Is This Really How Easily a Google Account Can Be Recovered?

I think I've found a way to quickly recover the password and reset the account of someone who is not using Gmail.

I've been getting this message on my dummy phone. I tried to Google it, but I don't think it's showing up anywhere, and it seems like something new. It has been sitting on my emergency 000 phone for the past few days without me paying much attention to it.

Image is here

  1. Try to log in to your Google account using a proxy or something suspicious, but don't actually type your password in; just press "Need help". Make sure it is using HTTPS if you want to avoid your email being harvested. Alternatively, it would be better to create a temporary Google account with a non-Gmail address (or use your VPS).

  2. Enter the last password you remember -> Press I don't know

  3. Select one of the options below to reset your password: -> Choose I no longer have access to these

  4. About your Google Account
    When was the last time you were able to sign in to your Google Account? (Required) -> Type something close to today's date
    When did you create your Google Account? (Required) -> Guess a few of these and you'll get in without needing to go to the next step, where it asks about other tools which you may not even be using.

It will then allow you to set a new password.

Otherwise it goes to another step and asks you to put in some details about where to send the password reset information…

You won't get an email from Google that someone has tried to go through the password reset process, for some odd reason, as I have these notifications turned on and have received nothing, including for the duration of my attempts on my own account using a proxy.

I'm not in any leaked databases that I know of. So, pay good attention to your Android phones… Should I add a real phone number… Probably not, as I can live with this phone being hacked.

Has anyone here gotten this message before? (see image above)

Let me try and explain why I brought up this issue. When you sign up, you reasonably expect to be able to recover your account only using the details you provided, and not some public information or guesstimates. Worst of all, it asks for easily discernible information like when someone started using YouTube or other Google products, which have public-facing information….

I didn't even expect to find these methods of recovery. I think when we all sign up for a Google account we expect it to be more along the lines of only allowing certain bulletproof recovery methods, or basically losing that account. Not some method that is easily broken.

I do not know when these changes were implemented, but it sure as heck was not like this before, with the exception being the telephone support social engineering mentioned in a talk I went to recently.

Google also has this new pseudo-policy, judging from its actions, of allowing accounts to be breached and information harvested before notifying you that a weird device has been used to log in. There don't appear to be many proactive measures other than to use 2FA, but I think the option to use other recovery methods such as the above will exist, as many people lose their phones. This renders 2FA useless.

Whilst there does not appear to have been a breach of my account as of yet, or at least not one noticeable using Google's security tools, I think we really need to look at how recovery takes place. Even OzBargain has better security against account recovery attacks……

I sure as hell would not recommend Gmail or the like be tied to an internet banking account, even though it is easier when changing ISP. Remember, the breach happens before you can act, leaving you to remove the offending device from Google's portal, but the attacker has already accessed your email should you become a victim. I think the recovery methods are quite similar for Gmail accounts, but I have only tested the relevant non-Gmail Google account which was showing the warning on my Android device.

Lots of typos, typing on a tablet whilst in bed…. New epiphanies about my dilemma keep cropping up in my mind
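The weakness the post describes, a creation-date question that is matched fuzzily and can be retried without limit, is easy to quantify. The following is an added example and is not Google's recovery logic, nor code from the post: a hypothetical verifier that accepts any guess within an assumed tolerance of ±2 months, a guesser that steps through month/year pairs one tolerance window at a time, and an optional lockout so the two policies can be compared. The function names, the tolerance, the lockout threshold and the 2004–2016 date range are all assumptions chosen for illustration.

```python
"""Hypothetical model of a knowledge-based recovery check (added example).

This is NOT Google's logic: the tolerance window, the lockout rule and the
date range are assumptions chosen to illustrate the post's point that a
fuzzy-matched 'when did you create your account?' answer with unlimited
retries is a small search space.
"""
import math


def month_index(year, month):
    """Flatten (year, month) to a month count so date distance is subtraction."""
    return year * 12 + (month - 1)


def index_to_ym(idx):
    """Inverse of month_index."""
    year, m0 = divmod(idx, 12)
    return year, m0 + 1


def make_verifier(true_year, true_month, tolerance_months, max_attempts=None):
    """Build a verifier for the creation-date question.

    A guess is accepted if it lies within +/- tolerance_months of the true
    date (the 'degree of human error' the post observed).  If max_attempts
    is given, the verifier locks after that many wrong answers and then
    returns None instead of True/False.  The returned state dict exposes
    the attempt counter so a caller can see how much probing was allowed.
    """
    true_idx = month_index(true_year, true_month)
    state = {"attempts": 0, "locked": False}

    def verify(year, month):
        if state["locked"]:
            return None
        state["attempts"] += 1
        accepted = abs(month_index(year, month) - true_idx) <= tolerance_months
        if not accepted and max_attempts is not None and state["attempts"] >= max_attempts:
            state["locked"] = True
        return accepted

    return verify, state


def guess_creation_date(verify, first_year, last_year, tolerance_months):
    """Enumerate guesses spaced one full tolerance window apart.

    A guess at index i is accepted for any true date in [i - tol, i + tol],
    so stepping by 2*tol + 1 covers the whole range with no overlap: the
    fuzzier the check, the fewer guesses it takes.  Returns
    (accepted_guess_or_None, guesses_submitted); the accepted guess need not
    equal the real creation date.
    """
    width = 2 * tolerance_months + 1
    lo, hi = month_index(first_year, 1), month_index(last_year, 12)
    guesses = 0
    idx = lo + tolerance_months
    while idx - tolerance_months <= hi:
        guesses += 1
        result = verify(*index_to_ym(idx))
        if result is None:  # locked out before the right window was found
            return None, guesses
        if result:
            return index_to_ym(idx), guesses
        idx += width
    return None, guesses


def worst_case_guesses(first_year, last_year, tolerance_months):
    """Guesses needed to cover every month in the range when there is no lockout."""
    months = month_index(last_year, 12) - month_index(first_year, 1) + 1
    return math.ceil(months / (2 * tolerance_months + 1))


def lockout_success_probability(max_attempts, first_year, last_year, tolerance_months):
    """Attacker's chance under a uniform prior when the check locks after max_attempts."""
    return min(1.0, max_attempts / worst_case_guesses(first_year, last_year, tolerance_months))


if __name__ == "__main__":
    # Constructed scenario: account created September 2014, assumed +/-2 month tolerance.
    verify, state = make_verifier(2014, 9, tolerance_months=2)
    print("no lockout:", guess_creation_date(verify, 2004, 2016, 2), state)
    print("worst case:", worst_case_guesses(2004, 2016, 2))
    verify, state = make_verifier(2014, 9, tolerance_months=2, max_attempts=5)
    print("lockout after 5:", guess_creation_date(verify, 2004, 2016, 2), state)
    print("p(success) with lockout:", lockout_success_probability(5, 2004, 2016, 2))
```

With the assumed ±2-month tolerance, 13 years of possible creation dates collapse to at most 32 guesses, and the guesser lands on August 2014 rather than the real September 2014 because the fuzzy match accepts it. A lockout after five failures leaves the same attacker roughly a 5-in-32 chance, which is the check a practitioner would want to see on any knowledge-based recovery path.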

Comments

  • I was fascinated by this so I tried it, but after the stage 'when were you last successfully able to sign in' I got a series of questions:
    what is your favourite cat's name
    Email addresses of up to five frequently emailed contacts
    Name of four labels etc

    if you continue to skip these (or enter incorrectly) it says

    The information provided does not match our records. Try signing in from a location where you usually sign in (e.g., home or work) and fill out the account information again.

    • Mine doesn't have that. It must be because it is a really old account with nothing set on it.

      Oh, and I suspect different questions for those without Gmail, because I wouldn't have any contacts that I email…

      So.. More research on the issue probably required.

    • Wait, how come it still has your security question?

      http://googlesystem.blogspot.com.au/2014/12/google-drops-sup…

      I think this is what happened; notably, if you tried to set new security questions a while back, it deleted them, rendering the old recovery question gone.

      There should be no security questions on any google account or ability to change or set one anymore.

      http://i.imgur.com/brzTD03.png

      So basically, that would explain why all of those options are missing for me, making the account appear to have an open-door policy. However, I'm now trying to determine when I did create the account, because post-2014 has no recovery questions…

      It would appear that very old Google accounts are safer than new ones…

  • +2

    Besides Hofu's point above, 2FA is not rendered useless if you have a backup email or backup number.
    I have an alternate email and my wife's phone number as secondary 2FA "devices", so 2FA is still usable without my phone.

    You should have 2FA turned on anyway. If you don't then you don't care about the security of the account.

    • What's the point if it can be bypassed? I'm not going to bother, as it seems if they are lucky enough to break in they would have another piece of information, i.e. my phone number. This could then be used to break into a more secure account that would be best served by having an actual phone number connected. Now, if that person has it, they can social engineer their way into something else..

      I couldn't find much about the issue but did find below:
      https://productforums.google.com/forum/#!topic/gmail/YxKbWEn…

      • But. That forum post just confirms what I wrote above.

        The person was asked

        -When I think the last time I logged in was (which I wasn't sure of)
        -The month and year when I created the account
        -What other apps I used my account for
        -Another email address with which Google can contact me

        There's little chance someone could guess those answers all correctly.

        • You can keep guessing though… o_O I am not sure if that is a flaw.

          Account creation date can also be guessed for corporate accounts if they started to use YouTube or something.

          A lot of the information is potentially public-facing, as I have mentioned. Like YouTube can be guessed if the approximate start date is known, and so on if it is a corporate account…

          The other email address Google can contact is actually the same one if you haven't chosen to use Gmail. I don't think it even asks you for one.

          It would also be very easy for someone close to you, i.e. a jaded workmate, who knows when you created your accounts to break in as well… They would also have your full email address and more. It doesn't sound very secure at all…

          In effect we have to rely on security through obscurity, i.e. no one knowing your google account address..

  • https://en.wikipedia.org/wiki/Betteridge's_law_of_headlines

    Betteridge's law of headlines is an adage that states: "Any headline that ends in a question mark can be answered by the word no."

    • -1

      If you actually tried to do it, you would realise it's not actually that hard. So I disagree.

      You also need to use another device so that it doesn't have the same footprint.

      I have confirmed it works via an SSH PuTTY proxy to a private VPS; using a public proxy might flag you more quickly, as they would already have a database of known IP addresses of interest, e.g. a Project Honeypot style system.

  • Well, ignoring whether it is possible to break into the account.

    Is there any correlation between your Android phone asking to add a phone number and suspicious account activity?

    I have over 7 different devices across my household and only this one seems to be putting up a warning. I haven't seen anyone else who has even posted anywhere about it. I did a full google search on the full sentence as well and nothing shows up on the search engines.

    • Depends on the version of Android.

  • The other weird thing is that I am pretty sure the date of account creation I put in the first time, Sept 2014, was incorrect, but it seems they have a degree of human error that they factor in.

    I then proceeded to try it again a second time, and future retries with the same dates asked for more information, which I thought was strange, but I got the password reset again after guessing those.
