Quick Article around cyber crime, Google is being used as an example, but it is essentially any consumer service.

If you find this Article helpful, please support a petition we have at the end of this page for the PSTN switch off in the UK, it creates new Cyber Crime issues, limits our ability to call emergency services and increases the cost for a lot of individuals out there (Contrary to popular belief).

Let’s crack on, we are going to list out 5 ways that Google services enables cyber criminals to access your accounts and commit fraud and cyber crime, so let’s get to it!

1. Strong passwords? How about easy workarounds!

Let us say that this is my password

xN_987!://jKlc4c5b

It is long enough and random enough that it cannot be cracked or guessed in any easy way.

Well with Google you don’t need to worry about the pain staking process of cracking a password, they’ve made that easy for you!

The simple account recovery method using a telephone number means that by prompting a voice call to your device, you can receive an easy to enter 6 digit code, so this makes the following true

If your telephone device is in my hand

1. I can reset your password in a couple of seconds, so what would be defined as taking millions of years on today’s technology to crack, I can do that in about 15 seconds using the account recovery methods.

If I don’t have your device in my hand

Well, if I can forward your calls to my number, the Google pin numbers will also forward

1. Phone hacking scandal showed us that pretty much anyone can access a voicemail, but most people do not realise why they need this to be secure. So if I ‘hack’ your mobile voicemail, or any other service, I may be able to forward your calls.

2. As part of a Job I had for a large corporate, for some reason Execs personal phones came under my realm of responsibility. These were the type of people who didn’t know anything about themselves, but would often ask me to contact their providers. Getting passed security questions pretending to be someone else is easily done, I know for a fact if you fail all the security questions with a mobile provider, it doesn’t mean you cannot get them to forward the phone calls.

3. You will have an online portal for your mobile telephone number, this can be used to forward your calls, so if that is not secure, it means I can access your emails as well.

Fix

By default, Google will prompt you to set up a mobile telephone number for account recovery, you want to remove this as an option.

If you log into your account, then go to this page, you can remove the recovery telephone number. You can set up a recovery email instead.

https://myaccount.google.com/security

Other services

Where possible, do not use telephone numbers for account recovery.

2. Two Factor Authentication, how about no factor authentication…

Depends on the method

  1. If the two factor authentication sends a voice call then per above methods
  2. If the two factor authentication sends a text, then I need your phone in my hand
  3. If the two factor authentication sends an email, then I need your phone in my hand
  4. If the two factor authentication is authorised on a device, then I need your phone in my hand

Do I really need your Physical Device?

Well, not if you use an account recovery option by telephone call, in fact if you do that then the same recovery option is used to bypass 2 step authentication using the “Forgot password” option, then when prompted for the 2 step authentication you simply click on screen “notification not received”, this will then prompt alternative methods that allow you to simply work around two step services.

Fix

On google, do not use the Voice Call option for 2 step authentication, be aware that a text or email option the pin number can be read without unlocking your physical phone.

By default, Google will prompt you to set up a mobile telephone number for account recovery, you want to remove this as an option.

If you log into your account, then go to this page, you can remove the recovery telephone number. You can set up a recovery email instead.

https://myaccount.google.com/security

Other services

Where possible, do not use telephone numbers for account recovery.

Where possible, do not use telephone numbers for two step authentication.

3. Isn’t it so annoying when you hack an account, then you have to reset all the other passwords and try to get into their bank account

Well not anymore!

You often see a little prompt on Google Chrome or Internet Explorer for “Store Payment Details” or “Store Passwords”, or you may even have set up Gpay.

Well if you are logged into google when you see these prompts, it stores against your Google account in a very non-secure way.

Yes it masks some of the details, but, for some reason it stores the CVV number in the account so you don’t need to enter it again.

It also then lets you transfer money via URL to telephone numbers or email addresses.

Short of it is, if you use Gpay or save card details against Google, I can empty your bank account in a few simple steps.

Then for everything else you use, your passwords are stored in plain text, so I don’t need to reset them. The real risk here is that I may have your passwords for everything you use, but you simply think you have forgotten your email password.

Fixes

Passwords

Make sure that no important passwords are saved against your google account

Go to this link, remove important passwords for important things.

https://passwords.google.com

Payments

I would strongly advise against using Gpay, it is non-secure by design.

You then should not store payment details against your account

Go to this URL, remove payment details

https://myaccount.google.com/payments-and-subscriptions

 

4. The hassle you have to go to for email interception, what a nightmare!

So this is where I see copies of your emails, replace them with my own, or see when you send an email so I can follow up with the recipient as you.

Essentially, I get a real life activity ledger into your account.

These are the types of crime where you see “Someone lost life savings, now cannot afford to pay X for the service provided”

One example was a person being hacked and they received an email from a builder with payment instructions, this email was replaced, same content but different bank account details.

To set up these services are really easy, I can do it with the “Filter” option and the “Email Forwarding” options, then use Aliases to make an genuine email that would look real (as technically it is from yourself)

Now the advice around this type of hack is “It wouldn’t happen if you have 2 factor authentication”, but as we have shown so far, that is easy to work around.

Fixes

Periodically check some settings

When logged into Gmail, click the “Cog” icon in the top right, then click settings

You want to check the “Filters and Blocked Addresses” tab, to see if any filters have been set up

You then want to check the “Forwarding and POP/IMAP” tab to see if anything has been set up here.

 

5. Nothing to blackmail someone with? That’s OK, create your own blackmail list!

This is pretty damned awful if you think about it, so google is not a device specific tool.

So you may notice that when you search for something at work or on your mobile, you go to google it again and google has the exact search term you used, highlighted in a different colour…. that’s because your search history and certain browsing history is associated to your account, not the device.

So if I log into your Google account, from any device, I can not only review your search history, but I can create a search history. Essentially, I can enter search terms, go to pages, and it will look like you are doing it.

I’ll let your imagination fill in the gaps there, so you can end up being blackmailed for something you have not done, as the proof I have entered into your account would look pretty damn damning!

Fixes

Beats me mate! No not really, but the compromise here is reasonably difficult for some. So you may find that google stops showing you things you want to see, arguably a good thing in my opinion, as their SEO is pretty crap for my uses (I used to use Google for education, not anymore though, it is good for entertainment only really, Ecosia for education right now.)

Anyway, turn off all the Activity controls on this page

https://myaccount.google.com/data-and-personalization

Bonus Round – Won’t somebody please think of the Children!

Location, location history, website history, contact history, who they are friends with, who they hate, where they like, where they go, where they are at this very point in time… pretty awful when you think about it.

Often tracking is enabled simply by allowing “Let Google Use your Location”, which could be done pretty harmlessly from google maps, or facebook, or anything really.

So, your kid loses their phone, or somehow someone get’s access to their phone, just for a few minutes (which is how long it would take to use the recovery options to access their account), then what? Look at all this stuff on their google account, made easy to access by a poor account recovery option letting me work around 2 factor authentication and secure passwords in a couple of minutes…

Maybe you turned off tracking, but when someone accesses your kids account, they turn it on.

The real life equivalent here is “Stranger Danger”

Yet without knowing they are doing it, your kids are likely creating a record of information that “Mr Stranger Danger” can access, knowing quite a lot about them.

Data Protection, GDPR, all that stuff doesn’t really come into it for this topic. Google are not giving out this information laid out in this article, it is stored in your account for the purpose of “Improving your internet experience”, but, if someone else can access it, which they can, it is a list of all you do and are.

Now I have kept this article Financial, but think about our 5 points above, from the perspective of your child

Points 1 and 2 – allow me easy access

Point 3 – That allows logging into Facebook, Twitter, Instagram

Point 4 – That allows replacement of emails, maybe for a location or event address

Point 5 – Blackmail could still be used here, dependent on the search history found “for fear of getting into trouble”, but you can also monitor it, then tailor “Click-Bait” emails around the interests displayed in the activity

Point X onwards – it is everything in one easy to access place, Photos, Videos, Content, linked accounts, locations visited…

Summary

(Don’t forget our petition at the end of this page)

So, where did it all go wrong?

Like I said, this is not just google, it is Facebook, Windows Live, Twitter, Instagram, they all focus on convenience and consumer confidence above security. So “Add a telephone number to make your account more secure”, it is, in fact, an illusion.

The NCSC (National Centre Security Centre), their partners and the likes of Ofcom focus more on consumer confidence than security, but their biggest crime is this assumption

“This has worked in businesses, so it works for consumers”

Something like 2 Step Authentication and Account Recovery works very VERY differently in an enterprise business setting, essentially, not every step is automated and convenient, some steps have to be more difficult than others, this allows for a secure method of account recovery and for 2 step authentication or even multi-factor authentication to be implemented appropriately.

This is generally because there is an understanding that convenience is not security.

If something is overly convenient, it is not secure. If something is overly secure, it is not convenient. Something really convenient and really secure has yet to be created.

But in this instance, it all started with Googles suggested and frequently prompted account set up method, it prompts you to add a Telephone number for account recovery, allowing an easy method to bypass secure passwords and 2 factor authentication.

If we go back further, then we used to have 2 step authentication in the form of a Username and Password, we went to 1 step authentication when we replaced our Usernames with email addresses i.e. publicly provided information.

Accounts can be accessed, it used to be the case that this took a bit of effort, but now someone accessing your account is as simple as following a wizard and using the services available to you to access an account, it is made easy for you, which makes it easy for someone else.

This article is simply a fraction of what I can do if I were to access an account, you can make it more difficult for someone by removing the telephone number from the account recovery options, as that will then mean that your password actually does something of value, I have to crack it the good old fashioned way which takes some time, but there are other considerations, taking the time to make sure that services like “Location Tracking” are turned off, they may improve some services like browsing and search results but only at the cost of safety, especially for children.

But for some of you out there, this may have already been done without you knowing, so now what do you do? You can reset your password, but If someone has set up some email monitoring functionality, resetting your password does not turn those services off, so you should go through checking some of the places I have listed, make sure that certain things are not configured on your account.

Short and sweet of it is, given everything that is being stored in a central easy to access location, like a Google Account, if you don’t make it difficult to access, then you make it easy to take advantage of you.

This article is a Summary of all the others we have, (links below), where we have more information and methods of preventing crime

This article lays out How I listen to phone calls, and new cyber crime coming to you in 2020 (Has a link to our petition that we want you to sign, there is also a link to the petition below.)

How I would listen to your phone calls

Steps 1, 2 and 3 from this article (above)

How I would steal your phone to steal your wallet

How I would Blackmail using the internet (Step 5 from this article)

How I Would Blackmail Using the Internet

Other Articles can be seen on this page for cyber crime

How I Would Commit Cyber Crime

 

Residential Information

Holds additional information around our petition for the PSTN switch off

Residential Information

 

Petition

This is our petition around the PSTN switch off, focusing on the access to emergency calls, but we list out a load of other issues, from Cyber Crime to definitions of vulnerable individuals

https://www.change.org/p/jeremy-wright-mp-tom-watson-mp-the-future-means-you-can-t-call-999-in-a-power-cut

Thanks for taking the time to sign this petition!