Help Few security questions for android/gmail

[Onceuponinthewest]

I bought galaxy edge phone. Althou i've always used android before, i never bothered investibg in sexurity. Since now i have to manage important information, here are few question and pardon me if those questions were already asked.
1. Is it possible someone to bruteforce my gmail, facebook (and other famous social network platforms)? I hqve differentlong passwords on each, containing mixtute of numbers words and big and small letters. The passowrds are randomly chosen and are not linked neither to me or to any logic.
2. If someone manages to log to my gmail, will gmail send me email someone new logged in? I do not log from anywhere else apart from my phone. Also is there a number of wrong passwords someone can force, will gmail like the account or send some warning message?
3. Shall i set two factor security? Everyone i asked advises me not to.
4. If someone somehow manage to log into my gmail, can he install apps without me notice it? I understand that remote install is possible, but will i get notified that something is being installed, or it can happen without even a trace. Alao can malwares be i talled that way? Will i see the apl installed on ny menu.
This is it for now, thanks in advance.

 

[El Presidente]

If you're worried about security, absolutely setup 2 factor authentication, why did people tell you not to?

Anyway, to answer your questions.

1. This is always a risk. If you're worried, different, long passwords is the way to go. As is 2 factor authentication.

2. I believe so, when my Gmail password was bruteforced, I was sent an email and a text message. My wife was sent an email (as she's registered as a backup account). Note, they didn't manage to access my account as I had 2 factor security enabled.

3. I think you know my answer to this one already! 2 factor isn't going to be 100% hack proof , but the risk of having your accounts accessed by a 3rd Party diminishes greatly with this extra level of protection.

4. You'll get a notification that an app's been installed, that's it. From my knowledge, you can only do this with apps available on the Play store. Whether or not they'll be able to take remote control to install malware, I doubt. Unless of course they install a remote access app on your device and install manually from there.

 

[Onceuponinthewest]

Hi El Presidente and thanks for the responce. Now about the 2 factor i was told that the mobile carrier could be compromised. Not to mention that loosing my phone or damaging my sim card may be the end of my account.
About the bruteforce- doesnt gmail have bot proof system? Won't the account get locked if lets say 40- 50 failed attempts are being made? And also- i checked my security showing only one device being loggrd- galaxy edge 7. So if someone else logged and logged out will his device be shown or is there a way he can delete it so i wont notice his entrance.

And about the apps being installed. I mean lets say he installs it in the middle of the night. I usually turn of network when i go to sleep. If he instals something during the night, when i check my phone in the morning i will see some apps are being installed- like notification, right?

 

[mikedt]

Hi El Presidente and thanks for the responce. Now about the 2 factor i was told that the mobile carrier could be compromised. Not to mention that loosing my phone or damaging my sim card may be the end of my account.

If you lose your phone and SIM, should be able to get a replacement from your carrier, with the same phone number, linked to the same accounts. Only time I think that wouldn't be possible, is if it was a pre-paid SIM and you never bothered to register it, i.e. a burner phone. I log into several things, two factor authentication via password and SMS.

About the bruteforce- doesnt gmail have bot proof system? Won't the account get locked if lets say 40- 50 failed attempts are being made? And also- i checked my security showing only one device being loggrd- galaxy edge 7. So if someone else logged and logged out will his device be shown or is there a way he can delete it so i wont notice his entrance.

And about the apps being installed. I mean lets say he installs it in the middle of the night. I usually turn of network when i go to sleep. If he instals something during the night, when i check my phone in the morning i will see some apps are being installed- like notification, right?

Apps shouldn't be installing themselves during the night. Something is seriously wrong if they did. Does anyone else have unlocked unrestricted access to your phone, out of your presence? Is it rooted?

 

[Onceuponinthewest]

Is that so? I thought once you replace your simcard, it becomes like new number, and sms wont be sended to your new card.
About the apps no nothing like that happened. I just wonder how this remote intallations works because i never did it. If hacker or someone acceses my gmail account that i use as google profile on my phone, i just want to know will message or email appear, warning me someone is in so could take action. And if he was in can and installs something remotely, will i see any notice or massege that app was intalled on the device. In other words can my phone get infected if someone logs to my gmail remotely.
And finally, i couldnt get clear answer about failed attempts. Doesnt google lock the account if too many attempts happen. Presidente said his account was bryteforces, are you sure it was bruteforced or somehow your password may have leaked? As i said, all my paasowrds are long mixes of big small letters and few numbers that are illogical and not connected to me by any means. I also change the passwords monthly. I do not use wifi just mobile network, i visit only certain websites and i do not open unknown emails, not to mention attached files. A friend of mine had two factor authentication on all his accounts and his phone was crashed along with his simcard. I remember he never managed to retake some of his accounts. Alsi ive read that the sms that two factor sends can be stolen as well- and also that that if i have phone registered and someone for example from inside the mobile company that owns my numbrer they can actually steal the account easier. Ive read that sms two factor authentication is considered outdated by now. Somethong from the inside tells me not to activate it.

Whcich is way i ask you friends, about how possible bruteforces are and most importantly will i notice that anytging gets installed remotely if someone was in.
Thanks again!

 

[mikedt]

Is that so? I thought once you replace your simcard, it becomes like new number, and sms wont be sended to your new card.

Carrier SIMs are not usually like that, and certainly not if you have a contract with the carrier. Even with pre-paid service, as long as you registered your personal details with the carrier and can prove who you are, the carrier should be able to block the lost or stolen SIM, and issue you a replacement SIM with the exact same phone number, and your incoming SMS go through as usual.

Only couple of times I've had a pre-paid SIM, I never registered and it couldn't be replaced with the same number, was when I bought SIMs from a vending machine at Heathrow Airport, and only intending to use for a few weeks. If lost, those probably couldn't be replaced and still retain the same number.

In China, all SIMs are carrier registered with their subscribers' personal details, and if lost they can be replaced keeping the same numbers.

I use mostly use two factor authentication for my banking. If it was ever locked-out for some reason, like couldn't receive the bank's login SMS or forgot my password, I'd have to go into the bank and deal with a teller, but I shouldn't lose access to my money and any transactions.

 

[Onceuponinthewest]

Possible. I am in bulgaria with contract ofcourse. I knoe it should be like that, but it seems sometimes it doesnt. The friend i am telling you about had her phone destroyed and when they gave the new sim she never recived another sms from her accounts on that number. Probably it was extremly unlucky mistake, but i also see it have happened to other people, ive read on few forums. So as unlucky as i am i just feel something will go wrong. But eventally i may activate it.

 

[mikedt]

I'm familiar with carriers and SIMs in the UK and China, and how these things work here, but Bulgaria I don't know at all. In China the only way to really lose access to a phone number and SMSs, is if I didn't pay and eventually services lapses and number is disconnected permanently, after six months. Buy a SIM here, you must show ID and prove who you are, and carrier retains those details. Which should in theory make it more difficult to have burner phones.

Google can have backup way of getting in, if you can't authenticate by usual methods, like SMS or Google Authenticator. One of them is printing out sheets of one-time-use passwords. But make sure you do it and keep them.

 

[Hadron]

If they didn't update their records so that your friend got her old number back then she should have got onto them and told them to do it. I've replaced SIMs several times (either changing phone or just because the SIM died) and always the number is transferred after a few hours.

If you don't have 2-factor authorisation then it's much easier for someone to hijack your account.

 

[Onceuponinthewest]

She had her old number back, but somehow she couldnt eeciver two factor sms on her new device. Maybe it was somehow linked to her old one. About mobile carries in Bulgsriai am pretty sure they are same in uk, since both are Eu members- although the kingdom will be out soon .
So guys thanks for your advices i will probably to two factor, but still i already used my phone and accounts without it for like a month, what if someone already hacked the accounts? Which is why i get back to my first questions- if the gmail was accessed is there any danger to my phone, i ve never seen any notification or message to warn me. Could any app have been installed alreadywithout i get notified? I search alot but somehow no where in the web i can find about how gmail warns you for suspicious activity?