Android makes it shockingly easy for phone thieves to also steal your Google account

If you don’t use one, you should consider an alphanumeric password

Apple and Google have made it so easy to load our entire lives onto our phones while also keeping all that information protected with advanced authentication methods. But there’s a crucial weak link that can open up everything within if you’re unlucky enough to be watched and that’s the authentication method you use to unlock your phone. We don’t want to fearmonger you into any unnecessary action, but with a rise of highly-coordinated iPhone thefts in the past couple of years, we do think it’s a good idea that you upgrade from a numerical passcode to at least an alphanumeric password.

The Wall Street Journal’s Joanna Stern reports this week on an uptick in phone thefts that involve some level of social engineering so that thieves can read and remember your passcode. Whether it’s pure observation of you entering your code in plain view, a sly request to share that photo you just took, or plain coercion, it can happen to anyone.

But swift moves like that aren’t just for the sake of reselling your device on the open market: both Apple ID and Google accounts offer password reset methods that only require users to pass authentication on their device. Once inside those accounts, thieves can read other personal information, raid cloud storage and bank accounts, and open up credit lines, all while blocking the victim from regaining control.

This is a trend that’s difficult to quantify, and while iPhone ownership can be part of the stereotype of a high-value target, we’re likely not getting a full picture strictly from what Stern is reporting through her police contacts and those who have shared their stories.

Whatever the stats are on Android device thefts, you should know that the same essential exploit is also present on Android phones: as the esteemed Mishaal Rahman points out, thieves can gain control of victims’ Google accounts by going through the password reset flow and authenticating with their device’s passcode.

Beyond Rahman’s instructions, malicious actors may be able to pass the second factor of authentication, if one is required, by choosing the “Tap Yes on your phone or tablet” method: the prompt would be sent to the device already in their hands, and the Google app flow would detect the approval.

It doesn’t matter if you opt for facial recognition or a fingerprint scan because those methods can fall back to either a passcode, a password, or a pattern lock. So, our best advice to you at the moment is to upgrade your device passcode or pattern lock to a password.

We know it’s not a pretty thought, especially because, in addition to being one of those things you can’t handle with a password manager or authentication app, this will be yet another primary password you’ll need to remember, with all the pitfalls that come with complexity and memory, especially if thieves can overcome the best password you can keep in your head. At the very least, Apple and Google should not be accepting basic device authentication methods as checks on resetting your account passwords — we’ve asked Google if it will consider removing device authentication from password reset checks and we’ll let you know if we hear back.
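To make the design problem in the last few paragraphs concrete, here is an added example that is not Google’s, Apple’s or this article’s code. It models a password-reset check as a question of how many independent roots of trust the presented factors actually prove: a device PIN, a “Tap Yes” prompt delivered to that same device, and an SMS code received by the SIM inside it all collapse onto one stolen phone. The factor names, device ids, scenarios and the “two independent roots” policy are assumptions chosen for illustration.

```python
"""Does a password-reset request prove control of more than one stolen phone?

Added example, not Google's, Apple's or the article's code. Factor kinds,
device ids and the policy below are assumptions for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Factor:
    """One piece of evidence presented during a reset attempt.

    device_id names the physical device the factor is bound to; None means
    the factor is not bound to any device (e.g. a typed account password).
    """
    kind: str                       # "device_pin", "push_prompt", "sms_code", "security_key", "password"
    device_id: Optional[str] = None


def independent_roots(factors: List[Factor]) -> Set[Optional[str]]:
    """Collapse factors onto the thing that actually proves control.

    Everything bound to one device (its unlock PIN, a push prompt shown on it,
    an SMS code received by its SIM) is a single root: whoever holds the
    unlocked phone has all of them at once.
    """
    return {f.device_id for f in factors}


def weak_reset_allowed(factors: List[Factor]) -> bool:
    """The flow the article describes: passing the device unlock is enough,
    and any push prompt is sent to that same device."""
    return any(f.kind == "device_pin" for f in factors)


def hardened_reset_allowed(factors: List[Factor]) -> bool:
    """Assumed stricter policy: require two independent roots of trust, so a
    single stolen, unlocked phone can never satisfy the check on its own."""
    return len(independent_roots(factors)) >= 2


# Constructed scenarios. "phone-1" is the stolen phone; "key-1" is a hardware
# security key the owner keeps separately (the article's closing advice).
THIEF_WITH_PHONE = [
    Factor("device_pin", "phone-1"),   # PIN observed while the owner unlocked it
    Factor("push_prompt", "phone-1"),  # "Tap Yes on your phone" lands on the same phone
]
THIEF_WITH_SMS = [
    Factor("device_pin", "phone-1"),
    Factor("sms_code", "phone-1"),     # the SIM is inside the stolen phone
]
OWNER_WITH_KEY = [
    Factor("device_pin", "phone-1"),
    Factor("security_key", "key-1"),   # separate physical token
]
OWNER_WITH_PASSWORD = [
    Factor("password"),                # knowledge never shown on the phone
    Factor("push_prompt", "phone-1"),
]
SCENARIOS: Dict[str, List[Factor]] = {
    "thief: pin + push on same phone": THIEF_WITH_PHONE,
    "thief: pin + sms on same phone": THIEF_WITH_SMS,
    "owner: pin + hardware key": OWNER_WITH_KEY,
    "owner: password + push": OWNER_WITH_PASSWORD,
}


def audit(name: str, factors: List[Factor]) -> dict:
    """Summarise one scenario under both policies."""
    return {
        "scenario": name,
        "roots": sorted(r or "<none>" for r in independent_roots(factors)),
        "weak_policy": weak_reset_allowed(factors),
        "hardened_policy": hardened_reset_allowed(factors),
    }


if __name__ == "__main__":
    for scenario_name, scenario_factors in SCENARIOS.items():
        print(audit(scenario_name, scenario_factors))
```

Run as a script it prints one line per scenario; the two thief scenarios pass the weak policy and fail the hardened one, while both owner scenarios pass the hardened one. The point of the root-counting design is that adding a second factor only helps if it cannot be satisfied by the same stolen device as the first.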

Oh, and one last piece of advice: buy a Yubikey.
