Feeds

We've slashed account hijackings by 99.7% - Google

120-variable security checks + 2-factor auth = zapped interwebs pond scum

Top 5 reasons to deploy VMware with Tegile

Google appears to be making strides in the war against account hijacking. The ads, search and webmail giant recently announced that it had reduced takeovers by 99.7 per cent since introducing tighter security procedures.

Improved spam filtering meant spammers switched to more aggressive account takeover tactics over the last two or three years or so. This meant 419ers and others tried to hijack email accounts before sending fraudulent messages to potential marks, usually the friends and contacts of an account hijacking victim. Using auto-generated newbie accounts no longer works because messages from these accounts were routinely blocked.

Email account hijacks often follow either phishing campaigns or database leaks from insecure websites. Because many people make the mistake of re-using the same password across different accounts, stolen passwords from one site are often valid across many others. This is what made password database breaches involving the Sony PlayStation Network, Gawker, LinkedIn, eHarmony and Last.fm and many more over the last two or three years such bad news.

Using leaked passwords, sometimes purchased in bulk from underground cybercrime forums, the pond scum of the internet then launch various attempts to break into accounts across the web and across many different services.

"We’ve seen a single attacker using stolen passwords to attempt to break into a million different Google accounts every single day, for weeks at a time," Mike Hearn, a Google security engineer explains in a blog post. "A different gang attempted sign-ins at a rate of more than 100 accounts per second. Other services are often more vulnerable to this type of attack, but when someone tries to log into your Google Account, our security system does more than just check that a password is correct."

Google has introduced a variety of security checks, based on risk analysis and 120 variables, to determine if a sign-in is suspicious or at least worthy of being challenged. Risk factors include attempts to sign-in from a new country, among many others. Users are challenged to supply a phone number associated with an account, or the answer to a pre-agreed security question before they are allowed access to Google accounts.

"These questions are normally hard for a hijacker to solve, but are easy for the real owner," Hearn reports. "Using security measures like these, we've dramatically reduced the number of compromised accounts by 99.7 per cent since the peak of these hijacking attempts in 2011."

This is a massive win for internet hygiene and privacy but it's worth remembering that no one knows the number of account hijacks to begin with - the Y axis of Google's graph is blank - and a gigantic reduction in the number is still scant consolation to anyone's whose account has been hijacked. Also, the majority of successful hijacks are probably pulled off by shady state-sponsored types looking to break into the email accounts of journalists, human rights activists or business executives rather than ordinary spammers, 419 fraudsters or other ne'er-do-wells.

Google's commendable efforts are certainly no reason for complacency. Users can play a role in protecting their own Google accounts by making sure they use a strong (hard-to-guess) password that they avoid reusing on other sites.

Upgrading accounts to use two-step verification, by associating accounts with a mobile phone number, as well as updating account recovery options to include a secondary email address, also help to make Google accounts more secure - and easier to recover if anything goes wrong. ®

Security for virtualized datacentres

More from The Register

next story
'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
More alleged private, nude celeb pics appear online
Home Depot ignored staff warnings of security fail laundry list
'Just use cash', former security staffer warns friends
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
BitTorrent's peer-to-peer chat app Bleep goes live as public alpha
A good day for privacy as invisble.im also reveals its approach to untraceable chats
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.