Public Service Announcement: Security

I am sure that Google does not want me to tell you this story, but I need to do so. It’s a public service announcement for people who keep credit card numbers in the Play store. I didn’t think anything of it because Apple requires a credit/debit card to get started with an iTunes account. When Google’s screen came up to enter the information, I did not realize it was optional. So, I entered my credit card information, and they just used the address you have on file from when you first opened your account, which was in Portland, Oregon.

The reason that I am publicly talking about this is that you cannot imagine how difficult my Google password is. I use LastPass to create 25 characters so there’s no way to look up anything I use in the dictionary. It would take a computer days to decrypt them. I also log out of the password vault, which is itself encrypted, after I’m finished using it. I thought I had it wired.

Then, when I came home from Paris, I tried to Uber to the Metro, and my card was declined. I knew there was money in the account because it had just been transferred. So, I logged into my bank account only to find that two transactions from Google had zeroed me out.

My account was hacked and my debit card was used to sign up for Google Cloud, and the bandwidth chosen was $100/day. I didn’t catch it the day it happened because I was in Paris, but I caught it within three days. I got on the phone with customer service, where they canceled my card and gave me a link to the fraud forms I would need to fill out to start the investigation. I was given provisional credit pending their findings so that I had access to my funds.

Several weeks later, Google sent my bank a report that said there was no evidence of foul play, that I was the party responsible. My provisional credit was yanked back, again emptying my account. So, I started my own investigation because theirs was so shoddy.

First of all, the billing address on my card did not match the billing address Google had on file. Secondly, while I was the “owner” of the Google Cloud account, there were at least 10 projects with two people who had added themselves as editors, with e-mail addresses that clearly looked like spam, e.g. 468434471727@cloudservices.gserviceaccount.com. And no address was used twice.

I then contacted Google tech support, where a very nice man named Jeremiah was absolutely sympathetic. I was able to lay out my concerns, and use technical language that he would understand, whereas my bank totally wouldn’t.

I sent the transcript of our conversation to my bank, and my money was returned. That being said, it took a few days to resolve because Google absolutely screwed me. It made no sense, because the original report Google sent my bank should have set off alarm bells just for the billing address alone.

The bank’s next step is to report the incident to the police, because what the hackers did was a felony. However, having been in IT myself, I know the chance that a hacker would ever get caught is less than zero. My first instinct is that it was done through a double VPN (worth every penny for your own privacy on the Internet), which makes finding a physical location damn near impossible. Plus, there were no identifying details in the e-mail addresses, et cetera, et cetera, et cetera.

When I was talking to Jeremiah about all this, I said, “I don’t even know how to program. It would never occur to me to buy virtual server space, especially not that much bandwidth.” After we talked about tracking down IP addresses and such, he joked, “are you sure you don’t know how to program?” I said, “no. I’m in tech support. I bail out programmers when their computers break. They can write, but God forbid the operating system throws an error.” He laughed his ass off and said, “welcome to my life.”

So, even though this was a very serious situation, I could still laugh about it (somewhat).

I am just angry that a company whose motto is “don’t be evil” didn’t even take the time to beat down the evil that was happening to me. I had to figure it out on my own. Thank God I had the technical smarts to do so. I was able to learn the web interface quickly, so that I could find all the information I needed to prove my case. It’s sad, because it was so easy that if I did ever want to purchase virtual server space (like to be able to use the full version of WordPress and tailor it on my own rather than the limitations of WordPress.com), it’s definitely the easiest panel I’ve ever used. But I just cannot justify giving them any money, no matter how small the amount.

After this happened, I changed my password to another 25 character random string and instituted two factor authentication. This means that whenever I log in on my desktop, I have to prove it’s me on my phone. If I’m using my phone, they send me a text verification code. I am not playing around. It occurred to me that if someone could get into my Google account, they could also get into my calendar and mail.

So, I created an account with ProtonMail, which encrypts e-mail going out. Privacy is built in, as opposed to Gmail, which needs a plugin called “Enigmail” (link is to the full version, Gmail web interface uses a Chrome plugin). But even ProtonMail has its limitations. If both people aren’t using secure e-mail, it can only encrypt the text on the way out.

I also prefer to use Signal on my phone, which handles text messages, and if the other person has Signal as well, the messages are encrypted. For those who use iOS, iPhone messages are already secure. Basic SMS is not. If you communicate with both iOS and Android users, I highly recommend downloading Signal or WhatsApp (I’ve tried both, and Signal won). That way, information is encrypted no matter who you’re texting.

There’s been some chatter about campaigns to get iMessage ported to Android, but I highly doubt it will gain traction. WhatsApp has nearly all of iMessage’s features, but Signal won for me because I don’t need fancy. It’s a simple text interface, and that’s what I like about it.

I’m just sorry that it took a financial disaster to get me on my soapbox about privacy, because if it could happen to me, it could happen to you, too. This is an entry I should have written years ago.

I apologize. Those responsible have been sacked.

The FDB

Fanagans’ Daily Briefing

Getting into the spirit of living in DC...

  • I can’t decide if I am more or less afraid of Donald Trump being impeached. There are just too many people we’d have to get rid of in the line of succession before we reached the legal definition of “a reasonable person.” The news that Mike Pence thinks we can end abortion in America is what did it for me, because he’s not going to make it happen by creating a social safety net for poor mothers. If Republicans were actually pro-life, they’d be lined up around the block with bottles and blankets for the children living in poverty right now. The classic line about not creating a government safety net is “that stuff should be taken care of by private charities.” It won’t, because charity donations are dependent on a good economy, and even then, there’s no guarantee that people will donate enough.
  • Jared Kushner having his security clearances revoked is the best news I’ve heard in a long time, because he never should have gotten them in the first place. That being said, it literally makes no difference because the president has no qualms about saying whatever he wants without a filter. Well, I guess it does make one difference. Bad things happen to people who leak Top Secret information to ordinary citizens, and it only has to happen once to get on intel’s radar. Additionally, I didn’t mean to or I didn’t know is completely invalid. Idiocy and malice are treated exactly the same way.
  • Since the idea of arming teachers has been tossed around, one has accidentally shot themselves in the classroom, and one has barricaded themselves into a classroom, waving a gun to keep the children out. This is obviously a brilliant idea, as is Florida’s idea to budget $67 million to give teachers handguns. Thinking they should probably start with pens & pencils... maybe some Crayons. If they want to get really crazy, why not raise teachers’ salaries to six figures, because without them, we can’t do anything else. Before you can run a Fortune 500 company, my guess is (and I’m just spitballing here...) you have to learn how to read at some point.
  • I’m starting to hope that Eli Pope and Jake Ballard exist.