Given how much of people’s lives are now online, security is of paramount importance. New research from Google this week shows how even adding a recovery phone number to your Account can do a great deal to prevent hijackings.
Google worked with New York University and the University of California, San Diego on a year-long study of both wide-scale and targeted attacks. The high-level conclusion is that any form of additional security challenge can significantly reduce account hijackings.
Our research shows that simply adding a recovery phone number to your Google Account can block up to 100% of automated bots, 96% of bulk phishing attacks, and 66% of targeted attacks that occurred during our investigation.
The research looked at both knowledge-based and device-based challenges. The former involves Google following up a suspicious sign-in attempt by asking for “additional proof that it’s really you.” This could be as simple as entering a phone number or secondary email address that the user has already associated with the account. Another kind of challenge asks for your last sign-in location, and this blocked 100% of hijackings attempted by automated bots.
Device-based challenges involve texting codes to your phone number that are then entered online. While the security community increasingly regards this method as susceptible to SMS spoofing, Google’s research found that this reduces targeted attacks by 76%.
Meanwhile, on-device prompts that appear natively on Android and through the Google/Gmail apps on iOS increase safety further. The most secure method remains a security key — both physical and phone-based — where all three forms of attacks are impossible when there’s physical authentication of your identity.
However, Google’s research also revealed why challenges are not required by default.
The answer is that challenges introduce additional friction and increase the risk of account lockout. In an experiment, 38% of users did not have access to their phone when challenged. Another 34% of users could not recall their secondary email address.
The findings also detailed the emerging trend of “hack for hire” attacks. Most users do not face this risk, but Google recommends that high-risk targets sign up for the Advanced Protection Program.
We have been investigating emerging “hack for hire” criminal groups that purport to break into a single account for a fee on the order of $750 USD. These attackers often rely on spear phishing emails that impersonate family members, colleagues, government officials, or even Google. If the target doesn’t fall for the first spear phishing attempt, follow-on attacks persist for upwards of a month.