Tuesday, November 08, 2011

Cloud email and other Internet services start to offer 2-step verification processes, using cell phone; Gmail (Google account users) encouraged to switch to it now

First, I want to recommend that everyone read the detailed article in the November 2011 Atlantic, p. 100, “Hacked”, link here. The TOC subtitle is "An inside look at the unsettling perils of cloud computing, and how to avoid them". 

The writer describes an incident in 2011 when he and his wife returned from a trip to China, and one morning his wife found that her Gmail account was locked up. By logging on to his own Gmail, Fallows discovered that his wife’s account had been hijacked for a “Mugged in Madrid” scam.

What happens is similar to spam with sender spoofing, but it is more dangerous because the email owner’s account is logged into (by stealing the password) and used to send spam.  In this case, the spam tries to collect money from “friends” of the victim.  (It’s easy to imagine trying to do this with a Facebook Friend’s list.)   Of course, with well-educated populations, most people will recognize the scam and not respond.  But the scam is operated usually from a poor country, where the scammer needs only to collect from maybe 1% of the contacts to “make a living”.

It’s not clear how the password was compromised. The most likely explanation (multiple choice test question) is that his wife had used the same password (although strong) on less secure sites, including Gawker.  It’s possible to crack passwords today even when the server like Gmail limits attempts from an automated script.  (The same sort of issue has existed with using captcha’s to prevent spam, particularly spam blogs.)  Since the logon is encrypted (https), it shouldn’t have been sniffed, but perhaps overseas in China it could have been.

As to the extra dangers: In theory, it would sound as though the account owner could have legal liability. Unlike simple spoofing of his sender name, the actual account is used. I haven’t heard of litigation or prosecution from this. But what if an account were hijacked from the cloud and used to send child pornography? Some prosecutors still believe in a potential “absolute liability” doctrine for misuse of one’s own resources.  This would be a good question for Jeffrey Toobin or Richard Herman on CNN.

Fallows says that his wife's entire Gmail content spaces was deleted (usually this doesn't happen), and only because of recent changes in Gmail policy was the company able to restore it. Typically, companies are more concerned that they can permanently delete materials when told to by consumers (for privacy reasons). [Facebook may be the exception.]

Fallows describes the common transient attacks on Gmail, and recommends that users start taking advantage of Google’s two-step verification process, which has been in use for about a year.  I just signed up for it today.  The theory is that to log on a user must have not only a password, but also access to a physical cell phone.

The process applies to the entire account, not just Gmail.  When you sign up, the process tests your cell phone first with an SMS message.   (It does not force you to change the password if it is already strong enough.) You will get a second text (which you must use) for your first “live” logon.  You can use one pw per computer (and once for every browser on that computer, in my experience) every 30 days.  I presume that this means that if you have several laptops, you go through the process for each machine. (If your cable provider changes your IP address or you have more than one way to get on – by going to a hot spot, I’m not sure if you have to reverify I wonder if Webroot Spysweeper's prediliction for quarantining cookies will cause more frequent need for new verification codes.)  When you plan to travel, you should set up your travel laptop the day before.  

The process supplies backup codes and the opportunity to add a second phone should the cell phone not be working.

Owners of some devices (including Androids and recent Blackberries) can download a Google Authenticator, which generates codes not dependent on a cellular wireless connection.  After download on the Blackberry, it can be found under “Downloads” (an envelope icon) and the application icon looks like a G in heavy metal.   When I signed up, it did not give me the opportunity to use it.

Once you use the process, other applications (like Picasa for pictures) will require generation of one access code per app.  Save these in hard copy (and back up on a thumb drive or Carbonite).
Google’s main link for the 2-part process is here


Fallows’s Atlantic article discusses Gmail only, and doesn’t mention that the process applies to the whole Google account.  But Fallows passionately recommends that everyone use it, as do most other security experts who write about it on the Web.

This suggests that banks (and especially brokerages) might start using a similar process to protect customer accounts. Other email providers, like Yahoo! and AOL, would be well advised to follow suit. (I have been spoofed many times on AOL, with a particularly massive incident in 2006, but never had the account taken – particularly dreaded in early days when my publications were on Hometown AOL.)  Shared hosting ISP’s might also start using it; most have recently started to require strong passwords on everything.  Would it be practical for Facebook and Twitter?  Probably not – if mobile access is part of your strategy, how do you require the user to have a second device on hand?

(Second photo: from the DC Metro, Jan., 2012).


Update: Jan 27, 2012

Today, I couldn't physically grab my cell phone to open the text message from Google quickly enough, and it sent me a second text.  When I finally opened it, Google still took the first verification code, which continued to work on the same computer (and same browser, Chrome; different browser will generate another code request).  I'll have to make sure the code "stays down" today.

Feb. 2

Google's new privacy policy indirectly means that the 2-step process is even more important than before.


No comments: