Google 2-step verification

Some of you may remember that my Google account was hacked some months ago. I am still not sure how. I did suspect an app on my Android phone, where I typed in my password out of habit since it was associated with Google – but actually only displayed Google News, which don’t need the password. However, I am not sure that was the reason, or even that it was my password it asked for – there was just an input box that displayed over the screen.

Another possibility is that the thieves simply assumed that I used the same password on Google as I used everywhere else on the Internet. They were right – at the time I did use the same password pretty much everywhere. Then again I did not register at naughty places, having no need for that. The most dubious were probably the message boards for web comics, and those were already getting old at the time. I am not the kind of user who signs up for free gifts at random places. I am not exactly paranoid, obviously, but generally cautious. Maybe one of those sites was hacked. I run various anti-spyware programs on my Windows machines – Linux doesn’t need those, and that’s a fact for now at least.

In any case, back then I was lucky: The thieves only sent spam to everyone in my rather small contact list, and mostly just random letters at that. But there is now a more cruel and insidious hacker league on the warpath. Once they have control of your Google account – or Yahoo for those who use that – they send mail telling your friends that you have met some dramatic misfortune abroad and need money to get home, could they please lend you some. They also obtain enough information from your mails to answer any simple request from the cautious friend, rather than relying on a fire and forget approach. Mail the stolen account and they will pretend to be you, to the best of their limited abilities.

I am making it quite a bit harder for them, I think, by enabling the fairly new feature of 2-step verification. There are a couple of ways of doing the extra verification, but as I have a smartphone, I downloaded the Google Authenticator. It is a small app that is only used for this purpose, to generate a random 6-digit code that is used in a separate screen after mail address and password.

In other words, after logging in normally to Google, you have to supply this pass code. During setup, the account is tied to this particular phone, so the thief also needs your phone in addition to your password to hack your account. Now I just need to not lose my phone! People do that a lot, I hear. I lost a mobile phone some years ago, during a train ride.
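To show why the phone becomes a second factor, here is an added example (not Google’s code, and not from the original post) of the time-based one-time password scheme that Google Authenticator uses: a shared secret is handed to the phone once during setup, and afterwards phone and server each derive the same 6-digit code from that secret and the current 30-second time slot. The base32 secret and the function names are constructed for the example.

```python
import base64
import hashlib
import hmac
import struct
import time

# Added illustration of TOTP (RFC 6238) as used by authenticator apps; this
# is not Google's implementation. The secret below is a constructed sample.
TIME_STEP = 30   # seconds each code stays valid
DIGITS = 6       # length of the code the app displays


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock."""
    return hotp(secret, unix_time // TIME_STEP)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                window: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `window` steps so
    a slightly drifted phone clock still works. The comparison is
    constant-time so a timing difference cannot reveal matching digits."""
    step = unix_time // TIME_STEP
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, step + delta), candidate):
            return True
    return False


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps are enrolled with a base32 secret; decode it."""
    return base64.b32decode(text.replace(" ", "").upper())


if __name__ == "__main__":
    secret = secret_from_base32("JBSWY3DPEHPK3PXP")  # constructed sample
    now = int(time.time())
    code = totp(secret, now)
    print("code:", code, "accepted:", verify_totp(secret, code, now))
```

Without the secret that was enrolled on the phone, a stolen password alone yields no valid code, which is the property the post relies on.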

However, you don’t need to use this code generator every time you want to check your mail. You do it when you would normally need to sign in: when you start using a new computer, or when you have not used this one for a while, especially if you have used another computer in the meantime. For me, logging on seems to be needed mostly after power outages but otherwise a couple of times a week.

As for the phone itself, I had to write in a lengthy one-time password. For good measure, the phone was about to run out of power at the time, after only 17 hours of mostly non-use. If I ever go on a long trip again, I should probably have an extra battery. A bit inconvenient to not be able to access my mail because my phone is out of power.

There are a couple of back-up measures. The setup generates a handful of pre-defined codes for your account that can be used instead of those from the authenticator. So you can print those out and put them in your wallet or purse or shirt pocket for when the smartphone app is not available.

Another option is to get them via text or voicemail to a secondary phone, such as a work phone or landline. I don’t have a landline anymore, and to my surprise I had a hard time remembering my work phone number, even though I remember it effortlessly when at work. (I have to enter it daily in a program.) I am also wary because I had my mobile phone as backup last time, when my account was hacked, and they never sent the new password even though the number was right. They said they did, but it never arrived. So I might have lost my account for good, had I thrown away the old computer which I used when I first got my Google account. Luckily I had it, and with it all details of when it was first set up. This convinced Google to give me back my account. But if I had not descended from packrats, I would have been in trouble.

Anyway, I am not sure I have less chance of losing access to my account now. But I have less chance of sending y’all spam if it happens, and that is good.

To do this yourself, open Gmail and choose Settings (at the top). There, choose Accounts and import, and Other Google account settings. A new page opens, which includes “Using 2-step verification”. Or that’s where I did it.