February 15, 2020
Google's fake security procedures
- Lock the account.
- On login, check the password and then ask for a phone number.
- Accept the OTP via any phone. Note: the phone is not stored as the security phone! It is only a one-time, arbitrary phone.
So I expect more problems using Gmail to send automatic notifications from my small service installations, such as personal devops. This means it is much better to find and move to a custom mail server instead of Gmail. Sounds like paradise: no more worrying about email account locking, no more "look in the spam folder". This is how email is supposed to work :)
The only really big problem is that Google actually implements fake security, with "fake" as in "fake news": something in a shell labelled "security" that is not actually security. So it lies to its users, covering its intentions with the "security" topic, as in "we've blocked your account to increase security". Or wait, that is not the account's security but Google's own (as in securing their infrastructure by getting rid of bots)?
Labels: account, email, fake security, google, lock
October 20, 2018
Example of bad security model and "We have noticed an unusual activity in your account."
Of course, companies sometimes use any little reason to collect more pieces of personal information, such as a mobile phone number. For example, it makes absolutely no sense to ask for a phone number after "unusual account activity" has already been detected. Asking the very user who is logging in to provide his phone number (and possibly linking it to the account as a 2FA or account recovery channel) is actually a very bad idea in this situation! If an attacker already has the password on hand, he can also link his own phone number, thus effectively preventing the account owner from ever logging into the account again.
Threat modelling can help to understand such situations and prevent them.
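A toy model of the two binding policies discussed above, added here as an illustration (it is not Google's code; the account fields, flow names and sample values are constructed assumptions). The weak flow lets whoever holds the password bind an unverified phone during the "unusual activity" prompt; the hardened flow challenges only a channel the owner verified earlier and binds a new phone only after that challenge is answered.

```python
# Constructed model of recovery-channel binding; not Google's code.
from dataclasses import dataclass, field
from typing import Optional, Set

@dataclass
class Account:
    password: str
    verified: Set[str] = field(default_factory=set)  # channels the owner proved control of earlier
    phone: Optional[str] = None                       # phone bound as 2FA / recovery, if any

def challenge_ok(channel, controlled):
    """An OTP sent to `channel` can only be answered by whoever controls that channel."""
    return channel in controlled

def login_weak(acct, password, offered_phone, controlled):
    """Flawed flow: a flagged login with the right password may name any phone,
    answer the OTP there, and that phone becomes the account's 2FA channel."""
    if password != acct.password:
        return False
    if acct.phone is None:
        if not challenge_ok(offered_phone, controlled):
            return False
        acct.phone = offered_phone            # bound without any proof of ownership
        return True
    return challenge_ok(acct.phone, controlled)   # later logins must answer on the bound phone

def login_hardened(acct, password, offered_phone, controlled):
    """Hardened flow: a flagged login is challenged on a channel the owner already
    verified; a new phone can be bound only after that challenge is answered."""
    if password != acct.password:
        return False
    existing = acct.verified | ({acct.phone} - {None})
    if not any(challenge_ok(c, controlled) for c in existing):
        return False
    if acct.phone is None and offered_phone:
        acct.phone = offered_phone            # bound by a session that proved ownership
    return True

def scenario(flow):
    """Someone holding only the password logs in first; who can still get in afterwards?"""
    acct = Account("hunter2", verified={"mail:owner@example.org"})   # constructed sample
    owner = {"mail:owner@example.org", "tel:+15550100"}              # channels the owner controls
    intruder = {"tel:+15550199"}                                      # channels the intruder controls
    intruder_in = flow(acct, "hunter2", "tel:+15550199", intruder)
    owner_in = flow(acct, "hunter2", "tel:+15550100", owner)
    return intruder_in, owner_in, acct.phone
```

Under the weak flow the owner is locked out of his own account; under the hardened flow the password alone is not enough to bind a channel.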
Labels: account, security, threat model