Google and researchers at the University of California, Berkeley, teamed up to study how Google accounts become compromised, shedding light on how the company finds new ways to fight back.
“The lifecycle of hijacking begins with password theft,” Google security engineer Grzegorz Milka said at the Enigma cybersecurity conference in Santa Clara, California, on Wednesday.
Hackers use several techniques to gather passwords, including scraping them from data breaches or pulling them with keyloggers, malware, and phishing schemes, Milka explained. In research conducted between May 2016 and May 2017, the company found 67 million valid Google account credentials on black markets. Google estimates that about 17 percent of its users re-use their passwords across accounts, leaving their accounts vulnerable if these passwords are exposed during a data breach at another company.

“With millions of stolen passwords out there, just accepting the password as is is risky at best,” Milka said. Ideally, users would enable two-factor authentication on their accounts to protect themselves against password theft. But not enough users choose to do so: Google estimates that less than 10 percent of its active users have two-factor authentication enabled. (Although that number is frighteningly low, it’s worth remembering that 10 percent of Google’s userbase still represents millions of people.)
Without the protection of two-factor authentication, Google needs to dig deeper into users’ email account data in order to secure their accounts.
At one point or another, you’ve probably gotten an email from Google warning that your account had been accessed from a new location, but hackers have caught on and will attempt to harvest IP address or location data to spoof a natural-looking login from a place you frequent, Milka explained. Researchers found that 83 percent of the phishing kits aim to steal not only credentials but location data as well.

Some phishing kits also attempt to harvest phone numbers, another data point that Google sometimes uses to help authenticate a login. Captured phone numbers can be useful for hackers, even if a user has two-factor authentication enabled. In some targeted cases, hackers have convinced phone companies to port a victim’s number to a new SIM, allowing them to intercept two-factor authentication texts.
Google also looks at account activity for signs of malicious behavior. Attackers usually follow a common pattern, Milka said. They’ll often delete emails from Google alerting the user to a suspicious login, search the account for sensitive info such as nude photos or financial information, export the contacts for use in future scams, set up inbox filters to hide future warnings about the hack, and send more phishing messages from the user’s account before logging out. None of those actions are typical for most users, Milka said, and can help Google recognize that an account takeover is underway.
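The post-compromise pattern Milka describes above, together with the unfamiliar-location login signal from the earlier paragraph, as an added Python example of how a defender could score a session for it. This is illustrative code written for this article, not Google’s detection system; the event names, weights, threshold and the sample event log are all constructed assumptions, and the point it demonstrates is that any one of these actions is weak evidence on its own while the combination is strong.

```python
"""Score account sessions for the takeover pattern described in the talk.

Added example, not Google's code. Event names, weights, threshold and the
sample log below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Actions the talk lists as typical of a hijacker and atypical of the owner.
# The weights are an assumption for this example.
TAKEOVER_SIGNALS = {
    "delete_security_alert": 3,       # deleting Google's "suspicious login" email
    "search_sensitive": 2,            # searching mail for financial/intimate data
    "export_contacts": 2,             # pulling the address book for later scams
    "create_filter_hide_alerts": 3,   # inbox filter that hides future warnings
    "send_phishing_bulk": 3,          # outbound bulk mail from the victim's account
}
NEW_LOCATION_WEIGHT = 2      # login from a location this account has never used
BULK_SEND_RECIPIENTS = 50    # assumed cut-off for "bulk" outbound mail
ALERT_THRESHOLD = 5          # assumed score at which a session is flagged


@dataclass
class Event:
    session: str
    action: str
    detail: dict = field(default_factory=dict)


def score_session(events, known_locations):
    """Return (score, reasons) for the events of one session."""
    score, reasons = 0, []
    for ev in events:
        if ev.action == "login":
            loc = ev.detail.get("location")
            if loc and loc not in known_locations:
                score += NEW_LOCATION_WEIGHT
                reasons.append(f"login from unfamiliar location {loc}")
        elif ev.action == "send_mail":
            if ev.detail.get("recipients", 0) >= BULK_SEND_RECIPIENTS:
                score += TAKEOVER_SIGNALS["send_phishing_bulk"]
                reasons.append("bulk outbound mail")
        elif ev.action in TAKEOVER_SIGNALS:
            score += TAKEOVER_SIGNALS[ev.action]
            reasons.append(ev.action)
    return score, reasons


def flag_sessions(events, known_locations, threshold=ALERT_THRESHOLD):
    """Group events by session and return {session: (score, reasons)} for
    every session whose score reaches the threshold."""
    by_session = {}
    for ev in events:
        by_session.setdefault(ev.session, []).append(ev)
    flagged = {}
    for sid, evs in by_session.items():
        score, reasons = score_session(evs, known_locations)
        if score >= threshold:
            flagged[sid] = (score, reasons)
    return flagged


# Constructed sample log: s1 is the owner, s2 follows the hijacker pattern,
# s3 is the owner doing one unusual but legitimate thing (exporting contacts).
SAMPLE_EVENTS = [
    Event("s1", "login", {"location": "Warsaw"}),
    Event("s1", "read_mail"),
    Event("s1", "send_mail", {"recipients": 1}),
    Event("s2", "login", {"location": "Lagos"}),
    Event("s2", "delete_security_alert"),
    Event("s2", "search_sensitive", {"query": "bank statement"}),
    Event("s2", "export_contacts"),
    Event("s2", "create_filter_hide_alerts"),
    Event("s2", "send_mail", {"recipients": 250}),
    Event("s2", "logout"),
    Event("s3", "login", {"location": "Warsaw"}),
    Event("s3", "export_contacts"),
]

if __name__ == "__main__":
    for sid, (score, reasons) in flag_sessions(SAMPLE_EVENTS, {"Warsaw"}).items():
        print(f"{sid}: score {score}, reasons: {', '.join(reasons)}")
```

Only s2 crosses the threshold; s3, a genuine user exporting contacts from a familiar location, scores 2 and is left alone, which is why a scoring approach over the whole session is preferable to alerting on any single action.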
Google will sometimes present login challenges to users who don’t enable two-factor authentication, requiring them to provide a backup email or phone number in order to verify that they’re the real owner of the account. The company also uses tools like Safe Browsing to warn users about phishing links and offers an Advanced Protection Program for at-risk users to lock down their accounts.

“The question is, why wouldn’t we make two-factor authentication mandatory?” Milka asked. “The answer is usability. In the end, we want people to use their accounts. How many people would we drive out of using Google accounts if we forced them to use additional security measures?”