Google Password

Started by Chris, August 19, 2011, 09:13:05 AM

Chris

Hello. I was set on buying Ooma when I saw Obi on Amazon. I was happy to learn that Obi has a great forum and customer support. I'm trying to learn about it before I take the plunge.

I'm a little bit paranoid about security and I even set up my Google accounts for 2-step verification. I know I can create an application-specific password for Obi but I'm not sure how much access this will give someone to my Google accounts.

My questions are:

1. Should I be concerned about giving another party access to my Google accounts? I know Obi is probably trustworthy. But still...

2. Should I just create a separate Gmail/Google Voice account just for Obi? What are the disadvantages of creating a separate account?


Thanks for your help!

infin8loop

Hi Chris,

I am paranoid about security also.  I had a Google account that I opened a few years ago to take advantage of a Google Checkout offer of a $10 rebate.  I needed a printer cartridge and that's the only thing I'd ever bought on it.  The first thing I did was go in and remove the linked credit card in Google Checkout. Then I set up Google 2-step verification and generated an application password for my Obi110/GoogleVoice.  I didn't have a Gmail account either, so I set one up and signed up for GoogleVoice.  The Google documentation that I've seen didn't really go into a lot of detail about what the application password allows and doesn't allow. The application password cannot be used to log in to Google through the regular front door (html web pages).  I haven't looked at the Google API, so gawd (and probably a lot of 12 year old hackers) only knows what it exposes you to (if anything).  For now, not having a credit card linked works for me since I'm not making any international long distance calls on GV that cost money.  If I do re-link a credit card it will be a "virtual credit card number" that only Google should be able to use.  Many credit card companies offer these virtual numbers (Discover, CitiBank).  If and when Google decides to change GoogleVoice to a paid model then I suspect we'll all need to have a payment method linked to our Google accounts in order to pay for the service.  I'm not porting my AT&T landline (using the port to cell phone method first) to GoogleVoice until I see what the service is going to actually cost in the future.  When I bought my Obi110 a few months ago, I hoped that I'd be able to get rid of one of the two AT&T landlines I have by now. But due to lack of spousal acceptance, I still have both of them and an Obi110 that just makes my life complete.  One day soon I hope to pull the trigger and just port the landline number to voip.ms and be done with one AT&T landline.
I'm sure that will go as well as at least two space shuttle missions that come to mind. The Pop Tart heat shields will likely fall off the Obi and it will burn up in re-entry. So, I think the biggest risk on a Google account is the attached payment method. Unless you are in the habit of emailing nekkid pictures like some congressmen and athletes.  I see no particularly good reason to have two Google accounts for security reasons.  I'm open to be convinced otherwise.
"This has not only been fun, it's been a major expense." - Gallagher

Chris

infin8loop, thanks for your comments. I wish I could find more information about what someone can do with a Google application specific password.

My main concern about someone gaining access to my Gmail is many banks and financial institutions let you change your password by e-mailing you a new password. And many banks use your e-mail as your username. So if someone had your username and then used your e-mail access to change your password, then they can potentially have access to your bank accounts.


infin8loop

Chris,

I'd be surprised (shocked actually) if a financial institution would allow a password reset by just sending an email to the client with a password reset link, temporary password, code-number, or some such without also prompting for some additional personal information that should be known only to the client (other than the password the client can't remember) to further authenticate the client. 

You know those pesky personal security questions like:
1. The name of your first boyfriend or girlfriend or sheep friend?
2. Where did you lose your virginity?  Where did you find it?
3. The name of your First Grade teacher that made you wish you had a car and were old enough to date her?



pc44

Quote from: Chris on August 19, 2011, 09:13:05 AM
1. Should I be concerned about giving another party access to my Google accounts? I know Obi is probably trustworthy. But still...

To my knowledge, if you configure your Obi100 or Obi110 *directly*, Obihai has no access to it.  I'm talking about not using Obihai's online portal and also disabling auto-provisioning.

Could someone please deny/confirm this?

Thanks,
pc44

QBZappy

pc44,

They have been able to upload firmware to my OBi remotely with auto provisioning disabled on my unit and they have mentioned a few times on the forum that they can do diagnostics remotely. They need to know your OBi unit number. They will only do so after you send them an email requesting their help.
Owner of the 1st OBi110/100 units in service in Canada & South America. 1st OBi202 on my street. 1st OBi1032 in Montreal.

QBZappy

pc44,

I think there is a way to opt out. Undocumented for that purpose, you can just disable the
Voice Services->OBiTALK Service->OBiTALK Service Settings->Enable = uncheck both check marks

By doing that say goodbye to the OBitalk portal configuration abilities. This will remove a very important subset of abilities that OBi has by design.

Chris

I did read from an Amazon review that one user believed that by configuring the Obi directly (and not through the web portal), he was keeping his information to himself. It now seems that Obihai can also access that information. Thanks for this info.

I'm sure the folks at Obihai take steps to secure user information but I'm starting to lean towards using another Gmail account for my Google voice.

I really hate having to use a second account but I think I would sleep better at night if I did.

earthtoobi

what I like about the obitalk voice service is that, in countries where skype/google voice/VOIP SIP (callcentric etc) are restricted by ISPs, obitalk voice can easily navigate its way (till it gets popular enough to be on the radar of ISPs).
obihai advertises obitalk voice as something that is immune to any NAT issues and by extension more reliable.

earthtoobi

I don't think anyone has articulated the reason to secure obi:
1. think we need to articulate where the user does not have control, the absence of which could be detrimental. if we are paranoid, we could add firewall rules on the router to block connections to the device from amazon cloud (or allow only from hostnames with domain names as your service provider).
2. it's a given that it's wise to use a non personal gmail account.
3. remote operation of Obi does not mean that there is a backdoor to devices on the LAN, to be freaked out about.
4. call logging/history purging/data collection needs to be explained as a policy and then discussed specifically towards privacy concerns.
5. wrt hacking etc, am sure the communication between Obi and the cloud is secure. hope they have taken care of Man-in-the-middle attacks.
6. are we concerned that the self destruct switch would be turned on from the cloud  :)

in general, isn't the above applicable for an iPhone, iPad or any internet connected device?