June 09, 2011

Using 2-Step Verification with GMail

In recounting what happened yesterday regarding my hacked Paypal account, I realized that it was my GMail that was originally compromised and used to reset my Paypal password.


After realizing that, I went and changed my Google Account password and used their 2-Step Verification process.

To those who have been asking in the comments what the Google 2-Step Verification feature is and how to activate it, this video should give you the details:

I really don’t know how my GMail was compromised but it could be one of several possible ways:

  • I’ve lost an iPhone 3G, Nexus One and iPhone 4 in the last 12 months and it’s possible they’ve been sold to the grey market with my GMail account still logged in.
  • Public terminal. I remember going to a net cafe last week to have my ID and Passport scanned and emailed. I remember shutting down the browser but could not remember if I explicitly logged out.
  • WiFi Sniffing. This is rare but still possible — my account could have been sniffed over free public WiFi. I even bring my SmartBro Share-It around and leave it without any password so others can use it too (I like to share my net connection). I’m now locking my WiFi.
  • At least 3 of my staff also have access to my GMail account so that’s a huge security hole there as well. I trust them but it’s possible they’re not very careful when they need to access my account online.

In any case, this has been a lesson for me and hopefully a reminder to everyone reading this as well. Go try the 2-step verification process so you have some peace of mind.



31 Responses to “Using 2-Step Verification with GMail”

  1. Paul says:

    As they say, charge this unfortunate event to experience. Stay positive, Abe. We learn better things out of our daily encounters.

  2. James says:

    Wow Yuga for a Tech journalist you are pretty careless with your hardware and your online credentials

    Not to troll but you should have implemented security precautions before all of these things happened to you.

    • Benchmark says:

      Nobody is perfect, you know. Even the experts forget some basic things. And like what Abe said, “I’m only human.”

    • imho says:

      I kinda agree with james. how can a recognized tech blogger be careless like that? I guess the word that comes to mind is “overrated.”

      just my 2 cents.

    • daniel says:

      abe is a tech-blogger and he’s careless. then i tell you, SONY is an $88 billion dollar company… why did they get hacked? nobody’s perfect, after all. just my example ^^

    • William T says:

      Yes. We’re only human, but four high-end devices in a year seems like a lot; most people would become paranoid just by losing one of those high-end devices. I did, when I lost my E60 a few years back. Since then my phone has been strapped to my belt wherever I go; there was a time when I even put a plastic leash on it. :) Still, we humans are forgetful creatures, and the information overload of the internet age sometimes leaves us less focused than optimal…

    • nameless says:

      I guess that’s okay anyway. Sir gets a lot of freebies, after all. ;)

    • gregg says:

      @james sheesh, it’s like saying that when you are an F1 racing champ you won’t get into an accident?

    • James says:

      Haha I’m sorry but that’s a really poor analogy

      But to play along, I’m careful with my data and with my hardware. I make sure my phone has the capability to be remotely wiped when it’s lost, and also 2 step verification has been on from the moment it was available to Google Apps users. I also make sure SSH is on when I go online on public wifi hotspots

      So in a way, I haven’t been in an “accident” when I’m driving my “F1” car. And in the event I meet such an “accident”, I have technology to at least save my ass when it does happen, just like the real F1 cars when they encounter a crash.

      The point I’m trying to drive here is that, for a blog owner and also a coupon discount site owner (or part owner?). Yuga should have been more pro-active when securing his data. He should have known better.

  3. yuga says:

    @james – I’m only human! I make mistakes too.

    • silverlokk says:

      Some other gaffes by people far more prominent than Abe:

      The legendary Ken Olsen of Digital Equipment Corp, who saw no future in personal computers
      None other than Bill Gates, who initially dismissed the Internet
      I think there is a world market for maybe five computers. — Thomas Watson, IBM Chairman, 1943
      “Hey, we don’t need you. You haven’t got through college yet.” — HP to Steve Jobs on the latter’s request for funding development of what became the Apple

      And the list goes on.

  4. William T says:

    Once you’ve got the mess sorted out, it might be helpful to your readers to write a ‘how-to’ guide on steps to be done after losing a computer or smartphone. In this connected age, many people neglect these security matters, especially when they are busy getting a replacement SIM and restoring their data on their new phones.

    Stuff like changing your passwords for all websites and email linked to your smartphone, and doing this at home on a virus-free PC.

    And just a suggestion, beef up the security of not only your phones but your websites, especially now that Yugatech has a companion ecommerce site in Yugadeals.

    Here’s hoping Paypal will sort out everything in your favor…

    Now I gotta activate that two-step verification on my gmail account… :)

  5. Messie says:

    I wish there were something like this for Yahoo Mail too. *sigh*

  6. sherwin
    Twitter: gadgetnet
    says:

    Sirs, I’ll add that you can also check the last account activity at the bottom of Gmail. There you can see where your Gmail was accessed from and what the access type was, browser or mobile.

  7. say says:

    as soon as I read yesterday’s post, I also switched to Gmail’s 2-step verification method. Never mind that it’s more work, at least it’s a lot safer. :)

  8. Lawrence says:

    Yuga,

    Is it possible that 3rd-party applications in the Android Market can get hold of your GMail username and password if you sync your Calendar and Contacts on your Android device?

  9. csseyah
    Twitter: goodfilipino
    says:

    I should do this 2-step verification also.. Thanks for this info….

  10. 1001 says:

    The explanation here is simpler than the one on Lifehacker.

  11. Andre
    Twitter: kzapkzap
    says:

    Facebook just released a security feature where new computers have to type in a code sent to your cellphone to use your Facebook. I couldn’t get it to send to my Smart phone though.

  12. silverlokk says:

    Looks foolproof, but wait! Far as I remember, Google gives you a set of numbers you can use when you don’t have your phone. Obviously, you wouldn’t keep those on any of your devices. I believe Google asks you to print it out, then delete the file.

  13. Apache says:

    Tips from my own personal experience

    1. 24hrs History Only – I never let my laptop, desktop or tablet hold history, because they can use it to hack you or take information.

    2. CCleaner – Easy access if you use 3 or 5 different browsers, and it’s easy to use: just Analyze and Run Cleaner. Just close all applications before using CCleaner.

    3. Password – Always give yourself 5 mins to change your password every 3 months, and keep a great pattern in mind, for example ” pAsS0rD3 ”. Put small and big letters and numbers, but if you can really memorize it and type it in 5 secs, add a special character, for example ” p@sS0rD3 ”. Imagine, if you can do it in 5 secs, even he can’t imagine that.

  14. thed0t says:

    The alternative to using SMS notifications to get the code is through the official Google Authenticator app for Android, iOS, and BB. However, if you don’t have any of those (like me hehe), there is a j2me app (for Symbian users — Nokia, Sony Ericsson, Samsung, etc). Look for “lwuitgauthj2me” and install it. Not bad!

    • she_ina83 says:

      Wow, I didn’t know there was an app like this… I wonder if it works even offline? Will check it out later. Waiting for the SMS is a hassle too, sometimes it takes more than 5 minutes to arrive (Smart subscriber)

  15. JC John Sese Cuneta
    Twitter: jcsesecuneta
    says:

    It’s a hassle… a little… but you get used to it after a few months of using the 2-Step Verification. Quite useful and gives you more room to breathe, especially when logging in outside of your trusted terminals.

  16. ernie says:

    Abe, my problem is that I can’t log in because I no longer have the backup code. I still have my two phones with me, but when I request another method of verification, since I still have the two phones, I’m getting this error msg: An unexpected error occured while sending your passcode. Please use a code generated by your mobile application or try again later. I’ve already tried this https://www.google.com/support/accounts/bin/request.py?contact_type=two_step_recovery_no_phone&source=no_ts but it seems to be no use because I can’t provide the other info. I’m dead.

  17. Jay Castillo
    Twitter: jay_castillo
    says:

    I implemented this after I read your post and after almost a month, I can definitely say this works. I’m now quite used to the verification code sms. Thanks Abe!
