Google study reveals how criminals break into Gmail accounts

Google, it’s fair to say, is no fan of relying on passwords to secure online accounts.

Reading the recent study the company commissioned on the causes of online account takeover from the University of California, Berkeley, it’s not hard to understand why.

The year-long analysis to March 2017 mostly confirms a lot of bad news that security experts could have guessed, starting with the staggering haul of stolen credentials, covering a wide range of online services, that appear to be circulating on the dark web.

After crawling blackhat forums and paste sites, 1.9 billion credentials were traced to data breaches, 12.4 million to the work of phishing kits, and 788,000 were stolen by keyloggers.

Based on the 751,000 Gmail users within this data, the company was able to work out that for its users phishing attacks are by far the most dangerous of the three:

We find that the risk of a full email takeover depends significantly on how attackers first acquire a victim’s (re-used) credentials. Using Google as a case study, we observe only 7% of victims in third party data breaches have their current Google password exposed, compared to 12% of keylogger victims and 25% of phishing victims.

But just having the password and user name (which can be changed) isn’t the whole explanation for the different success rates. It turns out that phishing attacks and keyloggers are further boosted by their tendency to grab data such as telephone numbers, geo-location data and IP addresses.

This makes it much harder for a company such as Google to detect rogue activity simply by looking at where someone appears to be logging in from, say, because this can be spoofed.

The warning:

While credential leaks may expose the largest number of passwords, phishing kits and keyloggers provide more flexibility to adapt to new account protections.

Which brings us back to the perennial angst of passwords.

The study confirmed that large numbers of passwords (including large numbers of terrible ones that appeared to have been poorly stored) are re-used, which means that someone breached in one service has often put multiple accounts at risk.

The researchers’ conclusion is that password-based authentication is dead in the water. Credentials are simply too easy to steal while users don’t make much effort to secure them. No amount of tinkering can save this model.

Enabling multi-factor authentication (MFA) would mitigate much of this, particularly phishing attacks, credential leaks and, to some extent, keylogging. And yet only a minority use it, even after they’ve been the victim of an attack:

Our own results indicate that less than 3.1% who fall victim to hijacking subsequently enable any form of two-factor authentication after recovering their account.

This suggests that people have either not heard of MFA, don’t know how to enable it or really don’t like it.

It makes you wonder why Google doesn’t simply make MFA mandatory and just get on with migrating people for their own good, as Apple appears to want to do.

An intriguing possibility is that companies such as Google might more regularly trawl the dark web for accounts that have been breached, resetting them as they are spotted.

Facebook are already known to do this and Google did it for every compromised Gmail account the researchers uncovered in this study, so it’s not far-fetched that this could happen in future.

Naked Security has written several times on the importance of MFA (including for Gmail) which we’d implore anyone not using it to read and act on.

Google also recently launched something called the Advanced Protection Program (APP) for Gmail users who see themselves as being at high risk of phishing attacks.