Member Article

$3,500,000 Anyone?

As an avid Google Calendar user and (almost) paranoid information security adherent, I was dismayed to learn that someone had deposited $3,500,000 in my bank account.

Dismayed? Well, the message said the money had been deposited, confirmed by the notification from my Google Calendar messaging system, and because my Google account is locked down with mobile phone dual verification, which means that even when I want to get in for legitimate purposes, I have to enter a newly generated passcode from Google each time, I was concerned.

You expect spam in your emails, even with the best of spam checkers and trappers, but I thought that my GCal was fairly secure.

I have Google Calendar configured so that it works with my online ‘To Do’ System, which I use daily to schedule my events and then remind me to do them. Reminders come in the form of text messages to my mobile and the system works really well. The little ‘ching’ I get on my iPhone at predetermined times before I am supposed to either leave for an appointment or carry out some task works perfectly for me.

The little ‘ching’ I got to tell me that I had $3,500,000 in the bank set off all kinds of alarm bells – had my Google account been hacked, giving the hacker access to my Google account?

A second reminder from Google Calendar for me to collect the money from an ATM did nothing to allay my fears.

Back in the office, I set to work investigating the ‘hack attack’, but eventually found a remarkably odd feature in Google Calendar that allows anyone to add event reminders to your Google Calendar without your permission.

To see how it works, try this yourself:

1. Create a new event in Google Calendar.
2. Invite another Google Calendar user to that event by typing the user’s email in the guest list.
3. Your ‘event’ will automatically show in that user’s Calendar, and if, like me, they are set up to receive text reminders, your message will show on their phone – and also in their email account.

This is exactly the methodology that spammers are now using to populate your Calendar with false alerts or events. Because they have obtained your Google email address, they can spam you at will through Google by posing as the host of an event. With Google Hangouts growing in popularity, this problem will only get worse.

However, there is a really simple way to stop this at source.

Go to your Google Calendar settings and, in the ‘General’ section, find the option headed ‘Automatically add invitations to my calendars’. Select the setting ‘No, only show invitations to which I have responded’.

That’s it!

Pity about the $3,500,000 though.
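To check a calendar for entries that arrived this way, the added example below (not part of the original article) lists events organised by someone else to which you have never responded. It assumes you have a calendar export in iCalendar (.ics, RFC 5545) form; the sample data, addresses and function names are constructed for illustration.

```python
import re

# Constructed sample export (not real data): one unanswered invite, one accepted.
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR", "VERSION:2.0", "BEGIN:VEVENT",
    'ORGANIZER;CN="Prize: Desk":mailto:promo@example.net',
    "ATTENDEE;CN=Me;PARTSTAT=NEEDS-ACTION:mailto:me@example.com",
    "SUMMARY:Collect your money from", "  an ATM",  # second item is a folded line
    "END:VEVENT", "BEGIN:VEVENT",
    "ORGANIZER:mailto:colleague@example.com",
    "ATTENDEE;PARTSTAT=ACCEPTED:MAILTO:Me@Example.com",
    "SUMMARY:Project review", "END:VEVENT", "END:VCALENDAR", ""])

# Property name, optional ;param=value pairs (values may be quoted), ":" and value
LINE = re.compile(r'^([^;:]+)((?:;[^=;:]+=(?:"[^"]*"|[^;:]*))*):(.*)$')
PARAM = re.compile(r';([^=;:]+)=("[^"]*"|[^;:]*)')

def address(value):
    # Calendar addresses are usually "mailto:" URIs; compare them case-insensitively
    return re.sub(r"^mailto:", "", value.strip(), flags=re.I).lower()

def parse_events(ics_text):
    # RFC 5545 folding: a line break followed by space/tab continues the line
    lines = re.sub(r"\r?\n[ \t]", "", ics_text).splitlines()
    events, cur = [], None
    for m in filter(None, map(LINE.match, lines)):
        name, value = m.group(1).upper(), m.group(3)
        if (name, value) == ("BEGIN", "VEVENT"):
            cur = {"organizer": None, "summary": "", "attendees": {}}
        elif cur is None:
            continue  # property outside any VEVENT
        elif (name, value) == ("END", "VEVENT"):
            events.append(cur)
            cur = None
        elif name == "ORGANIZER":
            cur["organizer"] = address(value)
        elif name == "ATTENDEE":
            params = {k.upper(): v.strip('"') for k, v in PARAM.findall(m.group(2))}
            # RFC 5545: PARTSTAT defaults to NEEDS-ACTION when the parameter is absent
            cur["attendees"][address(value)] = params.get("PARTSTAT", "NEEDS-ACTION").upper()
        elif name == "SUMMARY":
            cur["summary"] = value
    return events

def unanswered_invites(ics_text, my_address):
    # Events someone else organised, where my own reply is still outstanding
    me = my_address.lower()
    return [e for e in parse_events(ics_text)
            if e["organizer"] not in (None, me) and e["attendees"].get(me) == "NEEDS-ACTION"]
```

Calling `unanswered_invites(SAMPLE_ICS, "me@example.com")` returns only the ATM event; the accepted meeting is left out.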

This was posted in Bdaily's Members' News section by James McRoy.