When the cloud goes wrong

I’ll admit it – I’m addicted to google and their services. I use Android, which saves my location history (which helps with my travel reports for work – months later I can see when and where I was), provides me with voice searches and contact management. I am a gmail user since they first announced their opening on April 1, 2004 (Ok it took me a week or so to get an invite, but I am one of the first bunch of users). I have a ton of private information here, bank statements, passwords (from sites which send you a password via email in plaintext), work contacts, etc;

Google offers great services for protecting your data as well. I am following all best practices: I have a strong password, I have enabled two factor authentication and regularly review my account activity for anything suspicious.

Or so I thought: I received a troubling email today with the contents that someone is trying to reset my password:

Hi Allen,

Thank you for contacting Google.

We received your report that you’re unable to access your Google account [[email protected]] and we understand that it can be frustrating. We want to help you!

At Google, we take the privacy and security of our users seriously so we need specific details about your account to help us verify that you’re the real owner and not someone attempting to gain unauthorized access.

The next step to recover the account is to file a claim for the account. Can you please file a claim for the account in question,[[email protected]], from the contact [[email protected]].

The process to file a claim for the account is as follows:

1) Visit https://www.google.com/accounts/recovery/ – It’s best to perform the Account Recovery flow from a known device, one you’ve used in the past to successfully logon to the account.

2) Click on “I don’t know my password” (Enter [[email protected]] as the email address).

3) Enter username and captcha if asked else answer all the questions posed by the system with the most accurate guesses.

4) Click  “Verify your identity”, “a different way”  link at bottom of page or “I didn’t enable 2-step verification” option.

5) You will reach a screen where is says “Password help for [[email protected]]”.  Under Contact information, you can enter [[email protected]].

It will take approximately 3 – 5 business days for our technical team to respond.  Please check your junk and spam folder for the response.

Let us know if you have any other questions.

Regards,

Google Accounts Team

After determining this is not a spam/phishing message, I concluded that this is simply a mistake, someone has accidentally tried to reset my account’s password; no big deal I will simply respond to them and explain the situation:

Hi,

This request appears to be fraudulent – I am the owner (since ca. 2004) of the account [email protected], and I have never heard of or seen [email protected]
I am not having a problem accessing my account.
How can I prevent this person from gaining access to my account if they were to follow the listed steps?!
Thanks

Simple, to the point, but what follows is an egregious case of someone following a script and this request is clearly not handled by their script. A number of emails back and fourth have convinced me that in 3-5 days, I may no longer have access to my account.

I will concede that this is not a ‘hardware’ issue, and I’m not sure why this request is being handled by “hardware support” – but this is the email address which originally notified me that my account password can be reset. I would hope that if ‘hardware support’ can start a password reset case, they can also contact a team responsible for it.  This is the first reply:

Hi Allen,

Thank you for contacting Google. My name is [redacted] from Hardware technical support. I was able to review your concern regarding your Google account. If you think that someone is trying to login to your Google account, please follow the steps below in order to make your account more secure: https://support.google.com/mail/checklist/2986618. You can also report this person to this website:http://www.ic3.gov/default.aspx. On that page, you can file a complaint if this person still trying to access your account. Let me know if there’s anything we can help you with.

Thanks,

[redacted]

The Google Support Team

The steps listed on the checklist are useful if you’re not already doing them and I would recommend you follow them; in my case I have every single step already covered, and this procedure would go around them all.

Hi Allen,

Thank you for your reply. Based on the issue that you have, you need to visit the ic3.gov website to file a complain regarding the email address that is messing up with your account. And the reason why the agent sent you an email on how to recover your account, is because as he understand, you’re unable to login or forgot your password. If you’re unable to use the ic3.gov support page, then try to visit our support website: https://support.google.com/mail/checklist/2986618 . If only I have a tool to make your account more secure , I have tried to do that, however, we do value our customer security and privacy on their google account that’s the reason we don’t have a tool. Again, I’m sorry to hear but we can only help you by recommending some steps, but on our end, we cant do much since we are Hardware technical support.

Thanks,

[redacted]

After 11 mails back and fourth between the Google Support Team and myself (each time I wrote I asked to be transferred to the right area), I need to:

  • Contact the US Government to report Fraud (it is important to note here, I am in Germany)
  • Call the Google Device Support in Denmark
  • Pray to the FSM that Big Brother Google doesn’t let an anonymous person into my account

I surely hope that the people handling security/privacy at Google are not this incompetent! If they do mistakenly reset my password, I am not sure what recourse I have either — probably I’ll have to follow the same procedure this person has done, then get flagged that this account was recently reset.

For this reason I have embarked on a personal goal to dump the “cloud” completely; I can’t quit cold-turkey, but a systematic dumping of cloud services is possible.