What you need to do to prevent your Google account from being stolen

Google has published the study "How effective is basic account hygiene in preventing account theft" on what an account owner can do to keep the account from being hijacked by intruders. We present our translation of this study below.
True, the most effective method used by Google itself was not included in the report. I had to write about this method myself at the end.

Every day we protect users from hundreds of thousands of account hijacking attempts. Most attacks come from automated bots with access to third-party password-cracking systems, but phishing and targeted attacks also occur. We have previously described how just five simple steps, such as adding a phone number, can help keep you safe, and now we want to prove it in practice.

A phishing attack is an attempt to deceive the user into voluntarily handing the attacker information that is useful for the break-in, for example by copying the interface of a legitimate application.

Attacks using automated bots are mass hacking attempts not aimed at specific users. They are usually carried out with open-source software and are accessible even to untrained "crackers". The attackers know nothing about the characteristics of particular users; they simply run the program and "catch" every poorly protected account within reach.

Targeted attacks are break-ins of specific accounts, in which additional information is gathered about each account and its owner, attempts to intercept and analyse traffic are possible, and more sophisticated hacking tools may be used.

(Translator's note)

We teamed up with researchers from New York University and the University of California to find out how effective basic account hygiene is in preventing account hijacking.

Our annual study of large-scale and targeted attacks was presented on Wednesday at The Web Conference, a meeting of experts, politicians and users.
Our research shows that simply adding a phone number to your Google account can block up to 100% of automated bot attacks, 99% of bulk phishing attacks, and 66% of targeted attacks that occurred during our investigation.

Google's automatic proactive protection against account hijacking

We implement automatic proactive protection to better protect all of our users from account hacking. Here's how it works: if we detect a suspicious sign-in attempt (for example, from a new location or device), we'll ask for more proof that it's really you. This verification could be making sure you have access to a trusted phone, or answering a question that only you know the correct answer to.

If you're signed in to your phone or provided your phone number in your account settings, we can provide the same level of protection as two-step verification. We found that an SMS code sent to a recovery phone number helped block 100% of automated bots, 96% of bulk phishing attacks, and 76% of targeted attacks. And device confirmation requests, a more secure replacement for SMS, helped prevent 100% of automated bots, 99% of mass phishing attacks, and 90% of targeted attacks.

Protection based on both device ownership and knowledge of certain facts helps to counter automated bots, while protection based on device ownership helps prevent phishing and even targeted attacks.

If you don't have a phone number set up on your account, we may fall back to weaker security measures based on what we know about you, such as where you last signed in. This works well against bots, but the level of protection against phishing can drop to 10%, and there is practically no protection against targeted attacks. This is because phishing pages and targeted attackers can trick you into revealing any additional information that Google may request for verification.

Given the benefits of such security, one might ask why we don't require it for every login. The answer is that it would create additional friction for users (especially for less experienced ones; translator's note) and would increase the risk of users being locked out of their accounts. During the experiment, it turned out that 38% of users did not have access to their phone when signing in to the account. Another 34% of users were unable to remember their secondary email address.

If you've lost access to your phone or can't sign in, you can always go back to the trusted device you previously signed in on to access your account.
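The sign-in flow described in the preceding paragraphs (suspicious sign-in signals, the strongest challenge the account can answer, a knowledge-based fallback when no phone is set up, and recovery through a previously trusted device) can be sketched as a small policy model. This is an added example, not Google's code or anything from the original article; the signal names, challenge names, the ranking of challenges and the sample accounts are assumptions made for illustration.

```python
# Added example (not Google's code): a toy model of the risk-based step-up
# verification described in the article. Signal names, challenge names and
# the challenge ranking are assumptions made for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Challenges a site might offer, strongest first. The ordering follows the
# figures quoted in the article (device prompt > SMS code > knowledge-based);
# "security_key" is placed on top following the translator's closing note.
CHALLENGE_ORDER = ["security_key", "device_prompt", "sms_code", "last_signin_location"]

# Possession-based challenges need something the attacker does not hold.
# Knowledge-based ones can be answered by anyone the victim tells, which is
# why the article reports them offering little protection against phishing.
POSSESSION_BASED = {"security_key", "device_prompt", "sms_code"}


@dataclass
class Account:
    trusted_devices: Set[str]             # devices previously signed in from
    usual_countries: Set[str]             # locations seen on earlier sign-ins
    has_security_key: bool = False
    signed_in_phone: bool = False         # enables a device prompt
    recovery_phone: Optional[str] = None  # enables an SMS code


@dataclass
class SignInAttempt:
    device_id: str
    country: str
    password_ok: bool


def risk_signals(acct: Account, attempt: SignInAttempt) -> List[str]:
    """Return the 'suspicious sign-in' indicators the article mentions."""
    signals = []
    if attempt.device_id not in acct.trusted_devices:
        signals.append("new_device")
    if attempt.country not in acct.usual_countries:
        signals.append("new_location")
    return signals


def available_challenges(acct: Account) -> Set[str]:
    """Challenges this account can actually answer."""
    avail = {"last_signin_location"}  # knowledge-based fallback is always possible
    if acct.has_security_key:
        avail.add("security_key")
    if acct.signed_in_phone:
        avail.add("device_prompt")
    if acct.recovery_phone:
        avail.add("sms_code")
    return avail


def decide(acct: Account, attempt: SignInAttempt) -> Dict[str, object]:
    """Allow, deny, or pick the strongest challenge the account supports."""
    if not attempt.password_ok:
        return {"action": "deny", "challenge": None, "signals": []}
    signals = risk_signals(acct, attempt)
    if not signals:
        return {"action": "allow", "challenge": None, "signals": []}
    avail = available_challenges(acct)
    chosen = next(c for c in CHALLENGE_ORDER if c in avail)
    return {
        "action": "challenge",
        "challenge": chosen,
        "possession_based": chosen in POSSESSION_BASED,
        "signals": signals,
    }


def recover_with_trusted_device(acct: Account, device_id: str) -> bool:
    """The article's fallback when the phone is unavailable: a device the
    owner previously signed in on can still get them back in."""
    return device_id in acct.trusted_devices


if __name__ == "__main__":
    # Constructed sample account: one trusted laptop, usual country DE,
    # recovery phone set up, no signed-in phone and no security key.
    owner = Account(trusted_devices={"laptop-1"}, usual_countries={"DE"},
                    recovery_phone="+49-000-0000")
    print(decide(owner, SignInAttempt("laptop-1", "DE", True)))    # allow
    print(decide(owner, SignInAttempt("unknown-pc", "BR", True)))  # sms_code
```

The model makes the article's trade-off visible: an account with no phone on file can only be offered the knowledge-based fallback, which is exactly the challenge that phishing pages relay with ease, while any possession-based option takes precedence as soon as it is available.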

Understanding hack-for-hire attacks

While automated defenses block most bots and phishing attacks, targeted attacks are becoming more damaging. As part of our ongoing monitoring of hacking threats, we keep identifying new "hack-for-hire" criminal groups that charge an average of $750 USD per hacked account. These attackers often rely on phishing emails that impersonate family members, colleagues, government officials, or even Google. If the target does not give in to the first phishing attempt, follow-up attacks continue for more than a month.

An example of a man-in-the-middle phishing attack that checks the validity of the password in real time. The phishing page then prompts the victim to enter the SMS authentication code, giving the attacker access to the victim's account.

We estimate that only one in a million users is at such high risk. Attackers don't target random people. While our studies show that automatic protection can help delay and even prevent up to 66% of the targeted attacks we examined, we still recommend that high-risk users enrol in our additional protection program. As noted during our investigation, users who exclusively use security keys (that is, two-step authentication using codes sent to users; translator's note) were victims of spear phishing.

Take some time to secure your account

You wear a seat belt to protect your life and health when travelling by car. In the same way, our five tips can help you secure your account.

As our research shows, one of the easiest things you can do to protect your Google account is to set up a phone number. For high-risk users such as journalists, community activists, business leaders and political campaign teams, our Advanced Protection Program helps ensure the highest level of security. You can also protect your non-Google accounts from password breaches by installing the Chrome Password Checkup extension.

Interestingly, Google itself does not follow the advice it gives its users. Google uses hardware tokens for two-factor authentication for over 85 of its employees. According to representatives of the corporation, not a single account theft has been recorded since hardware tokens were introduced. Compare this with the numbers presented in the report. It follows that hardware tokens for two-factor authentication are the only reliable way to protect both accounts and information (and in some cases money as well).

Google protects its accounts with tokens built to the FIDO U2F standard (for example, tokens such as these), and uses cryptographic tokens for two-factor authentication on Windows, Linux and macOS.

(Translator's note)
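The difference between the man-in-the-middle phishing page pictured earlier (which relays an SMS code) and the FIDO U2F tokens the translator's note recommends comes down to origin binding: a code typed by the user carries no information about where it was typed, whereas a security key signs the origin the browser is actually on. The following added example, which is not code from the article, from Google or from the FIDO project, shows both flows side by side; the origins are constructed, and HMAC stands in for the ECDSA signature a real U2F key produces.

```python
# Added example (not Google's or FIDO's code): why a relayed SMS code passes
# verification while a relayed security-key assertion does not. Origins are
# constructed; HMAC stands in for the ECDSA signature of real FIDO U2F, but,
# as in U2F, the browser's origin is part of the signed data.
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://accounts.example.com"          # constructed legitimate site
PHISH_ORIGIN = "https://accounts.example-login.com"   # constructed lookalike


# ---- SMS one-time code: nothing binds the code to where it was typed ----
def issue_sms_code() -> str:
    return f"{secrets.randbelow(10**6):06d}"


def verify_sms_code(issued: str, submitted: str) -> bool:
    return hmac.compare_digest(issued, submitted)


def sms_code_survives_relay() -> bool:
    """The victim types the code into the lookalike page; it is forwarded
    unchanged to the real site, which cannot tell the two pages apart."""
    code = issue_sms_code()
    typed_into_lookalike = code
    forwarded_to_real_site = typed_into_lookalike
    return verify_sms_code(code, forwarded_to_real_site)


# ---- U2F-style assertion: the browser's origin is under the signature ----
class Authenticator:
    """Toy security key. Real U2F uses a per-site ECDSA key pair; a shared
    HMAC key keeps this example free of third-party dependencies."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)

    def registration_key(self) -> bytes:
        return self._key  # stored by the site at registration time

    def sign(self, origin: str, challenge: bytes) -> bytes:
        # The browser, not the user, supplies the origin of the page that
        # requested the assertion, so a lookalike page cannot claim to be
        # the real one.
        client_data = hashlib.sha256(origin.encode() + b"|" + challenge).digest()
        return hmac.new(self._key, client_data, hashlib.sha256).digest()


def verify_assertion(registered_key: bytes, expected_origin: str,
                     challenge: bytes, signature: bytes) -> bool:
    """The real site recomputes the signature over ITS origin and rejects
    anything signed for another one."""
    client_data = hashlib.sha256(expected_origin.encode() + b"|" + challenge).digest()
    expected = hmac.new(registered_key, client_data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def assertion_from(page_origin: str) -> bool:
    """Run one sign-in with the browser on `page_origin`. The real site's
    challenge reaches the key either directly or forwarded by the lookalike."""
    key = Authenticator()
    stored = key.registration_key()
    challenge = secrets.token_bytes(32)  # issued by the real site
    signature = key.sign(page_origin, challenge)
    return verify_assertion(stored, REAL_ORIGIN, challenge, signature)


if __name__ == "__main__":
    print("SMS code accepted after relay:  ", sms_code_survives_relay())  # True
    print("Key assertion from real site:   ", assertion_from(REAL_ORIGIN))  # True
    print("Key assertion from lookalike:   ", assertion_from(PHISH_ORIGIN))  # False
```

The relayed challenge itself is not the problem; the real site's challenge is fresh and random in both flows. What defeats the relay is that the key never signs the challenge alone, so an assertion obtained on the lookalike origin is simply invalid at the real one, and the user has nothing they could type across to make it valid.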

Source: habr.com