Going on two weeks now, I am regularly receiving notifications from Google regarding password assistance and account recovery. I receive these notifications every two or three days in the forms of both email and SMS text messages.
date: Mon, Jun 7, 2010 at 6:36 PM
subject: Google Password Assistance
To initiate the password reset process for your my-email-address Google Account, click the link below:
If clicking the link above doesn’t work, please copy and paste the URL in a new browser window instead.
If you’ve received this mail in error, it’s likely that another user entered your email address by mistake while trying to reset a password. If you didn’t initiate the request, you don’t need to take any further action and can safely disregard this email.
Thank you for using Google.
For questions or concerns about your account, please visit the Google Accounts Help Center at http://www.google.com/support/accounts/
This is a post-only mailing. Replies to this message are not monitored or answered.
Your Google Account recovery code is: some-numeric-code. If you did not request this code, you can safely ignore this message.
I was mildly concerned when I received the first Google Password Assistance notification. It was certainly possible that someone mistakenly entered my Google username instead of their own and eventually click on the password recovery link.
As a precaution, I went ahead and changed my Google account password; making it longer and even more complex than before. Not only did I feel better, changing my account password is something I should do more regularly anyway.
Unfortunately, this wasn’t a one-time mistake. Now that I’ve received six notifications in the past two weeks, I’m concerned that someone is actively attempting to hack, guess, phish, or otherwise can control of my Google account.
I visited Google’s Help Desk on this topic, which wrote:
The Gmail Team isn’t able to provide you with information about attempted logins including, but not limited to, the IP address from which the attempted login was made, and the time and date attempted logins occurred.
Unfortunately, it appears there’s nothing more that I can do to better protect myself than to simply change my password. I feel helpless.
It’s coming home every day and seeing evidence that someone attempted to break into your house. Perhaps you’d find their lock-picking tools on your front door step one day and their fingerprints on your sliding glass door the next day. But until you find evidence that the bugler was in your living room, no crime has been committed.
I understand Google’s plight. I’m sure thousands of users forget their passwords every day. If Google didn’t have a highly engineered and automated self-help password recovery process, they wouldn’t be able to keep up with these requests in an affordable way.
But I still feel hopeless. It would be nice if Google provided a way for me to report this suspicious activity and perhaps temporarily raise the security level of my account.
Google should create a “fraud alert” feature that I user could place on their own account much the same way we can do for our credit reports.
During my Google “fraud alert” period, perhaps my account would require two levels of authentication (two passwords, password and a text message code, etc.) or access would be limited to a small range of IP addresses that historically access my account.
Just about any added measure of security would make me feel better and more secure.