Gmail accounts are high-priority targets for attackers of all stripes, particularly spam crews and state-sponsored attackers who use them to monitor the activities of activists and journalists. Hijacking those accounts can be quite useful for spammers and malware gangs as well, but Google said that it has put security measures in place that have greatly reduced the number of successful hijack attempts.
In the last few years, the company has added a number of security systems to Gmail and its other services to help protect users’ accounts. The most well-known and visible of those is the Gmail two-factor authentication option that requires users to enter a code that’s either generated by an app on their mobile phones or sent via SMS, in addition to entering a password. That system helps prevent account compromises through the use of stolen passwords because even with the password, the attacker would still need the code in order to access the account. That system isn’t enabled by default, however.
In addition to the two-factor authentication system, Google also has a number of less-visible back-end technologies in place that help protect against account hijacks. The company said that these systems have helped reduce the number of successful hijacks by more than 99 percent in the last two years.
“Every time you sign in to Google, whether via your web browser once a month or an email program that checks for new mail every five minutes, our system performs a complex risk analysis to determine how likely it is that the sign-in really comes from you. In fact, there are more than 120 variables that can factor into how a decision is made,” Mike Hearn, a Google security engineer, said.
“If a sign-in is deemed suspicious or risky for some reason—maybe it’s coming from a country oceans away from your last sign-in—we ask some simple questions about your account. For example, we may ask for the phone number associated with your account, or for the answer to your security question. These questions are normally hard for a hijacker to solve, but are easy for the real owner. Using security measures like these, we’ve dramatically reduced the number of compromised accounts by 99.7 percent since the peak of these hijacking attempts in 2011.”
The number of attempts to compromise Google accounts every day is staggering. Hearn said that the company has seen a single attacker attempting to break into more than a million accounts every day for several weeks. Much of this activity relies on databases of passwords that attackers have stolen from various Web sites and enterprises. Those password lists are bought and sold by attackers, spammers and other criminals.
Google doesn’t disclose much information about the kinds of tools and algorithms it uses to protect accounts on the back end, but some of the known systems look at where a user last logged in to the account, compare it with where the user is trying to log in now, and determine whether the log-in attempt looks suspicious.
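The location comparison described above, sketched as an added example (not Google's code or algorithm, whose variables are undisclosed): a sign-in is sent to a challenge when the travel speed implied since the last accepted sign-in is implausible. The speed threshold, the geo-IP error floor, the function names and the sample events are assumptions constructed for illustration.

```python
import math
from datetime import datetime

MAX_PLAUSIBLE_KMH = 900.0   # assumed: roughly airliner cruising speed
GEO_ERROR_KM = 100.0        # assumed: ignore moves within geo-IP error

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def assess_sign_in(last, current):
    """Return 'allow' or 'challenge', given the last accepted sign-in."""
    if last is None:
        return "allow"                      # no baseline to compare against yet
    dist = haversine_km(last["loc"], current["loc"])
    if dist <= GEO_ERROR_KM:
        return "allow"
    # Clamp to one second so equal or out-of-order timestamps cannot divide by zero.
    hours = max((current["time"] - last["time"]).total_seconds(), 1.0) / 3600
    return "challenge" if dist / hours > MAX_PLAUSIBLE_KMH else "allow"

def review(events):
    """Score events in order; only accepted sign-ins become the new baseline."""
    last, decisions = None, []
    for ev in events:
        decision = assess_sign_in(last, ev)
        decisions.append(decision)
        if decision == "allow":
            last = ev
    return decisions

def _ev(ts, lat, lon):
    return {"time": datetime.fromisoformat(ts), "loc": (lat, lon)}

# Constructed sample sign-ins for one account (not real data).
SAMPLE = [
    _ev("2013-02-01T08:00:00", 47.38, 8.54),     # Zurich
    _ev("2013-02-01T08:05:00", 47.38, 8.54),     # Zurich, mail client poll
    _ev("2013-02-01T09:00:00", -23.55, -46.63),  # Sao Paulo, 55 minutes later
    _ev("2013-02-02T08:00:00", 51.51, -0.13),    # London, next day
]

if __name__ == "__main__":
    print(review(SAMPLE))
```

A production system would weigh this signal alongside many others rather than decide on it alone, since VPNs and mobile carriers routinely shift a user's apparent location.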