Feeds

We've slashed account hijackings by 99.7% - Google

120-variable security checks + 2-factor auth = zapped interwebs pond scum

Reducing security risks from open source software

Google appears to be making strides in the war against account hijacking. The ads, search and webmail giant recently announced that it had reduced takeovers by 99.7 per cent since introducing tighter security procedures.

Improved spam filtering meant spammers switched to more aggressive account takeover tactics over the last two or three years or so. This meant 419ers and others tried to hijack email accounts before sending fraudulent messages to potential marks, usually the friends and contacts of an account hijacking victim. Using auto-generated newbie accounts no longer works because messages from these accounts were routinely blocked.

Email account hijacks often follow either phishing campaigns or database leaks from insecure websites. Because many people make the mistake of re-using the same password across different accounts, stolen passwords from one site are often valid across many others. This is what made password database breaches involving the Sony PlayStation Network, Gawker, LinkedIn, eHarmony and Last.fm and many more over the last two or three years such bad news.

Using leaked passwords, sometimes purchased in bulk from underground cybercrime forums, the pond scum of the internet then launch various attempts to break into accounts across the web and across many different services.

"We’ve seen a single attacker using stolen passwords to attempt to break into a million different Google accounts every single day, for weeks at a time," Mike Hearn, a Google security engineer explains in a blog post. "A different gang attempted sign-ins at a rate of more than 100 accounts per second. Other services are often more vulnerable to this type of attack, but when someone tries to log into your Google Account, our security system does more than just check that a password is correct."

Google has introduced a variety of security checks, based on risk analysis and 120 variables, to determine if a sign-in is suspicious or at least worthy of being challenged. Risk factors include attempts to sign-in from a new country, among many others. Users are challenged to supply a phone number associated with an account, or the answer to a pre-agreed security question before they are allowed access to Google accounts.

"These questions are normally hard for a hijacker to solve, but are easy for the real owner," Hearn reports. "Using security measures like these, we've dramatically reduced the number of compromised accounts by 99.7 per cent since the peak of these hijacking attempts in 2011."

This is a massive win for internet hygiene and privacy but it's worth remembering that no one knows the number of account hijacks to begin with - the Y axis of Google's graph is blank - and a gigantic reduction in the number is still scant consolation to anyone's whose account has been hijacked. Also, the majority of successful hijacks are probably pulled off by shady state-sponsored types looking to break into the email accounts of journalists, human rights activists or business executives rather than ordinary spammers, 419 fraudsters or other ne'er-do-wells.

Google's commendable efforts are certainly no reason for complacency. Users can play a role in protecting their own Google accounts by making sure they use a strong (hard-to-guess) password that they avoid reusing on other sites.

Upgrading accounts to use two-step verification, by associating accounts with a mobile phone number, as well as updating account recovery options to include a secondary email address, also help to make Google accounts more secure - and easier to recover if anything goes wrong. ®

Mobile application security vulnerability report

More from The Register

next story
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
British data cops: We need greater powers and more money
You want data butt kicking, we need bigger boots - ICO
Crooks fling banking Trojan at Japanese smut site fans
Wait - they're doing online banking with an unpatched Windows PC?
NIST told to grow a pair and kick NSA to the curb
Lrn2crypto, oversight panel tells US govt's algorithm bods
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Mobile application security vulnerability report
The alarming realities regarding the sheer number of applications vulnerable to attack, and the most common and easily addressable vulnerability errors.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.