This story involves an aging dog, the Google Search app, a Citibank credit card perk I’ve never before used, and the infamous Equifax Hack (for the latter, see: Is the Equifax cure worse than the hack?).
While doing research for my “Equifax Hack Rx” series, I learned how insecure SMS is for two factor authentication, and that led me to change security on my Gmail account. Did I lose you there? Let me back up… The main thing I’m worried about with the Equifax Hack is the likelihood that our personal information will be used by criminals to get access to our accounts: bank accounts, digital currency accounts (BitCoin, for example), frequent flyer accounts, etc. All they would need to do is to try to log into our accounts and click the “forgot password” link.
After clicking “forgot password” the criminal may have to answer some questions to prove that they are you. Well, thanks to the great security forces at Equifax, the criminal may now have the information needed to do just that. In many cases, though, the way a criminal must “prove” they are you is by receiving a text or email message containing a one-time code.
Regardless of whether the criminal must answer security questions or get access to a one time code, the end result if they are successful is a new one-time password sent by email.
If the criminal gets that one-time password, then they are in. Most financial institutions have additional safeguards to prevent people from suddenly cleaning out your account, and federal and state laws are likely to protect you anyway. But other forms of digital valuables are not so well guarded. Digital currencies like BitCoin can be instantly and irrevocably liquidated. And loyalty rewards (frequent flyer miles, store rewards, etc.) can often be cashed out quickly and easily as well.
All of this shows how critically important it is to safeguard your email account. A strong password isn’t enough. A hacker can use the “forgot password” exploit to still get in. For years, I thought that I had properly secured my Google Gmail accounts by enabling two-factor authentication. Anytime I logged into my Google account from a new device, Google would send me a code via SMS text message. The only way into my inbox was by entering that code. That’s safe right? No… it turns out that it’s not safe at all.
Just last week, Forbes published “All That’s Needed To Hack Gmail And Rob Bitcoin: A Name And A Phone Number“. Apparently it’s easy for an expert hacker to intercept text messages! The article describes a hacking demonstration by researchers from Positive. Here’s a summary quoted from the article:
In their attack, the Positive researchers first went to Gmail, using Google’s service to find an email account with just a phone number. Once the email account was identified, the hackers initiated a password reset process, asking one-time authorization codes to be sent to the victim’s phone. By exploiting SS7 weaknesses they were able to intercept text messages containing those codes, allowing them to choose a new password and take control of the Gmail account. They could then simply head to the Coinbase website and do another password reset using the email they’d compromised.
Fixing the hole where the hackers get in…
Immediately after reading this article, I browsed to my Google account (myaccount.google.com) and ran their Security Checkup. At the end, I had a chance to change my 2 Factor authentication settings. I removed my phone as an option and instead setup both Google’s Authenticator app and the Google prompt options. I installed the Google Authenticator app on my iPhone for the former, and installed the Google Search app to enable the latter.
I’m sure that I’m nowhere near completely safe from hackers, but by changing my 2 factor authentication to less vulnerable options, I should be significantly safer than before.
How to setup 2-Step Verification with Google
About that Google Search app…
One of the things that the Google Search app can do is to hack your life… but in a good way (albeit creepy). Within minutes of installing the app, this alert popped up: “Update on a product you researched: Price drop”
When my dog isn’t busy photo bombing my credit card photo shoots, he spends his time getting older instead. We don’t know how old he is — he was a rescue — but we know from his behavior that his attempt to get older is working…
In addition to aging, our dog’s other favorite hobby is to sleep. And as he gets older, he has a tougher time each day jumping up to our bed. Even though he sleeps most of the day wherever he is around the house, nothing is as good as sleeping in bed. So we bought him foam doggie stairs that we found on Amazon. He hated them. Despite treats, goading and cajoling, he wouldn’t climb those stairs.
So, we tried a more expensive option: Drs. Foster & Smith Dura-Ruff® Indoor Ramp.
Well, it sort-of works. Our dog won’t use the ramp part of the thing at all, but he does jump to the midway point and from there jumps up to our bed. Mission accomplished (as long as he doesn’t get any older).
So… back to that Google price drop alert… I had paid $135, but the same ramp was now being advertised for $79.99. That’s a $55 difference.
I had paid for the ramp with a Citibank card. That was good news since Citi has a nice “Price Rewind” feature for all of their cards. Theoretically you can have Citi watch prices for you and automatically pay you when the price drops. In this case, Drs Foster & Smith products are apparently not in their search zone. Instead, I filled out a Price Rewind Benefit Request Form and emailed it to Citi. While they haven’t responded yet, I do expect to get the difference back.
As an aside: I probably should have contacted the online store’s customer support to see if they would refund the price difference directly. I was curious about using credit card price protection, though, so I decided to try out that benefit.
All of the above was a long way of saying that you should do the following:
- You should setup two-factor authentication to protect your email accounts
- Whenever possible, don’t use SMS (phone texts) for two-factor authentication. Instead, use something like Google’s Authenticator app.and (less importantly):
- If you’re going to buy something that is likely to drop in price, use a credit card that has some form of price protection (many do).
- Consider allowing Google to mine your life (they’re doing it for good, right?)
- Do whatever it takes to make your dog happy.