Mims's Bits

Gmail's Security Hole Could Lead to Mass Harvesting of Accounts

Hackers could automate a social engineering trick that has already been proven to work.

Christopher Mims 05/20/2012

Google's account recovery procedure can make it unclear to users that they're giving hackers full access to their account

A technique used by marketers to trick people into signing up for "free" merchandise could easily be re-deployed as an engine for harvesting untold numbers of Google account passwords. Fixing the issue won't be trivial for Google, because the exploit is fundamental to how Google allows users to recover access to their accounts when they lose or forget their passwords.

While others have reported on the use of this exploit by individual hackers, I believe what you're reading now is the first account of how it could be transformed into a mass phishing scam that could dragoon even relatively sophisticated users.

The Hack

Recently, my wife and I both received, within an hour of one another, a text like this:

Your entry last month has WON! Goto http://xxxxxx enter your Winning Code: "1122" to claim your FREE $1,000 Best Buy Giftcard!

Our phone numbers are almost identical, so the fact that we both got this text in a short period of time suggests that someone is auto-SMSing it to every number in a certain range, one after another. Which would make it classic text spam, annoying but not dangerous on its own.

The URL contained in the text goes to this website, http://bestbuy.bestgiftcardsforu.com/, which asks for your email address. The site appears to be affiliated with (or at least is linking to and borrows text from) MyRewardsClub.com. I don't think these people are hackers, just marketers.

But here's how hackers could turn this marketing scheme into a password-harvesting scheme: After users enter their email address, if it's a gmail address, hackers could automatically request that Google send an account verification code to the cell phone of the owner of that Gmail address. This is what Google does when you tell it that you forgot your password -- one of the three options for recovering it is to have a verification code sent to the cell phone number associated with your account.

In order for the user to claim their "reward" (in this case, a fake $1000 gift card) the site could then direct them to enter the verification code that Google sent to the user's phone. As soon as the site has both a user's Gmail address and that verification code, it's game over -- hackers can use the code to log into that account and immediately change the password, giving them access and locking the user out of their own account.

Other Examples of The Hack

This exploit appears to be precisely the way that a hacker got access to a number of accounts in the course of obtaining images for the website Is Anyone Up, as described by Camille Dodero in a recent feature for the Village Voice:

Is it really so easy to hack a Gmail account? See for yourself: Go to the Gmail login screen and click on the frequently ignored link underneath the sign-in menu, "Can't access your account?" Three options appear; choose "I forgot my password." Type in a Gmail address—any active Gmail address—and if there's a phone number associated with the account, you're given three more options, one of which is "Get a verification code on my phone." You don't even need to know the phone number. Just hit "continue" and an unrelated six-digit code will appear in a text to the account owner's phone. Type in that verification code—a number easily obtained by a masquerading e-impostor—and you're in. The first thing you're prompted to do is immediately change your password, thereby blocking out the original owner.

In other words, if a hacker knows only your Gmail address and can figure out how to access your phone, he's already most of the way into your shit.

In the case of the hacker collecting images for Is Anyone Up, it appears that he or she chatted up targets via Facebook.

An Increasingly Common Phishing Scheme

This attack has been used by others, and may be widespread. Lokesh Singh, a "professional hacker," describes on the site HackingLoops how one of his clients fell victim to this same hack, only the attacker used Gchat to convince the victim to hand over the verification code that Google had texted to him.

What Google and its users are facing, in other words, is a phishing scheme that appears to work even on relatively sophisticated users, or at least the kind who are smart enough not to click on random links in spam emails. But what I described at the beginning of this piece potentially takes this attack to a whole new level, beyond labor-intensive hacks of individual accounts and into the realm of automated, large-scale password harvesting.

It's great that Google has a way for users to recover access to their Gmail accounts that relies on a secondary device that hackers almost never have access to -- a user's cell phone. The weak link, as always, is the human who already has access to all their supposedly secure touch points -- the user himself. Perhaps this attack can be stymied simply by raising awareness of the fact that no one should ever, ever hand over their Google verification code.

Why Bank Websites Are Suddenly Less Secure

So much for "two-factor authentication."

Christopher Mims 02/06/2012


Throwing another lock on seems like the most logical way to secure an apartment—or a website. But a new attack called "Man in the Browser" allows attackers who have infected a computer with malicious software to get around the bank website security systems that demand, for example, a PIN in addition to a password.

A BBC investigation uncovered the vulnerability. Once an attacker has access to the browser, they can ask a user to enter their authentication code or password into an inappropriate field as part of an effort to "train a new security system." If the user falls for it, the attacker gets full access to the bank's website, and can even obscure withdrawals of funds.

This points to a larger issue, says security technology OG Bruce Schneier: All security solutions that consist of adding another password or pin to the process are attempts to authenticate that a person is who they say they are, when the only real solution is to authenticate the transaction itself.

That means what all bank and other secured websites need are elaborate fraud-detection algorithms akin to those used by the financial industry to secure credit cards. Credit cards are easily forged, but it doesn't matter, in part because banks prevent fraud by examining activity rather than trying to directly verify that a credit card is being used by its rightful owner.

How to Prevent a Gawker-Style Hack From Endangering You

You don't have to memorize hundreds of passwords to ensure hackers won't compromise your online identity.

Christopher Mims 12/12/2010


Here are two key facts for all those people who are going to be compromised by the breach and subsequent publication of 1.3 million username, password and email account combinations from Gawker.com:

1) Theoretically, this sort of thing could be happening all the time, owing to the large number of websites that now have at least one of our passwords.

2) It is pathetically easy to make sure this kind of attack never threatens your online security.

First, let's start with the briefest possible outline of the facts. If you've already digested the rest of the coverage on this subject, you can skip the next two paragraphs, and if you already grok why it's incredibly unwise to use the same password on multiple sites, you can skip the next four.

Hackers got into the commenter accounts database (and every other database, apparently) of Gawker.com. This database includes not only usernames and passwords, but also email addresses. We know because they made the entire database public--it's available via BitTorrent right now.

Because so many people use the same password for absolutely everything--one survey suggests it could be as high as 75 percent--hackers everywhere now have access to encrypted versions of the passwords used by Gawker commenters and the email addresses for which those passwords are quite likely to work. The encryption on these passwords is weak, but the good news is that Gawker was only storing the first 8 characters of these passwords. If your password is therefore 10 or more characters long, you might be safe even if you didn't change it on all the other sites on which you use it.

Plenty of people are going to change their passwords in response to this security breach. But for one reason or another, many won't, which leaves them vulnerable for the foreseeable future.

More importantly, this attack points out a simple fact that we should all keep in mind when creating passwords online. When you use the same password for a bunch of different sites, you're making that password only as secure as the weakest site on which you use it. Which is to say, the easiest way to hack into someone's Google mail account is to find their password on some site with lesser security: This human element is the number one vulnerability in Gmail.

Here's how you defeat this basic fact of internet security, which is that sooner or later your password will become public, by some means or another:

Guarantee Your Security By Memorizing Four Passwords and Using Them in Tiers

1. All of us have a throwaway password we use on sites we don't care about. Good! Keep using this password on sites you don't care about (like Gawker.com). If it's ever breached, hackers now have the one password you couldn't care less about. Worst case scenario: they hack into your Last.fm account (etc.) and start posting embarrassing "likes."

2. For sites on which you don't want to be impersonated (Twitter, Facebook, etc.) use a second password, different from the first. Make sure it's not a word in the dictionary, make it as long as you are comfortable making it, and make sure it contains special characters in the middle, and not just at the end.

3. For your primary email account, use a totally unique password, and make sure it's long, contains special characters, etc. Your email account may contain information about other accounts you have, even passwords--this makes it a sort of "master key" that you must zealously guard with a password used on no other site.

4. For your really, super important accounts--we're talking bank accounts here--use a fourth password that you don't use on any other kind of site. You don't ever want a hacker cracking that random web app you used, or a snoop using Firesheep to spy on your Facebook login, to gain access to your bank accounts. (Granted, most of these accounts also have PIN numbers to prevent just such an attack.)

Anyway, that's it. Four passwords: One is garbage, and you might as well scrawl it in plain text across your forehead. One gets used on sites like Facebook that probably have pretty decent security. And two very special passwords lock up only your bank accounts and your email. Contrast this approach with the advice from Lifehacker linked from the Gawker.com post announcing that the site had been hacked and that all users should update their passwords (as in, all of them):

You don't need to remember 100 passwords if you have 1 rule set for generating them. One way to generate unique passwords is to choose a base password and then apply a rule that mashes in some form of the service name with it.

I, for one, prefer not to have to go through any mental gymnastics when trying to figure out what password I used for a site. Instead, I rest easy knowing that my garbage password is vulnerable, and the rest relatively safe.


Bio

Christopher Mims is a journalist who covers technology and science for just about everybody.
