It turns out Mom was right; simple preventive hygiene like washing your hands before eating and regularly brushing your teeth can prevent a lot of health problems. Indeed, the simplest actions can have outsized benefits, and some new research from Google shows that the same holds true for security hygiene for user accounts.
We’re all familiar with the basics like not reusing passwords and keeping software updated with the latest security patches, but these maxims have become so familiar that people are numb to the advice. Hopefully, some data quantifying the effectiveness of security basics will be more convincing.
While the username-password system of identity and security has significant problems, we’re stuck with it given the tremendous inertia of established software processes and human resistance to change. However, as Google demonstrates, some simple additions, which admittedly add some friction to the authentication process, can significantly reduce, and in some cases outright eliminate, the risk of account hijacking.
Basic security hygiene summarized
Almost a decade ago, Microsoft summarized Ten Immutable Laws of Security that are just as true now in the era of smartphones and mobile apps. Several are worth highlighting since they illustrate common attack methods used to compromise user accounts and personal data (bracketed text added to improve relevance):
- Law #1: If a bad guy can persuade you to run his program on your computer [or phone], it's not solely your computer anymore.
- Law #5: Weak passwords trump strong security.
- Law #6: A computer is only as secure as the administrator [or smartphone user] is trustworthy [or vigilant].
- Law #8: An out-of-date antimalware scanner [or OS] is only marginally better than no scanner at all.
Tricking people into running a program on their PC or phone (Law #1), whether via a phishing email with a phony, obfuscated Web link or a Trojan horse app that slips past App Store or Play Store curators, remains one of the most common ways of taking control of a device and exfiltrating or scraping information. The exposure is magnified if one ignores Law #8 and runs an outdated OS or critical application (email or messaging client) that can be exploited through well-known vulnerabilities that have long since been patched. Furthermore, since the phone user is the administrator, Law #6 implies that carelessness and a lack of vigilance or skepticism when interacting with external messages (email or text), Web sites or unvetted third-party apps can defeat even well-secured systems. Finally, although brute-force password guessing (Law #5) is less effective and less common now that online services lock out or rate-limit repeated guesses and store passwords more carefully, recycling a high-value password, like the one protecting your email account, on a less protected site such as a news or business registration system can be just as dangerous: a breach of the weak site hands the attacker the key to the strong one.
Google and Microsoft are two of the most sophisticated cloud operators around and collectively hold hundreds of millions of user accounts, so it’s not surprising that each has solid (and similar) recommendations for basic security hygiene; Microsoft addresses its advice to developers, site operators and IT administrators this way:
- Ensure your users are registered and ready for multi-factor authentication (MFA) challenges;
- Detect and challenge risky logins; and
- Detect and change compromised credentials.
Google provides a similar set of five steps for everyday users:
- Set up a recovery phone number or email address, and keep it updated.
- Use unique passwords for your accounts.
- Keep your software up to date.
- Go a step further by setting up two-factor authentication.
- Take the Google Security Checkup.
Note: The Security Checkup is an online wizard that provides personalized and actionable recommendations to strengthen the security of Google Accounts.
Google’s recommendations and findings
Being the data-driven organization it is, Google decided to find out how effective its recommendations are at preventing account compromise. Working with security researchers at NYU and UC San Diego, Google conducted a year-long study that examined the effectiveness of various authentication enhancements at thwarting both wide-scale and targeted attacks. It recently presented two papers detailing the results: one on using login challenges to defeat account takeovers and another on targeted account-hijacking-for-hire services.
The study found that two-factor authentication (2FA) using a separate security key like the Google Titan (at least the revised version that fixes a Bluetooth pairing flaw in the original) or a YubiKey is the gold standard in account protection, blocking 100% of all three attack vectors studied: automated bots, bulk phishing scams and targeted attacks.
However, on-device security prompts, along with apps like Google Authenticator or Authy that generate 6- to 8-digit one-time codes on the phone, were almost equally effective, blocking “100% of automated bots, 99% of bulk phishing attacks and 90% of targeted attacks.”
Source: Google Security Blog post
While their effectiveness against bot and phishing attacks is similar, Google found that mobile app code generators are significantly better at blocking targeted attacks than codes sent via SMS. Indeed, the ubiquity of companies using one’s mobile number as a security control point explains the recent rise of SIM swapping, since a hijacked number lets sophisticated thieves take control over many aspects of a person’s online identity.
Security researcher Brian Krebs has been covering the increasing danger from SIM swaps and has some genuinely harrowing accounts on his website. Krebs describes the problem this way (emphasis added):
Customers can legitimately request a SIM swap when their existing SIM card has been damaged, or when they are switching to a different phone that requires a SIM card of another size. But SIM swaps are frequently abused by scam artists who trick mobile providers into tying a target’s service to a new SIM card and mobile phone that the attackers control. Unauthorized SIM swaps often are perpetrated by fraudsters who have already stolen or phished a target’s password, as many banks and online services rely on text messages to send users a one-time code that needs to be entered in addition to a password for online authentication.
Illegal SIM swaps allow fraudsters to hijack a target’s phone’s number and use it to steal financial data, passwords, cryptocurrencies and other items of value from victims. Nixon said countless companies have essentially built their customer authentication around the phone number, and that a great many sites still let users reset their passwords with nothing more than a one-time code texted to a phone number on the account. In this attack, the fraudster doesn’t need to know the victim’s password to hijack the account: He just needs to have access to the target’s mobile phone number.
Indeed, the trade is lucrative enough to sustain its own online marketplace and forum for account hijackers, which was itself hacked, “exposing the email addresses, hashed passwords, IP addresses and private messages for nearly 113,000 forum users,” according to Krebs.
In light of these and other incidents, it's likely that Google’s results overestimate the security of SMS-based code delivery against motivated hackers targeting particular users. In sum, there’s no substitute for a completely independent second factor of user authentication like a security key, but on-device code generation apps are a worthy substitute as long as users thoroughly secure their phone (an 8-digit or longer PIN or an alphanumeric passphrase, and device lock-out after 10 or so incorrect attempts).
Targeted attacks: Low probability, but more dangerous
Targeted attacks, in which someone pays a criminal “hack for hire” group several hundred dollars to take over a particular person’s account, are much less common (Google estimates that only one in a million users face this risk), but more dangerous. Google’s research paper detailing the methods and business model used by these groups is revealing and shows that the attacks almost always start with customized phishing campaigns that include personal information gleaned from other sources, where the goal is tricking the user into entering their account (usually email) password into a bogus login screen. (Note: this is precisely the technique used by someone, whose identity remains unknown, to steal the Gmail of Clinton confidant John Podesta, the contents of which were subsequently published by Wikileaks.)
Source: Google, “Example man-in-the-middle phishing attack that checks for password validity in real-time. Afterwards, the page prompts victims to disclose SMS authentication codes to access the victim’s account.” (Note: the second step is what defeats SMS-based 2FA. The attacker’s login attempt with the stolen password causes Google to text the one-time code to the victim’s real phone; the victim then types that code into the fake page, and the attacker replays it on the real site before it expires.)
Google found that these hack-for-hire services can detect when 2FA is enabled on an account and will require additional money (usually equal to the original payment) and the target’s mobile phone number to proceed. Once armed with the cash and a number, the hackers have mechanisms for tricking the victim into entering a 2FA code sent via SMS (and sometimes, on-device code generators) into a fake form and executing a login before the code expires. Even so, the report notes that 2FA creates enough overhead to deter many attackers and can be defeated entirely by hardware keys, writing (emphasis added):
The current techniques for bypassing 2FA can be mitigated with the adoption of U2F security keys. We surmise from our findings, including evidence about the volume of real targets, that the commercial account hijacking market remains quite small and niche.
Businesses and individuals conduct an enormous amount, indeed, the majority in many cases, of their commercial, financial and even social activity online, where one’s email account and phone number have become the master keys to almost every other account. As such, criminals have become extremely crafty and sophisticated in the techniques used to compromise user accounts and leverage control over an email address and phone number to seize control over one’s entire digital persona. Fortunately, properly implemented 2FA, i.e. something you have (a cryptographic key or code generator) and something you know (a password), can thwart most if not all of these attacks without adding too much inconvenience to the login process.
Hardware keys remain the gold standard, though they are less convenient than codes delivered to one’s phone. Weaknesses in carriers’ number-porting processes, however, mean that a mobile phone number should not be used as a code delivery mechanism: you cannot guarantee that the carrier will keep your number under your control. Indeed, Google’s research concludes (emphasis added):
As our data showed, risk-aware authentication cannot reliably protect against repeated, targeted hijacking attempts that involve social engineering. Here, security keys provide the only 100% guarantee of protection against remote password theft.
However, Google’s research shows that on-device code generators are almost as effective while being more convenient for most people. If you’re still skeptical about the security of something like Google Authenticator or Authy, read the technical details here: the apps implement the time-based one-time password algorithm (TOTP, RFC 6238), computing each code as a keyed hash (HMAC) of the current 30-second time step under a secret seed that the service shares with the app only once, at enrollment (the QR code you scan). The codes never traverse the carrier network, so they cannot be intercepted by a SIM swap; an attacker would have to extract the seed from the phone itself to generate them elsewhere. (Authy’s optional multi-device support, which does copy the seeds to additional devices, requires each new device to be verified, protects the copies with a backup password if you enable encrypted backups, and can be switched off entirely once your devices are enrolled, which is the safer setting.)
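As an added illustration (not code from Google’s papers or the original post), the following Python derives TOTP codes exactly as an authenticator app does and checks them against the published RFC 6238 test vectors. It then simulates the two situations discussed above: a real-time phishing page relaying a freshly typed code, which the real site accepts because nothing in the code says where it was typed, and a security-key style response bound to the browser origin, which the real site rejects when it was produced for a phishing domain. The seed is the RFC’s test seed; the device key, challenge, origins and the HMAC stand-in for the key’s signature are constructed for the example.

```python
"""Added example: TOTP as an authenticator app computes it (RFC 4226/6238), and
why a relayed code passes while an origin-bound security-key response does not.
Not code from Google's papers or the original post; the device key, challenge,
origins and the HMAC stand-in for the key's signature are constructed here."""
import hashlib
import hmac
import struct
import time

TIME_STEP = 30  # seconds per code; the RFC 6238 default used by authenticator apps

# RFC 6238 Appendix B test seed (ASCII "12345678901234567890"). A real app gets
# its seed from the QR code scanned at enrollment and never sends it anywhere.
RFC_TEST_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' to a 31-bit integer, reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1,
                digits: int = 6, step: int = TIME_STEP) -> bool:
    """Server-side check. Accepts the code for the current step and `window`
    steps either side to tolerate clock skew; compares in constant time."""
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, counter + d, digits), code)
        for d in range(-window, window + 1)
    )


def phished_code_relay(secret: bytes, victim_types_at: int, attacker_submits_at: int) -> bool:
    """The man-in-the-middle flow described in the hack-for-hire paper: the
    victim types the code shown by their app into the fake page and the attacker
    forwards it to the real site moments later. The code carries no information
    about where it was typed, so it is accepted if the attacker beats expiry."""
    relayed_code = totp(secret, victim_types_at)
    return verify_totp(secret, relayed_code, attacker_submits_at)


def key_response(device_key: bytes, challenge: bytes, origin: str) -> bytes:
    """Toy stand-in for a U2F/FIDO assertion (constructed for this example). A
    real key signs the challenge together with the origin the browser saw, using
    a per-site ECDSA key; HMAC-SHA256 replaces the signature here only to keep
    the example offline. The property that matters is the same: the response is
    bound to `origin`, so a phishing domain gets a response the real site cannot use."""
    return hmac.new(device_key, challenge + origin.encode(), hashlib.sha256).digest()


def verify_key_response(device_key: bytes, challenge: bytes, expected_origin: str,
                        response: bytes) -> bool:
    """The real site verifies against its own origin; a response produced for a
    look-alike domain fails here even though the user 'approved' it."""
    return hmac.compare_digest(key_response(device_key, challenge, expected_origin), response)


if __name__ == "__main__":
    # RFC 6238 test vector: at T=59 the 8-digit SHA1 code is 94287082.
    print("RFC vector at T=59:", totp(RFC_TEST_SEED, 59, digits=8))
    print("6-digit code right now:", totp(RFC_TEST_SEED, int(time.time())))

    t = 1234567890
    print("Relayed code accepted 20 s later:", phished_code_relay(RFC_TEST_SEED, t, t + 20))

    device_key, challenge = b"constructed-per-site-key", b"server-nonce"
    real, fake = "https://accounts.google.com", "https://accounts-google.example"
    print("Key response made for phishing origin accepted by real site:",
          verify_key_response(device_key, challenge, real,
                              key_response(device_key, challenge, fake)))
```

The relay succeeds because a TOTP code is a function of the seed and the clock only; the `window` a server needs for clock skew gives the attacker at least 30 seconds to replay it. The origin check is what a security key adds: the browser, not the user, supplies the origin, so the phishing page cannot obtain a response valid for the real site no matter what the user is tricked into approving.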
Nevertheless, increased security isn’t without some inconvenience. As the Google report notes (emphasis added):
These protections [2FA] come at a cost of increased failed sign-in attempts from legitimate users, but with eventual success rates at levels similar to password-only authentication.
The added login friction is well worth the benefits, meaning that every enterprise should protect user email and SSO logins with a combination of hardware keys and on-device code generation. Likewise, individuals must demand that the businesses and online services they use immediately implement strong 2FA that doesn’t rely on SMS code delivery; the technology is mature and there is no justification for further procrastination.