Computer security is difficult, and sometimes erring on the side of caution only gets in the way of the users you’re trying to protect, giving them unnecessary headaches.
Pretty much every August, I leave for the holidays, often to go and visit my parents in Italy. Pretty much every August, I get locked out of my Gmail accounts because Google detects a login from a different IP address than the usual, and prevents the login as a precautionary measure because it thinks someone else is hacking into my account.
When I voiced my frustration at the beginning of the month, a few people contacted me, all suggesting I turn on two-factor authentication, which is perhaps the swiftest way to put the whole issue at rest. But I’m not comfortable with giving Google my mobile phone number, and my medium-to-long-term plan is to solve the problem in a totally different way anyway — by getting rid of all my Gmail accounts.
But let’s get back to the problem. Every Gmail account I have has a recovery email account associated with it. To these secondary email accounts I receive the standard warning email from Google: Suspicious sign-in prevented. The links provided in such emails basically help me regain control of my Gmail account by resetting the password. Again, good practice in theory, hugely annoying in practice when the person trying to log into my Gmail account is just me but from an ‘unusual’ location. Annoying because I have to update the password on every other device and computer I use to access that account. And of course Google won’t let me revert to the old password once I manage to access the account.
When I was finally able to access the first Gmail account I had been locked out of, there was a scary-sounding email message from Google: Someone has your password. You can follow the link provided in this message to review your devices and — more importantly — tell Google that the ‘suspicious activity’ was actually yours. This is the crucial point: if Google flags a login attempt because it came from an IP address that is not in the usual range of addresses associated with your activity, but you indicate that such an address was in fact okay, the flagged IP address should get whitelisted. But it doesn’t. Not in my case, at least. On a hunch, I went back and checked my Gmail inboxes from August 2014 and August 2013, and I found an eerily familiar situation: suspicious sign-ins prevented, activity originating from basically the same IP addresses (only the last number changed).
Google is all about learning patterns, yet it doesn’t seem to understand that a user logging into his own accounts from a different IP address, but always from the same place every August, might in fact be the legitimate owner, accessing his email from the place where he’s spending his summer holidays. Especially after the user himself has indicated that that IP address was fine and not suspicious.
After begrudgingly resetting the password of the first Gmail account I was locked out of, and unwilling to undergo the same annoying process for the remaining two accounts I still had to check, I got an idea which fortunately saved me from further trouble, and which I wish had come to me sooner — I connected to the VPN of the university where my wife works, and logged into my Gmail accounts from there.
Before this little ordeal started, I had figured I’d spend 10–15 minutes to check my email and, if need be, respond to any urgent message. Instead I lost almost two hours. But oh yes, I felt very protected all the time — apparently even from myself.