Google study reveals how criminals break into Gmail accounts

Tech news | Source: Naked Security

Google, it’s fair to say, is no fan of relying on passwords to secure online accounts.

Reading the recent study the company commissioned on the causes of online account takeover from the University of California, Berkeley, it’s not hard to understand why.

The year-long analysis to March 2017 mostly confirms a lot of bad news that security experts could have guessed, starting with the staggering haul of stolen credentials, covering a wide range of online services, that appear to be circulating on the dark web.

After crawling blackhat forums and paste sites, 1.9 billion credentials were traced to data breaches, 12.4 million to the work of phishing kits, and 788,000 were stolen by keyloggers.

Based on the 751,000 Gmail users within this data, the company was able to work out that, for its users, phishing attacks are by far the most dangerous of the three, accounting for 25% of exposed current passwords.

Keyloggers were the next most effective with a 12% rate, with data breaches further back on 7%.

But just having the password and user name (which can be changed) isn’t the whole explanation for the different success rates. It turns out that phishing attacks and keyloggers are further boosted by their tendency to grab data such as telephone numbers, geo-location data and IP addresses.

This makes it much harder for a company such as Google to detect rogue activity simply by looking at where someone appears to be logging in from, say, because this can be spoofed.

The warning:

While credential leaks may expose the largest number of passwords, phishing kits and keyloggers provide more flexibility to adapt to new account protections.

Which brings us back to the perennial angst of passwords.

The study confirmed that large numbers of passwords (including large numbers of terrible ones that appeared to have been poorly stored) are re-used, which means that someone breached in one service has often put multiple accounts at risk.

The researchers’ conclusion is that password-based authentication is dead in the water. Credentials are simply too easy to steal while users don’t make much effort to secure them. No amount of tinkering can save this model.

Enabling multi-factor authentication (MFA) would mitigate much of this, particularly phishing attacks, credential leaks and, to some extent, keylogging. And yet only a minority use it, even after they’ve been the victim of an attack:

Our own results indicate that less than 3.1% who fall victim to hijacking subsequently enable any form of two-factor authentication after recovering their account.

This suggests that people have either not heard of MFA, don’t know how to enable it or really don’t like it.

It makes you wonder why Google doesn’t simply make MFA mandatory and just get on with migrating people for their own good, as Apple appears to want to do.

An intriguing possibility is that companies such as Google might more regularly trawl the dark web for accounts that have been breached, resetting them as they are spotted.

Facebook are already known to do this and Google did it for every compromised Gmail account the researchers uncovered in this study, so it’s not far-fetched that this could happen in future.

Naked Security has written several times on the importance of MFA (including for Gmail) which we’d implore anyone not using it to read and act on.

Google also recently launched something called the Advanced Protection Program (APP) for Gmail users who see themselves as being at high risk of phishing attacks.
