30 thoughts on “Got a Chromebook? Here’s how and why you need to protect your Google account”

  • June 18, 2019 at 12:00 pm

    Make sure you also secure your recovery email accounts too. As you add security measures to your accounts, remove the least secure but make sure you have more than one 2FA fallback. Early on with 2FA I lost access to my phone. The ten one time passwords saved me. Review your account security regularly and remove unused access.

    • June 18, 2019 at 12:11 pm

      Great point! Matt had his own phone number and email in there; I switched both to my wife’s information.

      • June 18, 2019 at 4:20 pm

        So, now, I need your wife’s info to hijack your account…

        I’m a bit surprised by this possibility of SIM jacking in the US. How come the provider doesn’t have a more secure process? Would this be the price of convenience?

    • June 28, 2019 at 9:55 am

      I love the idea of a key for our family main Google account. My wife’s Google Photos app and my Google Photos app on our phones use the main account so that all of our photos shoot up to the Google Photos library. Is this bad practice?

      My other question is: would the regular key (not Titan) render her phone useless to the main account if I am using it, or is it just a good backdoor to the account on top of 2-factor?

      • June 28, 2019 at 12:10 pm

        In general I don’t think it is a good idea to share Google accounts since there is always the possibility one partner will do something that could impact both partners–for example, change a password. Better for each person to have their own account and then share whatever you want to share. It is very easy to share a Google Photos library with one other person. This also creates a “backup” of sorts for all the family photos since chances are you both won’t get locked out of your accounts or lose access at the same time.

        • June 28, 2019 at 1:34 pm

          I hear you. It’s the only way I can manage the photos because I have so many. I pay for 2TB of space for 10 bucks a month and the wife is only signed up to the google photos app as my account name on her phone so I capture everything. Any ideas how I can do the same thing and have my paid space still be the repository for photos between the two of us? I really am scratching my head on this one. I tried monthly migrating her photo up there but it is more automated this way.

          • June 28, 2019 at 1:51 pm

            You can Share photos between Google Accounts or within a family group. https://support.google.com/photos/answer/7378858

            The person who accepts the sharing invitation can go to settings and click “Save to your library.” I believe there is a limit of something like 20,000 photos that can be shared.

            Note that if you use the High Quality setting in Google Photos you can save unlimited photos for free.

  • June 18, 2019 at 2:28 pm

    No arguments re: 2FA. However, how does this work if you access Google services from multiple devices in addition to the Chromebook? E.g., phone, tablet, PC/Mac? Does every device used need its own 2FA mechanism?

    • June 18, 2019 at 5:01 pm

      Same 2FA mechanism for the account works across all devices.

  • June 18, 2019 at 3:41 pm

    I’ve tried using Google Authenticator but it never works, so I still use SMS but put a PIN on my phone account. So how is anyone going to find out my phone number anyway?

    • June 18, 2019 at 5:59 pm

      Truepeoplesearch.com, actually. I had my biological grandfather’s name, searched him on that website, and found a list of phone numbers of his. I just started calling them until I got an active number (which was his).

      It was really easy.

      • June 19, 2019 at 12:06 am

        OMG, that’s pretty scary, except it only lists landlines, which are not any use to anyone.

    • June 22, 2019 at 6:28 am

      I use Google Authenticator (or Authy) daily, and have never had a problem. I also use a YubiKey, but it cannot be used on every site or app.

  • June 18, 2019 at 7:32 pm

    I was checking my 2FA on Google. I have the new Pixel 3A XL phone and it now says I can add it to my account.

    How safe is the security key in the phone compared to using my YubiKey?

    Brad

  • June 18, 2019 at 8:09 pm

    I’m not sure if this would help or not, in this instance, but since signing-up for Google Voice, that’s the only number I give out (other than family). Pretty sure T-Mobile’s response would have been, “….eh, that’s not a real number.”
    Wonder how Google Fi would have handled it?

  • June 18, 2019 at 10:44 pm

    Thanks for a very good post. However, I do not think the paragraph that begins with the following sentence makes as much sense as the others: “For this reason, I specifically follow an approach of “if it’s important, don’t store it locally on the Chromebook…”

    Following that policy would not have protected Matt from his security/information breach. To be sure, in the particular case of Matt that you discuss at length, the reverse could have been true. (*The information and files exposed in Matt’s case were precisely that information and those files stored in the cloud in his accounts.*) In any case, a remote access hack is technical and technically much more difficult than the social engineering hack that you described against Matt. Just to be clear, the social engineering hack against Matt would not have provided access to information and files stored offline in folders on his computer and that hack would only have provided access to information and files stored online in the compromised accounts. The sim hack counts as a social engineering hack. What devices that sim hack further compromises depends on the particular connections between accounts on the sim device and accounts on other devices. Apart from outright stealing/gaining physical access to a device (which is the crudest kind of hacking if it counts as hacking at all), although some people might want to protect data stored on a device, it is not so clear that the reasons for wanting to do so follow from the previous paragraph when you typed, “For this reason, I specifically follow an approach of “if it’s important, don’t store it locally on the Chromebook…”
    Peace.

  • June 19, 2019 at 12:21 am

    Of course, this assumes Google follows their own rules. I changed phone numbers and despite not using SMS authentication Google decided to use that method to make sure it was me logging in. They had my old phone number stored as a backup phone, which I had forgotten to change. No matter what I did I was unable to get Google to let me use the prompt, or the authenticator app, or the one-time codes. Google also decided several “trusted devices” were no longer trusted. This all happened not when traveling, but in my own home. I was finally able to login from work where my phone once again was recognized as a trusted device.

  • June 19, 2019 at 1:54 am

    Kevin, the issue with Matt’s scenario seems not related to 2FA… to use 2FA you need to have the account password, which the hacker didn’t.

    The issue is with the recovery settings in case of password loss etc… where you only have 3 options (as far as I can see): phone number (dangerous, as witnessed by Matt), another email account, or a security question (not too secure in my mind as well).

    You cannot use an authenticator or physical key or backup codes as recovery backup…

  • June 19, 2019 at 7:25 am

    In fact, this issue seems to show the disadvantage of 2FA because of the use of your phone number for SMS codes and/or the recovery number. If instead a person had just a username and a decent password and no recovery phone, it wouldn’t have happened. I’m not arguing against 2FA. But for many sites your phone number remains an Achilles heel. Using someone else’s phone number is sure to cause problems. What happens when they change the number without telling you? Or you are in Australia and you need an SMS code from someone sound asleep in New York?

  • June 19, 2019 at 12:22 pm

    One thing has always confused me about these SMS code attacks. If I have Google Prompt set up as my default 2FA, Authenticator as a second backup, and then SMS and Backup Codes as additional options, what is to keep someone who gained access to my phone number and knew my email address from resetting my password by simply continuing to click on “Try another way” at the password field until they get to the SMS code option, even though it’s not the default? Is the only way to make the account secure to completely remove SMS codes as an option and limit myself to only three ways?

    • June 19, 2019 at 12:43 pm

      In my experience, you have to remove BOTH SMS as a 2FA option and a phone number as an account recovery option. As I stated above, despite only having my phone number as an account recovery option, Google for some reason decided that the only way I could log in was having an SMS code sent to my recovery phone. When I clicked “try another way” I was only given the option to have the SMS sent to my old phone number, no longer in service. Maybe that was just a bug, but it indicated to me how tied to our phone numbers life has become, and despite all of our best preparations for security there are always holes we can fall into.

  • June 19, 2019 at 2:22 pm

    Important! I just listened to the discussion about this in MobileTechRoundup #472 podcast.

    In conjunction with the fortunately aborted attempt to steal $25,000 from Matt, he mentioned the bank suggested the transaction would go through and be funded by his “Overdraft on his Credit Card.”

    “Overdraft protection” is a huge banking industry consumer rip-off. Imagine not only having $25,000 stolen, but having to pay it back to the bank at a high rate of interest. Go into your bank accounts, and turn “Overdraft Protection” off. It is far better to pay a bounced check fee than find yourself in debt to your bank because it blessed you with “Overdraft Protection” when a criminal transfers money out of your account.

    Data in the cloud: can we say “Duh?” Matt and Kevin, you’re both geeks. It is reasonably safe to store data in the cloud if you encrypt it locally with a good encryption program and password before moving it to the cloud. 7-Zip is available on Windows, Linux, and Mac (Keka on Mac). It does not seem to be available on iOS but is on Android, which may be the path to use it on ChromeOS (Linux on a Chromebook is another).

    Same for all those documents in the “love you letter.” Put them in a password manager, e.g., the free and excellent KeePassXC. Use a good KeePassXC password and your password files can be stored in the cloud, though I recommend keeping them locally only.

  • June 19, 2019 at 2:42 pm

    Despite all this valid discussion about how to secure cloud accounts, I am convinced that storing everything in the cloud is far, far more secure for most people. Yes, geeks here are disciplined and organized enough to properly utilize multiple layers of backups, including local and cloud, and encryption, but 99% of the computer-using public is not. I have assisted many friends and even co-workers who did not have any sort of backup in place, cloud or local. And, even if they do, it is often set up incorrectly and barely secured with terrible passwords and physical security. Most phones I see are unlocked and ready to steal. It is a wonder more people aren’t hacked daily, though probably the biggest danger to most is losing their data due to human error or hardware failure. I have personally had multiple computers and remote hard drives fail, and all it takes is one fire, flood, or major power outage and your precious local backup is toast.

  • June 20, 2019 at 9:54 am

    Toward the end of the podcast Kevin correctly notes that a passcode stolen or forgotten locks the user out of local storage on a ChromeOS device. True, that’s Google’s initial ad for Chromebooks: stolen, lost in the river, your data is safe in the cloud. But there’s Matt, locked out of both device and cloud by a password thief.

    Local backup of critical files is basic.

    • June 22, 2019 at 12:01 pm

      Thanks, John. Spent some time yesterday “hardening” Google accounts. Found there are some differences between free Gmail accounts and GSuite. A potential weak point is payment for the GSuite accounts I manage goes through a card attached to free Gmail, and that’s also the recovery email.

      That recovery question “first date of account” isn’t available to even logged-in users. If, like me, you’ve had an active Gmail from the beginning of Gmail, and pruned thousands of old and inactive emails, that date’s just not available. As one angry post on Google support complained, why would Google use an unanswerable question?

      • June 24, 2019 at 4:19 pm

        Google should be more proactive and tell people to make a note of when they first signed up for the account. I was able to find that by searching for and finding emails from Google when I first signed up. Another possibility might be asking a friend or relative to search for the earliest email from you sent from Gmail. My son had one I sent as a test when I first signed up. I have also removed my phone number as both an authentication option and as a recovery option. I have a recovery email address with another service that is also pretty well hardened. I periodically use Takeout to download all my Gmail, files, and photos to be stored on local hard drives, though there would be gaps if I lost my actual account.

  • June 28, 2019 at 5:50 pm

    I have a Pixelbook, obviously previously set up for my account. I just got a new Titan Security Key bundle and I cannot figure out how to force my Pixelbook to require providing my Titan key (either BT or USB) on login, even though I have them configured for 2FA in settings. No matter whether I enable just password or password & PIN, I never get prompted to provide the second factor. Documentation is awful, and frankly this article is not very specific either. Need something very step-by-step to troubleshoot.

    • June 28, 2019 at 6:34 pm

      I don’t think this is available with consumer-level accounts, and I’m not necessarily sure whether you get this with GSuite or not. If you powerwashed your CB, when you first go through setup, you would be prompted for your key. After that, you only need your key for your Gmail login. If you log out of your Gmail account and log back in you will be prompted. One thing to be aware of is that there is a “Don’t prompt me” checkbox that I always need to uncheck to force requiring the key at every Gmail login. It has been this way for years. I have no idea why one would want to disable this security feature?
      Also, I don’t believe the Titan Bluetooth key works with desktops or Chromebooks. I had hoped this would work with my CB but I think it is strictly Android phones.
      If you are using another Gmail account as your account recovery email, make sure you also add the key to that account as well. Make sure you have at least backup codes as a redundant 2FA method.

  • June 28, 2019 at 6:38 pm

    I should add that the Titan BT key does work with a Chromebook, but only if attached by the USB cable.
