How the Equifax Hack scared me into installing Google Search and may have saved me $55


This story involves an aging dog, the Google Search app, a Citibank credit card perk I’ve never before used, and the infamous Equifax Hack (for the latter, see: Is the Equifax cure worse than the hack?).

While doing research for my “Equifax Hack Rx” series, I learned how insecure SMS is for two-factor authentication, and that led me to change the security on my Gmail account.  Did I lose you there?  Let me back up…  The main thing I’m worried about with the Equifax Hack is the likelihood that our personal information will be used by criminals to get access to our accounts: bank accounts, digital currency accounts (BitCoin, for example), frequent flyer accounts, etc.  All they would need to do is try to log into our accounts and click the “forgot password” link.

Thanks to the Equifax Hack, criminals may now have all of the information they need to reset our passwords.

After clicking “forgot password” the criminal may have to answer some questions to prove that they are you.  Well, thanks to the great security forces at Equifax, the criminal may now have the information needed to do just that.  In many cases, though, the way a criminal must “prove” they are you is by receiving a text or email message containing a one-time code.


Regardless of whether the criminal must answer security questions or get access to a one-time code, the end result if they are successful is a new one-time password sent by email.

If the criminal gets that one-time password, then they are in.  Most financial institutions have additional safeguards to prevent people from suddenly cleaning out your account, and federal and state laws are likely to protect you anyway.  But other forms of digital valuables are not so well guarded.  Digital currencies like BitCoin can be instantly and irrevocably liquidated.  And loyalty rewards (frequent flyer miles, store rewards, etc.) can often be cashed out quickly and easily as well.

All of this shows how critically important it is to safeguard your email account.  A strong password isn’t enough: a hacker can still get in through the “forgot password” flow.  For years, I thought that I had properly secured my Google Gmail accounts by enabling two-factor authentication.  Anytime I logged into my Google account from a new device, Google would send me a code via SMS text message.  The only way into my inbox was by entering that code.  That’s safe, right?  No… it turns out that it’s not safe at all.

Just last week, Forbes published “All That’s Needed To Hack Gmail And Rob Bitcoin: A Name And A Phone Number”.  Apparently it’s easy for an expert hacker to intercept text messages!  The article describes a hacking demonstration by researchers from Positive.  Here’s a summary quoted from the article:

In their attack, the Positive researchers first went to Gmail, using Google’s service to find an email account with just a phone number. Once the email account was identified, the hackers initiated a password reset process, asking one-time authorization codes to be sent to the victim’s phone. By exploiting SS7 weaknesses they were able to intercept text messages containing those codes, allowing them to choose a new password and take control of the Gmail account. They could then simply head to the Coinbase website and do another password reset using the email they’d compromised.

Yikes!

Fixing the hole where the hackers get in…

Immediately after reading this article, I browsed to my Google account (myaccount.google.com) and ran their Security Checkup.  At the end, I had a chance to change my 2-factor authentication settings.  I removed my phone as an option and instead set up both Google’s Authenticator app and the Google prompt options.  I installed the Google Authenticator app on my iPhone for the former, and installed the Google Search app to enable the latter.

I’m sure that I’m nowhere near completely safe from hackers, but by changing my 2 factor authentication to less vulnerable options, I should be significantly safer than before.

How to set up 2-Step Verification with Google

  1. Browse to your Google account (myaccount.google.com)
  2. Run the Security Checkup
  3. At the end, click the link for 2-Step Verification settings (this link might take you right there, but it’s better to run through the whole security checkup)
  4. Turn on 2-Step Verification and then select how you want to handle the 2nd step (the first step is entering your password; the second step can be something like a code sent to your phone or to an app, or something else).
  5. For my 2nd verification step, I chose “Google prompt”.  This way, when I log into Google from a new device, a prompt pops up on my phone asking me if I intended to do that.  I just press yes.  If you have an Android phone, you don’t need to install anything on your phone to make this work.  If you have an iPhone, you need to install the Google Search app to make this work.
  6. As a backup, I also set up Google Authenticator.  Authenticator is an app that shows a code that can be typed in for the second verification step.  It’s a bit more work than Google prompt, but it works with some other non-Google programs (such as LastPass).  Note that I do not have to use this to log into Google from new devices. I use it only as a backup in case something goes wrong with the Google prompt.

    NOTE: Reader Russ recommends Authy instead of Google Authenticator.  I’m considering switching to Authy as my backup 2nd step.

About that Google Search app…

One of the things that the Google Search app can do is to hack your life… but in a good way (albeit creepy).  Within minutes of installing the app, this alert popped up: “Update on a product you researched: Price drop”.

When my dog isn’t busy photo bombing my credit card photo shoots, he spends his time getting older instead.  We don’t know how old he is — he was a rescue — but we know from his behavior that his attempt to get older is working…

Photo captions: “Photo bomb!”, “Rough day”, “Really rough day”

In addition to aging, our dog’s other favorite hobby is to sleep.  And as he gets older, he has a tougher time each day jumping up to our bed.  Even though he sleeps most of the day wherever he is around the house, nothing is as good as sleeping in bed.  So we bought him foam doggie stairs that we found on Amazon.  He hated them.  Despite treats, goading and cajoling, he wouldn’t climb those stairs.

So, we tried a more expensive option: Drs. Foster & Smith Dura-Ruff® Indoor Ramp.

See that happy dog on the ramp? That’s NOT how our dog uses it. He jumps up to the landing and from there jumps up to our bed.

Well, it sort-of works.  Our dog won’t use the ramp part of the thing at all, but he does jump to the midway point and from there jumps up to our bed.  Mission accomplished (as long as he doesn’t get any older).

So… back to that Google price drop alert…  I had paid $135, but the same ramp was now being advertised for $79.99.  That’s a $55 difference.

I had paid for the ramp with a Citibank card.  That was good news since Citi has a nice “Price Rewind” feature for all of their cards.  Theoretically you can have Citi watch prices for you and automatically pay you when the price drops.  In this case, Drs Foster & Smith products are apparently not in their search zone.  Instead, I filled out a Price Rewind Benefit Request Form and emailed it to Citi.  While they haven’t responded yet, I do expect to get the difference back.

As an aside: I probably should have contacted the online store’s customer support to see if they would refund the price difference directly.  I was curious about using credit card price protection, though, so I decided to try out that benefit.

Wrap Up

All of the above was a long way of saying that you should do the following:

  1. You should set up two-factor authentication to protect your email accounts
  2. Whenever possible, don’t use SMS (phone texts) for two-factor authentication.  Instead, use something like Google’s Authenticator app.

and (less importantly):

  3. If you’re going to buy something that is likely to drop in price, use a credit card that has some form of price protection (many do).
  4. Consider allowing Google to mine your life (they’re doing it for good, right?)
  5. Do whatever it takes to make your dog happy.
