It was 2011, and if you were a Gmail user you might have found things had begun to turn ugly.
Spam messages, spear-phishing attacks, and bogus “I’m stranded in a foreign country” scams, began to appear in some users’ inboxes, defeating Google’s anti-spam systems.
The reason why the messages reached their intended targets? They were sent from the legitimate Gmail account of one of your contacts rather than a third party who had never been in touch with you before.
The problem was that it wasn’t your friend or colleague who physically sent the message. Rather, a cybercriminal had hijacked their account and sent you the message posing as your email buddy.
Because this tactic was working so well for the spammers, some cybercriminals focused their efforts on stealing databases of usernames and passwords to get into those legitimate Gmail accounts.
People who committed the sin of password reuse on different website accounts made it all the more easy to steal Gmail account login information.
So Google gritted its teeth and got to work – work that’s paid off big-time, Google reported this week.
Google Security Engineer Mike Hearn reports in a Google Online Security Blog posting that the company has managed to shrink the number of compromised accounts to practically nil – a 99.7 percent reduction, to be exact – since the peak of hijacking attempts in 2011.
Part of the defense is that Google is now performing complex risk analysis to determine whether an account sign-in might be suspicious or risky – say, if it’s coming from a country far away from your last sign-in.
If so, it asks simple questions about the account, such as the account’s associated phone number, or the answer to a security question.
We should all commend Google for squashing the number of compromised accounts, but it’s up to all of us to do our part in keeping our accounts safe.
Sophos’s Graham Cluley has written some explicit advice on how to protect your Gmail account, and Google suggests the following security-strengthening steps:
- Use a strong, unique password for your Google account. Graham teaches you how to create easy-to-remember, hard-to-crack passwords in the article I cited above. Otherwise, password management programs can cook up impossible-to-remember, hard-to-crack passwords for you, as well as store them all away where you don’t have to think about them. They’re God’s gift to those with “I will subscribe to anything on the planet” syndrome, such as yours truly.
- Turn on two-step verification.
- Update the recovery options on your account, such as your secondary email address and phone number.
Finally, consider whether Gmail is the safest place for your data.
As Graham suggests, a cloud email service may provide less security than your regular work email system, so if you have that option, think of limiting the type of data you send over a web email account.
5 comments on “Google says it is winning the war against Gmail account hijackers”
My account and phone were compromised and there is no way I can recover my phone as every time I open a new account, they know and use the new e-mail and password. I have received e-mails from Google and even submitted a credit card number but I never heard of them. So I am left out with a phone that's almost unusable except to phone. Any hint on how I could recover from this?
I don't like Googles two-step verification system of using one's mobile phone number. Who knows what Google Analytics will do with it, let alone the other outfits that place tracking cookies in one's browser. A strong and unique password is, in my humble opinion, the best defense.
Two-Step verification is great, but *please* people, make sure any recovery email address is well protected. Far too often, the password recovery options are the weak link in the chain.
The concept of Two-Step verification is great but putting thought into practice is so simple, if when told not to ask for verification on certain machines, I was forced to do so time & time again!
2 Stars up for the concepts
3 Stars down for the practical application – ceiloazule
All this work is worthless as long as Google continue to check the box to keep the users logged in by default on the computers they use. Its even checked for the 2 step verification!!!