Google Wants Your Phone to Protect Against Account Takeover Attacks


In a report on Friday, Google highlights the importance of linking a phone to an account when it comes to fighting hijacking attempts, whether they come from automated bots, phishing, or targeted attacks.

An email address is at the center of our online life, essential for creating accounts to web services and for receiving communication more or less sensitive in nature.

Moreover, providers of a large host of services, like Google and Microsoft, have moved to a single sign-in system where the same username and password give access to all services from the same provider. On top of this, these accounts can be used to sign up for or log into third-party services.

It’s no wonder email accounts are coveted by hackers of any sort. Account hijacking attempts occur every day, by the hundreds of thousands, and companies like Google have developed defenses against these threats.

Anti-hijacking proactive protection

Adding a recovery phone number to the Google account seems to be an effective way to win against take-over attacks, especially if they are not targeted.

A study from academic researchers shows that where a Google account was linked to a phone, the takeover prevention rates went up as much as 100% in the case of automated bots, as high as 99% with run-of-the-mill phishing, and up to 90% with targeted attacks.

The research took into account over 350,000 real-world hijacking attempts on a sample of 1.2 million users.

Google is proactive in securing user accounts and relies on user routine to determine the legitimacy of a login attempt in a passive way. Among the signals employed is the origin of the login request, which includes both device and location.

In simple terms, when users log into their accounts from a different device or location, they are asked to prove that they are the legitimate owner by solving a second authentication challenge.

When a suspicious login is detected, users go through an extra verification step, which can be knowledge-based (answering security questions, providing a recovery phone number or email address) or device-based (prove access to a registered device).

Device beats knowledge-based challenges

According to a study from researchers at New York University and Google, real-world efforts to hijack a Google account were mostly ineffective against device-based challenges.

On-device prompt, a protection measure that authorizes the login by confirming it on the phone, had a success rate of 100% against automated bots, 99% against bulk phishing attacks, and 90% against targeted account takeover attacks (ATA).

More successful was authorizing the login with a security key. Where this protection was enabled, all ATA attempts failed because the physical device was required for the login process to continue.

Unfortunately, security keys add friction to the authentication challenge that most users are not willing to accept. This is why they are typically used by a category of users that are more likely to become victims of a targeted attack. For most users, even having the phone at the ready is not possible at all times.

The weakest form of protection resulting from the study was the common SMS-based authentication, which can be defeated if an attacker in a man-in-the-middle position deploys a live phishing attack, intercepting requests and running validity checks in real time.
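To make the mechanism described above concrete (passive risk signals such as device and location deciding whether a second challenge is needed, and device-based challenges being preferred over SMS and knowledge-based ones), here is an added illustrative step-up policy. It is not Google's code, and the profile fields, signal names and the ordering of SMS between knowledge-based and on-device prompts are assumptions made for the example.

```python
"""Illustrative risk-based step-up authentication policy (added example).

Assumed model: a login attempt that matches the user's known devices and
countries is allowed through; anything else triggers the strongest
second-factor challenge the account has configured. The challenge ranking
follows the article's ordering (security key > on-device prompt > SMS >
knowledge-based); placing SMS above knowledge-based is an assumption.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class Challenge(IntEnum):
    # Higher value = harder for an attacker to satisfy.
    KNOWLEDGE = 1       # e.g. recalling the last sign-in location
    SMS = 2             # one-time code, phishable in real time
    DEVICE_PROMPT = 3   # confirm the login on a signed-in phone
    SECURITY_KEY = 4    # physical key must be present


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    device_id: str
    country: str


@dataclass
class UserProfile:
    # Hypothetical "routine" signals gathered from previous legitimate logins.
    known_devices: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)
    has_security_key: bool = False
    signed_in_phone: bool = False
    has_recovery_phone: bool = False


def is_suspicious(profile: UserProfile, attempt: LoginAttempt) -> bool:
    """Passive check: unfamiliar device OR unfamiliar location is suspicious."""
    return (attempt.device_id not in profile.known_devices
            or attempt.country not in profile.known_countries)


def strongest_available_challenge(profile: UserProfile) -> Challenge:
    """Pick the hardest challenge the account can actually complete."""
    if profile.has_security_key:
        return Challenge.SECURITY_KEY
    if profile.signed_in_phone:
        return Challenge.DEVICE_PROMPT
    if profile.has_recovery_phone:
        return Challenge.SMS
    # No phone linked: only weaker knowledge-based challenges remain.
    return Challenge.KNOWLEDGE


def decide(profile: UserProfile, attempt: LoginAttempt) -> Optional[Challenge]:
    """Return None when the login is routine, otherwise the challenge to issue."""
    if not is_suspicious(profile, attempt):
        return None
    return strongest_available_challenge(profile)


def review_log(profile: UserProfile, log_lines: list) -> list:
    """Parse constructed 'user,device,country' lines and decide each one."""
    results = []
    for line in log_lines:
        user, device, country = (p.strip() for p in line.split(","))
        outcome = decide(profile, LoginAttempt(user, device, country))
        results.append((line, outcome.name if outcome else "ALLOW"))
    return results


if __name__ == "__main__":
    # Constructed sample data: a user with one known laptop in one country.
    alice = UserProfile(known_devices={"laptop-1"}, known_countries={"US"},
                        signed_in_phone=True, has_recovery_phone=True)
    sample_log = [
        "alice, laptop-1, US",   # routine: no challenge
        "alice, laptop-1, RO",   # new country: step up
        "alice, unknown-7, US",  # new device: step up
    ]
    for line, action in review_log(alice, sample_log):
        print(f"{line:<24} -> {action}")
```

The point the policy makes explicit is the one the study quantifies: the account's configuration, not the risk score, determines how strong the step-up can be, so an account with no phone linked degrades to the weakest challenge on exactly the logins that matter most.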

“If you’ve signed into your phone or set up a recovery phone number, we can provide a similar level of protection to 2-Step Verification via device-based challenges,” say Google researchers.

The alternative of not having a phone connected to the Google account is that recovery needs to rely on weaker, knowledge-based challenges that may be known to an attacker, or very easy to discover. While this works against automated bots, phishing can be successful in as many as 90% of the cases.

If you don’t have a recovery phone number established, then we might fall back on the weaker knowledge-based challenges, like recalling your last sign-in location. This is an effective defense against bots, but protection rates for phishing can drop to as low as 10%. The same vulnerability exists for targeted attacks. That’s because phishing pages and targeted attackers can trick you into revealing any additional identifying information we might ask for.

It’s important to note that Google provides other means for users to protect their accounts against takeover endeavors. Relying on an authentication app that generates codes for the second-factor login and using single-use backup codes are also available options. However, both of them are considered less convenient from the point of view of an average user because it takes longer to complete the challenge.
