Monday, June 18, 2012

Google Purposely Scaring Users with Login-Errors (New Spin on Year-Old Tactics)

Google likes to scare users by displaying red, bold text stating the horrible things that will happen "if" they should lose access to their account.

I reported on this issue last summer, in this article, and the practice is still continuing one year later. The image on the top was taken around 6:00 P.M. E.S.T. on June 16th, 2012, while attempting to log in to my Google (Gmail and Google Drive) account.

This image appeared after entering the same password 3-4 times on two different Google login platforms, Gmail and Google Drive. The password was entered manually each time, meticulously, as I was thinking I may have been hacked, since I knew I was entering the correct password, which worked on the last attempt and prompted the page in the screen shot below.

Screen shot taken around 6:00 P.M. E.S.T. on June 16, 2012.
Screen shot is of the prompt-screen for a phone number in between a successful login to a Google service and that service's main page. This page would appear in between the login page for Gmail and the user gaining access to the Gmail inbox.
This image is very similar to one I posted in my previous article, which is shown for comparison below.

Screen shot is of a prompt-screen in between a successful login to a Google service and that service's main page. This would appear between the login page for Gmail and the user gaining access to the Gmail inbox. No time stamp information is currently available for this image. Image Source

Google has multiple variants of this implementation shown in the image below, also from the previous article.

Screen Shot Taken: 8/31/11 12:32 AM. Screen shot is of a prompt-screen in between a successful login to a Google service and that service's main page. This would appear between the login page for Gmail and the user gaining access to the Gmail inbox. Image Source

Last year, when I originally wrote about this topic, it seemed both benign and an invasion of privacy. Google wanted to gain information, so they attempted to gain phone numbers. Ultimately they want a database of all human knowledge, including all knowledge that exists anywhere about you. They want to know everything.

A year ago I declined to give my phone number, although, like many who attempt to fight the good fight, we often have to use the tools of the enemy to our advantage. A year after the first report I have an Android phone, which is already synced to my Google account. It didn't matter this time that they wanted it; I entered it, whatever.

The problem was how Google went about it. I believe they crossed a major ethical line. I believe Google is now operating a moderated script of one that was running last summer causing the phone number prompts.

As of now this is speculation, and I have no proof that it exists or that I will be able to find such proof before it disappears. I welcome any and all to try to support my hypothesis or disprove it. Please pardon any techno-babble below. Below is my hypothesis on the maliciously designed Google script that is operating in the wild across the Google Umbrella Network.

I believe the script operates after the user enters their credentials. Somewhere along the login process Google checks the account entered against a database of names that they want more information on.

I believe the database in itself is not efficient. For example, I was prompted for my phone number, which they already have synced to my account; however, they do not have me on record as having entered it during one of their scare prompts. I therefore believe that is the reason for my account being flagged.

The next section of the script, I believe, involves some sort of randomization algorithm. This may be combined with a fail-safe as well. For example:

# If the username is on the list, the user will be randomly selected for a prompt.
# If the username is not on the list, prompt.positive will be false.


Redirect(string prompt)
  if prompt == "Google Mainpage"
       # User is sent to the Google main page.
  else if prompt == "Prompt"
       # Initiates the scare program.
       new integer scare = 0
       while (scare < 3)
            Username.Scare(scare);
            scare = scare + 1;

Scare(integer scare)
  # User tries to log in with password; no matter what, told password is wrong.
  scare = scare + 1;
  # User tries to log in with correct password again, told it is wrong.
  scare = scare + 1;
  # User enters same password again, and is brought to the mobile phone number page.
  if prompt == answered


LastPrompt(integer number)
  lastPrompt = lastPrompt + number

if Username.OnList == false
   prompt.positive = false;
   User.Redirect("Google Mainpage")
else if Username.OnList == true
   prompt.positive = Randomizer();
   prompt.positive = false;

if prompt.positive == false then
   User.Redirect("Google Mainpage")
   new integer lastPrompt = 0;
   lastPrompt = Username.LastPrompt(0);
# Returns days since last prompt. (Arguments, integer = will add that integer to last prompt, and return the number of days since last prompt, Boolean
if (lastPrompt < 5)
    prompt.positive = false;
    Username.LastPrompt(lastPrompt + 1);
    Username.Redirect("Google Mainpage");
else if (lastPrompt > 30)
    prompt.positive = true;
    Username.LastPrompt((lastPrompt * 0) + 1)  # If prompted, resets last prompt to 1.
    Username.Redirect("Prompt")

Just an aside: while writing this article I realized I did not know how I should be spelling Gmail: Gmail, G-Mail, GMail, or G-mail. Ultimately I found that Google prefers the spelling Gmail, despite the logo. Source
