The latest entry in the “why I don’t quilt enough” saga is indeed a sad tale and a warning. After the Computer Woes of two weeks ago, I thought I had it all back together, but it was not to be. Aside from some ongoing issues with the DSL router that we finally solved yesterday morning by the simple expedient of buying a new one, I spent the last part of the week doing damage control.
On Wednesday morning I tried to check my email at Gmail, and my password was mysteriously incorrect. It was fine the night before at 11:30-ish, and I couldn’t get into the account at 8:30 the next morning. I use Firefox and Outlook to check mail, and of course the passwords are stored in there, so I pretty much knew that I wasn’t giving Gmail the wrong one, so someone else must have changed it. Now, while Gmail wants you to think that this is not a complete crisis, let’s look at the facts:
Gmail’s password recovery system is seriously flawed when it comes to a malicious user accessing the account. Why? first, you have to say you’ve lost your password, and Gmail will send password recovery instructions to your “secondary email account.” If you don’t have a secondary email account set to begin with, or you no longer have that email address, you’ll never get that email, so you can’t get back into the account. OR, if someone else has gotten into the account, what do you think the first thing they’ll do is? Um, change that secondary email? Yeah, that’s it, you’re never getting those password reset instructions.
Never fear though, since Gmail’s got your back, right? If you wait five days, and no one accesses the account, Gmail will ask you your secret question, and let you back into the account. Hmmm, let’s see, if you’ve really just forgotten your password, that might work, because you don’t have the password anyway so you can’t access the account, so as long as you don’t try to get in (since a login attempt, even if failed, counts as accessing the account), you’re golden. BUT, if a malicious person has hacked the account, do you seriously think they’ll let it be dormant for five days?? NOT. And, they’ve undoubtedly changed or deleted that secret question and answer anyway.
Gmail will tell you that if you’ve forgotten your password and can’t remember the answer to your secret question, they can’t help you. But if someone else has gained control of the account, you’ll never be able to get it back through their normal channels of help for this problem. And of course, there is no telephone support for this kind of thing from Google, no surprise. All of these stark realities sank in Wednesday morning as I tried to work through the mess, and see what was actually at risk. When I started to think about what that hacker would have access to through my Gmail account, I really started to worry.
Leave it to Google to make stealing from you even easier…
Gmail wants you to think that it’s a good thing that you never have to throw anything away, but consider this: I’ve had that email for almost two years. Everything (and I mean everything, unless I manually deleted something) is still in there, every email that went out, and every one that came in. Sure, you don’t share passwords, SSN’s, or credit card numbers in email, but a savvy hacker can trace your activities and find vulnerabilities. What if, like I’m sure so many people do, you use a certain password for your email address, and then when you shop at an online merchant and create an account there, that same email address is your login name and you use the same password out of habit (or to make it easier to remember the huge number of passwords that we have to in todays world)? That hacker could figure this out from order confirmation emails that you’ve received from that merchant, and use your account at that merchant to buy goods with your credit card that’s probably stored there too, and have the goods shipped to themselves. But leave it to Google to make stealing from you even easier than that. Continue reading Gmail, Google Checkout, and what not to do