
Like iPhone, a stolen Android phone’s PIN could be used to change Google account password

A report from The Wall Street Journal last week sounded the alarm on an obvious, but frightening issue on iPhone that would allow a criminal to take over your Apple account. But that’s not something exclusive to iOS. Your Google account could be compromised if a criminal stole your Android phone and its PIN, but there are ways to protect yourself.




Last week’s WSJ report cited experiences of iPhone owners who had their iPhones stolen, only to later see their Apple account compromised, the password changed, and further accounts – including bank accounts – accessed as well. These weren’t cases of advanced hacks, but rather a simple security loophole. Using the passcode (PIN) on the iPhone, the criminal who stole it was able to change the account passwords and access other accounts, all without knowing the owner’s passwords.

How? On iOS, users are able to use their phone’s PIN to change the password to their Apple ID, and getting a PIN is as easy as watching the phone’s owner input the number, or tricking the phone’s owner into sharing their PIN.

WSJ’s Joanna Stern used the example of “the fog of a late-night bar scene full of young people, where predators befriend their victims and maneuver them into revealing their passcodes” as one scenario where this could happen. And further, some of these criminals enabled Apple’s Recovery Key feature, which effectively locks users out of their account without the stolen iPhone.


Frighteningly, this can also happen on Android phones, as a PIN is all that’s needed to change your Google account password.

Mishaal Rahman highlighted how this works on Twitter: Google account settings include an option to use your Android phone’s screen lock to change the account password. Google permits this because the password change request is coming from a device that “is yours,” but there is no verification beyond your PIN. Google’s process does first prompt you for your current password, but choosing the “forgot password” option allows the PIN to be used instead.

This is obviously concerning: a stolen smartphone could cost you access to your Google account and much more. The report noted, though, that this practice mainly targets iPhones, which tend to hold higher resale value in the United States. Apparently, 99% of cases seen by a detective were iPhones.

In a statement to WSJ, a Google spokesperson said:

Our sign-in and account-recovery policies try to strike a balance between allowing legitimate users to retain access to their accounts in real-world scenarios and keeping the bad actors out.

So even if it’s not all that likely to happen on Android, what can you do to protect your phone, and your account?

For one, you can stick to using biometrics – like your fingerprint – so that snooping eyes never see your PIN in the first place.

It also wouldn’t be a bad practice to avoid storing sensitive data on your device, such as in notes apps or your photo library. This might include social security numbers, passport images, or other forms of ID, as these criminals can do even more damage if they have easy access to that information.

Next, you can strengthen your phone’s protection. By default, Android only asks for a four-digit PIN, but you can make that much longer. Pixel phones support PIN codes as long as 17 digits. Android’s pattern unlock is also harder for someone to steal by looking, and you can use a full password to make a very complex code.

Other ways of securing apps might include turning off biometric/PIN login for those apps, or at least making those PINs different from the one used to unlock your phone. A dedicated password manager can also go a long way over using the one built into your device.

Another option is to use Google’s “Advanced Protection” option. This blocks the ability to change your password using a PIN, but it does require that you use two physical security keys.
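To make the trade-offs in the steps above concrete, here is a small capability-reachability model of the takeover chain the article describes. It is an added example, not code from 9to5Google or Google, and its rules are an assumed abstraction (the names `stolen_phone`, `screen_lock_pin`, `hardware_security_key`, `sensitive_docs_on_device` and the chain from inbox access to third-party resets are constructed for illustration, not a description of Google’s real recovery engine). It shows what a thief holding a phone plus its PIN can reach under the default policy, and how each mitigation removes edges from that chain.

```python
"""Added example (not from the article): capability reachability for the
stolen-phone-plus-PIN scenario. All rules are an assumed, simplified model."""

from typing import FrozenSet, Iterable, Tuple

# A rule says: holding every capability in `needs` grants the single capability
# `grants`. This is a constructed abstraction of the article's description.
Rule = Tuple[FrozenSet[str], str]

DEFAULT_RULES: Tuple[Rule, ...] = (
    # Unlock the stolen handset with a shoulder-surfed or socially engineered PIN.
    (frozenset({"stolen_phone", "screen_lock_pin"}), "unlocked_phone"),
    # Article: "forgot password" accepts the phone's screen lock as verification.
    (frozenset({"unlocked_phone", "screen_lock_pin"}), "google_password_reset"),
    (frozenset({"google_password_reset"}), "google_account"),
    # Assumed: owning the Google account means reading the Gmail inbox.
    (frozenset({"google_account"}), "email_inbox"),
    # Assumed: inbox access lets reset links for other services be consumed.
    (frozenset({"email_inbox"}), "third_party_account_resets"),
    # Assumed: notes/photos on the unlocked phone may hold ID documents.
    (frozenset({"unlocked_phone", "sensitive_docs_on_device"}), "identity_documents"),
)


def reachable(start: Iterable[str], rules: Tuple[Rule, ...]) -> FrozenSet[str]:
    """Fixed-point closure: keep applying rules until nothing new is granted."""
    have = set(start)
    changed = True
    while changed:
        changed = False
        for needs, grants in rules:
            if grants not in have and needs <= have:
                have.add(grants)
                changed = True
    return frozenset(have)


def with_advanced_protection(rules: Tuple[Rule, ...]) -> Tuple[Rule, ...]:
    """Assumed model of Advanced Protection: a password reset can no longer be
    unlocked with the screen-lock PIN; it needs a physical security key."""
    kept = tuple(r for r in rules if r[1] != "google_password_reset")
    return kept + (
        (frozenset({"unlocked_phone", "hardware_security_key"}), "google_password_reset"),
    )


def account_takeover_possible(start: Iterable[str], rules: Tuple[Rule, ...]) -> bool:
    return "google_account" in reachable(start, rules)


def compare_policies() -> dict:
    """Summarise each mitigation from the article as a change to the attacker's
    starting set or to the rule set, and report whether takeover succeeds."""
    thief = {"stolen_phone", "screen_lock_pin"}
    return {
        "default": account_takeover_possible(thief, DEFAULT_RULES),
        # Biometrics used in public: the thief never observed a PIN.
        "pin_never_observed": account_takeover_possible({"stolen_phone"}, DEFAULT_RULES),
        "advanced_protection": account_takeover_possible(
            thief, with_advanced_protection(DEFAULT_RULES)
        ),
    }


if __name__ == "__main__":
    for policy, taken_over in compare_policies().items():
        print(f"{policy:20s} account takeover: {taken_over}")
    print(sorted(reachable({"stolen_phone", "screen_lock_pin"}, DEFAULT_RULES)))
```

The model makes the article's point visible as a graph property: under the default rules, `screen_lock_pin` is the single factor standing between a stolen handset and the whole account, so both the biometrics advice (deny the thief that factor) and Advanced Protection (remove the PIN-based reset edge) cut the chain, while keeping ID documents off the device only removes the `identity_documents` branch.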

Author

Ben Schoon

Ben is a Senior Editor for 9to5Google.

Find him on Twitter @NexusBen. Send tips to schoon@9to5g.com or encrypted to benschoon@protonmail.com.