Ugh. File this on under #FirstMilleniumComputingRIP or #YosemiteRequired or #iOSForEveryone or #aWatchFuture.
A friend got an email a few weeks ago from Google, warning her that some had tried logging into her account from Galati Romania and somewhere in Kyrgyzstan. I didn’t see the original email, but I gather Google recommended she change her password. I don’t know if Google said anything about other consequences. The implication was that Google blocked those accesses [1], much as your credit card company routinely blocks the Moscow charges you never hear about.
By the way, if this happens to you, walk through the Gmail security checklist.
I don’t know if Google mentioned anything in the email about additional security measures, but what she noticed was that she couldn’t use Gmail on her home computer. It said “password incorrect” though she was using the right password.
It took me 30-40 minutes to figure out what was going on. I created a new user account to confirm it wasn’t anything on her Mac running OS X Lion [2]. Then, guessing that Google had enrolled her in some new enhanced security program, I went looking around Google’s security settings and I found an “Access for less secure apps” setting [4]
I also found this notice …
and I could see where our legitimate logons had been blocked (but marking those as legitimate did nothing) …
I can’t find Access to Less Secure Apps controls on my own Google accounts [3]; I think it’s automatically enabled after an account hack or if you click the “Secure your account” link in “Notifications and Alerts” or in the “Devices & activity” above. (Maybe this was mentioned in the email from Google? That would be nice.)
If Access for less secure apps is on, then this article applies:
Allowing less secure apps to access your account - Accounts Help
Google may block sign in attempts from some apps or devices that do not use modern security standards. Since these apps and devices are easier to break into, blocking them helps keep your account safer.
Some examples of apps that do not support the latest security standards include:
The Mail app on your iPhone or iPad with iOS 6 or below
The Mail app on your Windows phone preceding the 8.1 release
Some Desktop mail clients like Microsoft Outlook and Mozilla Thunderbird ……
To help keep your account secure, we may block these less secure apps from accessing your account, and you’ll see a “Password incorrect” error when trying to sign in. If this is the case, you have two options:
Upgrade to a more secure app that uses the most up to date security measures. All Google products, like Gmail, use the latest security measures.
Go to Allow less secure apps and choose “Allow” to let less secure apps access your Google account. We don’t recommend this option because it may make it easier for someone to gain access to your account…
Yeah, all you get is a “password incorrect” error. Which is wrong of course, your password is fine. Problem is, Mail.app for OS X isn’t designed to say “Google doesn’t like me”. It tries to connect, gets rejected, and renders this as “password incorrect”.
Once I figured out the problem I found Google’s April 2014 security blog announcement:
Google Online Security Blog: New Security Measures Will Affect Older (non-OAuth 2.0) Applications
… beginning in the second half of 2014, we’ll start gradually increasing the security checks performed when users log in to Google. These additional checks will ensure that only the intended user has access to their account, whether through a browser, device or application. These changes will affect any application that sends a username and/or password to Google.
To better protect your users, we recommend you upgrade all of your applications to OAuth 2.0. If you choose not to do so, your users will be required to take extra steps in order to keep accessing your applications.
You do know what version of OAuth OS X Mail.app uses, don’t you? Oh, wait, does Mail.app even use OAuth?! It appears so as of 10.0.3 (Yosemite); I suspect Google considers any OS X app (Mail, Calendar, Contacts) prior to Yosemite to be less secure.
There’s a bit more useful information in this April 2014 ghacks.net article. I’m sure you read that one regularly to keep your Google services working smoothly! As noted in the article, you can enable Access for less secure apps [5]. That took care of my friend’s problem.
Sigh.
My friend asked me what regular people do. My answers was, unfortunately, they don’t/can’t. The writing has been on the wall for a few years — civilians should not own “computers”. They should a single iOS device [6] and do everything through Apple [7]. This kind of thing is only going to get worse.
- fn -
[1] But what about the accesses Google might not have blocked? Google Account security now lets you see what devices have signed in from where over the past 28 days as well as review your security notifications. Between those and reviewing your Account Permissions you can get a rough idea if an unsophisticated attacker got by Google’s secondary defenses.
[2] I also have a Lion machine the kids use a bit. It’s no longer being updated of course, and I should probably retire it.
[3] I checked both my 2FA and non-2FA Google Apps/Google accounts and didn’t see it on any of them.
[4] First I went through her access history and authorized a number of them. Turns out that’s pointless, Google just provides that to keep us confused.
[5] Or enable 2FA. Google 2FA is less of a PITA than it once was, but it’s not ready for civilian use. Too many ways to go wrong, especially when a device is stolen.
[6] I don’t think Android is a good choice. Sorry. The single best choice for most is probably an iPhone 6+. There’s an unmet need for an flip-phone-like compact device that provides simple phone services to a companion iPad. Maybe Apple Watch version 3 will do that.
[7] if Apple doesn’t do it, then give up.