HOTforSecurity
  • Home
  • Threats
    • Security alerts
    • Social Networks Security
    • Mobile & Gadgets Security
    • Tips and Tricks
  • Smart Home Security
  • Digital Privacy
    • Digital Identity
    • Good Practices
    • Data Breach Alerts
  • Work from Home: Safety Tips
  • The ABC of Cybersecurity
  • Security Videos
Graham CLULEY @gcluley
Industry News

Don’t have your account hijacked. Secure your online accounts with more than a password, says Google

May 20, 2019
4 Min Read

Research published at the end of last week argues that the typical user can significantly harden the security of their online accounts simply by linking a recovery phone number, which the provider can use to challenge a suspicious sign-in and to alert the user to suspicious activity on the account.

The research, conducted by a team from Google alongside researchers from New York University and the University of California, San Diego, found that when a Google account was linked to a phone, account takeover attacks by automated bots were prevented 100% of the time.

What is more, as a blog post from Google’s security team describes, there is clear evidence that two-step verification via a smartphone blocks the vast majority of bulk phishing attacks and most targeted account takeover attacks:

“We found that an SMS code sent to a recovery phone number helped block 100% of automated bots, 96% of bulk phishing attacks, and 76% of targeted attacks. On-device prompts, a more secure replacement for SMS, helped prevent 100% of automated bots, 99% of bulk phishing attacks and 90% of targeted attacks.”

The research, which examined over 350,000 real-life hijacking attempts on a sample of 1.2 million users, underlines the importance of being proactive in using *some* method to protect your online accounts – even if you aren’t prepared to enable two-step verification, or to enrol in Google’s Advanced Protection Program, which is aimed at users at the highest risk.

Google also says that, during the study period, none of the users who exclusively used hardware security keys to sign in to its online services fell victim to targeted phishing attacks.

Securely protecting an email account is, of course, of paramount importance to even the typical internet user as it is the centre of their online life.

A compromised email account doesn’t just allow a malicious hacker to read your private communications, steal the addresses of your contacts, and send emails that appear to come from you. It also opens a backdoor into your other online accounts, many of which use your email address as your username and will happily send a password reset link to the hijacked mailbox.

And if, for any reason, you haven’t shared your number with Google and enabled a recovery phone number to harden the security of your account, automated bots can still often be defeated through knowledge-based challenges (such as asking you to confirm your last sign-in location or your secondary email address when you log in from a different device or a different part of the world).

Unfortunately, such information can itself be coaxed out of unsuspecting users in phishing or targeted attacks which aim to trick users into revealing additional identifying information.

So, why doesn’t Google simply make security challenges compulsory? Why isn’t it forcing its many millions of users into solving a challenge when they log into the system in order to keep malicious hackers out?

The answer, of course, comes down to human nature.

In their experiments, the researchers found that 38% of users did not have access to their phone when challenged. Another 34% were unable to recall their secondary email address.

“Our results illustrate that login challenges act as an important barrier to hijacking, but that friction in the process leads to 52% of legitimate users failing to sign-in – though 97% of users eventually access their account in a short period.”

Personally I have enabled two-step verification or two-factor authentication on all accounts where it is supported, and have never felt frustrated that I might need to take a few extra seconds entering a six-digit number alongside my username and password at login. Some of my most critical online accounts I also defend with a hardware key.

If that’s not for you though, please do *something*. Enable some additional level of security if you possibly can – even if it’s just a security question whose answer a hacker is unlikely to know.

Some hackers are getting more devious and more sophisticated in their attacks. It’s time for you to modernise how you protect your accounts against them.

Tags: account takeover, email, google, two-step authentication


About the author


Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

4 Comments

  • Alejandro Sánchez says:
    May 23, 2019 at 10:47 pm

    Still think it should be mandatory. They are totally right. I have used it in every app or website that supports it for years, and never experienced inconveniences.

  • Leena Joseph says:
    May 24, 2019 at 9:29 am

    Great post Graham, I really like this post. You have explained the details in a different and interesting way. Thank You.

    • Janean Knowles says:
      June 2, 2019 at 8:07 pm

      I was not aware that I had all this information available to me. Thank you)

  • Anjali Raveendran says:
    May 30, 2019 at 1:06 pm

    Hey Graham, Really nice post. This is so chock full of useful information. Waiting for the next post like this.

Powered by Bitdefender - a leading cyber security technology provider | Copyright © 2008 - 2016. All rights reserved.