U2F is the fix for this.
What's happening here is that Google accounts without 2-factor but with a phone recovery path set up are being "account recovered" by a bad guy. It's just plain old phishing.
A 2 factor recovery flow would be 1) verify an email that was sent to your recovery email address that triggers 2) this account recovery code sent to your phone.
While I'd have thought entering your email password would have been red flags galore, my mom and her friends were all exploited by the social trust aspect: "I figured if it was coming from you it would be real."
You should set up a strict DMARC policy (p=reject) to prevent people from spoofing your email address. It appears that you have not[1].
Additionally, you should harden your SPF record: change ~all to -all.
It also was my mom that was phished, not me.
I subsequently set them up with two factor almost everywhere, but I'd give at least even odds they'd fall for this, too. Sigh.
Since the security key works with the browser to ensure it's communicating directly with a specific site, you can't MITM them like you can with mobile-app (TOTP) or SMS-based two-factor codes.
I wish more browsers would add support for them.
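The origin binding the comment above relies on, as an added toy model (not code from the thread or from any U2F implementation): the browser, not the page, stamps the origin it is running on into the client data, the authenticator signs over that client data, and the relying party rejects an assertion whose origin is not its own. The signature is modelled with HMAC over a shared secret purely to keep the example dependency-free (an assumption; real U2F uses an ECDSA key pair and the relying party verifies with the public key), and the browser's separate refusal to sign for an app ID that does not match the page's origin is deliberately left out so the second layer, the signed origin, is what does the work here. Origins are constructed.

```python
import hashlib
import hmac
import json
import secrets


class Authenticator:
    """Toy security key: one per-site secret, stands in for a per-site key pair."""

    def __init__(self):
        self._keys = {}  # app_id -> secret

    def register(self, app_id):
        self._keys[app_id] = secrets.token_bytes(32)
        return self._keys[app_id]  # stands in for the public key given to the RP

    def sign(self, app_id, challenge, origin):
        # The signed client data carries the origin; that is the whole point.
        client_data = json.dumps(
            {"typ": "navigator.id.getAssertion", "challenge": challenge, "origin": origin},
            sort_keys=True,
        ).encode()
        digest = hashlib.sha256(client_data).digest()
        sig = hmac.new(self._keys[app_id], digest, hashlib.sha256).digest()
        return client_data, sig


class RelyingParty:
    def __init__(self, origin):
        self.origin = origin
        self.app_id = origin
        self.key = None
        self.pending = set()  # outstanding challenges

    def register(self, authenticator):
        self.key = authenticator.register(self.app_id)

    def new_challenge(self):
        challenge = secrets.token_urlsafe(32)
        self.pending.add(challenge)
        return challenge

    def verify(self, client_data, sig):
        data = json.loads(client_data)
        if data.get("challenge") not in self.pending:
            return "bad-challenge"
        expected = hmac.new(self.key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return "bad-signature"
        if data.get("origin") != self.origin:
            return "origin-mismatch"  # valid signature, wrong site: a relayed assertion
        self.pending.discard(data["challenge"])
        return "ok"


def browser_sign(authenticator, page_origin, app_id, challenge):
    """The browser supplies the origin of the page that called the API;
    the page cannot choose it."""
    return authenticator.sign(app_id, challenge, page_origin)


def legit_login():
    auth, rp = Authenticator(), RelyingParty("https://accounts.example")
    rp.register(auth)
    challenge = rp.new_challenge()
    client_data, sig = browser_sign(auth, "https://accounts.example", rp.app_id, challenge)
    return rp.verify(client_data, sig)


def relayed_login():
    """A look-alike page relays the real site's challenge to the victim's browser.
    The victim's key signs it, but the browser stamps the look-alike origin in."""
    auth, rp = Authenticator(), RelyingParty("https://accounts.example")
    rp.register(auth)
    challenge = rp.new_challenge()  # fetched from the real site by the relay
    client_data, sig = browser_sign(auth, "https://accounts-example.test", rp.app_id, challenge)
    return rp.verify(client_data, sig)


if __name__ == "__main__":
    print("legit:", legit_login())      # ok
    print("relayed:", relayed_login())  # origin-mismatch
```

A relayed TOTP or SMS code carries no equivalent of the `origin` field, which is why the same relay succeeds against those factors and fails against a security key.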
Even if an attacker gets the phone code, they should still need your password to sign in. How do they get past that?
I'm saying that people cannot send emails to your mother pretending to be you if you were to implement the changes I have suggested.
I didn't say you were phished, I said you were spoofed. Judging by your first comment, your email address being spoofed is how your mother was phished.
Not really, they could just charge people $100 to retrieve a lost password and then do it manually.
I would even make it $100 + Skype and show your passport live on Skype.
Stealing credit cards is cheap, yes, but the additional cost to using such a card on a password reset would still be a deterrent.
If it's come to this, to using "something you have", then we can all go back to using paper password notebooks. They offer the same security, surprisingly.
I would posit that even with this social engineering exploit, Google's two-factor SMS authentication is still more secure than charging people for password recoveries (and thus encouraging password reuse).
Not really, considering there is zero reason for anyone to ever lose a password assuming they are using a password manager. You could even make it free for the first few hours after the account is created or the password is changed in case the user pastes it into their password manager incorrectly.
Oh, so in other words, a tiny fraction of the internet-using public?