Feeds

We've slashed account hijackings by 99.7% - Google

120-variable security checks + 2-factor auth = zapped interwebs pond scum

Intelligent flash storage arrays

Google appears to be making strides in the war against account hijacking. The ads, search and webmail giant recently announced that it had reduced takeovers by 99.7 per cent since introducing tighter security procedures.

Improved spam filtering meant spammers switched to more aggressive account takeover tactics over the last two or three years or so. This meant 419ers and others tried to hijack email accounts before sending fraudulent messages to potential marks, usually the friends and contacts of an account hijacking victim. Using auto-generated newbie accounts no longer works because messages from these accounts were routinely blocked.

Email account hijacks often follow either phishing campaigns or database leaks from insecure websites. Because many people make the mistake of re-using the same password across different accounts, stolen passwords from one site are often valid across many others. This is what made password database breaches involving the Sony PlayStation Network, Gawker, LinkedIn, eHarmony and Last.fm and many more over the last two or three years such bad news.

Using leaked passwords, sometimes purchased in bulk from underground cybercrime forums, the pond scum of the internet then launch various attempts to break into accounts across the web and across many different services.

"We’ve seen a single attacker using stolen passwords to attempt to break into a million different Google accounts every single day, for weeks at a time," Mike Hearn, a Google security engineer explains in a blog post. "A different gang attempted sign-ins at a rate of more than 100 accounts per second. Other services are often more vulnerable to this type of attack, but when someone tries to log into your Google Account, our security system does more than just check that a password is correct."

Google has introduced a variety of security checks, based on risk analysis and 120 variables, to determine if a sign-in is suspicious or at least worthy of being challenged. Risk factors include attempts to sign-in from a new country, among many others. Users are challenged to supply a phone number associated with an account, or the answer to a pre-agreed security question before they are allowed access to Google accounts.

"These questions are normally hard for a hijacker to solve, but are easy for the real owner," Hearn reports. "Using security measures like these, we've dramatically reduced the number of compromised accounts by 99.7 per cent since the peak of these hijacking attempts in 2011."

This is a massive win for internet hygiene and privacy but it's worth remembering that no one knows the number of account hijacks to begin with - the Y axis of Google's graph is blank - and a gigantic reduction in the number is still scant consolation to anyone's whose account has been hijacked. Also, the majority of successful hijacks are probably pulled off by shady state-sponsored types looking to break into the email accounts of journalists, human rights activists or business executives rather than ordinary spammers, 419 fraudsters or other ne'er-do-wells.

Google's commendable efforts are certainly no reason for complacency. Users can play a role in protecting their own Google accounts by making sure they use a strong (hard-to-guess) password that they avoid reusing on other sites.

Upgrading accounts to use two-step verification, by associating accounts with a mobile phone number, as well as updating account recovery options to include a secondary email address, also help to make Google accounts more secure - and easier to recover if anything goes wrong. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
BlackEnergy crimeware coursing through US control systems
US CERT says three flavours of control kit are under attack
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.
Mitigating web security risk with SSL certificates
Web-based systems are essential tools for running business processes and delivering services to customers.