For Ransom, Bitcoin Replaces the Bag of Bills (www.nytimes.com)
63 points by jhonovich | 2015-07-25 18:27:08 | 47 comments




It's hard to take these seriously when they equate digital ransom with actual kidnapping. Clickbait headline if I ever saw one.

There's nothing wrong with the headline, and the article doesn't mention kidnapping. The comparison it does make is a reasonable one: "a modern day version of a mob shakedown".

I know this is not 100% specific to this article, but this is happening right now to a friend of mine's Gmail account. Scammer was able to social engineer the cell phone company to forward his number, then did a password reset, and locked him out of his account. 20 BTC ransom. He followed every single Google customer service link/resource he could find and tried the reset link, which said they would contact him in 3-5 days. This was 6 days ago. No response. FBI can't do anything either. It's so disturbing that there is absolutely nothing you can do to reach Google once this happens. It could happen on anyone's cell phone as well; how many Fortune 500 companies have higher-up employees with cell phones and Gmail accounts? Imagine in the future trusting Google with a self-driving car and home automation -- imagine getting locked out of your house or hijacked in a self-driving car and having nobody to call. If anybody here knows somebody at Google who can reach the group that handles Gmail security, please contact this account so I can give you his info.

Hopefully the next step is going to be switching from Google to a different provider.

Yeah, that's one way to address the issue (or even using multiple emails), but you know what's even better than that?

Having competent customer support that would be able to address situations like this. Especially with the amount of people that are using these home automation services with "cloud" support, it's only going to get worse the more integrated these services become.

My friend had a similar situation with the good ol' Yahoo email service, and after being on call waiting for 4 hours, they told him they cannot help him, then hung up.

I also had a similar situation with my Steam account. I emailed Valve, and within 45 min the account was restored.


What are more companies like Valve? Seriously...

Wait, you actually had Valve do customer support? I think that's rarer than getting Google customer support, to be honest.

Lol, I was halfway through this email thinking I'd respond that the only one worse is Valve... turnabout. I've never had them respond to me. I've got several tickets multi months outstanding.

It is possible they queue their client service based on how much money each client has spent. It is what I would do if I did not have time to get to everyone cost effectively.

Yep. I've spent ~1k dollars on Steam and I've gotten games refunded within days, even though they don't have to according to their TOS.

Do you know any good alternative? I was thinking about self-hosting and just using Google as a relay.

fastmail.fm is where people disillusioned with GMail traditionally go.

Can't say enough good things about Fastmail.

Have you heard any story similar to what's happening with OP where fastmail support ended up resolving the issue quickly and in a timely manner?

I'm not trying to imply that it would be the same, genuinely curious if I can expect better by switching.


I haven't had my account hijacked before with fastmail. But I have had to contact support and I was in touch with a real person in less than 30 minutes.

Not that I'm aware of. I think there's an element of "the grass is always greener on the other side." When the NSA thing first came out, people were publicly talking about leaving GMail for Fastmail, since Google showed up in the XKeyscore docs, just as people felt superior about their Androids when the Apple Foxconn scandal broke. But in all likelihood they suffer from many of the same problems; Fastmail (and the various Android manufacturers) are just smaller and don't attract the same negative attention.

I have dealt with Fastmail support in the past, although it was regarding invoicing questions, not identity fraud. My experiences were fairly positive.

Use the cryptography based 2FA (with Google Authenticator on your phone). SMS is too open to social engineering, and as a second factor might actually make your account less safe.

Think I read that Google Auth falls back to SMS, so that wouldn't help.

You can freely choose between enabled authentication methods.

So it's possible to disable the SMS authentication by removing it in the security settings.


I'm sorry if this sounds like me being a jerk - that's not my goal. I just want to point out cold hard facts.

> but this is happening right now to a friend of mine's gmail account

I can't stress this enough but please enable OTP on your accounts. Facebook, gmail, and even your Windows system if you are paranoid enough. Yeah it adds some hassle - but the value of increased security far outweighs the hassle. Also backup the OTP codes somewhere.

> Scammer was able to social engineer the cell phone company to forward his number

If they are in the US please tell us the name of the provider so we know not to ever use them. This isn't the first time this kind of attack has happened [1] (shame on you DigitalOcean). I use Gandi and they state in their documentation that they will not reset it if you ask them [2].

> Its so disturbing that there is absolute nothing you can do to reach Google once this happens.

It's a free service - what do you expect? I've heard this story many many times. Yes - google makes billions in profits and could in theory hire someone to handle gmail issues. But, they don't and it makes sense from a business point of view (why spend money on a guy who will support a service that doesn't make money?).

> It could happen on anyone's cell phone as well, how many fortune 500 companies have higher up employees with cell phones and gmail accounts?

If a Fortune 500 company uses gmail they would buy the google apps for work. If they buy google apps for work they get an 800 number to call if they have problems (and most likely a dedicated account rep because they are probably buying 1000s of accounts).

> Imagine in the future trusting google with a self driving car and home automation

Again - you would be giving money to google. And in return you will get support. I'm not saying Google is perfect but if self driving cars become a thing I'm sure (hope) there will be an 800 number you can call when your car becomes sentient.

[1] - https://news.ycombinator.com/item?id=9596258

[2] - https://wiki.gandi.net/en/hosting/gandi-expert/change-root-p...


The cellphone provider was Sprint. My friend is a paid customer of Google Apps. As part of the process he called Google Apps, and they immediately disabled his Apps account, but they couldn't or wouldn't do anything else, including helping him escalate to the right people -- they said they did not know who to contact. Eventually, after he called back several times, he got a manager/supervisor who was able to create a ticket. He called back the next day and the ticket was deleted!

Meanwhile the scammer is making threats to his family and, pretending to be him, sending out emergency BTC loan requests and resetting bank passwords. He could be SWAT'd at any moment.

Apparently Google executives are in the mindset that it isn't cost effective for them to provide even the most minimalist crisis support -- a trivial 5 minute look at the account and seeing the ransom artist texting him (through his own Gmail) would at least justify an account hold. Google couldn't be bothered, even at a record 66 billion dollar profit, to help him. Why? Because they can't make a profit helping him. Or maybe it's that and they are still in the 2003 "beta" mindset. It truly is a real life THX 1138 nightmare for him.


He is a paying customer... wow unbelievable.

Why can the police/FBI help in this case, given all the threats and demands? Were they contacted and informed of the situation?


Yes, he has an FBI complaint id and met with them. Basically the FBI said there is nothing they can do. I'm going to get him to contact the journalist for this article and see if there is another FBI agent he can work with. Sprint wouldn't work with him at all, and only after dozens of calls did they start to help him get his number back. (The entire number was in the process of being ported.) We didn't even think about him being SWAT'd until I read this article. The threats were specifically towards his parents. If anybody has any suggestions please let me know.

> My friend is a paid customer of Google Apps. As part of the process he called Google Apps, and they immediately disabled his Apps account, but they couldn't or wouldn't do anything else, including helping him escalate to the right people

I would be calling sales and support until I got someone who could do something. I would call any number related to Google - including for services not even related to gmail.

> Meanwhile the scammer is making threats to his family and, pretending to be him, sending out emergency BTC loan requests and resetting bank passwords.

But if his account is disabled how is the scammer sending out emails?

> He could be SWAT'd at any moment.

That is very unlikely and if it did it would have to churn through the legal system first.

> a trivial 5 minute look at the account and seeing the ransom artist texting him

That is a sticky situation - many would argue that Google shouldn't read another user's email. And that's probably why support is an issue.


The ransom artist is in full control of the account and sending out emails and texts (through Google Voice) as him. His account is not disabled. The Google Apps access account is not the same as his Gmail account; that is where you might be confused. The Apps access is disabled. He is an active member of the bitcoin community just like the two bitcoin members mentioned in the article, where one of them got swatted, for about the same ransom amount. It could be related. Obviously he was targeted to some extent because the attacker knew he had BTC. The Google Gmail end user license agreement specifically allows Google to read your emails. My point is they could do a better job; they just don't care. You can't trust them; they don't have any financial incentive to treat you as a real human person. Right now Google Ads is happily serving ads to the right of my friend's Gmail account while the ransom artist is using the account, and Google is making money off those clicks -- that's all they care about. Ultimately, there is no human dimension in their company vision.

The non-existent support problem exists also with other Google products, even when you pay. For example, I used to use Google Nearline. I paid the storage fees etc., but I could not even contact some basic support without buying a support package which costs quite a lot. So for now I deleted all my data there.

> It's a free service - what do you expect?

No reasonable person expects support for free, but relying heavily on a free service would be a lot less scary if there was an option to get customer support for $100, refundable if they can't solve your problem. At the moment there doesn't seem to be a middle ground between 'behave like a company and open a commercial account before you know there's going to be a problem' and 'if a problem does arise there's nothing you can do for any price'.


Iirc you are able to get priority support for resetting a Google password if you pay.

That would certainly be good news! I don't suppose you remember any references to how?

I can't find it now, but I seem to remember seeing some option to pay for priority in the account recovery options when resetting one of my accounts in the past. You could always try it on one of your accounts and see.

Is OTP one-time-password?

Yes, typically synonymous with two-factor authentication.

Google apps lets you generate a series of one-time use codes, which you can print out and keep in a safe/folder/notebook, so that if your 2-factor-auth device (phone, fob, etc) gets nuked, you can still log in.
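The comment above describes printable one-time backup codes for the case where the second-factor device is lost. As an added illustration (not code from the thread or from Google), here is how a service would typically implement them: the user receives the plaintext codes once, while the service stores only a salted hash of each unused code and burns the hash on redemption. All function names and the alphabet are my own choices, and the PBKDF2 iteration count is an assumption, not a published value.

```python
import hashlib
import hmac
import secrets
from typing import List, Set

# Alphabet without look-alike characters (0/O, 1/l/I) so printed codes are easy to type.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_backup_codes(count: int = 10, length: int = 10) -> List[str]:
    """Random single-use codes; about 49 bits of entropy each with this alphabet and length."""
    return ["".join(secrets.choice(CODE_ALPHABET) for _ in range(length)) for _ in range(count)]


def format_for_printing(codes: List[str]) -> str:
    """Group each code as xxxxx-xxxxx, one per line, for the sheet the user keeps offline."""
    return "\n".join(f"{c[:5]}-{c[5:]}" for c in codes)


def normalize(code: str) -> str:
    """Tolerate the separators and case a user is likely to type back from a printout."""
    return code.replace("-", "").replace(" ", "").strip().lower()


class BackupCodeStore:
    """What the service keeps per user: a salt and hashes of the unused codes, never the codes."""

    def __init__(self, codes: List[str]):
        self.salt = secrets.token_bytes(16)
        self.unused: Set[bytes] = {self._hash(c) for c in codes}

    def _hash(self, code: str) -> bytes:
        # Slow hash so a leaked table does not yield the codes cheaply (iteration count is an assumption).
        return hashlib.pbkdf2_hmac("sha256", normalize(code).encode("ascii"), self.salt, 50_000)

    def redeem(self, submitted: str) -> bool:
        """Return True exactly once per valid code; a reused or unknown code is rejected."""
        candidate = self._hash(submitted)
        for stored in list(self.unused):
            if hmac.compare_digest(stored, candidate):
                self.unused.remove(stored)  # single use: burn it on success
                return True
        return False

    def remaining(self) -> int:
        return len(self.unused)


if __name__ == "__main__":
    codes = generate_backup_codes()
    print("Print and store these; they will not be shown again:")
    print(format_for_printing(codes))
    store = BackupCodeStore(codes)
    print(store.redeem(codes[0]), store.redeem(codes[0]), store.remaining())
```

The service-side store deliberately never keeps the plaintext list, so a database leak does not hand out a bypass of the second factor; the user's printout is the only copy, which is why the comment's advice to keep it somewhere safe matters.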

I find it interesting that he could log in without 2-factor auth. Those things I thought were keyed to phone hardware.


Many 2FA implementations offer SMS (which would be compromised given a social engineering cell redirect) as an alternative to TOTP (what's commonly referred to as "Google Authenticator"). It's time-based, so if you capture the initial image or code, you can actually set it up on multiple devices, so it's not exactly device-based.

This is a reason to not verify over SMS and to instead use the Google Authenticator app. It seems easier to socially engineer an SMS redirect than to obtain the mobile device and bypass its login authentication.

If you are going to verify over SMS, don't have your SMS messages forwarded to email, as that would render your 2FA pointless.


> I can't stress this enough but please enable OTP on your accounts. Facebook, gmail, and even your Windows system if you are paranoid enough. Yeah it adds some hassle - but the value of increased security far outweighs the hassle. Also backup the OTP codes somewhere.

It seems like the specific attack vector in this case was linking the Gmail account with a cell phone number. Surely the most secure option is simply a very strong password with no TFA, OTP or any other auxiliary recovery options?


> It seems like the specific attack vector in this case was linking the gmail account with a cell phone number.

The whole story seems kind of farfetched really. If the attacker did get forwarding to work, it would only forward calls, not text messages (and Gmail would send a recovery code via text message). According to the story it was in the process of being ported, which MAY send texts to the new number, but in most accounts that I've read dealing with porting, that takes at least 24 hours for them to start receiving text messages on the new provider. To my knowledge no carrier has implemented text message forwarding. Also, it seemed my posts were downvoted right around the time of his responses.

There are certain holes in this story: first it was a Gmail account, then it turned into a Gmail + Google Apps account, which are 2 completely different things.

Regardless - enable OTP period.

> Surely the most secure option is simply a very strong password

Arguably using a different strong (12+ characters) password for every site and service is a good approach - but then you should probably be generating those passwords and storing them into a password manager. Then that password manager becomes a target[1]. Using OTP is just a good layer of security.

[1] http://arstechnica.com/security/2015/06/hack-of-cloud-based-...


Most services which use phone numbers for authentication helpfully offer to call you and read out the code using text-to-speech if they can't text you, including Google accounts. This is often exploited by attackers.

I never activated Google's 2-factor authentication just out of fear of my phone being stolen. This ugly possibility never even occurred to me. I really cannot understand why this stupid SMS-based scheme is pushed down our throats by Google.

Fingers crossed for your friend, I hope it works out!


So if a) users don't get smarter about security and b) the use of Bitcoin as a ransom currency doesn't get disincentivized, how will this play out? I can't see the status quo continuing; resigning to "oh well, the nerds have won, we can't do anything" isn't how the government tends to operate.

Would the government try to really hammer down on Bitcoin if this becomes the epidemic I think that it might?

Government regulation of companies that permit easily "hacked" accounts?

The introduction of personal insurance policies for online data that would pay?


Why can't you track where they spend the ransom money via the blockchain? Couldn't this be used to identify the criminals?

It depends how good their mixers are.

To me this is a serious downside of cryptocurrencies - the fact that criminals have this secure channel of stealing from victims.

Besides malware, one can be blackmailed with information disclosure (everyone has secrets), one can be physically bullied into transferring one's BTC or forced to pay bribes by police or corrupt authorities. In western countries some of these may seem impossible, but in a lot of places, police or authorities are worse than criminals. And of course good old hacking.

It's also a very good incentive for maybe-criminals to actually go and do the crime - because the risks of being caught are very small.

One counter argument is that it's possible to steal cash anonymously too, but of course it's not the same thing, just like crypto is not cash.

This is a serious problem with (anonymous) crypto and it will only grow bigger and bigger as it goes more mainstream.


If we were running our economy on steam and gold we would have even fewer problems. Your life expectancy would be 2x lower, but Sherlock Holmes would be able to find the blackmailer.

Do you seriously blame the technology and instead of finding a technological solution propose to blame everyone using it for occasional consequences you do not like?


> If we were running our economy on steam and gold we would have even fewer problems.

Absolutely. I've lost a lot of coins in various hacks so this is experience talking, not theory ;).

> propose to blame everyone using it for occasional consequences you do not like.

Not blaming anyone and I'm still quite hopeful about crypto (albeit much less now than before), just saying this is a dark side of crypto which people are afraid to look at and it's not going away.

You may remember this discussion if, god forbid, somebody hacks the service where you hold your coins (https://bitcointalk.org/index.php?topic=576337) or exploits a vulnerability in your OS and steals your wallet OR does the thing in the article.

Right, we are literate, we don't keep our wallets online or on our hard drives. For maximum safety we keep our public key pairs on a piece of paper or wood and hide it away in a dark place.

