I am sure that Google does not want me to tell you this story, but I need to do so. It’s a public service announcement for people who keep credit card numbers in the Play store. I didn’t think anything of it because Apple requires a credit/debit card to get started with an iTunes account. When Google’s screen came up to enter the information, I did not realize it was optional. So, I entered in my credit card information, and they just use the address you have on file from when you first opened your account, which was in Portland, Oregon.
The reason that I am publicly talking about this is that you cannot imagine how difficult my Google password is. I use LastPass to create 25 characters so there’s no way to look up anything I use in the dictionary. It would take a computer days to decrypt them. I also log out of the password vault after I’m finished using it, which is also encrypted. I thought I had it wired.
Then, when I came home from Paris, I tried to Uber to the Metro, and my card was declined. I knew there was money in the account because it had just been transferred. So, I logged into my bank account only to find that two transactions from Google had zeroed me out.
My account was hacked and my debit card was used to sign up for Google Cloud, and the bandwidth chosen was $100/day. I didn’t catch it the day it happened because I was in Paris, but I caught it within three days. I got on the phone with customer service, where they canceled my card and gave me a link to the fraud forms I would need to fill out to start the investigation. I was given provisional credit pending their findings so that I had access to my funds.
Several weeks later, Google sent my bank a report that said there was no evidence of foul play, that I was the party responsible. My provisional credit was yanked back, again emptying my account. So, I started my own investigation because theirs was so shoddy.
First of all, the billing address on my card did not match the billing address Google had on file. Secondly, while I was the “owner” of the Google Cloud account, there were at least 10 projects with two people who had added themselves as editors, with e-mail addresses that clearly looked like spam, e.g. email@example.com. And no address was used twice.
I then contacted Google tech support, where a very nice man named Jeremiah was absolutely sympathetic. I was able to lay out my concerns, and use technical language that he would understand, whereas my bank totally wouldn’t.
I sent the transcript of our conversation to my bank, and my money was returned. That being said, it took a few days to resolve because Google absolutely screwed me…. it made no sense, because the original report Google sent my bank should have set off alarm bells just for the billing address alone.
The bank’s next step is to report the incident to the police, because what the hackers did was a felony. However, having been in IT myself the chance that a hacker would ever get caught is less than zero. My first instinct is that it was done through a double VPN (worth every penny for your own privacy on the Internet), which makes finding physical location damn near impossible. Plus, no identifying details in the e-mail addresses, et cetera, et cetera, et cetera.
When I was talking to Jeremiah about all this, I said, “I don’t even know how to program. It would never occur to me to buy virtual server space, especially not that much bandwidth.” After we talked about tracking down IP addresses and such, he joked, “are you sure you don’t know how to program?” I said, “no. I’m in tech support. I bail out programmers when their computers break. They can write, but God forbid the operating system throws an error.” He laughed his ass off and said, “welcome to my life.”
So, even though this was a very serious situation, I could still laugh about it (somewhat).
I am just angry that a company whose motto is “don’t be evil” didn’t even take the time to beat down the evil that was happening to me. I had to figure it out on my own. Thank God I had the technical smarts to do so. I was able to learn the web interface quickly, so that I could find all the information I needed to prove my case. It’s sad, because it was so easy that if I did ever want to purchase virtual server space (like to be able to use the full version of WordPress and tailor it on my own rather than the limitations of WordPress.com), it’s definitely the easiest panel I’ve ever used. But I just cannot justify giving them any money, no matter how small the amount.
After this happened, I changed my password to another 25 character random string and instituted two factor authentication. This means that whenever I log in on my desktop, I have to prove it’s me on my phone. If I’m using my phone, they send me a text verification code. I am not playing around. It occurred to me that if someone could get into my Google account, they could also get into my calendar and mail.
So, I created an account with ProtonMail, which encrypts e-mail going out. Privacy is built in, as opposed to Gmail, which needs a plugin called “Enigmail” (link is to the full version, Gmail web interface uses a Chrome plugin). But even ProtonMail has its limitations. If both people aren’t using secure e-mail, it can only encrypt the text on the way out.
I also prefer to use Signal on my phone, which handles text messages, but if the other person has Signal as well, the messages are encrypted. For those who use iOS, iPhone messages are already secure. Basic SMS is not. If you communicate with both iOS and Android users, I highly recommend downloading Signal or WhatsApp (I’ve tried both, and Signal won). That way, information is encrypted no matter who you’re texting.
There’s been some chatter about campaigns to get iMessage ported to Android, but I highly doubt it will gain traction. WhatsApp has nearly all of iMessage’s features, but Signal won for me because I don’t need fancy. It’s a simple text interface, and that’s what I like about it.
I’m just sorry that it took a financial disaster to get me on my soapbox about privacy, because if it could happen to me, it could happen to you, too. This is an entry I should have written years ago.
I apologize. Those responsible have been sacked.