Gmail prompt to provide phone number sounds like a threat

  • DoomBot5@lemmy.world
    link
    fedilink
    English
    arrow-up
    218
    arrow-down
    12
    ·
    1 year ago

    Dumb take. All it’s warning you is that without those, you won’t have a way to recover your account it you lose your password or if it’s hacked and someone changes it.

    • Matomo@lemmy.ml
      link
      fedilink
      arrow-up
      76
      arrow-down
      5
      ·
      1 year ago

      Yeah, I’m all for bashing companies regarding privacy and whatnot, but this is just informing/warning you about account security.

      • lemmyvore@feddit.nl
        link
        fedilink
        English
        arrow-up
        8
        arrow-down
        16
        ·
        1 year ago

        It’s facetious though. They don’t need phone numbers to verify you, they can just use TOTP codes which can be used by anybody. Ask yourself why they insist on you giving them your phone to enable TOTP, when there’s no relation between the two. They want phone numbers because lots of people stick with one number all their life so it’s an excellent means of identifying them.

        • fapforce5@lemmy.world
          link
          fedilink
          arrow-up
          8
          arrow-down
          1
          ·
          1 year ago

          I’m not familiar enough with TOTP codes, but they don’t seem feasible for your average user as a reliable way to recover your account

          • /home/pineapplelover@lemm.ee
            link
            fedilink
            arrow-up
            3
            arrow-down
            1
            ·
            1 year ago

            My school is requiring students to instal specifically Microsoft 2fa (uses microsoft’s proprietary algorithm). So I’m sure that people can figure how to download an app and scan a qr code.

            • Trainguyrom@reddthat.com
              link
              fedilink
              English
              arrow-up
              2
              ·
              1 year ago

              If this is for a M365 account you don’t have to use the Microsoft authenticator. It’ll nag every login but it’ll let you use a different authenticator. I set up my college email last year with Duo as the 2FA because I already needed Duo for work, and it was fine

                • Trainguyrom@reddthat.com
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  edit-2
                  1 year ago

                  What you do is when you’re setting up the 2FA token in M365 select the type of 2FA since it supports a wide variety of 2FA types, including SMS

          • lemmyvore@feddit.nl
            link
            fedilink
            English
            arrow-up
            2
            arrow-down
            4
            ·
            edit-2
            1 year ago

            I mean, if you come back years later and lay a claim to an account you’re going to have to show something that proves who you are.

            An SMS sent to the phone number stored on the account is no more reliable than asking the user to generate a code with an authenticator app (based on a secret that is stored in both the account and the app). People can lose the app/phone just as easily as the number. Also, SMS confirmations suffer from many vulnerabilities that TOTP codes do not.

            The main point is that these methods are not related. Google could and should offer them side by side. Let people take their pick of any of the following:

            • Confirmation message sent by email (and let people add multiple address not just one).
            • SMS to phone number (again, let them add multiple numbers).
            • TOTP code generated with authenticator app.
            • One-time-use secret codes written down somewhere.
            • Secret question/answer pairs.
            • Codes generated by USB key fobs.
            • Confirmation on a phone that’s still logged in to that Google account (this doesn’t require the phone number).

            Google is witholding some of these methods until you give them your main phone number, which is obviously a ploy to get your main number so they can track you.

            I’m frankly surprised that a privacy-oriented community is not aware of the fact phone numbers are an excellent means of tracking people across services and databases for extended periods of time.

            • Amju Wolf@pawb.social
              link
              fedilink
              English
              arrow-up
              3
              ·
              1 year ago

              Google kinda does do that though. You can have a recovery email (or multiple IIRC), or you can have a phone number.

              TOTP and hardware authenticators are more for second factor authentication; you’re probably more likely to use those than a password, and they don’t really make sense for recovery.

              • lemmyvore@feddit.nl
                link
                fedilink
                English
                arrow-up
                2
                ·
                1 year ago

                Why wouldn’t they make sense for recovery? They’re authentication factors just like passwords.

                “Second” factor means you should have multiple, not that one of them is beneath the others. And they all work just as well for authentication and recovery.

                • Amju Wolf@pawb.social
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  edit-2
                  1 year ago

                  Because you’re much more likely to lose or break a hardware fob than lose a password, let alone change (lose or whatever) recovery email or phone.

                  Like, it would be a neat option; ideally you could set up literally anything and say what combination of factors you want to use for recovery and which to use for authentication, but it’d be a pretty big change for a tiny minority of users.

              • DoomBot5@lemmy.world
                link
                fedilink
                English
                arrow-up
                1
                arrow-down
                2
                ·
                1 year ago

                Google can use the phone number on file to text a verification code for password reset.

    • Max-P@lemmy.max-p.me
      link
      fedilink
      arrow-up
      30
      arrow-down
      1
      ·
      1 year ago

      People here don’t realize how dumb the average user can be. I’ve helped countless people attempt to recover their accounts to which they forgot the password to because they were logged in on their computer and just went to it, and were shocked once they let the cookie expire.

      Backup security questions? “Oh, I put random garbage there, there’s no way I remember”.

      I’ve known people that end up with a new email more often than they end up with a new phone number for that exact reason. Or worse, they also got a new phone number without thinking about their 2FA SMS and lose a whole bunch of accounts.

      With social engineering attacks all over the place, more and more companies just won’t help you in the name of security.

      Those users absolutely need to be nudged towards adding backup account recovery info.

    • janonymous@lemmy.world
      link
      fedilink
      arrow-up
      17
      arrow-down
      1
      ·
      1 year ago

      Yeah, probably, but I’ve noticed lots of sites use security as an excuse to get your phone number. For my work account Google forced me to enable 2FA for security reasons, but wouldn’t allow the authenticator, only my phone number, until they had it. Then I was allowed to switch to the authenticator. That was not a setting my employer could change, either, they tried for half an hour.

      Phone numbers are used to congregate the your data that’s collected on different sites to one profile. I’m pretty sure that is the main reason Google and others are pushing you so hard to give it up.

      • w2tpmf@kbin.social
        link
        fedilink
        arrow-up
        6
        arrow-down
        10
        ·
        1 year ago

        Nonsense. You don’t even have to use Google’s authenticator when setting up MFA. You can just scan the QR it gives you using any authenticator app. You can use Microsoft Authenticator, Duo Mobile, Lastpass, WatchGaurd, etc, etc

        • lemmyvore@feddit.nl
          link
          fedilink
          English
          arrow-up
          4
          arrow-down
          3
          ·
          1 year ago

          I don’t think you understand. They don’t force you to use Google Authenticator. They don’t let you use any authenticator app until you give them your phone number.

          This tactic was used in the past by many other sites, off the top of my head LinkedIn, Facebook, Amazon. It’s a scheme to get your number because then it can be used to cross-identify you everywhere.

          Example: if I were to verify my phone number with Twitch, which is an Amazon company, they would be able to correlate everything I ever bought on Amazon with my gaming habits.

    • Blizzard@lemmy.zip
      link
      fedilink
      English
      arrow-up
      15
      arrow-down
      8
      ·
      1 year ago

      There are other ways to recover an account. Google just wants to have your phone number, security is an excuse and use of fear mongering to get is pathetic and shameless.

      • Jilanico@lemmy.world
        link
        fedilink
        English
        arrow-up
        7
        arrow-down
        1
        ·
        1 year ago

        Can you describe some alternatives to a recovery phone or email? Honest question.

        • Blizzard@lemmy.zip
          link
          fedilink
          English
          arrow-up
          7
          arrow-down
          3
          ·
          1 year ago

          Secondary e-mail address, security questions, recovery key, physical key fob - from the top of my head. Better or worse, the point is - it doesn’t have to be a phone number.

          • newIdentity
            link
            fedilink
            arrow-up
            8
            ·
            edit-2
            1 year ago

            It’s asking for a secondary email address or phone number. Security questions are insecure and probably the worst reset methode there is. Most users don’t even know what a security key is so it’s pretty pointless to mention it if only like 1% are actually using it and it could cause more confusion than it helps.

            Edit: apparently it actually does ask for both. But it’s not even mandatory. Its just a warning

        • LoafyLemon@kbin.social
          link
          fedilink
          arrow-up
          6
          arrow-down
          3
          ·
          1 year ago

          I’m curious about their perspectives too.

          The only other options I can consider are government-issued ID verification, a bank validation process (a fast transfer to confirm identity), or the use of a debit/credit card.

          All of the above alternatives involve significantly more intrusion than requesting a phone number.

          • Jilanico@lemmy.world
            link
            fedilink
            English
            arrow-up
            3
            ·
            1 year ago

            Agreed, or a burner alternate email. If Google didn’t give any option other than phone number maybe we could make a case of ill intent.

            I think the main driver here isn’t that they want your phone (although they’re happy to have it, I’m sure), but they don’t want the tech support headache of manually verifying and unlocking accounts for tons of people.

          • fidodo@lemm.ee
            link
            fedilink
            arrow-up
            2
            ·
            1 year ago

            Especially when they already have access to your entire email history. If they wanted your phone number for nefarious means it will probably be somewhere in that history already. Your email already requires complete trust in the email provider service, there’s so much more sensitive stuff they already have access to.

            • lemmyvore@feddit.nl
              link
              fedilink
              English
              arrow-up
              2
              arrow-down
              3
              ·
              1 year ago

              Having your phone number means that whenever you get a new Android phone they will instantly know who you are even if you don’t use the same Google account on that phone, or even if you never use any Google account. How does that sound?

              • fidodo@lemm.ee
                link
                fedilink
                arrow-up
                2
                ·
                1 year ago

                There’s also this thing called a phone book which has almost everyone and their number in it. Phone numbers are not sensitive information, period.

                • lemmyvore@feddit.nl
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  1 year ago

                  Phone books don’t show mobile numbers. In Europe at least mobile registries are private and subject to restrictions. Phone numbers are considered personal identification information under privacy laws, because portability regulations have made it possible for people to carry the same number for most of their lives.

                  Heck, I’m not sure phone books are still a thing over here, but if they still exist they’re not allowed to show numbers for private individuals.

                  A few years ago there were websites that maintained phone number databases and would let you search who owns a number but GDPR stopped them cold.

        • Phanatik@kbin.social
          link
          fedilink
          arrow-up
          1
          arrow-down
          1
          ·
          1 year ago

          Well the alternative to having to recover your account is to prevent you losing access to it which usually comes in the form of 2FA or MFA.

          If you’re so protective of your personal information that you don’t want to hand over your phone number then you should be taking steps to secure your account.

          Or don’t use Gmail.

    • KhalBrogo@lemm.ee
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      1
      ·
      1 year ago

      Actually I had to let go of an email because Google wouldn’t let me login without giving my number or alternative email

    • wolre@lemmy.world
      link
      fedilink
      arrow-up
      11
      ·
      1 year ago

      I do agree that adding some kind of backup option is probably a good idea. For many people, losing their email account would mean being locked out of basically all their online accounts (or, in case the account gets compromised, it would mean that all other online accounts would now be compromised too). The majority of people do not use password managers or 2FA, and I’ve made the experience that many people simply cannot be convinced to make online security a priority. While I’m also a FOSS and online privacy advocate and use tons of self hosted services for that reason, having some way to regain access to their Google account is almost certainly worth the extra data point that Google gets access to. Especially since the likelihood of them already knowing about your phone number is basically 100% if you are logged in on an Android device.

    • The Hobbyist@lemmy.zip
      link
      fedilink
      arrow-up
      10
      ·
      1 year ago

      You dont even need google to access your emails for that. You dont even need to be a google user at all, unfortunately.

      I think the phone number is easily found by google, by all their users synching their contact list… If you’re google and you have 100 people Synching John B. Smith with number 123 in Region A of the world, you’re pretty confident that that the person and the phone number are linked.

      • And that’s terrifying.

        Imagine you didn’t even heard about google, but some of your colleague/friend use Google contact synching (which is very default these days) And ta da! Google knows your name and number with 99% percent of accuracy.

    • Trainguyrom@reddthat.com
      link
      fedilink
      English
      arrow-up
      6
      ·
      1 year ago

      I used to work in support for a phone manufacturer. I spent more hours than I’d like to know helping people navigate Google account recovery because their only computing device was their phone which they just got replaced under warranty and they don’t remember their Google password. The lucky ones had set a recovery phone number and/or email, the unlucky ones were simply at the mercy of the ivory tower that is Google

  • anteaters@feddit.de
    link
    fedilink
    arrow-up
    37
    arrow-down
    2
    ·
    1 year ago

    Google can close your email account down at any time for any stupid reason they like and their nonexistant support will leave you standing in the rain without access to years of mails. Switch to a paid mailer with actual support ASAP

    • TCB13@lemmy.world
      link
      fedilink
      English
      arrow-up
      25
      arrow-down
      2
      ·
      1 year ago

      I once paid for Lavabit email and it was then raided by the NSA/CIA/FBI (Snowden case) and they shut everything down. I lost access to my account and to a 3rd party account that had a considerable amount of money pending withdrawal. I was never able to get the money. Lesson learnt: paying for your email won’t save you.

      • ram@lemmy.ca
        link
        fedilink
        English
        arrow-up
        21
        ·
        1 year ago

        Ya, never trust US companies. Their government’s crazy to jump in and take anything they want; you may not even know they took it.

  • ono@lemmy.ca
    link
    fedilink
    English
    arrow-up
    26
    arrow-down
    7
    ·
    edit-2
    1 year ago

    Can confirm.

    Google locked me out of my account for not giving them my phone number. Even though I used the correct password. Even though I verified myself through the recovery email, which has been the same for ages. Even though I wasn’t using a VPN or connecting from a public network. Even though there was no reason to think my account or credentials were compromised.

    They are, in fact, extorting phone numbers from people.

    Thankfully, I don’t depend on my google account for anything, but I’m still stuck receiving spam forwarded by gmail, because I can’t log in to turn off forwarding. (I’ll probably have to filter it out at some point.) I honestly hope they just delete my account after some months without a phone number.

    • scottywh@lemmy.world
      link
      fedilink
      arrow-up
      5
      ·
      1 year ago

      If you can’t login they will definitely delete the account sooner or later.

      They’ve been sending out notices recently talking about changes to their account inactivity policy saying just that.

      • ono@lemmy.ca
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        4
        ·
        edit-2
        1 year ago

        This has nothing to do with compromise,

        Clearly.

        they just don’t want to deal with this many bot accounts.

        Whatever excuse they might have doesn’t change the fact that they are extorting phone numbers from people.

    • TheProtagonist@lemmy.world
      link
      fedilink
      arrow-up
      3
      ·
      1 year ago

      So Google will not let me log in to my account unless I provide them my phone number? But at the same time they require a regular log in (at least once a year or every two years), so your account doesn’t get deleted?

      I have an old Gmail account, I don’t use anymore, but it’s tied to my name, so I wouldn’t want someone else to use it at some point. I thinks there’s one email client that regularly connects to that account. I hope that will be sufficient to preserve it, but I would not feel comfortable giving them my phone number, when I have no other links to Google services (this may be different, if you use an Android phone anyway).

    • Phoenixz@lemmy.ca
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      2 years and it’ll be deleted.

      I still have a Gmail account but I’m trying better solutions… Maybe my own hosted system. Whether I pay google or a hosting company with open source software is the same money, the latter means privacy

      • lemmyvore@feddit.nl
        link
        fedilink
        English
        arrow-up
        5
        ·
        edit-2
        1 year ago

        Get your own domain and use migadu.com. The starter plan is $20/year.

        For extra privacy get a domain in .de, .be, .fr, or .nl, their registries protect owner data automatically.

        If you’re also looking for a registrar check out INWX.

  • Blizzard@lemmy.zip
    link
    fedilink
    English
    arrow-up
    17
    ·
    1 year ago

    You could lose access to your X years of Gmail history with 2FA enabled if you lose your phone.

      • EngineerGaming@feddit.nl
        link
        fedilink
        arrow-up
        2
        ·
        1 year ago

        I wonder if it works in an Android VM. The shittier thing they’ve done is requiring a non-prepaid number for Overwatch 2, locking out people who can’t afford anything else… And some regions as well.

      • Blizzard@lemmy.zip
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        I don’t think that’s true, I don’t have the app and I was able to play SC2 not that long ago. I think you can disable 2FA in account settings.

  • Fleppensteyn@feddit.nl
    link
    fedilink
    arrow-up
    14
    ·
    1 year ago

    Creating a new Google account isn’t even possible without a phone number anymore. I had a new account which I didn’t use in a while and it decided I need some old phone number to confirm my log in. There’s no way to log in, recover or delete the account. There’s no way I’m putting my daily account to that risk by giving them whatever phone number I have now

  • fidodo@lemm.ee
    link
    fedilink
    arrow-up
    25
    arrow-down
    12
    ·
    1 year ago

    Have you people never heard of a phone book? Phone numbers aren’t sensitive information. If they want to scrape your phone number they can legally and trivially do so through public data sources. Google does plenty of sketchy things around privacy, but this isn’t one of them, it’s just about security.

    • janonymous@lemmy.world
      link
      fedilink
      arrow-up
      9
      arrow-down
      2
      ·
      1 year ago

      Is your mobile phone number in the phone book? Mine isn’t. I guess you could use a landline number to prevent giving out information that isn’t publicly available, but I’d wager most people using these sites these days use their mobile phones. Also even my landline isn’t listed in the phone book.

      • Rodeo@lemmy.ca
        link
        fedilink
        arrow-up
        2
        ·
        1 year ago

        I still have a landline which I use specifically for entering into websites.

        At one point I thought it was a really clever thing to do, but now I’m not sure what I’m accomplishing with that, if anything.

    • themakara@lemmy.world
      link
      fedilink
      arrow-up
      4
      arrow-down
      1
      ·
      1 year ago

      I mostly agree, however setting your phone number includes the verification process. With that, Google knows for near certain that this is indeed your number.

    • Rodeo@lemmy.ca
      link
      fedilink
      arrow-up
      2
      ·
      1 year ago

      Man I haven’t even seen a phone book in at least 10 years. Do they actually still exist?

    • tim-clark@kbin.social
      link
      fedilink
      arrow-up
      9
      arrow-down
      7
      ·
      1 year ago

      Users are getting dumber by the day!! Half the comments in privacy imply users don’t know what they are talking about and need to see a therapist

      • stratoscaster@lemmy.zip
        link
        fedilink
        English
        arrow-up
        3
        arrow-down
        2
        ·
        1 year ago

        Really though people just don’t understand the point of 2FA. There is 0 other way to verify identity. Just use a burner number if you’re so paranoid sheesh lol

      • QuazarOmega@lemy.lol
        link
        fedilink
        arrow-up
        1
        ·
        edit-2
        1 year ago

        You couldn’t glean the sarcasm from my comment?
        I know that 2FA is important for security

  • KevonLooney@lemm.ee
    link
    fedilink
    arrow-up
    32
    arrow-down
    22
    ·
    edit-2
    1 year ago

    No it doesn’t. It means that your email is encrypted and they don’t have a way to unlock it. If you don’t add recovery info or print out your unlock codes, you will lose access. Just like it says.

    2FA is more secure.

    • The Hobbyist@lemmy.zip
      link
      fedilink
      arrow-up
      37
      arrow-down
      3
      ·
      1 year ago

      What are you talking about? Google is not encrypting their emails, where did you get that info from?

      • nbailey@lemmy.ca
        link
        fedilink
        English
        arrow-up
        9
        arrow-down
        6
        ·
        1 year ago

        Yeah, this has nothing to do with encryption, it’s because they refuse to have a support division that would be able to get people back into their accounts.

        • stratoscaster@lemmy.zip
          link
          fedilink
          English
          arrow-up
          9
          arrow-down
          2
          ·
          1 year ago

          What? No, that’s the whole point of 2FA. There is literally no other way to verify authorization otherwise because it’s by-default incapable of verifying identity.

          Knowing the previous password doesn’t help because those are often found in password dumps.

          This is true of any email service.

          • Madlaine@feddit.de
            link
            fedilink
            arrow-up
            6
            arrow-down
            1
            ·
            1 year ago

            2FA is just a second password and has nothing to do with encryption. Can simply be removed.

            They could bypass this authentication without problems, if they want. I lost my phone and my google business account got restored regardless of 2FA. It’s just a button for the support. The problem is the identification, especially of private customers (dunno if they would even do that).

            Encryption passwords aren’t time-based either, they must be static.

          • hemko@lemmy.dbzer0.com
            link
            fedilink
            English
            arrow-up
            4
            ·
            edit-2
            1 year ago

            Yes but that has nothing to do with the data being encrypted and Google not having access to it. Their whole business runs around them having too much access to user data.

            And yeah before you say anything, yeah the data is probably encrypted at rest which means nothing in this case.

    • pe1uca@lemmy.pe1uca.dev
      link
      fedilink
      arrow-up
      8
      arrow-down
      3
      ·
      1 year ago

      Is it really encrypted?

      I’m guessing it’s only for the account recovery to reset your password which should be hashed.

      • Blizzard@lemmy.zip
        link
        fedilink
        English
        arrow-up
        13
        ·
        1 year ago

        Is it really encrypted?

        Of course not, Google has full access to your e-mails and uses it the whole time.

  • 𝒎𝒂𝒏𝒊𝒆𝒍@lemmy.ml
    link
    fedilink
    arrow-up
    13
    arrow-down
    4
    ·
    1 year ago

    BuT cOrPoRaTiOnS tRaCk YoUr LoCaTiOn If yOu GiVe ThEm YouR nUmBeR

    Like they’d need your phone number to do that when you probably already have a smartphone with Facebook installed

  • DarkMatterStyx @lemmy.world
    link
    fedilink
    arrow-up
    9
    arrow-down
    1
    ·
    1 year ago

    I have been slowly de-googling my life. I bought a domain, and have my email hosted on no-ip.com for like $15 a year now. Has been working great for the past 8 months. I have switched all my important login accounts to those accounts. I’m still keeping the spammy store logins and such on Google. The only thing worrying me about loosing with my Google account are all my app purchases going back back to the day it existed.

  • AdmiralShat@programming.dev
    link
    fedilink
    English
    arrow-up
    7
    arrow-down
    1
    ·
    1 year ago

    I hate how reliant I’ve become on my Gmail. My banking, all my accounts, my job, etc.

    I think email should be regulated, because of how much of the modern world relies on them and you can get fucked over and locked out super easy, and trying to change the email on some services isn’t just hard, it’s impossible

    • chkno@lemmy.mlOP
      link
      fedilink
      arrow-up
      2
      ·
      1 year ago

      Regulation is slow, full of drama, scales poorly, & can result in a legal thicket that teams of lawyers can navigate better than the individuals it’s intended to advocate for. Decriminalizing interoperability is faster & can handle most of the small/simple cases, freeing up our community/legislative resources to focus on the most important regulatory needs.

    • w2tpmf@kbin.social
      link
      fedilink
      arrow-up
      6
      ·
      1 year ago

      Your proton account is susceptible to the same problem if your password gets compromised and you don’t have a backup access method registered.