
What you need to do to prevent your Google account from being stolen
- Translation

Google has published a study, "How effective is basic account hygiene at preventing hijacking", on what an account owner can do to stop their account from being taken over. We present a translation of this study.
True, the most effective method, the one used by Google itself, was not included in the report. I had to write about this method myself at the end.
Every day, we protect users from hundreds of thousands of hijacking attempts. Most of these attacks come from automated bots with access to credentials leaked in third-party password breaches, but there are also phishing and targeted attacks. Earlier we described how just five simple steps, such as adding a recovery phone number, can help keep you safe; now we want to prove it in practice.
A phishing attack is an attempt to trick users into voluntarily handing over information that is useful for breaking into their accounts, for example by imitating the interface of a legitimate application.
Automated bot attacks are mass hijacking attempts not aimed at specific users. They are usually carried out with publicly available tooling and can be run even by unskilled attackers. The attacker knows nothing about individual users; they simply run the program and collect whatever poorly protected accounts it turns up.
Targeted attacks are break-ins against specific accounts, in which additional information is collected about each account and its owner; they may include attempts to intercept and analyze traffic and the use of more sophisticated tooling.
(Translator's note)
We teamed up with researchers from New York University and the University of California to find out how effective basic account hygiene is at preventing account hijacking.
The year-long study of large-scale and targeted attacks was presented on Wednesday at The Web Conference, a gathering of experts, policy makers and users.
Our research shows that simply adding a recovery phone number to your Google account can block up to 100% of automated bot attacks, 99% of bulk phishing attacks, and 66% of the targeted attacks that occurred during our investigation.
Google's automatic, risk-based protection against account hijacking
We use automatic, risk-based protection to better defend all our users against account hijacking. Here is how it works: if we detect a suspicious sign-in attempt (for example, from a new location or device), we ask for additional proof that it is really you. That proof may be confirming that you have access to a trusted phone, or answering a question to which only you know the answer.
If you have signed in on your phone or added a phone number to your account settings, we can provide a level of protection similar to two-step verification. We found that an SMS code sent to the recovery phone number helped block 100% of automated bots, 96% of bulk phishing attacks and 76% of targeted attacks. On-device prompts that ask you to confirm the sign-in, a more secure replacement for SMS, helped prevent 100% of automated bots, 99% of bulk phishing attacks and 90% of targeted attacks.

Both device-based challenges (proof that you hold a particular device) and knowledge-based challenges (proof that you know a particular fact) help stop automated bots, but only device-based challenges help stop phishing and even targeted attacks.
If no phone number is configured on your account, we have to fall back on weaker, knowledge-based challenges, such as asking where you last signed in. This works well against bots, but protection against phishing can drop to as low as 10%, and there is almost no protection against targeted attacks. The reason is that phishing pages and targeted attackers can trick you into disclosing whatever additional information Google asks for during verification.
Given the benefits, one might ask why we do not require such challenges on every sign-in. The answer is that this would add friction for users (especially inexperienced ones - translator's note) and increase the risk of locking people out of their accounts. During the experiment, 38% of users did not have access to their phone when challenged, and another 34% could not recall their secondary email address.
If you lose access to your phone or cannot pass the challenge, you can always sign in again from a trusted device you have used before to regain access to your account.
Understanding hack-for-hire attacks
Where automated protections stop most bots and phishing attacks, targeted attacks are more pernicious. As part of our ongoing efforts to monitor hijacking threats, we keep identifying new hack-for-hire criminal groups that charge $750 on average per account. These attackers often rely on phishing emails that impersonate family members, colleagues, government officials, or even Google. If the target does not fall for the first phishing attempt, follow-up attacks persist for over a month.

An example of a man-in-the-middle phishing attack that checks in real time whether the password entered is correct, then prompts the victim to enter the SMS authentication code, which the attacker uses to access the victim's account.
By our estimate, only about one in a million users faces this level of risk; attackers do not target random people. Although our research shows that our automatic protection can delay and even prevent up to 66% of the targeted attacks we studied, we still recommend that high-risk users enrol in our Advanced Protection Program. As we note in the study, users who relied exclusively on security keys (that is, hardware tokens such as the FIDO U2F keys described in the translator's note at the end, not codes sent by SMS - translator's note) did not fall victim to targeted phishing during our investigation.
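The relay attack in the caption above, and the earlier point that a phishing page can simply ask the victim for whatever Google asks for, are easiest to see in code. What follows is an added example written for this translation, not Google's code or anything from the study: a single-process model of a real-time man-in-the-middle proxy that forwards a password and then an SMS code, and the same proxy failing against a FIDO U2F security key because the key's assertion is bound to the origin the browser actually saw. The domains, the password, and the HMAC that stands in for the token's ECDSA signature are all constructed for the example.

```python
"""Toy model of a real-time man-in-the-middle phishing proxy.

Added example, not Google's code.  Simplifications, all constructed here:
  * the token's ECDSA signature is an HMAC over a secret that both the
    token and the site hold after registration;
  * there is no network; the "proxy" is just function calls in one process.
"""
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://accounts.example.com"          # constructed
PHISH_ORIGIN = "https://accounts-example-com.evil"    # constructed look-alike
PASSWORD = "correct horse battery staple"             # constructed


def token_sign(key: bytes, origin: str, challenge: bytes) -> bytes:
    """What the security key signs: the origin reported by the browser plus
    the server challenge.  The key signs what the browser tells it, not what
    the user believes."""
    return hmac.new(key, origin.encode() + b"\x00" + challenge, hashlib.sha256).digest()


class RelyingParty:
    """The legitimate account service."""

    def __init__(self, origin: str, password: str, key: bytes):
        self.origin = origin
        self.password = password
        self.key = key                 # registered at enrolment
        self.sms_code = None
        self.challenge = None

    def start_login(self, password: str) -> bool:
        """Step 1: password check; on success issue both second-factor challenges."""
        if not hmac.compare_digest(password, self.password):
            return False
        self.sms_code = f"{secrets.randbelow(10**6):06d}"
        self.challenge = secrets.token_bytes(16)
        return True

    def finish_sms(self, code: str) -> str:
        """Step 2a: an SMS code is pure knowledge; whoever types it wins."""
        return "ok" if hmac.compare_digest(code, self.sms_code) else "bad code"

    def finish_u2f(self, claimed_origin: str, signature: bytes) -> str:
        """Step 2b: verify the signature over the client data, then insist that
        the client data names *this* origin."""
        expected = token_sign(self.key, claimed_origin, self.challenge)
        if not hmac.compare_digest(signature, expected):
            return "bad signature"
        if claimed_origin != self.origin:
            return "origin mismatch"
        return "ok"


class Victim:
    """User plus browser plus security key."""

    def __init__(self, password: str, key: bytes):
        self.password = password
        self.key = key

    def read_sms(self, rp: RelyingParty) -> str:
        return rp.sms_code             # the code arrived on the user's phone

    def touch_key(self, origin_seen_by_browser: str, challenge: bytes) -> bytes:
        return token_sign(self.key, origin_seen_by_browser, challenge)


def setup():
    key = secrets.token_bytes(32)
    return RelyingParty(REAL_ORIGIN, PASSWORD, key), Victim(PASSWORD, key)


def phish_sms(rp, victim) -> str:
    """Proxy forwards the password, then the SMS code the victim types in."""
    rp.start_login(victim.password)            # typed into the phishing page
    return rp.finish_sms(victim.read_sms(rp))  # and the code too: "ok", hijacked


def phish_u2f(rp, victim) -> str:
    """Proxy forwards the real challenge, but the browser is on PHISH_ORIGIN."""
    rp.start_login(victim.password)
    sig = victim.touch_key(PHISH_ORIGIN, rp.challenge)
    return rp.finish_u2f(PHISH_ORIGIN, sig)    # "origin mismatch"


def phish_u2f_rewrite_origin(rp, victim) -> str:
    """Proxy patches the origin field before relaying the assertion."""
    rp.start_login(victim.password)
    sig = victim.touch_key(PHISH_ORIGIN, rp.challenge)
    return rp.finish_u2f(REAL_ORIGIN, sig)     # "bad signature": origin is signed


def legit_u2f(rp, victim) -> str:
    rp.start_login(victim.password)
    sig = victim.touch_key(rp.origin, rp.challenge)
    return rp.finish_u2f(rp.origin, sig)       # "ok"


if __name__ == "__main__":
    rp, victim = setup()
    for name, fn in [("relayed SMS code", phish_sms),
                     ("relayed U2F assertion", phish_u2f),
                     ("U2F with rewritten origin", phish_u2f_rewrite_origin),
                     ("U2F on the real site", legit_u2f)]:
        print(f"{name:26s}: {fn(rp, victim)}")
```

Run it directly to print the four outcomes. The two checks in finish_u2f are the whole point: the signature covers the origin string, so a proxy can neither reuse an assertion minted on its own domain nor rewrite the origin field before forwarding it. An SMS code carries no such binding, which is why on-device prompts and security keys outperform it in the study's targeted-attack numbers.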
Take a few minutes to protect your account.
Just as you buckle a seat belt to protect yourself in a car, you can secure your account with our five tips.
As our research shows, one of the simplest things you can do to protect your Google account is to add a recovery phone number. For high-risk users such as journalists, activists, business leaders, and political campaign teams, our Advanced Protection Program provides the highest level of security. You can also help protect your non-Google accounts from third-party password breaches by installing the Password Checkup Chrome extension.
Interestingly, Google itself does not follow the advice it gives its users. Google uses hardware tokens for two-factor authentication of more than 85,000 of its employees. According to company representatives, since hardware tokens were introduced, not a single account takeover has been recorded. Compare that with the numbers in this report: hardware tokens for two-factor authentication turn out to be the only reliable way to protect accounts and data (and, in some cases, money).
Google accounts are protected with tokens built to the FIDO U2F standard. Cryptographic tokens are also used for two-factor authentication on Windows, Linux and macOS.
(Translator's note)