> It seems like the specific attack vector in this case was linking the gmail account with a cell phone number.
The whole story seems kind of far-fetched really. If the attacker did get forwarding to work - it would only forward calls, not text messages (and Gmail would send a recovery code via text message). According to the story it was in the process of being ported, which MAY send texts to the new number - but on most accounts that I've read of dealing with porting, it takes at least 24 hours for them to start receiving text messages on the new provider. To my knowledge no carrier has implemented text message forwarding. Also, it seemed my posts were downvoted right around the time of his responses.
There are certain holes in this story - first it was a Gmail account, then it turned into a Gmail + Google Apps account, which are two completely different things.
Regardless - enable OTP, period.
> Surely the most secure option is simply a very strong password
Arguably, using a different strong (12+ character) password for every site and service is a good approach - but then you should probably be generating those passwords and storing them in a password manager. Then that password manager becomes a target[1]. Using OTP is just a good layer of security.
Most services which use phone numbers for authentication helpfully offer to call you and read out the code using text-to-speech if they can't text you, including Google accounts. This is often exploited by attackers.
[1] http://arstechnica.com/security/2015/06/hack-of-cloud-based-...