Google appears to be making strides in the war against account hijacking. The ads, search and webmail giant recently announced that it had reduced takeovers by 99.7 per cent since introducing tighter security procedures. Improved spam filtering meant spammers switched to more aggressive account takeover tactics over the last two …
Chain of emails
My missus had about 4 email accounts, each with the other as the 'reset password' email account.
I knew the password to one of them, one she seldom used. Using this, I could've taken control over her entire digital life. Scary.
(For the record, no I didn't!)
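The failure mode described above (every mailbox naming another as its reset address) can be checked mechanically. This is an added example, not code from the thread or from any provider: the addresses and recovery links are constructed to mirror the set-up in the comment, and the function follows the links in reverse to find what an attacker holding one mailbox can take over.

```python
"""Reachability over 'reset password' links between mailboxes.

Added example, not part of the original comment. The four addresses and
their recovery links below are constructed to mirror the set-up described
above: each mailbox names another as its reset-password address, forming
a loop. RECOVERY_CHAIN is the same set-up with the loop broken.
"""
from collections import deque

# Constructed sample: account -> address that receives its reset e-mails.
RECOVERY_LOOP = {
    "main@example.com":     "work@example.com",
    "work@example.com":     "shopping@example.com",
    "shopping@example.com": "old@example.com",
    "old@example.com":      "main@example.com",   # the seldom-used one closes the loop
}

# Same chain, but the last mailbox has no e-mail recovery at all.
RECOVERY_CHAIN = {
    "main@example.com":     "work@example.com",
    "work@example.com":     "shopping@example.com",
    "shopping@example.com": "old@example.com",
}


def takeover_set(compromised, recovery):
    """Return every account an attacker can reach from `compromised`.

    Holding mailbox X lets the attacker reset any account whose recovery
    address is X, so the search follows the links in reverse:
    X -> {accounts whose recovery address is X}.
    """
    resets_land_in = {}
    for acct, recov in recovery.items():
        resets_land_in.setdefault(recov, set()).add(acct)

    seen = {compromised}
    todo = deque([compromised])
    while todo:
        cur = todo.popleft()
        for victim in resets_land_in.get(cur, ()):
            if victim not in seen:
                seen.add(victim)
                todo.append(victim)
    return seen


def has_recovery_loop(recovery):
    """True if following recovery addresses from some account returns to it."""
    for start in recovery:
        cur, hops = start, 0
        while cur in recovery and hops < len(recovery):
            cur = recovery[cur]
            hops += 1
            if cur == start:
                return True
    return False


if __name__ == "__main__":
    for name, graph in (("loop", RECOVERY_LOOP), ("chain", RECOVERY_CHAIN)):
        hit = takeover_set("main@example.com", graph)
        print(f"{name}: loop={has_recovery_loop(graph)}; "
              f"compromising main@ reaches {sorted(hit)}")
```

With the loop, any one mailbox is enough to reach all four; with the loop broken, only the root of the chain (here old@, the one with no e-mail recovery) is worth that much, so that is the account to protect with something other than another mailbox.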
It's a Y axis
I'm curious, what makes you think that "the majority of successful hijacks are probably pulled off by shady state-sponsored types" rather than spammers? Because you hear more about it in the news?
According to my research, only rich people get married and have children. You never hear of these things happening to poor people in the news.
Good on Google for pushing things forward.
When you hear of some of the horror stories it's amazing that other major providers don't even offer two-factor auth on their email products.
Yes, the intermittent requirement to authenticate via app or phone call is irritating, especially when you have multiple devices that are in a constant state of flux, but the alternative is far more troublesome.
The main problem is the classic 'explain it to your dear old mum' quandary. How can I express the benefits of the likes of one-time passwords and two-factor auth to her in a meaningful way that allows her to
a) take the benefits on board, and
b) see that they outweigh the inconvenience
And that is before expecting that she'll actually be able to navigate what is, for most people, quite a convoluted process to get it all set up, plus the ongoing maintenance.
Two factor good - biometrics bad...
I've used the Google Authenticator for a couple of years now with various accounts (not all Google) and while it is a bit of a pain to set up on multiple devices, I'm happy with the solution. I have one of my phones with me nearly all the time, so there is no need for an extra token like the one I have for work access.
Biometrics on the other hand is something I remain deeply suspicious of - what happens when my 'password' is stolen and gets onto the internet? I haven't got an unlimited supply of fingers or irises etc that I can use as a replacement.
Re: Two factor good - biometrics bad...
I've never really bought into this two-factor authentication fad. Sure on a physical admittance system where you have to provide a voice key to one system and a passcode to an independent system you've significantly increased security. And maybe for the log in to a physical computer (although direct access to the PC is a whole other level of potential compromise). But on the other end of the ether stream it's still all just 1s and 0s so you can equally call it two sequential passwords. Unless they mean something like: you try to log in and we send a text to your phone from a different system and you don't get in until we get the reply from your phone.
Is very good, but gets VERY annoying VERY quickly if you access your google stuff from various places.
Still it's good that Google offer me the option. I turned it off after a while, it's much easier to use a very secure password that's not used anywhere else.
That includes obfuscation in the set of best practices for deploying Android applications, does it?
The main problem with the proposed security "defense" is that it works mostly against mass-targeting attacks, not against prolific ones, and against the former a strong password is all you need.
Re: Same google
Security through Obscurity is fine as an additional measure. It's just a problem if you're relying on it as your only defence.
The idea of providing Google with your phone number is not very appealing.
Re: Phone numbers
You don't have to provide Google with a phone number, doing so simply provides one method of enabling two-factor authentication and one method of regaining access to your account in the case of lost credentials. The former can be done via the Authenticator Android app (verified by a single-use activation code) and the latter via another e-mail account or single-use login codes.
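What the Authenticator app actually computes, and how single-use codes can be stored, as an added example (not Google's code and not from the thread): the first part is the standard RFC 6238 TOTP algorithm (HMAC-SHA1, 30-second steps, 6 digits) that authenticator apps derive from the shared secret enrolled at setup; the BackupCodes class is an assumed design for the single-use login codes, in which the codes are shown once, only their hashes are kept, and each is consumed on use.

```python
"""TOTP as computed by authenticator apps, plus single-use backup codes.

Added example, not Google's code. totp()/verify_totp() implement RFC 6238
(HMAC-SHA1, 30-second steps, 6 digits). BackupCodes is an assumed design
for single-use recovery codes: issued once in plaintext, stored as hashes,
each accepted at most once.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP_SECS = 30


def totp(secret_b32, at_time, digits=6):
    """RFC 6238 code for the time step containing `at_time` (Unix seconds)."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(at_time) // STEP_SECS
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    word = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{word % 10 ** digits:0{digits}d}"


def verify_totp(secret_b32, code, at_time=None, drift_steps=1):
    """Constant-time check of `code` against the current step and its
    neighbours; `drift_steps` tolerates phone/server clock skew."""
    now = time.time() if at_time is None else at_time
    return any(
        hmac.compare_digest(totp(secret_b32, now + k * STEP_SECS), code)
        for k in range(-drift_steps, drift_steps + 1)
    )


class BackupCodes:
    """Single-use login codes for when the phone is unavailable (assumed design)."""

    def __init__(self, count=10):
        self._plaintext = [f"{secrets.randbelow(10 ** 8):08d}" for _ in range(count)]
        self._unused = {self._digest(c) for c in self._plaintext}

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self):
        """Return the codes once, for the user to print; then forget them."""
        codes, self._plaintext = self._plaintext, []
        return codes

    def redeem(self, code):
        """Accept a code at most once."""
        h = self._digest(code)
        if h in self._unused:
            self._unused.discard(h)
            return True
        return False


if __name__ == "__main__":
    # RFC 6238 test secret "12345678901234567890" in base32.
    demo_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print("code now:", totp(demo_secret, time.time()))
    bc = BackupCodes(3)
    printed = bc.issue()
    print("backup codes:", printed, "first redeem:", bc.redeem(printed[0]),
          "second redeem:", bc.redeem(printed[0]))
```

Note that the server never needs the phone number for either path: it holds the same secret the app holds, and the backup codes are just hashes in a table.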
Too right, Google are no angels and I doubt they really give a stuff about our privacy, but for the vast majority of people who use the net for significant aspects of their life an e-mail account is almost certainly the most important attack vector for the bad guys to pinch your identity and your money.
It's all very well to take a privacy holier than thou (or worse a lazy "it's a pain to use all the time") attitude but balancing minor privacy and inconvenience issues against your life being in the hands of some anonymous criminal is a no-brainer and that's how we should be educating lay users.
Re: " I doubt they really give a stuff about our privacy"
No reason to doubt. The Great Schmidt declared publicly that we HAVE no privacy, and get over it. So he certainly couldn't care less.
There is no doubt. This is not about privacy (at least not ours, Schmidt's privacy - and that of the Google Board - is something else entirely), this is about CYA and staying away from Facebook-level headlines.
I've had more and more trouble logging in to Google services over time. Now, when using mobile, more often than not I'm locked out of my email. It's a good thing I've recently had a free weekend to set up a personal email server.
And you would trust these people?
They were so crap that with a few basic precautions they managed to stop almost all of the hijacking that they were allowing to get through.
Crap analogy time - it's like the bank saying they have now started locking the doors at night and much less of your money gets nicked.
99.7% seems to be a suspiciously high number, I wouldn't give a second glance to an ~80% number, but 99+% seems to have an air of "well we can't say 100%, let's knock a bit off..."
Not to worry though, it's 99.7% of a number nobody knows.
In the best of worlds, it means that they have cut down attacks that they can detect by 99.7%. Those they cannot detect . . .
Business as usual then.
Perhaps they should patent it and sell it to HSBC-CA
HSBC-CA uses a very 'secure' system: DoB and Mother's surname. If you forget them, simply look up your genealogy on a certain massive web site and give them a call.
And the last 10 digits of your plastic is all that is required to open up Internet banking - the cards, of course, contain the full account name just to make it that much easier to hack the accounts.
100 per second
Presumably if you can detect that a "gang attempted sign-ins at a rate of more than 100 accounts per second", you can throttle the attempts to one per 10 seconds, and/or at least stick in a non-graphical CAPTCHA, something that requires some human input.
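The throttle-then-CAPTCHA policy proposed above, as an added example (not Google's system and not from the thread): attempts are counted per source address over a sliding window, and once the count crosses a soft limit the request is marked for a human check, and past a hard limit it is throttled outright. The log format, addresses and thresholds are constructed for the example and scaled down from the "100 accounts per second" figure; a real deployment would tune them and key on more than the source IP.

```python
"""Sliding-window throttle for sign-in attempts per source address.

Added example, not Google's system. It implements the policy the comment
proposes: count attempts per source over a short window; past a soft
limit demand a (non-graphical) CAPTCHA, past a hard limit throttle.
The log format, addresses and thresholds are constructed for this example.
"""
import re
from collections import defaultdict, deque

WINDOW_SECS = 1.0      # assumed window
SOFT_LIMIT = 5         # attempts per window before a CAPTCHA is demanded
HARD_LIMIT = 10        # attempts per window before requests are throttled

LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<src>\S+)\s+login\s+(?P<user>\S+)\s+(?P<result>ok|fail)$"
)

# Constructed sample: one source tries 12 different accounts within 0.6 s;
# a legitimate user mistypes twice over ten seconds.
SAMPLE_LOG = """\
1000.00 203.0.113.7 login user01@example.com fail
1000.05 203.0.113.7 login user02@example.com fail
1000.10 203.0.113.7 login user03@example.com fail
1000.15 203.0.113.7 login user04@example.com fail
1000.20 203.0.113.7 login user05@example.com fail
1000.25 203.0.113.7 login user06@example.com fail
1000.30 203.0.113.7 login user07@example.com fail
1000.35 203.0.113.7 login user08@example.com fail
1000.40 203.0.113.7 login user09@example.com fail
1000.45 203.0.113.7 login user10@example.com fail
1000.50 203.0.113.7 login user11@example.com fail
1000.55 203.0.113.7 login user12@example.com ok
1001.00 198.51.100.4 login alice@example.com fail
1005.00 198.51.100.4 login alice@example.com fail
1009.00 198.51.100.4 login alice@example.com ok
"""


class SlidingWindowCounter:
    """Per-key count of events in the trailing `window` seconds."""

    def __init__(self, window):
        self.window = window
        self._events = defaultdict(deque)

    def add(self, key, ts):
        q = self._events[key]
        while q and q[0] <= ts - self.window:   # drop expired timestamps
            q.popleft()
        q.append(ts)
        return len(q)


def decide(attempts_in_window):
    """Map a per-source attempt count to an action."""
    if attempts_in_window <= SOFT_LIMIT:
        return "allow"
    if attempts_in_window <= HARD_LIMIT:
        return "captcha"     # non-graphical CAPTCHA or similar human check
    return "throttle"        # reject now; client must back off


def process_log(text, window=WINDOW_SECS):
    """Return (src, user, decision) per parsed line, in log order."""
    counter = SlidingWindowCounter(window)
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        n = counter.add(m["src"], float(m["ts"]))
        out.append((m["src"], m["user"], decide(n)))
    return out


def decisions_for(results, src):
    """Decisions taken for one source address, in order."""
    return [d for s, _, d in results if s == src]


if __name__ == "__main__":
    results = process_log(SAMPLE_LOG)
    for src in ("203.0.113.7", "198.51.100.4"):
        print(src, decisions_for(results, src))
```

Attempts are still counted while throttled, so a source that keeps hammering stays throttled until it actually backs off; the legitimate user's three spaced-out attempts never leave the "allow" band.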
harder for the gangsters...
but it also got harder for me, as a user, to log into my account (using 2-factor authentication). Particularly annoying is the application specific password, graciously handed to me with the statement "No need to memorize this password. You should need to enter it only once." Turns out you need it about once a month, depending on what it is used for.
Most annoying, I need the stupid code for my phone whenever I go roaming (i.e., travel to another country) ... so the phone leaves me the very moment when I need it most and have no other devices on me. I HATE them with a passion for that one!
"...attempted sign-ins at a rate of more than 100 accounts per second."
Google Sekurity botnoids need to crack open a copy of 'The Art of War'.
After the first 15 minutes of attempted sign-ins, they should let the hacker into a honeypot if for no other reason than to waste his/her time. The honeypot system would be designed to consume hours and hours of human lifespan while subtly accomplishing nothing whatsoever. Only after a day or two (in the ideal case) should the hacker eventually figure out that he or she has been had.
Yeah, that's great.
Now I only need to worry about getting my account hijacked by Google itself. They randomly decide I'm up to no good and lock me out.
Why use Gmail anyway?
To all those who signed up for gmail because it was cool, stop. It is safer to use a different ISP. Google has huge databases on all with accounts. I am doing my best to keep as much of my info from them as possible. One day, the Chinese government will have it or, maybe, my own government. None of their business!
2 is indeed larger than 1
Because 2 is larger than 1, the two-step verification should help increase security. For the same reason the two-step verification is more inconvenient, possibly discouraging the users from signing out.