Feeds

We've slashed account hijackings by 99.7% - Google

120-variable security checks + 2-factor auth = zapped interwebs pond scum

Choosing a cloud hosting partner with confidence

Google appears to be making strides in the war against account hijacking. The ads, search and webmail giant recently announced that it had reduced takeovers by 99.7 per cent since introducing tighter security procedures.

Improved spam filtering meant spammers switched to more aggressive account takeover tactics over the last two or three years or so. This meant 419ers and others tried to hijack email accounts before sending fraudulent messages to potential marks, usually the friends and contacts of an account hijacking victim. Using auto-generated newbie accounts no longer works because messages from these accounts were routinely blocked.

Email account hijacks often follow either phishing campaigns or database leaks from insecure websites. Because many people make the mistake of re-using the same password across different accounts, stolen passwords from one site are often valid across many others. This is what made password database breaches involving the Sony PlayStation Network, Gawker, LinkedIn, eHarmony and Last.fm and many more over the last two or three years such bad news.

Using leaked passwords, sometimes purchased in bulk from underground cybercrime forums, the pond scum of the internet then launch various attempts to break into accounts across the web and across many different services.

"We’ve seen a single attacker using stolen passwords to attempt to break into a million different Google accounts every single day, for weeks at a time," Mike Hearn, a Google security engineer explains in a blog post. "A different gang attempted sign-ins at a rate of more than 100 accounts per second. Other services are often more vulnerable to this type of attack, but when someone tries to log into your Google Account, our security system does more than just check that a password is correct."

Google has introduced a variety of security checks, based on risk analysis and 120 variables, to determine if a sign-in is suspicious or at least worthy of being challenged. Risk factors include attempts to sign-in from a new country, among many others. Users are challenged to supply a phone number associated with an account, or the answer to a pre-agreed security question before they are allowed access to Google accounts.

"These questions are normally hard for a hijacker to solve, but are easy for the real owner," Hearn reports. "Using security measures like these, we've dramatically reduced the number of compromised accounts by 99.7 per cent since the peak of these hijacking attempts in 2011."

This is a massive win for internet hygiene and privacy but it's worth remembering that no one knows the number of account hijacks to begin with - the Y axis of Google's graph is blank - and a gigantic reduction in the number is still scant consolation to anyone's whose account has been hijacked. Also, the majority of successful hijacks are probably pulled off by shady state-sponsored types looking to break into the email accounts of journalists, human rights activists or business executives rather than ordinary spammers, 419 fraudsters or other ne'er-do-wells.

Google's commendable efforts are certainly no reason for complacency. Users can play a role in protecting their own Google accounts by making sure they use a strong (hard-to-guess) password that they avoid reusing on other sites.

Upgrading accounts to use two-step verification, by associating accounts with a mobile phone number, as well as updating account recovery options to include a secondary email address, also help to make Google accounts more secure - and easier to recover if anything goes wrong. ®

Beginner's guide to SSL certificates

More from The Register

next story
NASTY SSL 3.0 vuln to be revealed soon – sources (Update: It's POODLE)
So nasty no one's even whispering until patch is out
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
US government fines Intel's Wind River over crypto exports
New emphasis on encryption as a weapon?
To Russia With Love: Snowden's pole-dancer girlfriend is living with him in Moscow
While the NSA is tapping your PC, he's tapping ... nevermind
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
Slap for SnapChat web app in SNAP mishap: '200,000' snaps sapped
This is what happens if you hand your username and password to a 3rd-party
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.