How effective are login challenges at preventing Google account takeovers?
Despite implementation bugs that might affect the security of physical security keys, they are the strongest protection against phishing currently available, Google maintains.
On-device prompts and SMS codes are also extremely successful at blocking account hijacking attacks effected via automated bots and bulk phishing attacks, but can be bypassed by some skilled attackers that focus on targeting specific users.
Some knowledge-based challenges (recovery phone number, last sign-in location) are fantastic at stopping bots, but fare much poorer when it comes to bulk phishing and targeted attacks.
“In the event of a suspicious sign-in attempt, Google’s risk analysis engine selects the strongest challenge that an account’s legitimate owner should ideally be able to solve. For accounts with an associated device or phone number, the risk engine exclusively allows device-based challenges. Absent a device, the engine falls back to delegation-based challenges, then knowledge-based challenges, and ultimately additional resource challenges,” researchers from New York University and Google explained.
“As such, even though a hijacker may know a victim’s phone number or backup email, the risk engine will only present such a challenge if no stronger option exists. Failing a challenge does not allow an actor to subsequently select a weaker class of challenge; for legitimate users, this may mean account lockout until the user can regain access to a trusted network or device.”
Their research has shown that simply adding a recovery phone number to one’s Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks.
Different protections for different types of users
Google has been urging high-risk users to start using Advanced Protection Program, which requires the use of a physical key, limits full access to users’ Gmail and Drive to specific apps, and adds extra steps to the account recovery process.
For regular users, who are more likely to be randomly targeted by bot-powered account hijacking attempts than state actors or well-organized criminal groups, this program is an overkill. They are, instead, advised to choose strong and unique passwords, set up a recovery phone number or email address and to set up two-factor authentication (2FA).
While 2FA can be thwarted by knowledgeable attackers, regular, low-risk users are unlikely to be targeted by them. In fact, even if someone wants to break into their account but doesn’t know how to do it and then turns to a hacker offering the service on underground forums, odds are good that they’ll get ignored or scammed.
The retail email account hacking market is still small
Researchers from University of California, San Diego and Google have explored the retail email account hacking market by setting up “honey” accounts and websites with information about the supposed target, then contacting 27 providers of these (illegal) services and paying them to hack 34 different victim Gmail accounts.
“Of the twenty-seven services engaged, ten refused to respond to our inquiries. Another twelve responded to our initial request, but the interactions did not lead to any attempt on the victim account. Of these twelve, nine refused up front to take the contract for various reasons, such as claiming that they no longer hacked Gmail accounts contrary to their contemporary advertisements. The remaining three appear to be pure scams (i.e., they were happy to take payment, but did not perform any service in return),” the researchers shared.
Only five of the service providers actually made attempts to hack into victim accounts. Some of these were successful and others not, but their attempts allowed the researchers to see the approaches used.
While one of the attackers attempted to deliver a remote access trojan to the victim, the rest opted for targeted phishing email messages.
“The attackers customized their phishing lures to incorporate details of our fabricated business entities and associates, which they acquired either by scraping our victim persona’s website or by requesting the details during negotiations with our buyer persona. We also found evidence of re-usable email templates that spoofed sources of authority (Google, government agencies, banks) to create a sense of urgency and to engage victims,” the researchers noted.
“To bypass two-factor authentication, the most sophisticated attackers redirected our victim personas to a spoofed Google login page that harvested both passwords as well as SMS codes, checking the validity of both in real time. However, we found that two-factor authentication still proved an obstacle: attackers doubled their price upon learning an account had 2FA enabled.”
But even getting the password and second authentication factor is no guarantee that the attacker will be able to gain access to the target’s account: other login challenges triggered by their sign-in attempts (from previously unseen devices or network addresses) were occasionally enough to stop them from trying to get in.
“Google observed that attackers would attempt to access each account a median of seven times before they either succeeded or abandoned their efforts. As such, even though these attacks may be targeted, Google’s existing account protections can still slow and sometimes stop attackers from gaining access to victim accounts,” the researchers noted.