This week ZDNet tech journalist Matt Miller wrote about how a SIM "hack" of his T-Mobile account cost him his Gmail account. And because he'd stored passwords, financial documents, and tax returns in Google Drive in plain text, it cost him pretty much everything else as well.
He was very lucky his bank's fraud unit intercepted a $25,000 purchase of Bitcoin that would have been charged to his associated credit card through overdraft protection.
If you want to learn the specifics of Matt's story, I'd recommend starting with the Chromebook blog post published by his podcasting partner, Kevin Tofel. Kevin's coverage seems clearer than Matt's own, and it includes a link to their podcast discussion. The takeaways:
- Disable SMS, known to be vulnerable, from two-factor authentication.
- Perhaps go further, and disable use of voice calls to your cell phone.
- Pre-encrypt any password files uploaded to any cloud service. Same for any confidential documents.
- Disable overdraft protection on your bank accounts. Check back from time to time to be sure it stays disabled. Better an overdraft charge than a large theft from your account that you have to pay back.
I'm still puzzling over risks from how my varied accounts inter-connect. My Google accounts refer to my iCloud email, and iCloud back to Google.
Not long ago, I set up some new iPads. When Apple asked for a phone number to send a confirmation to, I used Google Voice, which worked. Since I'm not deeply embedded in iOS and Apple's authentication systems, I don't know whether that's a particular risk after initial setup if the related Google account is hacked.
Working through steps to "harden" my Google accounts, I visited privacy settings. They're quite different in G Suite and my personal GMail account, with free GMail being far more wide open.
I've tried to corral my exposure to tracking and data exfiltration by using Firefox for browsing and search through the EU version of Startpage. I use Chrome for G Suite email and services, Chromium for my personal "free" GMail and services.
Yet the following setting (which reminds me of Ric's post about Apple settings) was On by default in my personal Gmail. I don't know whether it just happened before without Google telling us, whether the notice was always there and I'd simply never noticed it even though I'd set up privacy terms in the past, or whether it's new:
No idea how far outside Chromium's (or Chrome's) "sandbox" that enables Google to roam. Does the reference to "phone or tablet" exclude computers? It seems that's a lot of "stuff" many computer users think is local-only that Google is authorizing itself to harvest.