Gmail security

Gmail accounts are high-priority targets for attackers of all stripes, particularly spam crews and state-sponsored attackers who use them to monitor the activities of activists and journalists. Hijacking those accounts can be quite useful for spammers and malware gangs as well, but Google said that it has put security measures in place that have greatly reduced the number of successful hijack attempts.

In the last few years, the company has added a number of security systems to Gmail and its other services to help protect users’ accounts. The most well-known and visible of those is the Gmail two-factor authentication option that requires users to enter a code that’s either generated by an app on their mobile phones or sent via SMS, in addition to entering a password. That system helps prevent account compromises through the use of stolen passwords because even with the password, the attacker would still need the code in order to access the account. That system isn’t enabled by default, however.

In addition to the two-factor authentication system, Google also has a number of less-visible back-end technologies in place that help protect against account hijacks. The company said that these systems have helped reduce the number of successful hijacks by more than 99 percent in the last two years.

“Every time you sign in to Google, whether via your web browser once a month or an email program that checks for new mail every five minutes, our system performs a complex risk analysis to determine how likely it is that the sign-in really comes from you. In fact, there are more than 120 variables that can factor into how a decision is made,” Mike Hearn, a Google security engineer, said.
“If a sign-in is deemed suspicious or risky for some reason—maybe it’s coming from a country oceans away from your last sign-in—we ask some simple questions about your account. For example, we may ask for the phone number associated with your account, or for the answer to your security question. These questions are normally hard for a hijacker to solve, but are easy for the real owner. Using security measures like these, we’ve dramatically reduced the number of compromised accounts by 99.7 percent since the peak of these hijacking attempts in 2011.”

The number of attempts to compromise Google accounts every day is staggering. Hearn said that the company has seen a single attacker attempting to break into more than a million accounts every day for several weeks. Much of this activity relies on the use of databases of stolen passwords that attackers steal from various Web sites and enterprises. Those password lists are bought and sold by attackers, spammers and other criminals.

Google doesn’t disclose much about the tools and algorithms it uses to protect accounts on the back end, but some of the known systems compare where a user last logged into the account with where the current log-in attempt is coming from, and use that comparison to judge whether the attempt looks suspicious.
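As an added illustration (not Google’s code; its real signals are not public), here is a toy risk-based sign-in check in the spirit of the analysis described above: each sign-in is scored against the account’s last successful sign-in (country change, implausible travel speed), whether the device has ever succeeded before, and how many failed attempts the account has seen recently, and the result is allow, challenge or block. The weights, thresholds and sample events are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

@dataclass
class SignIn:
    when: datetime
    country: str
    lat: float
    lon: float
    device_id: str
    ok: bool  # True if the password was accepted

def km_between(a, b):  # great-circle (haversine) distance in km between (lat, lon) points
    la1, lo1, la2, lo2 = map(radians, (*a, *b))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def risk_score(history, attempt, max_kmh=900):
    """Score a sign-in against the account's history; higher means riskier (assumed weights)."""
    score = 0
    successes = [h for h in history if h.ok]
    if successes:
        last = successes[-1]
        if attempt.country != last.country:
            score += 40  # "a country oceans away from your last sign-in"
        hours = (attempt.when - last.when).total_seconds() / 3600
        dist = km_between((last.lat, last.lon), (attempt.lat, attempt.lon))
        if hours > 0 and dist / hours > max_kmh:
            score += 40  # impossible travel since the last good sign-in
    if attempt.device_id not in {h.device_id for h in successes}:
        score += 15  # this device has never signed in successfully before
    recent_fails = [h for h in history if not h.ok
                    and timedelta(0) <= attempt.when - h.when < timedelta(hours=24)]
    score += min(20, 5 * len(recent_fails))  # password-guessing pressure on this account
    return score

def decide(history, attempt):
    s = risk_score(history, attempt)  # allow, step up (account questions / 2FA), or block
    return "allow" if s < 30 else "challenge" if s < 70 else "block"

def demo():
    # Constructed sample: owner signs in from Lisbon; a burst of failed guesses from
    # Shanghai follows, then one guess hits the password an hour after the owner's sign-in.
    t0 = datetime(2013, 2, 19, 9, 0)
    history = [SignIn(t0, "PT", 38.72, -9.14, "laptop-A", True)]
    history += [SignIn(t0 + timedelta(minutes=i), "CN", 31.23, 121.47, f"bot-{i}", False)
                for i in range(6)]
    owner_again = SignIn(t0 + timedelta(hours=2), "PT", 38.72, -9.14, "laptop-A", True)
    hijack = SignIn(t0 + timedelta(hours=1), "CN", 31.23, 121.47, "bot-9", True)
    return decide(history, owner_again), decide(history, hijack)
```

Note that the owner’s own return still accumulates some risk from the failed guesses; with a couple more weak signals it would cross into a challenge, which is the step-up the article describes.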


Comment (1)

  1. Google User

    Lies. Gmail is highly vulnerable to brute-force attacks, without any excuse. It seems they are trying to “force” people to put in their cell phone number for extra data cross.

    It was an account I hadn’t logged on to for many months, with a nickname I haven’t used for years, that got hacked this month.
    The so-called security got broken by forced login attempts from Chinese IPs over many months. I always logged in from Europe, so Google decided those attempts were suspicious (duh) and put mails with that information in the inbox, but other than that took no security measures.
    Instead of blocking IPs from that area, which is nowhere close to mine, they allowed them to keep trying different passwords. Mind you, it wasn’t an easy password, being composed of several letters and numbers interchangeably, so I can’t be amazed enough at the number of forceful tries Google allowed.
    They weren’t stupid enough to make all the tries from the same IP, but the IPs were always from the same area in China.
    If you don’t want to be so proactive, then at least put in an option for users to block logins from IPs of countries A, B, C. At least let the users protect themselves without giving you extra personal information to whatever end.
    BTW, no, I’m not angry about the hacked account; I still have it and it didn’t have any contacts or personal information in it. But that could be different, which makes me consider not having any personal info in any Google service.
    The fact that Google keeps treading this cloudy path is worrisome, especially to me, who has used their services for more than 10 years (yes, at the time most people used Yahoo!).
