How did someone hijack your Gmail? Phishing, keylogger or password reuse, we're guessing

Google has teamed up with computer scientists at the University of California, Berkeley, to find out how exactly hijackers take over its users' accounts. The eggheads peered into online black markets where people's login details are bought and sold to get an idea of the root cause of these account takeovers and the subsequent …

  1. Captain Obvious

    REALLY???

    How about the internal theft of accounts while in China - JUST for starters. It is not just the users doing stupid things, it is also Google doing the same by not having proper internal security.

    Hell, here is a link to their own admission of guilt for at least ONE time (I am sure there are many others - especially judging by how well Android is secured).

    http://www.nytimes.com/2011/06/02/technology/02google.html

    1. bombastic bob Silver badge

      Re: REALLY???

      "How about the internal theft of accounts while in China"

      yeah, any "firewalled" nation has the ability to play 'man in the middle' with your SSL and slurp every password and credit card number you type in. Just one 'trusted cert' for China's great firewall and you're b0ned.

      Is it time to have a 'droid app for 'droid that uses a secure tunnel? Would it become 'broken' behind the 'great firewall' if you did that?

      So then we might be forced to set up secure VPN tunnels for EVERYTHING when going overseas to certain countries (even the USA it seems). 'droid has Linux under the hood so all of the necessary guts (to set that up) should already be there...

      1. phuzz Silver badge

        Re: REALLY???

        "Is it time to have a 'droid app for 'droid that uses a secure tunnel?"

        No need for an app, there's a VPN client built in to the OS.

        VPNs are illegal in some countries though, so caveat emptor.

      2. Captain Obvious

        Re: REALLY???

        No one does their research, do they? Read the link. All of you MUST be Google fanbois. In China, Google HAD a presence, i.e. people working for them. They were INTERNAL employees - got that? With INTERNAL access to databases.

        Just like the skeptics site has gotten worse, so has this site. Very disappointed lately in the human race.

  2. GoE

    VPN and Juice

    Well, as if we needed more evidence that everyone needs to use VPNs. I don't think browsers and OSes take fingerprinting seriously enough either. Android practically advertises it.

    1. Mike 16

      Re: VPN

      Hmmm, when I use a VPN, Google sends me yet another "Someone is Using Your Password" 2FA message. Or is that a phish itself? Hard to tell, but the last "legit as far as I can tell" message had a helpful map of just where the miscreant was operating, a mere 180 miles from where the connection actually exited the VPN. Sigh.

      1. Bruce Ordway

        Re: VPN

        I use a PC with a VPN, NoScript and auto-clear my browser cache.

        Google constantly recognizes my device as "different" and presents a series of verification steps.

        I slipped up on a recent trip and ended up being locked out of my account for several hours.

        I have a few backup email accounts but... didn't have those credentials handy on this trip.

        So I'm not currently a big fan of Google's system.

        But don't know what better alternatives there are.

        1. GoE

          Re: VPN

          Google has several subdomains that are required but hidden until other higher-level domains are whitelisted in NoScript. That may be what's causing your issue. I recently had that problem in uMatrix because Youtube has several cookies that aren't accessible unless you whitelist the 2nd-level domain (youtube.com as opposed to https://youtube.com) which then allows any subdomain to load.

          Other than Youtube, I ditched Google long ago. I use Tutanota and Protonmail for email (both end-to-end encrypted unlike GMail and Outlook), and Startpage (which searches Google for you but strips out the tracking) and DuckDuckGo for search. Even on Youtube, if you just create a Youtube account and don't create a channel, it doesn't create an associated Google account.

        2. bombastic bob Silver badge

          Re: VPN

          "But don't know what better alternatives there are."

          A lot of ISPs sell e-mail services. You could purchase one of those. Sometimes they come with fun domain names [which was the selling point]. They'll have POP and IMAP and web-mail and whatever else you need.

          like this one: http://libertea.us/ < -- yes, a 'tea party' site

          [at $40/year I'm now considering that for myself...]

    2. Dr Who

      Re: VPN and Juice

      A VPN won't do anything to solve this particular problem. Phishing, key logging and reuse of passwords from compromised sites will all still work.

      1. GoE

        Re: VPN and Juice

        Pretty sure it'll solve this one.

        "We found 82 per cent of blackhat phishing tools and 74 per cent of keyloggers attempted to collect a user’s IP address and location"

        There's no cure for stupid, but having your IP address collected is hardly the user's fault.

    3. bombastic bob Silver badge

      Re: VPN and Juice

      "I don't think browsers and OS's take fingerprinting seriously enough"

      A simple server-side access log stores your IP address. Beyond that, browser information is nearly always sent, information that identifies your OS and browser make/model. Most people don't delete or block cookies from "trackers" like g00gle and face-barf. And there are those hidden 3rd party GIF files with alphabet-soup URLs, and corresponding server-side logs, for 'beyond cookie' tracking.

      Did your browser just send a 'header request' for that tiny transparent GIF file, because it was already in the cache? TRACKED you! Didn't need a cookie for that, so your cookie blocker was meaningless. You might as well have a fixed IPv4 address. Muahahahaha!

      So then 'whatever tracking service/' gets to store all that, sort it, summarize it, massage it into a product, and sell, sell, sell YOUR online behavior, simply because you visit sites they're connected to.

      Knowing it's possible is half the battle, and VPNs (or frequently changed IP addresses), ad/script blockers, and cookie blockers won't protect you from THAT kind of tracking.

      So yeah, most DEFINITELY browsers and OSes don't take fingerprinting seriously enough.
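The cached-image trick described in the comment above (re-identifying a browser from the conditional request it makes for a tracking pixel, no cookie required) as an added, self-contained example; this is not code from the article or from any real tracking service. The tracker host, the two site names, the IP addresses and the 1x1 GIF bytes are all constructed for the demo. The mechanism is the HTTP ETag: the pixel is served with a unique ETag and a long cache lifetime, and a browser that revalidates its cached copy echoes that ETag back in If-None-Match, which links the visit to every earlier one even when cookies are blocked and the client IP has changed (for example because traffic now exits a VPN).

```python
import secrets
from typing import Dict, List, Tuple

# Constructed 1x1 transparent GIF: the payload of a classic tracking pixel.
PIXEL_GIF = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
    b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00"
    b"\x00\x02\x02D\x01\x00;"
)


class PixelTracker:
    """Server side of ETag tracking (hypothetical third-party 'tracker.example').

    The pixel carries a unique ETag and a one-year cache lifetime. A browser
    that revalidates its cached copy sends the ETag back in If-None-Match, so
    the server recognises the same browser without any cookie."""

    def __init__(self) -> None:
        # identifier -> list of (client_ip, referer) observations
        self.visits: Dict[str, List[Tuple[str, str]]] = {}

    def handle(self, headers: Dict[str, str], client_ip: str) -> Tuple[int, Dict[str, str], bytes]:
        token = headers.get("If-None-Match", "").strip('"')
        if token in self.visits:
            status, body = 304, b""        # cache still valid; the request alone re-identified the browser
        else:
            token = secrets.token_hex(16)  # first sighting: mint an identifier
            self.visits[token] = []
            status, body = 200, PIXEL_GIF
        self.visits[token].append((client_ip, headers.get("Referer", "")))
        response = {
            "ETag": f'"{token}"',
            "Cache-Control": "private, max-age=31536000",
            "Content-Type": "image/gif",
        }
        return status, response, body

    def linked_ips(self, etag: str) -> List[str]:
        """All client IPs observed with one identifier: the linkage a VPN does not break."""
        return [ip for ip, _ in self.visits.get(etag.strip('"'), [])]


class Browser:
    """Constructed client with an HTTP cache and cookies disabled."""

    def __init__(self, validate_cache: bool = True) -> None:
        self.cached_etag = ""
        self.validate_cache = validate_cache  # False models a browser that never revalidates (or clears its cache)

    def fetch_pixel(self, tracker: PixelTracker, referer: str, client_ip: str) -> int:
        headers = {"Referer": referer}
        if self.validate_cache and self.cached_etag:
            headers["If-None-Match"] = self.cached_etag
        status, resp, _ = tracker.handle(headers, client_ip)
        self.cached_etag = resp["ETag"]
        return status


def demo() -> Tuple[List[str], int]:
    """Two sites, two IPs, no cookies: the tracker still links the visits.

    Returns the IPs linked to the victim browser's identifier, and how many
    identifiers the tracker minted in total (one for the victim, one per visit
    for the browser that never revalidates)."""
    tracker = PixelTracker()
    victim = Browser()
    victim.fetch_pixel(tracker, "https://site-a.example/", "198.51.100.7")  # home connection
    victim.fetch_pixel(tracker, "https://site-b.example/", "203.0.113.9")   # same browser behind a VPN
    linked = tracker.linked_ips(victim.cached_etag)

    careful = Browser(validate_cache=False)
    careful.fetch_pixel(tracker, "https://site-a.example/", "198.51.100.7")
    careful.fetch_pixel(tracker, "https://site-b.example/", "203.0.113.9")
    return linked, len(tracker.visits)
```

The `demo()` run returns both IPs under one identifier for the revalidating browser and three minted identifiers in total. What does defeat this particular channel is not a VPN or a cookie blocker but refusing the request or the revalidation: blocking the third-party pixel outright, or clearing the cache between sessions (as Bruce Ordway describes), means every fetch arrives without an If-None-Match and gets a fresh, unlinkable token.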

  3. a_yank_lurker

    Not Surprised

    Stepping back from the media hype, these results are not really surprising. Everyone I support, I try to hammer home the idea of using different passwords on accounts. Thus a breach at a merchant (Target) is an aggravation because of the merchant's possible sloppy practices. It is not a complete disaster as the other passwords are not known. Phishing gets around this by tricking users into giving up their credentials for a specific site. Thus, the miscreant is probably getting a login for an active account at, say, a bank or email account. Keyloggers will do the same thing though they may be harder to use.

    1. JimboSmith Silver badge

      Re: Not Surprised

      Don't talk to me about Target; I spent a few hours on the phone to Target one year. There was an order for a cot (or as they called it a crib) to go to our house in the US for my baby niece to sleep on. The order was placed two months before the trip and was being shipped to a friend to hang on to. Target gave us a shipping number with a carrier and all seemed good. Then the thing didn't arrive and I called Target via Skype a few times. They said that they'd checked and the shipping number was still saying "In Transit" and to wait. Not filled with confidence, I did wait, but it eventually said lost and I called Target again to get a refund, but that wasn't straightforward. The person I spoke to said that we didn't need a refund, they'd ship another one out to us. The problem was it said out of stock on their website so I doubted that. Under questioning he confessed it might take three weeks and I said that wasn't helpful when my niece arrived in under two weeks.

      I suggested that if they didn't provide a refund because they still wanted to ship a replacement I would come and find "Carl". I'd ask him in person why my baby niece had nowhere to sleep and clearly he was unhappy with this possibility. He said he'd ask his supervisor and get a refund authorised asap; I said I'd wait on the line. He came back and said there would be a refund in the account in under 24hrs. My sister ordered the same thing off Amazon and it arrived 2 days later. The phone calls cost nothing (toll free number) but my annoyance was immense. Never ordered from them since.

      1. a_yank_lurker

        Re: Not Surprised

        I picked Target because they were in the news for a massive breach and their astounding incompetence before the breach. I am not surprised their woefulness extends to other areas as ineptitude seems to flow down hill. If you were a victim of a merchant breach, it is aggravating but if your passwords are distinct for each site then the aggravation only extends to the information the merchant might have like credit card numbers. Monitoring or reissuing credit cards is a pain but much less of one if your other accounts are still secure. For example, by using a password manager, all my logins have unique passwords even to sites like El Reg.

        1. bombastic bob Silver badge

          Re: Not Surprised

          "I picked Target because they were in the news for a massive breach and their astounding incompetence before the breach."

          It could've been Target, Malo Mart (aka walmart), K Mart, or Sears. Hopefully after Target's security problems were laid bare for the world to gawk at, everyone else "got a clue" and fixed their own.

          They have those new "more secure" point of sale machines now, with the chip-on-card readers, but some of them seem to scratch up the contacts on the on-card-chip and make it not work so well any more...

    2. Doctor Syntax Silver badge

      Re: Not Surprised

      "Everyone I support I try hammer home the idea of using different passwords on accounts."

      Go a step further: use a different email for each account. And for one-off uses, use a one-off address or at least set up a temporary address every few weeks and then discontinue the old one.

  4. JimboSmith Silver badge

    For one of my Gmail accounts I have a 28 digit password which includes numbers and symbols. On the rare occasions I use my tablet outside of my home on (trusted*) WiFi, Google assumes that "Someone has your password" and I can't use the account until I verify it's me. If someone worked out or stole that password I'd love to know how. They're also going to be very disappointed because I don't use it for anything exciting or worth stealing.

    *Such as at a relatives where I've set up the security.

    1. Anonymous Coward

      "For one of my Gmail accounts I have a 28 digit password"

      That's no more secure though in reality than a 9 character or greater complex password. Both are uncrackable via brute force. And it's stupidly inconvenient to have to type in.

      1. bombastic bob Silver badge

        "For one of my Gmail accounts I have a 28 digit password"

        "That's no more secure though in reality than a 9 character or greater complex password."

        has nobody mentioned "Correct Horse Battery Staple" yet?

        1. Baldrickk

          has nobody mentioned "Correct Horse Battery Staple" yet?

          No, so here we go: https://xkcd.com/936/

          Though really, just use a password manager.

      2. JimboSmith Silver badge

        Given how often I have to type it (once or twice a year) it's not a problem and is actually easier for me to remember because it relates to the account.

  5. Saul Dobney

    Local password mashing

    I use a password masher that takes a plain password, hashes it with the domain name and some hidden personalised fields to create a strong password which is unique to each domain. Runs locally, doesn't store passwords, and copy-pasting the strong password means key-loggers won't see it. https://www.notanant.com/pwdmasher.html

    1. Munkeh

      Re: Local password mashing

      "copy-pasting the strong password means key-loggers won't see it."

      Unfortunately clipboard monitoring is a fairly common feature of keyloggers, which makes that method just as vulnerable as typing the password.

      That said your approach to password selection is solid.
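A worked version of the per-domain derivation Saul Dobney describes, with Munkeh's caveat kept in mind, as an added example that is not the pwdmasher code from notanant.com (the page does not show that tool's algorithm) and not part of either comment. Everything here is my own construction: the master secret, the "hidden personalised fields" string, the hostnames and the 70-symbol output alphabet are assumptions. The derivation is PBKDF2-HMAC-SHA256 with the registrable domain and the hidden fields as the salt, so a lookalike phishing domain, a different hidden field, or a bumped rotation counter each produces an unrelated password, while subdomains of one site share one.

```python
import hashlib

# Output alphabet: 70 symbols, mixed case, digits and punctuation (assumption).
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*"
SYMBOLS = "!@#$%^&*"


def registrable_domain(host: str) -> str:
    """Collapse a hostname so accounts.example.com and mail.example.com derive
    the same password. Assumption: the last two labels are the registrable
    domain; a real tool would consult the Public Suffix List (example.co.uk)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def derive_password(master: str, host: str, hidden_fields: str,
                    length: int = 20, iterations: int = 100_000, counter: int = 0) -> str:
    """Derive a site-specific password from the master secret.

    The domain, the user's hidden personalised fields and a rotation counter
    form the PBKDF2 salt; only the master secret is stretched. Bumping the
    counter rotates one site's password without touching any other."""
    salt = f"{registrable_domain(host)}|{hidden_fields}|{counter}".encode()
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen=length + 8)
    # Base-convert the derived integer instead of using byte % 70, which would
    # bias output towards the first 46 symbols of the alphabet.
    n = int.from_bytes(raw, "big") % (len(ALPHABET) ** length)
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)


def derive_with_policy(master: str, host: str, hidden_fields: str,
                       length: int = 20, start: int = 0) -> str:
    """Many sites insist on one character from each class; re-derive with the
    next counter value until the output satisfies that. Deterministic, so the
    same inputs always land on the same counter and the same password."""
    for counter in range(start, start + 64):
        pw = derive_password(master, host, hidden_fields, length, counter=counter)
        if (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw
    raise RuntimeError("no policy-conforming derivation found")


if __name__ == "__main__":
    master, hidden = "correct horse battery staple", "dob=1970;pet=rex"  # constructed inputs
    for host in ("accounts.google.com", "mail.google.com", "gooogle.com"):
        print(f"{host:22s} {derive_password(master, host, hidden)}")
```

Two properties are worth checking against the thread. First, the phishing case: a credential typed into a page on `gooogle.com` derives from that domain, so what the phisher captures is useless at `google.com`; the scheme only holds if the hostname fed to the derivation is the one in the address bar, not one the user types from memory. Second, Munkeh's point stands: a keylogger that also reads the clipboard captures the derived password just as well as a typed one. What the derivation buys you is containment (one site's password, not the master secret) rather than immunity to capture.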

  6. This post has been deleted by its author

  7. Anonymous Coward

    Password entered by mistake on another site

    If you enter your gmail password by mistake on outlook.com, that error gets logged, along with your gmail password...

    1. Anonymous Coward

      Re: Password entered by mistake on another site

      "If you enter your gmail password by mistake on outlook.com, that error gets logged, along with your gmail password..."

      No it doesn't. Microsoft don't store failed passwords. They don't even store your actual password - only a one way hash of it.

    2. bombastic bob Silver badge

      Re: Password entered by mistake on another site

      "If you enter your gmail password by mistake on outlook.com, that error gets logged, along with your gmail password..."

      If not on 'outlook.com', someone may actually be doing that...

      Like rule 34 for intarweb pr0n, there should be "a rule" that assumes that kind of tracking. It would be right more often than not, that's why.
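The exchange above turns on what a properly built login service actually keeps when you mistype a password from another site. This added example, my own construction and not Microsoft's or Google's code (the page shows neither), is the textbook shape of such a service: a random per-user salt, a slow one-way hash, a constant-time comparison, equal cost for unknown usernames, and an audit trail that records who tried and whether it worked but never the submitted secret. The account name and the two passwords are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple


class CredentialStore:
    """Holds only (salt, hash) per user. The plaintext is never stored and a
    failed attempt is recorded without the password that was tried."""

    def __init__(self, iterations: int = 100_000) -> None:
        self.iterations = iterations
        self.users: Dict[str, Tuple[bytes, bytes]] = {}  # username -> (salt, hash)
        self.audit: List[Tuple[str, str]] = []           # (username, outcome), nothing else
        self._dummy_salt = os.urandom(16)                 # used so unknown users cost the same

    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)                             # per-user salt: no shared rainbow table
        self.users[username] = (salt, self._hash(password, salt))

    def verify(self, username: str, password: str) -> bool:
        record = self.users.get(username)
        if record is None:
            self._hash(password, self._dummy_salt)        # same work, so timing does not reveal valid names
            ok = False
        else:
            salt, stored = record
            ok = hmac.compare_digest(self._hash(password, salt), stored)
        self.audit.append((username, "success" if ok else "failure"))
        return ok

    def at_rest(self, username: str) -> bytes:
        """Everything the store holds for a user, as seen in a database dump."""
        salt, digest = self.users[username]
        return salt + digest


def demo() -> Tuple[bool, bool, bool]:
    """Register a constructed account, slip and type the Gmail password into it,
    then log in correctly. Returns (wrong_attempt_ok, right_attempt_ok, leaked)
    where leaked is whether the mistyped secret appears in the dump or audit."""
    store = CredentialStore()
    store.register("alice@outlook.example", "outlook-only-secret")
    wrong = store.verify("alice@outlook.example", "my-gmail-secret")
    right = store.verify("alice@outlook.example", "outlook-only-secret")
    leaked = (b"my-gmail-secret" in store.at_rest("alice@outlook.example")
              or any("my-gmail-secret" in field for entry in store.audit for field in entry))
    return wrong, right, leaked
```

The caveat the second Anonymous Coward and bombastic bob are circling is that this is a property of the implementation, not of HTTP: the password does reach the server in plaintext inside the TLS session, and nothing in the protocol stops a site (or a phishing page imitating one) from writing the failed attempt to a log. The code above shows what "doesn't store failed passwords" has to look like for the claim to be true; it cannot be verified from the outside.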
