Security or convenience. Pick one.
Last week for me was a stark reminder of how quickly we can become far less confident about everything we do on a computer and the internet. My goal in this post is to document what happened to me and what I’ve done since. Hopefully someone else finds it helpful but additionally if someone who knows better reads this I’d be interested to hear about what I’m still doing wrong. So here it goes…
On Wednesday April 22nd 2020 I was checking the transactions in my bank account to update my budget with some online spending that I had done. It was then that I noticed a negative balance on my account. At first I was wondering what bill I had forgotten. Did I forget about a multi-year hosting renewal? What I found though was even more confusing. I found a $690 charge from Google. I have a Google store account for a Google Pixel 2 phone I bought a while back so I immediately went there first and that’s when I found it.
At first I started to doubt myself. Did I order this phone by accident? I was looking at the discounted nest speakers for $29 the day before and was wondering if I really wanted to get more of them in my house. So did I somehow click something and not realize? No, that didn’t make sense. It would take a lot to accidentally check out an item.
Then my next thought was if it was my daughter playing on my computer but she knows better than that and really it would be out of character for her.
My last hope…
It had to be an error. I was hoping it was a glitch in Google’s ordering system because the next thought brought chills to my spine. Because the next thought was that someone was in my Google account.
Gmail is now my enemy…
To know just how chilling that thought was you have to know a few things about my Google account. First my Gmail account is my longest standing email account by far. I had emails in there dating back to 2006 and I rarely delete anything. I was always fascinated by the collective history of my communications indexed and easily searchable by myself. Which now was the first terrifying part of this endeavor. 14 years of rich communication history about me. If someone wanted to be me online that was a treasure trove of information gold and as it stands I still don’t know how much was accessed and/or copied.
In Google we trust…
I’ve always held a lot of trust in my Google account too. The password was always different from every other password I used. I figured other places I could be ok with password reuse but not on my Google account. I also had 2 factor authorization setup so if someone got that password I would still have to hit yes on my phone to confirm the login attempt and that would stop them from getting in and give enough time for me to reset my password.
Next steps…
Immediately after I found this transaction I contacted both Google and my Bank and explained I did not make this transaction. I had to get a new bank card and Google made me fill out a form for the claim. As extra precaution I requested new card numbers on all of my accounts and changed my credentials on Google.
That’s when it dawned on me…
Something still didn’t feel right about this though. How could they order from the Google store? My login to the Google store is my Google account and my Google account never prompted me that someone was trying to login. Even if they had my password I would’ve been asked to approve it on my phone. That’s when it dawned on me. The only explanation that made sense was the explanation that really made my heart sink into my stomach. They had access to one of the computers on my home network. You see I had so much blind trust in my Google account that I was signed into Chrome and I never signed out. And of course all of my passwords were saved in Chrome too. I did however add the extra passphrase to make sure that even if I sync Chrome to another computer that you have to enter an additional password to sync the encrypted passwords but none of that matters if the hacker has access to a device that you’ve trusted with everything.
One Chrome to rule them all
Once an attacker had access to my computer all they had to do was open Chrome and everything was already signed-in and ready to go. This was the only thing that made sense to me and worse yet I confirmed the breach of my account with another finding in my Gmail. Digging through the contents of my account for hints to how the attack was carried out I went into the Gmail Trash and that’s when I found a confirmation from my 401K provider that my phone number had been changed. I immediately called my 401K provider and confirmed the breach in security and changed the information back along with adding additional security measures to my account.
Just when it can’t get worse…
The final discovery in this attack was in my Gmail filters. It was there that I had found the attacker had added rules to mark all emails from either the Google Store or my 401K account as “read” and move them to the trash. I’d hate to know what the next step(s) in all this was going to be.
It was at this point I pulled out all of the stops…
Feeling a bit hopeless after these discoveries I started to do everything I could to secure my digital life.
I put off real password management too long…
I immediately bought a LastPass family account for a year. Imported my passwords from Chrome to Lastpass and completely wiped Chrome of all saved contents and intent to save information. I then proceeded to change all of my known passwords to randomly generated passwords thanks to the LastPass password generator and I made sure that LastPass does not automatically login when the browser is opened. Where possible I’ve also enabled 2 factor authentication.
Bad Tablet…
I had a Windows tablet that had shown signs of malware from an android emulator download gone wrong so I immediately put a Windows 10 USB installer in it and completely reformatted it just in case that was the culprit. Previously I had removed the bad application and scanned with Windows defender but now I had lost confidence in that resolution.
TeamViewer is just another attack surface…
I then remembered a post in a local IT group on Facebook where someone mentioned TeamViewer encryption keys becoming public. I had changed my TeamViewer password since that article and couldn’t find other articles to back up that story so I didn’t think much of it but after being attacked I decided it was time to lower my attack surface and I uninstalled TeamViewer from all machines.
Trying to prevent an inside job…
Another question was how they got through any router firewalls and with some malware on the inside of my network I had also let my guard down for a game. When an Xbox One game wouldn’t connect I did something I told myself I wouldn’t and I turned on UPNP in my router so the Xbox could open the ports it needed and it worked. Leaving it on though means that any computer on my network can open any port they want and that day has now come to an end. I’ve disabled UPNP in my router and I intend to leave it that way.
You used your bank card for what!?…
I really took for granted that I would enter my debit card into my Google account for recurring transaction like my Google Music but after this I decided to also take Citi bank up on something they have offered me for a while now and that’s a virtual card number. I simply click to generate one on their website and I use that number online instead of any real card. I can even set spending limits on the virtual card too. Also most banks and credit cards offer alerts for transactions over a certain amount so I’ve activated a lot of those now too.
It’s time to put Pandora in a VirtualBox…
My 14 year email history on Gmail was way too much information about me and my patterns to risk anymore but I didn’t want to lose this archive of myself so I decided on the best way to lock it away from malice.
I fired up an Ubuntu Virtual Machine in VirtualBox, generated a 90+ character random password in LastPass and used it as a key to a 256-bit VM encryption.
Then I installed the Thunderbird email client in my minimal and encrypted Ubuntu VM and proceeded to download and delete 14 years worth of email history.
After it was done downloading I made sure it was gone from Google and created a copy of the encrypted VM disk onto another backup disk.
Aftermath
I now treat my computers as if they are computers in a public library that anyone has access to. I don’t leave anything logged in anymore and as such my digital life sucks a little more but I feel a bit more confident moving forward. I should also probably make my account a basic user and not an administrator like the Linux and Mac world but I’m not quite there yet.
It only took a few days and a few calls to Fedex (to cancel the phone shipment and return to sender) and Google but I did get my money back and thanks oddly enough to the world situation with Covid-19 my bank is not charging NSF fees at the moment so I didn’t have to get any fees reversed either.
I still wonder if someone has access to a PC on my network. The other machines I have are much more of a difficulty to reformat with the data they have and I’ve run several scans on them in an attempt to find anything malicious. I still think Windows Defender is the best Anti-Virus option out there but this was a gut wrenching reminder that no Anti-Virus is perfect.
When you think about it we’re kind of crazy to have always on internet connections with our digital lives hanging on trusting that someone doesn’t get past our cheap router or convince us to download the wrong executable. This was eye-opening for sure.
Leave a Reply