How Google Fights Password Thieves

Kate Conger, today at 11:35

Google and researchers at the University of California, Berkeley, teamed up to study how Google accounts become compromised, shedding light on how the company finds new ways to fight back.

“The lifecycle of hijacking begins with password theft,” Google security engineer Grzegorz Milka said at the Enigma cybersecurity conference in Santa Clara, California, on Wednesday.

Hackers use several techniques to gather passwords, including scraping them from data breaches or collecting them with keyloggers, malware, and phishing schemes, Milka explained. In research conducted between May 2016 and May 2017, the company found 67 million valid Google account credentials on black markets. Google estimates that about 17 percent of its users re-use their passwords across accounts, leaving their accounts vulnerable if these passwords are exposed during a data breach at another company.

“With millions of stolen passwords out there, just accepting the password as is is risky at best,” Milka said. Ideally, users would enable two-factor authentication on their accounts to protect themselves against password theft. But not enough users choose to do so—Google estimates that less than 10 percent of its active users have two-factor authentication enabled. (Although that number is scarily low, it’s worth remembering that 10 percent of Google’s userbase still represents millions of people.)

Without the protection of two-factor authentication, Google needs to dive deeper into users’ email account data in order to secure their accounts.

At one point or another, you’ve probably received an email from Google warning that your account had been accessed from a new location, but hackers have caught on and will attempt to harvest an IP address or location data to spoof a natural-looking login from a place you frequent, Milka explained. Researchers found that 83 percent of the phishing kits aimed to steal not only credentials but location data as well.

Some phishing kits also attempted to harvest phone numbers—another data point that Google sometimes uses to help authenticate a login. Capturing phone numbers can be useful for hackers, even if a user has two-factor authentication enabled. In some targeted cases, hackers have convinced phone companies to transfer a victim’s number to a new SIM, allowing them to intercept two-factor authentication texts.

Google also looks at account activity for signs of malicious behavior. Attackers usually follow a common pattern, Milka said. They’ll often delete emails from Google alerting the user to a suspicious login, search the account for sensitive information such as nude photos or financial information, export the contacts for use in future scams, set up inbox filters to hide future warnings about the hack, and send more phishing messages from the user’s account before logging out. None of those actions are typical for most users, Milka said, and can help Google realize that an account takeover is underway.
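The post-login pattern Milka describes can be expressed as a simple per-session signal count. The following is an added example, not Google's detection system or code from the talk; the event format, alert marker, search terms, and thresholds are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample audit events (session_id, action, detail); not a real log format.
EVENTS = [
    ("s1", "login", "known-device"),
    ("s1", "search", "invoice march"),
    ("s1", "send", "recipients=1"),
    ("s2", "login", "usual-location"),  # location alone can look normal
    ("s2", "delete", "subject=Security alert: new sign-in"),
    ("s2", "search", "bank statement"),
    ("s2", "export_contacts", ""),
    ("s2", "create_filter", "match=Security alert action=delete"),
    ("s2", "send", "recipients=180"),
]

ALERT_MARK = "security alert"  # assumed marker of provider warning mails
SENSITIVE_TERMS = ("bank", "password", "passport", "tax")  # assumed terms
BULK_RECIPIENTS = 50  # assumed threshold for mass mailing
FLAG_AT = 3           # assumed: distinct signals needed to flag a session

def signal_for(action, detail):
    """Map one event to a hijack-pattern signal name, or None."""
    d = detail.lower()
    if action == "delete" and ALERT_MARK in d:
        return "deleted_alert"
    if action == "search" and any(t in d for t in SENSITIVE_TERMS):
        return "sensitive_search"
    if action == "export_contacts":
        return "contact_export"
    if action == "create_filter" and ALERT_MARK in d:
        return "alert_hiding_filter"
    if action == "send" and d.startswith("recipients="):
        n = d.split("=", 1)[1]
        if n.isdigit() and int(n) >= BULK_RECIPIENTS:
            return "bulk_send"
    return None

def score_sessions(events):
    """Return {session_id: sorted list of distinct signals seen}."""
    seen = defaultdict(set)
    for sid, action, detail in events:
        seen[sid]  # register the session even if it raises no signal
        sig = signal_for(action, detail)
        if sig:
            seen[sid].add(sig)
    return {sid: sorted(s) for sid, s in seen.items()}

def flagged(events):
    """Sessions whose distinct-signal count reaches the flag threshold."""
    return [s for s, sigs in score_sessions(events).items() if len(sigs) >= FLAG_AT]
```

Counting distinct signals rather than raw events keeps one noisy action, such as a single sensitive search, from flagging an ordinary session.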

Google will sometimes present login challenges to users who don’t enable two-factor authentication, asking them to provide a backup email or phone number in order to verify that they’re the real owner of the account. The company also uses tools like Safe Browsing to warn users about phishing links and offers an Advanced Protection Program for at-risk users to lock down their accounts.

“The question is, why wouldn’t we make two-factor authentication mandatory?” Milka asked. “The answer is usability. In the end, we want people to use their accounts. How many people would we drive out of using Google accounts if we force them to use additional security?”
