South San Francisco, CA, July 1, 2015. Submitted by Sheri Boles, CPUC
A Text Message Mess
by Kristin Cohen, July 2015, Office of Technology Research and Investigation, FTC
Let me set the scene: your friend John is rushing to get his daughter from school and his son to the soccer field, and he still needs to stop at the grocery store because there’s nothing in the fridge. In the midst of this everyday madness, he gets a text message from Google with a verification code. He thinks, “That’s weird. Maybe I should log in to my email and see what’s going on.”
Before he has a chance, he gets another message. It says:
Google has detected unusual activity on your account. Please reply with the verification code sent to your mobile device to stop unauthorized activity.
What should John do?
It’s quite possible that he might reply with the code — especially while he’s distracted, and worried that he might lose access to his email. Unfortunately, if he sends the code, he’ll be giving a hacker access to his email account.
Here’s what happened behind the scenes:
- A hacker who has John’s email address and mobile number went to the email login screen, clicked “Forgot Password,” and asked for a verification code via text message.
- John got the verification code on his phone.
- The hacker — pretending to be John’s email provider — sent him a text message and asked for the code.
- John forwarded the code to the hacker, and the hacker had everything he needed to complete the login process.
The hacker could gather a lot of information about John while snooping through his email. He also could change John’s settings, so future emails sent to John are forwarded to the hacker. It could be a long time before John notices this change.
So, what can you do?
Don’t send verification codes to anyone via text or email. Use these codes only on the login page. And if you get a verification code that you didn’t request, let your provider know about it. That could be a sign that someone is tampering with your account.
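One way to turn that advice into a defensive check is to look at the shape of the messages themselves: a genuine one-time-code text delivers a code, while the scam text asks you to send one back. The script below, an added example that is not part of the FTC article, classifies incoming SMS bodies on that basis and raises the severity when a "send me the code" message arrives shortly after a code was delivered, which is exactly the sequence the article describes. The sample messages, sender numbers and the 15-minute window are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# A message that asks the recipient to hand over a code, within one sentence.
# Legitimate one-time-code texts deliver a code; they do not ask for one back.
CODE_REQUEST = re.compile(
    r"\b(?:reply|respond|send|text|forward|provide)\b[^.!?]{0,80}\bcode\b",
    re.IGNORECASE,
)
# A delivered code: a 4-8 digit group, optionally with a letter prefix like "G-".
CODE_VALUE = re.compile(r"\b(?:[A-Z]-)?\d{4,8}\b")
CODE_WORD = re.compile(r"\bcode\b", re.IGNORECASE)

# Constructed sample inbox (not real traffic): a genuine code delivery from a
# short code, then a message asking for that code, then an unrelated text.
SAMPLE_MESSAGES = [
    ("2015-07-01 16:02:10", "22000",
     "G-482913 is your Google verification code."),
    ("2015-07-01 16:03:45", "+15555550123",
     "Google has detected unusual activity on your account. Please reply with "
     "the verification code sent to your mobile device to stop unauthorized activity."),
    ("2015-07-01 17:30:00", "+15555550199",
     "Hey, are we still on for soccer at 6?"),
]


def classify(text):
    """Return 'request', 'delivery' or 'other' for one SMS body."""
    if CODE_REQUEST.search(text):
        return "request"          # asks the recipient to give up a code
    if CODE_WORD.search(text) and CODE_VALUE.search(text):
        return "delivery"         # carries a code, asks for nothing back
    return "other"


def analyze(messages, window=timedelta(minutes=15)):
    """Scan (timestamp, sender, body) tuples in time order.

    Returns one (sender, severity, reason) finding per code-request message.
    Severity is 'high' when a code was delivered within `window` before the
    request, because that pairing is the signature of the scam described above.
    """
    findings = []
    last_delivery = None
    for ts, sender, body in sorted(messages):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        kind = classify(body)
        if kind == "delivery":
            last_delivery = when
        elif kind == "request":
            if last_delivery is not None and when - last_delivery <= window:
                gap = int((when - last_delivery).total_seconds())
                findings.append((sender, "high",
                                 "asks for a code delivered %d seconds earlier" % gap))
            else:
                findings.append((sender, "medium",
                                 "asks the recipient to send a code"))
    return findings


if __name__ == "__main__":
    for sender, severity, reason in analyze(SAMPLE_MESSAGES):
        print("%s  %-6s %s" % (sender, severity, reason))
```

The request pattern is confined to a single sentence so that a legitimate footer such as "Text STOP to opt out" does not trip it; a message like "Your code is 482913. Text STOP to opt out." is still classified as a delivery. The timing correlation is what distinguishes an opportunistic "send us your code" text (medium) from one that follows a real code delivery (high).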
If you suspect that someone has hacked into your email, here’s what to do:
1. Update or install security software from a company you trust.
- Set it to update automatically.
- Scan your computer and restore it.
2. If you can get into your email account, change your password.
- If you use similar passwords for other accounts, change them, too.
- Use a strong password: avoid family or pet names, birthdays and anniversaries. Tip: a password needs to be memorable to you but hard for someone else to guess.
- Check your account settings to ensure that no links have been added to your signature and that your emails are not being forwarded to someone else.
- If you cannot get into your email account, check with your email service provider to find out how to restore it.
3. Notify your family and friends that your email has been hacked.