We've slashed account hijackings by 99.7% - Google Google appears to be making strides in the war against account hijacking. The ads, search and webmail giant recently announced that it had reduced takeovers by 99.7 per cent since introducing tighter security procedures. Improved spam filtering meant spammers switched to more aggressive account takeover tactics over the last …
I'm curious, what makes you think that "the majority of successful hijacks are probably pulled off by shady state-sponsored types" rather than spammers? Because you hear more about it in the news?
According to my research, only rich people get married and have children. You never hear of these things happening to poor people in the news.
Good on Google for pushing things forward.
When you hear of some of the horror stories it's amazing that other major providers don't even offer two-factor auth on their email products.
Yes, the intermittent requirement to authenticate via app or phone call is irritating, especially when you have multiple devices that are in a constant state of flux, but the alternative is far more troublesome.
The main problem is the classic 'explain it to your dear old mum' quandary. How can I express the benefits of the likes of one-time passwords and two-factor auth to her in a meaningful way that allows her to
a) take the benefits on board, and
b) see that they outweigh the inconvenience
And that is before expecting that she'll actually be able to navigate what is, for most people, quite a convoluted process to get it all set up, plus the ongoing maintenance.
I've used the Google Authenticator for a couple of years now with various accounts (not all Google) and while it is a bit of a pain to set up on multiple devices, I'm happy with the solution. I have one of my phones with me nearly all the time, so there is no need for an extra token like the one I have for work access.
Biometrics on the other hand is something I remain deeply suspicious of - what happens when my 'password' is stolen and gets onto the internet? I haven't got an unlimited supply of fingers or irises etc that I can use as a replacement.
I've never really bought into this two-factor authentication fad. Sure on a physical admittance system where you have to provide a voice key to one system and a passcode to an independent system you've significantly increased security. And maybe for the log in to a physical computer (although direct access to the PC is a whole other level of potential compromise). But on the other end of the ether stream it's still all just 1s and 0s so you can equally call it two sequential passwords. Unless they mean something like: you try to log in and we send a text to your phone from a different system and you don't get in until we get the reply from your phone.
You don't have to provide Google with a phone number, doing so simply provides one method of enabling two-factor authentication and one method of regaining access to your account in the case of lost credentials. The former can be done via the Authenticator Android app (verified by a single-use activation code) and the latter via another e-mail account or single-use login codes.
Too right, Google are no angels and I doubt they really give a stuff about our privacy, but for the vast majority of people who use the net for significant aspects of their life an e-mail account is almost certainly the most important attack vector for the bad guys to pinch your identity and your money.
It's all very well to take a privacy holier than thou (or worse a lazy "it's a pain to use all the time") attitude but balancing minor privacy and inconvenience issues against your life being in the hands of some anonymous criminal is a no-brainer and that's how we should be educating lay users.
No reason to doubt. The Great Schmidt declared publicly that we HAVE no privacy, and get over it. So he certainly couldn't care less.
There is no doubt. This is not about privacy (at least not ours, Schmidt's privacy - and that of the Google Board - is something else entirely), this is about CYA and staying away from Facebook-level headlines.
They were so crap that with a few basic precautions they managed to stop almost all of the hijacking that they were allowing to get through.
Crap analogy time - it's like the bank saying they have now started locking the doors at night and much less of your money gets nicked.
HSBC-CA uses a very 'secure' system: DoB and Mother's surname. If you forget them, simply look up your genealogy on a certain massive web site and give them a call.
And the last 10-digits of your plastic is all that is required to open up InterNet banking - the cards, of course, contain the full account name just to make it that much easier to hack the accounts.
but it also got harder for me, as a user, to log into my account (using 2-factor authentification). Particularly annoying is the application specific password, graciously handed to me with the statement "No need to memorize this password. You should need to enter it only once." Turns out you need it about once a month, depending on what it is used for.
Most annoying, I need the stupid code for my phone whenever I go roaming (i.e., travel to another country) ... so the phone leaves me the very moment when I need it most and have no other devices on me. I HATE them with a passion for that one!
Google Sekurity botnoids need to crack open a copy of 'The Art of War'.
After the first 15 minutes of attempted sign-ins, they should let the hacker into a honeypot if for no other reason than to waste his/her time. The honeypot system would be designed to consume hours and hours of human lifespan while subtly accomplishing nothing whatsoever. Only after a day or two (in the ideal case) should the hacker eventually figure out that he or she has been had.
To all those who signed up for gmail because it was cool, stop. It is safer to use a different ISP. Google has huge databases on all with accounts. I am doing my best to keep as much of my info from them as possible. One day, the Chinese government will have it or, maybe, my own government. None of their business!
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
