Thursday, March 20, 2014

@Google #vulnerability ... I'm just highly astonished #fail #disappointed

I'm still surprised by what happened to me this afternoon.

I received an e-mail from Google Play about a purchase (some game credits). At first I thought it was just a spam/phishing e-mail trying to get my credentials.

Later on I logged in to my Google Play account and ... surprise!! I had a charge from a Japanese company ... I tried to cancel the order, but the system fails, as you can see in the next screenshot.


I navigated through the different options at Google Play, and then I saw a strange device linked to my account. That scared me: someone had stolen my Google credentials.



I took another screenshot of the thief's device location; as you can see, the thief was located in China.


I was still looking for a way to request the order cancellation or a refund when I received a second order.


I was in shock and I completely forgot to remove my card information and update my password... after that I didn't receive any more orders.

To be honest, Google Customer Care gave me a fast answer and also a fast solution: they refunded the money and cancelled both orders.

But, maybe you should update a bit the automatic response:

"Due to the special circumstances of the purchase, we will be happy to make a unique exception to our refund policy and issue you a refund of 4.762 ¥."

Come on, a unique exception? WTF!!!

But Google, at this point I need to ask you something: why, every time I arrive at a new portal and see this, do I use the right button?

The reason is that I trusted you. But today, one Chinese guy was able not just to make two orders of crappy game credits; he was also able to read my e-mail and my contact information, access my analytics, change my password, and so on. In fact, he linked the device to my account a week ago!!!!

So, a "unique exception" is not enough. What I want and need to know is: if I follow the usual high-security practices to generate and maintain my password, then...
  • How could a guy in China steal my password?
  • How could someone in China pay with Google Wallet without any extra protection?
  • What else should I do to guarantee the security of my account?
  • How will I trust you again? And why?
Facebook, which has "just" my social activity, no credit card, no personal e-mail ... they have context-based security rules: if I try to access my account from an unusual location, they force me to follow some extra security restrictions.

But what about you, Google? Are you kidding me? You know how long it takes me to get home, or to get to the office in the morning, from Google Now ... but you don't know that I can't be in China and in Barcelona at the same time ...

COME ON!!!
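As an added example (not part of the original post), this is the kind of context check the post is asking for: an "impossible travel" rule that flags a sign-in which could not have been reached from the previous one. The sign-in events, the coordinates and the 1000 km/h plausibility threshold are all constructed assumptions for the demonstration.

```python
import math
from datetime import datetime, timezone

# Constructed sample sign-in events (not real data): a normal login from
# Barcelona, a login from an unfamiliar device in Beijing 40 minutes later,
# then the usual device again from Barcelona in the evening.
EVENTS = [
    {"time": "2014-03-13T08:00:00Z", "lat": 41.3874, "lon": 2.1686, "device": "home-laptop"},
    {"time": "2014-03-13T08:40:00Z", "lat": 39.9042, "lon": 116.4074, "device": "unknown-android"},
    {"time": "2014-03-13T20:00:00Z", "lat": 41.3874, "lon": 2.1686, "device": "home-laptop"},
]

# Assumed threshold: roughly airliner speed; anything faster is physically impossible.
MAX_PLAUSIBLE_KMH = 1000.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return the sign-ins whose implied speed from the previous sign-in exceeds max_kmh."""
    flagged = []
    prev_time, prev_ev = None, None
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if prev_ev is not None:
            hours = (t - prev_time).total_seconds() / 3600
            km = haversine_km(prev_ev["lat"], prev_ev["lon"], ev["lat"], ev["lon"])
            # A location change with no elapsed time is impossible as well.
            if km > 0 and (hours == 0 or km / hours > max_kmh):
                flagged.append({**ev, "km": round(km), "hours": round(hours, 2)})
        prev_time, prev_ev = t, ev
    return flagged


if __name__ == "__main__":
    for hit in impossible_travel(EVENTS):
        print(f"impossible travel: {hit['device']} at {hit['time']} "
              f"({hit['km']} km in {hit['hours']} h)")
```

The Beijing sign-in is flagged (about 8,800 km in 40 minutes), while the evening Barcelona sign-in is not, because 11 hours is enough time to fly back.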