Smartphones

Google Voice number forwarding could be a potential liability

Donovan Colbert forgot to disable Google Voice forwarding when his regional number lapsed and was assigned to an underage girl's phone. Find out what happened.

google-voice-forwarding.jpg

I use Google Voice along with other apps on Android (like GrooVe IP) and Windows 8 to leverage the VoIP features that Google offers. One of the most valuable features is how easy Google Voice makes it to give out a single number that can be programmed to forward voice calls to multiple different numbers. This can free you from the need to pay porting charges and allows you to configure your Google Voice number to ring incoming calls to other locations. With many contacts and friends in Sacramento, I keep my Google Voice number so that my friends in California will be sure to reach me, regardless of what phone I currently carry and what area code it is assigned.

My first indication of the potential trouble came when I was reviewing phones for TechRepublic. I'm normally paranoid about demo phones, but in order to review a mobile device accurately, you’ve got to use the way you normally would. This means taking the device with you when you walk out the door. After a very hectic prior day, I woke up and could not find the demo device I was reviewing. I dialed the number in a panic, hoping to hear it ringing. I walked around the rooms listening for it, letting it ring, and was shocked to hear a voice answer. The person on the other end seemed unintelligible and disoriented. Figuring I must have misdialed and woken a complete stranger, I quickly hung up.

Later, I confirmed the number I had dialed was correct. When I realized they matched, it dawned on me that I had called the person who had physical access to the phone.

I called back and the same person answered. This time she was coherent and upset about being called at 4:00 AM. Confused, I explained that I reviewed mobile devices for an online technology blog. I had misplaced a demo device I was trying to track down, and I didn’t understand why dialing that device was ringing her home. Surprised, she said that she was also a technology blogger, but she couldn’t see any other connection. She was still relatively upset about being disturbed.

 It was only later that I realized she must be forwarding her devices through a service like Google Voice to ring to her home. I considered calling her back to explain, but I figured after enough 4:00 AM wakeup calls from other bloggers, she would put it together herself.

Months passed, and the story slipped my mind until recently. A friend sent me a series of texts involving an elaborate prank that culminated with an inappropriate picture. The image never arrived in my inbox though. Instead, I received two delayed and cryptic responses. The first, “Ha ha… hook line and sinker… u can use the joke;” and the second, “note taken… number deleted.”

Figure A

Following up with the sender revealed that after he sent the picture, he received a response never to text to that number again or that I would call the police. The only problem was, I never sent that response. My friend had deleted my contact information and de-friended me on Facebook by the time I responded, certain that he had offended me.

Unfortunately, I was on the road at the time and had limited resources to figure out what was going on. It took me a while to realize that my friend was sending texts to my Google number, and that was what any response was listed as originating from. My texts were going to him, but his texts were going to me and someone else. In addition, when that other person responded, their texts only went to him. Neither the mysterious third party nor I ever saw the other side of the conversation, leading to a very disjointed exchange.

Figure B

Here's what happened. Recently, I activated an old Droid X on an inexpensive pre-paid regional carrier. These carriers have smaller pools of phone numbers and a high turnover rate. When I settled in Arizona, I activated a Droid DNA on Verizon and allowed the regional number to lapse. The number was quickly put back into the available pool, and someone in NE Ohio selected it as their new one. Unfortunately, I had enabled Google Voice number forwarding to make my transient number transparent. Worse, I had forgotten to disable the number when I switched. All of my voicemail, texts, and even phone calls were still ringing through to that old number, which was now the number of an underage girl’s phone. Worse yet, her irate father was threatening to call the police on my friend over a very unfortunate misunderstanding.

As soon as I was back at a PC and could fix the issue, I did. I also sent a very apologetic text to the actual number, explaining the situation and assuring the recipient that the issue was fixed.

I'm troubled that the person on the other end had access to all of my texts, voicemail, and incoming calls and never followed up with senders until offended. It speaks to the basic insecurity of text messaging and why it's really unsuitable for sending sensitive data. I know how to manage these features, and it simply slipped my mind. Google’s ubiquitous services make it easy for BYOD employees to enable solutions like these without notifying IT, so these services are a legitimate threat. Although the experience was embarrassing and unfortunate, I thought it worth sharing to help other IT professionals put this on their radar as a potential liability in keeping their confidential company data secure. 


About

Donovan Colbert has over 16 years of experience in the IT Industry. He's worked in help-desk, enterprise software support, systems administration and engineering, IT management, and is a regular contributor for TechRepublic. Currently, his profession...

30 comments
dwoodeson
dwoodeson

I think this story is made up.  


In addition to the MMS issues already raised, why didn't the issue of the other party taking your calls come up before you called your own number?  It seems like your contacts would have let you know about this at some point.  Unless no one calls you? 


If my calls or texts were being answered by someone else, I'd know within 90 minutes (not that this would or could ever happen to me; GV has a max of six forwarding phones, and they're all very plainly displayed on the setting page when setting up a new forwarding phone).

TreePapa
TreePapa

This sounds like a strong argument for phone number portability. i.e. keep your phone number when you change carriers, and for being VERY careful when using "burner" phones and other transient numbers, such as (apparently) Google Voice. I am sure it is not limited to Goo's services. I don't speak, though, from personal experience. I've never seen any reason to have more phone numbers than I already have (home, cell, office). I have friends who still have their Florida cell numbers even though they've been in Calif. for years. It doesn't cost me any more to call them than it does to call my next door neighbor.

I have the same cell # I've had since I first got a "regular" (not prepaid) cell phone. We have the same home phone # we've had for over 15 years, and if phone number had been as portable 15 years ago as they were today, we'd have the same # for over 20 years. After reading this, I will be even more inclined to hang on to both, or at least to cell number (if I can ever convince my wife to ditch the landline and save the $$).

Also seemingly obvious is informing your friends and associates when a phone number you were using is no longer yours. This seems so obvious it's almost not worth saying, but apparently it is.

rynosaur
rynosaur

It's amazing how much ire this post generated.  I wouldn't say I'm Google's #1 fan, but I have been with commercial Android since the beginning and Google Voice from just about the time it switched from Grand Central, and I can pretty authoritatively state that it is a totally, awesomely convenient (mostly) free service that has the potential to undermine the privacy of anyone who uses it.

I'm not sure that even sets it apart as a class in VoIP/SMS/Telco technologies.  Does anyone really know how to follow the breadcrumbs?  At least a few engineers at Google do, I assume, but is it such a stretch to allow that, like tailgating, no one's very well vetted for security, hygiene, or safety--it's kind of a big egalitarian scrum.  Who owns a phone # if they're free?  Is there any non-repudiation left in this n-th degree digital, non-circuit switched cloud?

I would like to see Google clean it up, standardize it more, maybe set a $$ value on the service, and make sure I'm not trading phone calls with the last 6000 users' forwarding, home, work, office, webkin phone # . . .

dcolbert
dcolbert

I'd like to add that this isn't really Google's fault. I can't see how they can detect a phone number being deactivated and reactivated with a new user or otherwise manage how a verified number on your approved list of forwarded devices handles the data send through your Gvoice #. 

The responsibility is really the end user's to manage these features themselves. But that doesn't negate the risk that this service poses to confidential information for the corporate IT security policy.  

slam5
slam5

I just won't use Google's service beyond iGoogle.  I've a Gmail account and I get email for somebody who has the same name as I do.  And I think their email list probably very close to mine.  My email is like joe.blow@gmail.com.  I recently learn that joeblow@gmail.com and joe.blow@gmail.com is the same email account and hence I get his email!  Imagine if you have sensitive email that only you suppose to read?!!!  Yes, I know email is like a postcard but usually nobody spend the effort to read your email but in this case, there is a person who NEEDS to read the email to sort out their email to yours.  And I don't think there is a way to change that right now in Google's system.  Also, a lot of Google's features are "experimental" and they can discontinue it without any notice.  I've senior friends who got very confused when they change or outright re-design their UI.  Google needs to slow down a bit and think about how their services link together.

naplesjoe
naplesjoe

I for one, am becoming very leery of Google products as several strange things have occurred since I last upgraded phones. Backup and restore for example. I can clean out my unused phone numbers over and over and they always come back. Yes I have disabled all backup programs I know of. Also, Google+ seems to have a mind of it's own. In spite of turning off photo backup numerous times, it just seems to start itself up again. I even attempted to totally delete my Google+ account, and guess what? Two days later I get a message from Google that I have new photo's to view.  I really don't need or want every photo I take backed up to the "Cloud". So, I found myself dusting off the good old SLR and no longer trust the camera on the phone. Some people may have time to putz with their phones endlessly and have become very savvy with the nuances of it, but I don't. I believe Google has gone overboard with trinket software. I wonder how well they test the interaction of each? And, since the NSA fiasco, I simply would not trust Google's, or anybody else's "Cloud" service at all. I can easily  see how Mr. Colbert could have an issue.  

My opinion of a large IT Director trusting this stuff? Well, let me just say he wouldn't work at my large firm.

Joshua Morden
Joshua Morden

I'm not sure how you can forget to disable it. When you go into Google Voice to add your new number, wouldn't you see the old number right there? This seems like more of a newb error to me.

misko9
misko9

How did Google Voice forward an MMS message? I didn't think this was possible.

Nathan Weber
Nathan Weber

Wow, that's rather embarrassing. I myself would never use such a convoluted system as I am well aware of how absentminded I am. Still, Google should be made aware of such a pitfall.

Soni Thompson
Soni Thompson

The blog post isn't about the kid in this pic... it's an iStockPhoto image that I put together with the Google Voice logo. I was hoping that folks would talk about the technology and its vulnerability. Obviously, it's an important discussion to have (before something like this happens at your organization).

Alison Corp
Alison Corp

is this a boy or a girl and is it young or old

Julian White
Julian White

Haha, never xD I just use GVoice for pc comms

dcolbert
dcolbert

@TreePapa All good observations...

One observation:

When I got my first Cell phone on Cellular One, my monthly bill was a minimum of $300 and if I roamed and talked a lot it could triple that cost, just making local calls. 

When I first moved to Ohio, a little more than 6 years ago, nation-wide free long distance required "in network" recipients. 

We forget how much the market has changed, so rapidly.

I've had the same cell phone number since 1991. I hate when I go to dial a friend and I've either got a number that no longer goes to them, or I've got a list of numbers and I'm not sure which one is the current one. "Go through the list and try to remember which one is the right one so you can remove the wrong ones AFTER the conversation is over..."

There are a number of reasons that Google Voice's forwarding makes sense. I have a private domain registered with an e-mail address, and that email address can be forwarded to whatever my current physical e-mail box is. I give it to friends and tell them, "no matter WHERE I go, this e-mail address will always work and always get to me..."  That way, even if Google were to decide to shut down Gmail tomorrow, the people who send e-mail to the other address wouldn't change a thing, and I'd still get the e-mail wherever I decided to open my new account.

So there is value... but there is certainly danger, too.  

dcolbert
dcolbert

@Joshua Morden 

I imagine you don't have as many devices as me or change your devices as often, most likely. 

I expected responses like this. I suppose it doesn't matter if it is a "newb error" or not - the point is your employees who have BYOD devices can easily create this situation, and you may not be aware that it is happening. 

dcolbert
dcolbert

@misko9 Google Voice supports text messaging, and will forward text messages sent to your Google Number to whatever device(s) you configure it for. 

My friend was sending a text to my Google number - which was then redirected to the number associated with my Droid X and to the number associated with my Droid DNA. The problem was that someone else had the number on my Droid X now. 

dcolbert
dcolbert

@Alison Corp It was a girl, I didn't have a long conversation with the father. There is an argument that parents need to carefully monitor their children's digital devices, especially a brand new cell phone number that may have belonged to someone else just weeks earlier. 

dwoodeson
dwoodeson

@dcolbert


You use a private domain for email forwarding in case Google decides "to shut down gmail tomorrow"?  I know that Google has a rep for killing off fringe services, but if you really think they're going to pull the plug on email, then you are in the wrong profession.  

watermii
watermii

@dcolbert @TreePapa 


Two Questions to the author (of the Google Voice Liability piece):


In your demo phone example, which number did you use in trying to locate the phone at 4 a.m.? 


I would like to understand what it is I may need to change to improve security/privacy. Unfortunately, I'm still a bit confused.


Some preliminaries for this first question: I assume the demo phone itself had a number, which is different from the following four (pairwise distinct) numbers: 1. your GV number, 2. the GV number of the other blogger, 3. the home number of said other blogger, and 4. any other number you may own.


My confusion is that I cannot see why the other blogger was able to answer your call on her home phone at all: 


Namely, if you had called the demo phone's number, it appears impossible for that demo phone to have forwarded the call to the other blogger's GV number (which would then forward to her home phone). This other blogger would not have been the owner of the demo phone's service plan; consequently, she could not have set up such forwarding under an account she does not own.


On the other hand, if you had called your own GV number which had been set up to forward to the demo phone, I still do not see how the other blogger's home phone could have been rang, unless somehow you already knew her home phone and added her under your GV forward list.


Could you please clarify? Thank you.


Finally, could you also explain what the following quote meant: "Unfortunately, I had enabled Google Voice number forwarding to make my transient number transparent."


As I understand it, you would have only had "to disable the number when ... (you) switched" to avoid the problems you experienced. 


Thanks again.


remingtonmiller
remingtonmiller

@dcolbert 

actually it does matter, and i'm it doesn't matter how many devices or how often their being switched out. when you state that theres a potential Liability Threat to a company thats a serious deal and i'm sorry to tell you this if worked for me and came to me with this story under the pretense of their being a Liability Threat to the company well 1. i would be upset that i wasted 15 minutes 2. i would no longer take anything you said seriously 3. i would immediately fire you for being that very threat. 4. this would become comic relief for reddit.

remingtonmiller
remingtonmiller

@dcolbert @misko9

How would the underage girls father be offended by a joke with a picture when google voice does not support picture messaging at all?

so if your friend was sending the texts to your google voice number as stated and they were being forwarded along to the physical device that was now assigned the new number from your old carrier how would she receive the picture? 

Considering if you send a MMS or picture text to a google voice number it does not get forwarded along to the device whatsoever, meaning the underage girl would never have received the picture your friend sent ever.

dcolbert
dcolbert

@dreagin Don't worry, I wouldn't provide my services to a company that puts people like Remington Miller in a position to hire and fire. I'm very selective about who I work for. There is no use banging your head against the lack of understanding that Remington has displayed here - I bet his company is a joy to work for. 

I find it strange that someone with such a high level position spends time posting comic relief on Reddit. I've got a feeling we're dealing with a frustrated TAC Agent who dreams of being CIO. ;) 

dreagin
dreagin

You must kidding me? You would fire someone because they communicated something that could prevent your company's information from being potentially being exploited? Any situation that might expose a company's valuable & private information is worth bringing up at any time even if it seems so simple and nonchalant. You forget that employees do the simplest of things they think are OK that then cause a major security breach that will then end up in the news. I would think more wisely on this subject since I've seen these things happen.

GaryTheDude
GaryTheDude

I was going to say that the text alone was probably offensive, but you arrived at that conclusion on your own! Lol. I think I'll pass. As a father of a 13 year old girl myself I can imagine the response. And can you imagine explaining this to someone unfamiliar with the tech? It's confusing to the two of us who use the stuff daily! Anyway the original point of your article is still very valid. Be careful with your forwarding if you use GV.

dcolbert
dcolbert

@GaryTheDude I see the mistake I've made above...

If the picture sends via e-mail, then the recipient has to have access to the email address registered to the number to see the attachment, even on Sprint. 

I'll frankly be relieved if the girl did NOT get the image. The fact would remain that the text content of the messages was forwarded to her phone #, which is bad enough, and justification for the entire post. In any case it there is no question that messages that were not intended for her were arriving at her device, and it is easy for any user with a BYOD solution to make that happen.

I'll give you here number, you can call up and ask to speak to her dad to determine if she only got *messages*, or if she saw the image. ;) 

dcolbert
dcolbert

@GaryTheDude But... I'm going to test for myself. I'll have someone send an MMS to my Google Voice # and directly to my actual phone number and see what happens on a variety of devices including phones, tablets and even Windows 8 and RT while paying specific attention to what shows up where, and report back. 

dcolbert
dcolbert

@GaryTheDude 

You know what.... This actually illustrates ANOTHER problem. 

Because of the way that consolidated inboxes and Google Voice for Android works - I can see how this claim is *possible* and I might not *ever* have noticed. 

Allow me to elaborate. I think the sticking point here is the difference between a *TEXT* and a SMS, no? It also depends on WHERE you are reading your incoming texts from Google Voice. Are you reading them in Google Voice (or in Google Mail) for Android or are you reading them in your consolidated Inbox? Because when I get a text sent to my Google Voice account, it shows up in all 3 places, on EVERY device I've got configured. 

So maybe it is possible that for the last 3 or 4 years people have been sending me ONLY texts to my Google Voice number, and MMS messages to my direct number, and I've just never NOTICED that MMS attachments don't come in over my Verizon phone because every MMS has been sent directly. That would certainly explain why I never saw the image in question. 

But it wouldn't explain why the OTHER party did. As far as I know, Page Plus is a CDMA 3G carrier with a focus on older Verizon phones and so I assume piggybacking off of Verizon's network. If what you say is true, I wish that were the case. I suppose it could be that they're on Sprint's 3G CDMA network, which would explain why the MMS arrived at the girl's number, and also why it did not arrive at mine. 

In either case, I think you've established that it is certainly POSSIBLE for the MMS attachment to arrive via Google Voice at a forwarded number. The claim that it isn't supported is false. The confusion surrounding this clearly makes it a difficult challenge for an IT group to navigate and understand for corporate security, and almost guarantees that the average *user* isn't going to understand. 

So, even if I'm wrong about MMS messages the argument actually strengthens the position I am promoting here. It seems like the position I'm seeing is a RTFM attitude. The fact is that for most IT Directors, Managers, and employees, let alone end users, RTFM is not practical with the breadth and scope of products available today. When IT was responsible for deploying a limited scope of select solutions that were without alternative - it was practical to expect someone in the group to become expert of every nuance of a platform, application or solution and make sure the critical information was disclosed and understood by key stakeholders. At this point, chasing important information buried in product forums to find out the specifics of each app that might show up on a BYOD solution seems like something only a developer would suggest. 

dcolbert
dcolbert

@remingtonmiller @dcolbert @misko9 You're sure of this? 

So you don't really know the features of Google Voice either, huh? I'm in Google Voice on my Nexus 7 right now, reading text SMSs that include MMS attachments - and wondering how much more you can discredit yourself in this thread. 

Editor's Picks