Mims's Bits

Gmail's Security Hole Could Lead to Mass Harvesting of Accounts

Hackers could automate a social engineering trick that has already been proven to work.

Christopher Mims 05/20/2012

Google's account recovery procedure can make it unclear to users that they're giving hackers full access to their account

A technique used by marketers to trick people into signing up for "free" merchandise could easily be re-deployed as an engine for harvesting untold numbers of Google account passwords. Fixing the issue won't be trivial for Google, because the exploit is fundamental to how Google allows users to recover access to their accounts when they lose or forget their passwords.

While others have reported on the use of this exploit by individual hackers, I believe what you're reading now is the first account of how it could be transformed into a mass phishing scam that could dragoon even relatively sophisticated users.

The Hack

Recently, my wife and I both received, within an hour of one another, a text like this:

Your entry last month has WON! Goto http://xxxxxx enter your Winning Code: "1122" to claim your FREE $1,000 Best Buy Giftcard!

Our phone numbers are almost identical, so the fact that we both got this text in a short period of time suggests that someone is auto-SMSing it to every number in a certain range, one after another. Which would make it classic text spam, annoying but not dangerous on its own.

The URL contained in the text goes to this website, http://bestbuy.bestgiftcardsforu.com/ which asks for your email address. The site appears to be affiliated with (or at least is linking to and borrows text from) MyRewardsClub.com. I don't think these people are hackers, just marketers.

But here's how hackers could turn this marketing scheme into a password-harvesting scheme: after users enter their email address, if it's a Gmail address, hackers could automatically request that Google send an account verification code to the cell phone of the owner of that Gmail address. This is what Google does when you tell it that you forgot your password -- one of the three options for recovering it is to have a verification code sent to the cell phone number associated with your account.

In order for the user to claim their "reward" (in this case, a fake $1000 gift card) the site could then direct them to enter the verification code that Google sent to the user's phone. As soon as the site has both a user's Gmail address and that verification code, it's game over -- hackers can use the code to log into that account and immediately change the password, giving them access and locking the user out of their own account.

Other Examples of The Hack

This exploit appears to be precisely the way that a hacker got access to a number of accounts in the course of obtaining images for the website Is Anyone Up, as described by Camille Dodero in a recent feature for the Village Voice:

Is it really so easy to hack a Gmail account? See for yourself: Go to the Gmail login screen and click on the frequently ignored link underneath the sign-in menu, "Can't access your account?" Three options appear; choose "I forgot my password." Type in a Gmail address—any active Gmail address—and if there's a phone number associated with the account, you're given three more options, one of which is "Get a verification code on my phone." You don't even need to know the phone number. Just hit "continue" and an unrelated six-digit code will appear in a text to the account owner's phone. Type in that verification code—a number easily obtained by a masquerading e-impostor—and you're in. The first thing you're prompted to do is immediately change your password, thereby blocking out the original owner.

In other words, if a hacker knows only your Gmail address and can figure out how to access your phone, he's already most of the way into your shit.

In the case of the hacker collecting images for Is Anyone Up, it appears that he or she chatted up targets via Facebook.

An Increasingly Common Phishing Scheme

This attack has been used by others, and may be widespread. Lokesh Singh, a "professional hacker," describes on the site HackingLoops how one of his clients fell victim to this same hack, only the attacker used Gchat to convince the victim to hand over the verification code that Google had texted to him.

What Google and its users are facing, in other words, is a phishing scheme that appears to work even on relatively sophisticated users, or at least the kind who are smart enough not to click on random links in spam emails. But what I described at the beginning of this piece potentially takes this attack to a whole new level, beyond labor-intensive hacks of individual accounts and into the realm of automated, large-scale password harvesting.
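The automated, large-scale version of this scheme has a visible signature on the service side: one source triggering recovery-code SMS messages for many different accounts in a short time. The following detection sketch is an added example, not code from the article or from Google; the log format and sample lines are constructed for illustration.

```python
"""Flag sources that trigger recovery-code SMS for many distinct accounts in a short window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real Google logs): timestamp, source IP, account, event.
# The first source requests codes for five different accounts in eight seconds;
# the second is an ordinary user retrying recovery for a single account.
SAMPLE_LOG = """\
2012-05-20T10:00:01 203.0.113.7 alice@example.com recovery_code_requested
2012-05-20T10:00:03 203.0.113.7 bob@example.com recovery_code_requested
2012-05-20T10:00:04 203.0.113.7 carol@example.com recovery_code_requested
2012-05-20T10:00:06 203.0.113.7 dave@example.com recovery_code_requested
2012-05-20T10:00:09 203.0.113.7 erin@example.com recovery_code_requested
2012-05-20T10:30:00 198.51.100.2 frank@example.com recovery_code_requested
2012-05-20T11:30:00 198.51.100.2 frank@example.com recovery_code_requested
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, account, event)."""
    ts, ip, account, event = line.split()
    return datetime.fromisoformat(ts), ip, account, event


def find_bulk_requesters(log_text, window=timedelta(minutes=10), threshold=3):
    """Return {ip: sorted accounts} for every source that requested recovery codes
    for at least `threshold` distinct accounts inside any `window`-long span.
    A legitimate user rarely needs codes for more than one or two accounts;
    a harvesting site needs one code per victim, so distinct accounts per source
    is the discriminating signal rather than raw request volume."""
    requests_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ts, ip, account, event = parse_line(line)
        if event == "recovery_code_requested":
            requests_by_ip[ip].append((ts, account))

    flagged = {}
    for ip, reqs in requests_by_ip.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            # Sliding window anchored at each request; count distinct accounts.
            accounts = {acct for ts, acct in reqs[i:] if ts - start <= window}
            if len(accounts) >= threshold:
                flagged[ip] = sorted(accounts)
                break
    return flagged
```

Run over the constructed sample, only 203.0.113.7 is flagged; the retrying user at 198.51.100.2 is not, because repeated codes for one account do not raise the distinct-account count.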

It's great that Google has a way for users to recover access to their Gmail accounts that relies on a secondary device that hackers almost never have access to -- a user's cell phone. The weak link, as always, is the human who already has access to all their supposedly secure touch points -- the user himself. Perhaps this attack can be stymied simply by raising awareness of the fact that no one should ever, ever hand over their Google verification code.

How Facebook Saved Us from Suburbia

Research suggests social networks remedy the isolation of modern life.

Christopher Mims 05/17/2012


In 2009, the Pew Internet Trust published a survey worth resurfacing for what it says about the significance of Facebook. The study was inspired by earlier research that "argued that since 1985 Americans have become more socially isolated, the size of their discussion networks has declined, and the diversity of those people with whom they discuss important matters has decreased."

In particular, the study found that Americans have fewer close ties to those from their neighborhoods and from voluntary associations. Sociologists Miller McPherson, Lynn Smith-Lovin and Matthew Brashears suggest that new technologies, such as the internet and mobile phone, may play a role in advancing this trend.

If you read through all the results from Pew's survey, you'll discover two surprising things:

1. "Use of newer information and communication technologies (ICTs), such as the internet and mobile phones, is not the social change responsible for the restructuring of Americans’ core networks. We found that ownership of a mobile phone and participation in a variety of internet activities were associated with larger and more diverse core discussion networks."

2. However, Americans on the whole are more isolated than they were in 1985. "The average size of Americans’ core discussion networks has declined since 1985; the mean network size has dropped by about one-third or a loss of approximately one confidant." In addition, "The diversity of core discussion networks has markedly declined; discussion networks are less likely to contain non-kin – that is, people who are not relatives by blood or marriage."

In other words, the technologies that have isolated Americans are anything but informational. It's not hard to imagine what they are, as there's been plenty of research on the subject. These technologies are the automobile, sprawl and suburbia. We know that neighborhoods that aren't walkable decrease the number of our social connections and increase obesity. We know that commutes make us miserable, and that time spent in an automobile affects everything from our home life to our level of anxiety and depression.

Indirect evidence for this can be found in the demonstrated preferences of Millennials, who are opting for cell phones over automobiles and who would rather live in the urban cores their parents abandoned, ride mass transit and in all other respects physically re-integrate themselves with the sort of village life that is possible only in the most walkable portions of cities.

Meanwhile, it's worth contemplating one of the primary factors that drove Facebook's adoption by (soon) 1 billion people: Loneliness. Americans have less support than ever -- one in eight in the Pew survey reported having no "discussion confidants."

It's clear that for all our fears about the ability of our mobile devices to isolate us in public, the primary way they're actually used is for connection.

On average, the size of core discussion networks is 12% larger amongst cell phone users, 9% larger for those who share photos online, and 9% bigger for those who use instant messaging.

The Pew study is full of factoids like this one. Bloggers are more likely to have confidants of a different race, people who upload photos online are 61% more likely to have a confidant with different political views, etc.

Humans are a social species, and we will use any outlet we're offered to connect with one another. Cultural shifts, the flight to the suburbs and our short-sighted investments in fossil-fuel based infrastructure put up barriers to social connections that we are only now coming to grips with. For all the hand-wringing over how we connect online, it's clear that the one unalloyed good social networks have accomplished is a net increase in our interdependence.

The question worth asking is: How did it occur to a generation raised in the suburbs that they could have the kind of civic life that can only be achieved in people-centered neighborhoods? Isn't it possible that in the 21st century we expect more of our physical environments because that kind of connectedness is what we've come to expect from our virtual ones?

The Only Way Facebook Can Justify Its Valuation

"It would be really interesting if Facebook launched a credit card. In fact, it would be terrifying."

Christopher Mims 05/16/2012

Zuckerberg (Photo: Scoble)

Farhad Manjoo has pointed out that for Facebook to maintain its share price, it needs to figure out how to increase its revenue by a factor of ten. Going from $5 per user per year in advertising revenue to $50 per user per year is about as likely as Facebook going from 1 billion users to 10 billion, which I suppose is the other way the company could increase revenue proportionally, even if it requires an alternate Earth's worth of additional human beings.

So! Either this IPO is, as the Wall Street Journal has suggested, the biggest shell game in the history of stock offerings, pushed along by those who want to cash out their shares in the company at the expense of unsophisticated investors who are piling on, or Facebook has a plan.

I don't think Facebook actually has a plan. I think it's the new AOL. But if it did have a plan, this is what it would look like.

Facebook Must Become A Bank

Forget Square, the credit card processing dongle for mobile devices produced by a company headed by Twitter alum Jack Dorsey. What the payments industry needs is a fast follower with serious reach and the desire to vanquish every other player in this space.

Or, as Dan Hon, interactive creative director at Wieden and Kennedy recently told me, "It would be really interesting if Facebook launched a credit card. In fact, it would be terrifying."

Facebook already has a credits system designed to fuel the compulsive addictions that afflict some of its users (and which are otherwise known as games like FarmVille). Tim Carmody did a good job of explaining the possible scenarios for an expanded credits system, but that's not what I'm talking about.

The appropriate analogy is Apple and iTunes.

"iTunes has so much credit card information that if they weren't such a singly focused company you could imagine them taking on the retail banking business, and Apple-ifying it." says Hon.

An Apple-style stunningly easy and simple to use payments system has the potential to take over, but the result would be something that only worked in one way -- as the ghost of Steve Jobs intended it. Facebook's take on this system would probably be a lot less tightly controlled (and not nearly as inspired). There's also the small matter that, unlike Apple and Amazon, Facebook doesn't have your credit card -- yet.

Under Zuckerberg's leadership, Facebook remains a surprisingly nimble company, considering its size. But as Manjoo points out, going public means, inevitably, bowing to the pressures of shareholders, who want their money's worth. Look for Facebook to acquire Square -- or try to kill it. Or, if they're really savvy, make a lateral shift on the scale of Apple's entrance into the phone market.

Bio

Christopher Mims is a journalist who covers technology and science for just about everybody.
