Wednesday, 5 June 2019

Hold on tight to your GMail (Google) account

A couple of weeks ago while on vacation in Germany (I'm from the US), my T-Mobile number was targeted by a "SIM swap" attack. At the time, I thought it was just some kind of glitch with roaming, though that had always worked for me in the past. T-Mobile support later (when I got home) confirmed that the swap was performed at a T-Mobile storefront (didn't say where). I do have that phone number back now.

A few days later (while I was still in Germany, and still without access to my T-Mobile number), somebody performed an account recovery on my GMail address. I know pretty much exactly what they did because Google dutifully sent notification email to my secondary email account, an Exchange account maintained by my employer (one which I never lost control of). I presume that the attacker was able to use the phone number to get into the account; my password was not compromised (it's long and random and not used for any other accounts anywhere).

Google sent me a series of notices:

  • Account recovery successful
  • New login from a new client (a Linux box, apparently)
  • Password changed
  • Account suspended for suspicious activity
  • Another account recovery
  • Another new login
  • Another password change
  • Recovery email changed

All that happened over the course of a few minutes around 7:30PM Central on May 25th. Of course after the last one, I got nothing. Helpfully, the last one provided the following advice (verbatim): "The recovery email for your account was changed. If you didn't change it, you should check what happened." Somebody worked long and hard on that one I'm sure.
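The sequence of notices above, turned into a detection rule: this is an added example, not the author's code. It scans constructed notification lines (the line format, event names and timestamps are assumptions, not Google's actual formats) for an account recovery, a password change and a recovery-email change that all land within a few minutes, which is the pattern that separates this hijack from a user simply rotating a password.

```python
"""Flag a takeover-style chain in account-activity notifications (added
example, not the post's code; line format and timestamps are constructed)."""
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp>|<event>" per line, in the post's order.
SAMPLE_NOTICES = """\
2019-05-25T19:30:00|Account recovery successful
2019-05-25T19:30:40|New login from a new client
2019-05-25T19:31:10|Password changed
2019-05-25T19:31:50|Account suspended for suspicious activity
2019-05-25T19:33:05|Another account recovery
2019-05-25T19:33:30|Another new login
2019-05-25T19:34:00|Another password change
2019-05-25T19:35:15|Recovery email changed
"""

# Substrings matched in this order inside a short window; a lone password change never fires.
CHAIN = ("account recovery", "password change", "recovery email changed")


def parse_notices(text):
    """Return [(datetime, lowercased event), ...], skipping blank lines."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            stamp, event = line.split("|", 1)
            rows.append((datetime.fromisoformat(stamp), event.strip().lower()))
    return rows


def find_takeover_chain(notices, window=timedelta(minutes=10)):
    """Earliest recovery -> password change -> recovery-email change chain
    completed inside `window`, as (first_time, last_time), else None."""
    for i, (start, event) in enumerate(notices):
        if CHAIN[0] not in event:
            continue
        stage, last = 1, start
        for when, later in notices[i + 1:]:
            if when - start > window:
                break  # chain fell outside the window; try the next recovery event
            if CHAIN[stage] in later:
                stage, last = stage + 1, when
                if stage == len(CHAIN):
                    return start, last
    return None


if __name__ == "__main__":
    span = find_takeover_chain(parse_notices(SAMPLE_NOTICES))
    print("takeover chain:", span[0].isoformat(), "->", span[1].isoformat())
```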

I did not create a set of "backup codes" for my account; I didn't even know that was possible until this happened, and of course I've done it for my new account. I strongly advise that everyone get those codes; it's linked in the "Security" account pages along with secondary email etc. Just tape them to a wall or something.

When attempting to recover a Google account, you're asked for the following things:

  • Previous password (which I had)
  • Backup code (which I did not have)
  • Account creation month and year (my account was like 15 years old, so no, I don't remember)
  • Security code from Google Authenticator app (which could not at this point work, since my phone was also locked out)
  • Security code from secondary email (welp)

After that, Google invites you to provide another secondary email, which I did, and of course I provided my former secondary email account. They send a code to that and you confirm. Then Google allows you to type any explanatory information you want before "opening a ticket for the Google Accounts team". You get an email (mine were always from "Lily") telling you that it'll take a few days. An hour or so later, you get another email that says "Hmm Google doesn't know who you are, please go here" with the exact same URL that starts the whole recovery process.

Thus, if your account is lost in a way similar to mine, you seemingly are 100% out of luck getting it back. The "explanatory text" as far as I can tell is never read by a human being, or at least not by any human being capable of actually thinking about the situation. In my case I didn't really care about the years of crap email, but I had a bunch of YouTube videos of my kids performing music, and I was a "Local Guide (level 7)" on Google Maps, with hundreds of photos and reviews. Of course I still had the same related phone number, and the same old secondary email account, but as far as I can tell none of that information is considered at all: if you can't make it through the normal course of recovery actions, your account is gone.

So get those "backup codes" and save them. Also see if you can figure out when your account was opened. Whether those things really help if your account is hijacked like mine was, I can't say. You might just hear from Lily too and get nowhere.



by pointy http://bit.ly/2XshJ5P
