructions to your “secondary email account.” If you don’t have a secondary email account set to begin with, or you no longer have that email address, you’ll never get that email, so you can’t get back into the account. OR, if someone else has gotten into the account, what do you think the first thing they’ll do is? Um, change that secondary email? Yeah, that’s it, you’re never getting those password reset instructions.
Never fear though, since Gmail’s got your back, right? If you wait five days, and no one accesses the account, Gmail will ask you your secret question, and let you back into the account. Hmmm, let’s see, if you’ve really just forgotten your password, that might work, because you don’t have the password anyway so you can’t access the account, so as long as you don’t try to get in (since a login attempt, even if failed, counts as accessing the account), you’re golden. BUT, if a malicious person has hacked the account, do you seriously think they’ll let it be dormant for five days?? NOT. And, they’ve undoubtedly changed or deleted that secret question and answer anyway.
Gmail will tell you that if you’ve forgotten your password and can’t remember the answer to your secret question, they can’t help you. But if someone else has gained control of the account, you’ll never be able to get it back through their normal channels of help for this problem. And of course, there is no telephone support for this kind of thing from Google, no surprise. All of these stark realities sank in Wednesday morning as I tried to work through the mess, and see what was actually at risk. When I started to think about what that hacker would have access to through my Gmail account, I really started to worry.
Leave it to Google to make stealing from you even easier…
Gmail wants you to think that it’s a good thing that you never have to throw anything away, but consider this: I’ve had that email for almost two years. Everything (and I mean everything, unless I manually deleted something) is still in there, every email that went out, and every one that came in. Sure, you don’t share passwords, SSNs, or credit card numbers in email, but a savvy hacker can trace your activities and find vulnerabilities. What if, like I’m sure so many people do, you use a certain password for your email address, and then when you shop at an online merchant and create an account there, that same email address is your login name and you use the same password out of habit (or to make it easier to remember the huge number of passwords that we have to in today’s world)? That hacker could figure this out from order confirmation emails that you’ve received from that merchant, and use your account at that merchant to buy goods with your credit card that’s probably stored there too, and have the goods shipped to themselves. But leave it to Google to make stealing from you even easier than that.
I spent all day Wednesday changing passwords for all the places I shop online (there are LOTS of those!), and all the financial institutions’ sites that I access. I thought when I got up on Thursday that things would have calmed down, even though I still didn’t have access to the email account, and Gmail wasn’t responding to the pleas for help that I submitted via their forms online. Then I checked my bank account, and realized that someone had used my credit card at GoogleCheckout, and happily spent almost $1,000 at different online merchants. I’d forgotten that I’d used GoogleCheckout to buy some tiny little thing, and let it save my address and credit card number. If a hacker has a Gmail address and password, they have access to all the information in the GoogleCheckout system for that account as well. So now a thief has my credit card, address, and telephone number, and I can’t get into the account because said thief has changed the secondary email, secret question and answer and now has control. Great job Google! The system is seriously flawed, and you don’t want anyone to know that do you?
After canceling the credit card at the bank, and being (somewhat) reassured that I wouldn’t be responsible for the charges, calling a couple of merchants and giving them a different credit card and email since I’d placed orders with them that were in progress when all this happened, I put fraud alerts on our credit reports as a precaution. I really don’t need to add identity theft to the growing list of injustices here. I sent up more pleas to Google for help, this time through their Checkout system, in hopes for a faster response. The situation was now credit card fraud, not just inaccessible email, so I was hoping that would light the fire under somebody.
I did hear back from an actual person at Google on Thursday evening, so once the situation turned fraudulent, they were quicker to respond. The thief has been shut down, and I have control of my account again, and two of the three charges have been canceled, and the third hasn’t actually posted to the account yet either. I made sure to delete any credit card numbers and addresses that were stored in there, and needless to say, won’t be using GoogleCheckout again, and I’m probably going to boycott Gmail as well. There has to be a better email system out there. You would think that having your email online would safeguard it from loss by accidental deletion (think about hard drive crashes on your desktop system at home or office), but in reality, if it’s online and stored on a remote server somewhere, it’s not safe from hackers.
I love online shopping, and email and all that. At times like these though, I begin to wonder if life is really easier because of it all. Do we really have any idea who sees this information? Nope. It’s a scary thought. But at this point, would it really be possible to go back to “life before the Internet?”