Google Gets Back to Nick

August 6, 2008 · Comments

Nick Saber just forwarded Google’s eventual response to what went wrong. Because thousands of people wanted to know the answer to the question why, here’s the first part of that letter:

Hello Nick,

I understand that you may have questions about the recent actions taken on your Google Account. We understand and respect your concerns about your account.

Our specialists performed a thorough investigation of your account ID: nick.saber@gmail.com. It appeared that your account was compromised on 08/01, and an unauthorized charge of $490.30 was attempted in your Google Checkout Account. For security purposes, we suspended this account to prevent additional activity and charges.

We’d also like to assure you that the security and confidentiality of your personal information, including your credit card number, is our highest priority. Your information is securely stored on our servers, and won’t be shared with anyone except under the very limited circumstances described
in our Privacy Policy at http://checkout.google.com/files/buyerprivacy.html. To learn more about
the security of your account and personal information, please visit http://checkout.google.com/support/bin/answer.py?answer=29075.

We also understand your concerns regarding your account security. It is difficult to determine the exact nature of your account compromise. Please see below for useful information on safeguarding yourself online.

The rest of the letter reminds us not to fall into phishing scams, etc. Good advice.

But wow. Couldn’t this have started with an email saying, “Looks like someone was messing with your account. We shut it down to investigate.” Seems a little backwards to make Nick sweat for a day and change, only to reveal that someone tried to rip him off, and THAT’S why they shut him down.

Special note: Matt Cutts came by with lots of information once this story broke, and I’m grateful for that. Note to ALL companies: if you don’t have a respected face person like Matt out there, think about it. It does help.

What’s your take? How would you have handled it, if you were Google?

Lastly, I’m going to talk about this a bit more in my next newsletter, so if you’re not already subscribed, hop in!

If you enjoyed this post, please consider leaving a comment or subscribing to the feed to have future articles delivered to your feed reader.

Tagged as: , , ,

ChrisBrogan.com runs on the Thesis Theme for WordPress

Thesis WordPress theme

Thesis is the search engine optimized WordPress theme of choice for serious online publishers. If you’re a blogger who doesn’t understand a lot of PHP, Thesis will give a ton of functionality without having to alter any code. For the advanced, Thesis has incredible customization possibilities via Thesis hooks.

With so many design options, you can use the template over and over and never have it look like the same site. The theme is robust and flexible enough not only to accommodate a site like ChrisBrogan.com, but also to enable the site to run far more efficiently than it ever has before.

  • Good news. I'll draft a follow-up post as well. Thanks Chris.
  • But honestly, they couldn't really send him an email ahead of time to let him know that they were shutting down his Google account immediately because he would never be able to get it!
    lol
    They had no way of getting in touch with him, it looks like. Which service made you put in a backup email address for emergency contact? I can't remember if it was Yahoo or another.
    The reason, I accept, for how hard it is to get in touch with them? I don't. I suppose it is something we are forced to accept with such an enormous company.
  • The problem is that whatever they said to your friend would also be read by the people who compromised the account. There aren't many options for them at that point, but completely shutting down the account will stop the breaches so it *seems* like they did the right thing.
  • Interesting...a couple of years ago, someone hacked my ebay account, then my gmail. Google got back to me in less than 24 hours, restored my account with very little information (I had my college e-mail address listed as secondary; secondary e-mail is the easiest means of restoration), and were incredibly kind about it.

    Ebay, on the other hand...Apologized, but refused to restore my account even though they recognized it wasn't my fault. Assholes.
  • Ed
    It only gets worse.

    There is NO reason Google couldn't have shared this information with Nick up front.
    Were they not sure it would reach him, rather
    than someone who attempted the breach?
    Then they should have a better security procedure in place UP Front to contact you in these instances.

    So, THEIR checkout gets hacked, at Nick's risk,
    they can't figure out what happened in an account they administer; "It is difficult to determine the exact nature of your account compromise".
    So the easy thing to do since our checkout failed, is to shut you out of your account, and move on like you never existed?


    I love Google for a lot of reasons.
    Mostly for the world information they've put at our fingertips.
    But customer service like Dell would suck. "...understand you may have questions about actions taken..." Huh?
    May have questions?
    Who is this Microsoft on the phone?

    What would have happened if Chris Brogan didn't intervene,
    and this story make the front page of ZDNet thanks to Michael Krigsman?

    Lastly, yes, we're fortunate there is Matt Cutts.
    But one guy, even as bright, knowledgeable,
    well liked and respectful as Matt, can take process
    the entire point for a country the size of Google.

    Thank You for the space Chris.
    ~Ed
  • It seems to me that Google needs a better way of connecting with the confirmed owner of the account. Have they heard of the telephone? Maybe the old "Your first pet's name?" security question would help ensure that they were talking to Nick, and not some hacker.
  • Thanks for posting an update, Chris. I'm sure that we'll get good feedback in the rest of these comments on ways we could have done better on communicating with Nick, but I'm glad that the reason for temporarily shutting down the account was not a false positive, but to try to protect the account owner.

    It's a difficult problem on how to handle a compromised account. You want to help the account owner without tipping any information to the malicious person who hacked the account.
  • Well, not a few of us have had credit cards refused in the middle of a Christmas shopping trip or vacation, and that never begins with notice, either. So maybe expecting notice at the outset is unrealistic.

    But the response, when Nick asked, of "go away," totally sucks.
  • I'm sure a simple email, before the fact, would have made all the difference in the world.
  • Agree with Jack R. Initially their response was HORRIBLE. I like that they are trying to fix it. But also agree they may not be this hot on communications if such a bug stir hadn't already been created.
  • Seems like a simple change to the form message would have avoided this entire mess. Something like:

    "We've detected fraudulent activity on your Google account. Please call us at 800-xxx-xxx to resolve the issue."

    Maybe Google should do some customer service headhunting over at Zappos.
  • BR
    Most of the suggestions (sending emails, warning people via form messages) fail security 101. If the account is compromised, you are just helping the bad guys by doing this.
  • M Burke
    Typical of Google... act first talk later. When I created an Adwords account and put up some ads, I got this message "your budget has been exceeded", just as a test, I kicked the budget way up and saw same message. The following week (Google had taken the busy holiday weekend off), I finally heard back that my ads had "gone under review", but since there were no reviewers over the weekend...

    I stopped using Adwords and have an advertising company handling the drudgery.
  • "It’s a difficult problem on how to handle a compromised account. You want to help the account owner without tipping any information to the malicious person who hacked the account."

    Difficult only because Google (this case in point) has insufficient policies to recover a "stolen" account. Credit card companies, among other industries, have simple procedures in place to recover a stolen account. Why not Google?

    As an aside, this seems to be a clear argument against EVER using Google Checkout. Why give Google your financial info if it runs the risk of having your email shut down?
  • Alright, they had a way to contact nick, but they chose to just leave his account blocked instead of contacting him?

    Google - do no evil?
    Right!

    I'm slowly stepping down.
  • I for one applaud Google's quick shutdown response. If the individual components of google can't be shutdown individually, then it's at least good that they responded so quickly. Timing is often more important in these situations.

    For example; if I discover a network security problem or a virus on one of our network PCs, I'm liable to pull the network cable before I offer explanations. Delays can jeopardise the rest of the network.
  • Hi doug and werwer, in this case I wish we had done more to contact Nick proactively. There are people at Google who are thinking about how to improve this type of situation in the future.

    But in many cases, people don't give us secondary email addresses or phone numbers where we can contact them. In fact, many people view that as a strength--other companies such as Yahoo and Microsoft ask for much more personal information to set up an account then Google does.
  • Matt, thanks for the quick response. I agree with Chris, you do Google a great service here and elsewhere.

    However, I was surprised to read this comment:

    But in many cases, people don’t give us secondary email addresses or phone numbers where we can contact them. In fact, many people view that as a strength–other companies such as Yahoo and Microsoft ask for much more personal information to set up an account then Google does.

    You need to use your own products! ;)

    The problem in this case arose with a transaction in Google Checkout. And guess what's required when you sign up for Google Checkout...an address and phone number. Heck, it even does a ZIP code check against the city entered (I just tried entering dummy data).

    It would appear that this whole brouhaha was completely avoidable since Google actually did have contact information for Nick Saber, no?
  • Ray
    Never would have happened if Google had Verify by Visa as part of their Google Checkout. It's there to combat fraud and a lot of other places use it.....
  • Beau
    as someone who has worked in internet security before, Google did exactly what they should have done

    They assumed their customer's information was compromised and that in turn their system was compromised. They have to assume any contact with the account on their system would be intercepted or received directly by whomever had compromised the account.
    They would not want to give up any information on how or when they discovered the problem/intrusion so as not to allow the people who had done so to learn anything about their detection abilities.
    They would assume (and in this case rightly so) that the real user would immediately contact their customer support to find out why they could not access their account.
    After some verification and explaining, the user would gain the re-use of their account, or in extreme cases told that the account would be closed while an investigation occurs.
    This has nothign to do with Google owning the account, it has everythign to do with you signing up for their service, allowing them to control the management, administration, and security of your use and information.
    If you wished to handle your own accounts, you should get your own server with it's own security and administrative software to handle emails, document storage, and whatever else you currently use Google for...
  • metacritic
    Why does an e-mail account need to be locked if a credit card number was compromised?

    I had my gmail account locked, and I recieved the first e-mail. I kept asking what caused it but never heard back from Google. I've archived all of my e-mail messages and use SMTP to access gmail now. If I can't use it in the future, I'll just use my own domain instead. I've never had a problem with Yahoo mail like this.
  • Kristian
    "But wow. Couldn’t this have started with an email saying, “Looks like someone was messing with your account. We shut it down to investigate.”"

    Well - if they were gonna shut down his account, how could he have read that mail? ;)
  • Daniel
    I realize that this is a very rare incident for Google Accounts considering the huge number of times everything works brilliantly throughout each day.

    But this does indeed get at the heart of the criticism over giving Google so much of your data and resources, and frankly I'm hugely disappointed by the way this incident played out as described.

    Others have noted that the response was appropriate since the various services cannot be unbundled on Google's end -- but why can't they be? I have had my bank account freeze if there is suspicious activity (usually it is just me spending too much at once), but why should this also suspend access to my e-mail (for me, my daily business and personal communication), my documents (I do store all of my docs and photos on Google's servers and haven't always had a recent backup), web history, reader, notebook/bookmarks, etc.? I use all of these services daily.

    I too am a total Google fanboy and promote their services as the best out there precisely because they are all free. The test of this is not the magical way that everything "just works" every minute of every day -- I take this feat of engineering genius entirely for granted. The test is when something does not work: how is it handled, and how am I assured that my all-too-blind trust in handing over so much to this one entity is thoroughly justified?

    Criticize the poor choice made as a consumer on my part, fine, but this is what Google is "selling" and this is what I'm buying: you can trust us with your most important stuff; we work our brilliant magic so you don't have to worry.

    This is not Google "doing evil," (I wish people would stop jumping to that charge whenever they possibly can), and nothing is failsafe 100%, but hopefully Google will have learned about 10 really important lessons from this one tiny incident. Frankly, I'm feeling silly for not taking more precautions with my data.
  • Joy
    Well, I think that the employees of Google are just using an answering machine to reply Nick until they received his bunches of mails.
  • Most of you miss the real point. Google's inital response is not really a problem. Any vendor will from time to time disable an account, etc. What really matters is how they follow it up when you contact them to resolve it.

    As one poster pointed out previously, they had a problem with both gmail and ebay. The gmail problem was fixed within a day and the ebay problem was never fixed. Have you ever tried to resolve a problem with PayPal. They just don't care. I applaud Google for it's quick response in this case.
  • Just scored this error: "We're sorry but your Gmail account is currently experiencing errors. You won't be able to use your account while these errors last, but don't worry, your account data and messages are safe. Our engineers are working to resolve this issue."

    Normally I'd think, oh, just a glitch, but after reading all about Nick I just feel a horrific panic. Seems to only be Gmail and not anything else, but oh my, if all that's lost...

    Cross your fingers for me!
  • Fred
    Hi,
    I have a friend (Barbara )who recently had the same problem..
    Account got deactivated "due to security beach " !!
    Ok but there are important bits of information in there like for flights booked and account inforamtion for other services. !!
    So surly there has to be a way for google to assist someone in migrating to a new account at least..
    Its not far off being told you dont exist and you need to get born again.
    With all the services they have piled up on the heap of the google experience, people live large parts of their lives through google.
    Barbara works for a charity. She puts in an incredible amount of personal time and manages that time with google calendar. She spent 3 days not knowing what was going on with her email let alone her work.
    Google were about as helpful as they were for Nick. Generic emails almost from an auto reply bot.
    The info for a round the world trip is still locked away in the old account !! If you get any joy Nick.. I would really like to know so Barbara can have some hope too.


    All the best,

    Fred.
  • Scott
    If you trashed the original verification number, is there a way to get it or request another?
  • Vanessa
    I have a solution. It's called Wordpress or get your own domain. I used Blogger.com off and on since 2003. I was locked out today from Google accounts and that means all services. All I did was delete 2 blogs under another username. The blog I was locked out of was under a Google account and over a year old. I know the problem is not me because I had access until late this morning.

    They sent me through the mill today and mangled my account via their own instructions. I contacted them and they sent me some of the dumbest solutions and they did not work. It's worse now. I'm done. I'm going over to Wordpress. They can have it and do what they like with it. I'm sorry to have to join the chorus of exiting bloggers from Blogger.com but it's not worth the bother any longer.

    A long time user of Blogger.com
    moving on...
  • Good luck with Wordpress.

    I started a Wordpress account a couple of months ago to see what all the fuss is about. It's nothing compared to blogger. Hardly any functionality at all and minimal support for google apps.

    Those Wordpress people don't know what they're missing.
  • Vanessa
    I prefer Blogger.com. The press about Wordpress is overrated. I had a blog there before and you're right it is severely limited and functionality is rigid and controlled. But since the migration to Google Blogger has lost their distinction. It's just apps and development for Google. Publishers no longer matter. Blogger was the best hosted blog platform on the Web. It is sad to see what is happening to it, bloated but no real innovation.

    Google has one goal, global control of information. In the process they have become--evil.

    I still have all my posts because I sent them to my email program. Google is intimidating the entire Internet community. I have had to re-think putting all my eggs in one basket--on the Internet. It would be wise for small businesses to stay vitally linked offline as far as making profits are concerned. One click, an error, a virus etc. can ruin small businesses online.

    I came to this site through search and think the original title was on.

    Has anyone thought of how much revenue has gone back to Google as a result of bloggers losing their sites leaving Adsense earnings behind? I didn't until today. I'm done. I have a savior and it ain't google. My income is not dependent on the Internet. God help those who are.
  • "Google has one goal, global control of information. In the process they have become–evil. "

    That's a very narrow view of the future of computing.

    In fact, if you look at what's happening;
    IBM have finally gotten their act together and stopped trying to change Notes/Domino into Workplace. Instead, they've started moving the Lotus platform to Eclipse and Web 2.0 integration - essentially creating a collaborative cloud computing capable platform which enables corporations to start plugging their own systems into its service orientated architecture.

    Google have done the same with the integration of their various technologies. Google Gadgets is a miniature version of SOA.

    Microsoft has been trying to develop their cloud computing plaform for years but Windows Live has remained ..well, dead. It remains to be seen whether their latest - as yet unnamed attempt will succeed.

    Google only looks like it's bent on world domination because it's collaborative cloud computing platform is the most mature available to the general public. In fact, it's IBM who is leading the way in the corporate world with some very mature technology.
  • Vanessa
    "That’s a very narrow view of the future of computing."

    Perhaps. But I would look at where a thing is headed, as to not be blinded by what it's doing along the way. Where is computing headed and why?

    Progress, research, development and innovation are good things when they truly have the end goal of serving people. The average person on the street could care less about that process or the technology that comes out of it.

    In the final analysis we are always like the proverbial frog in the lab jar, unaware it is being boiled to death until it's too late.

    Computing is the first and only innovation to force feed the entire world into a machine. No other invention in the history of mankind has ever required an entire society to depend on it for their very existence.

    Society has always had choices and fought to maintain that freedom. When you remove choices, what's left? The computer age has left people with no choices. In less than a decade the entire world of business and every household in the world will be dependent on computers, but a 16 year old kid can create a virus, crash an entire business network and they can't even catch it before it does.

    It is not about why and what...exclusively. "Where" is an appropriate question. Where is it headed and what will the average non-technical person (most of us) do in such an age?

    "Google only looks like it’s bent on world domination because it’s collaborative cloud computing platform is the most mature available to the general public. In fact, it’s IBM who is..."

    If it looks like a duck...
  • Bruce
    You get what you pay for.
  • Exactly, free service/software means less/no support.
  • Chris K
    This has happened to me EXACTLY the same. Google checkout compromised, my Gmail account instantly closed. I thought that the hacker had compromised both the checkout and Gmail accounts, until I found out how to contact google checkout about this...that in itself is laborious to say the least. So, I am currently waiting for my Gmail to be activated, my Banks Fraud team to investigate as to why this happened from Checkout...and finally..once its sorted..they can stick their Checkout where the sun dont shine!!
blog comments powered by Disqus

Previous post:

Next post: