How Google keeps your data safe
From hacking and phishing to malware, cybercriminals employ a variety of methods to hijack user accounts. Google's Stephan Micklitz and Tadek Pietraszek make sure they don’t succeed.
Mr. Pietraszek, you and your team are responsible for keeping user accounts secure. How do you prevent hackers from gaining access?
Tadek Pietraszek, Principal Software Engineer for user account security: First of all, it’s important that we’re able to detect the initial attack. We use more than a hundred variables to identify suspicious activity. Suppose you live in Germany, very rarely travel abroad, and someone tries to access your account from another country – that sets off alarms.
Stephan Micklitz, Director of Engineering on Google’s Privacy and Security team: That’s why we sometimes ask you to confirm the telephone number you’ve given us, or other information that only you as the account holder would know.
How often do these sorts of attacks occur?
Pietraszek: Hundreds of thousands of cyberattacks are launched every day. Our biggest problem is that the internet contains countless lists of user names and passwords stolen from hacked websites. As a number of our users have the same password for different accounts, these lists also include Google Account login data.
Do these lists pose the biggest security threat?
Pietraszek: Yes, absolutely. That and the classic phishing attacks. Almost everyone has received emails from criminals trying to obtain account passwords. Naturally, we do our part to make sure they don’t succeed. If we think an email destined for your Gmail inbox looks suspicious, we can mark it with a warning so you can take a closer look or we can automatically filter it out. Our Chrome browser also sends alerts when you try to visit a site that we know to be a phishing website.
Micklitz: There are two basic types of phishing. The mass emails, which perpetrators use to collect as much login data as possible, and what’s known as “spear phishing,” in which they target a specific person’s account. These can be quite sophisticated operations lasting several months, during which time the perpetrator examines the victim’s life in detail and launches a very targeted attack.
"If we think an email destined for your Gmail inbox looks suspicious, we can mark it with a warning."
How is Google helping its users prevent such attacks from being successful?
Pietraszek: One example is our 2-Step Verification system. Many users are familiar with this sort of system from their online bank accounts. If you want to transfer money, for example, you might need to enter both your password and a code sent via text. Google introduced two-factor authentication in 2009, which was earlier than most other major email providers. In addition, Google users who have registered their mobile number automatically benefit from a similar level of protection against suspicious login attempts.
Micklitz: Two-factor authentication is a good method, but even text message codes can be intercepted. For example, criminals might contact your mobile provider and try to have a second SIM card sent to them. Authentication with a physical security token, such as a Bluetooth transmitter or a USB stick, is even more secure.
Pietraszek: We use this resource as part of our Advanced Protection Program.
Pietraszek: The Advanced Protection Program was introduced by Google in 2017 and is intended for people at a greater risk of being hacked, such as journalists, CEOs, political dissidents, and politicians.
Micklitz: In addition to our physical Security Key, we also limit data access from third-party apps by incorporating additional steps where users must verify their identity if they lose the key.
Could you tell us about a major cyberattack and how you reacted to that?
Pietraszek: One of these attacks occured in early 2017. Hackers had created a malicious program to gain access to the victims’ Google Accounts and send fake emails to the users’ contacts. In these emails, recipients were asked to grant access to a fake Google document. Those who did so involuntarily granted access to the malware and automatically sent the same fake emails to their own contacts. The virus spread rapidly. We have contingency plans for situations like these.
Micklitz: In this particular case, for example, we blocked the distribution of these emails in Gmail, revoked the access granted to the program, and secured the accounts. Of course, we’ve also added systematic safeguards to make similar attacks more difficult in the future. Google Accounts are constantly under attack, and our automated systems offer the most effective protection. This depends, of course, on us being able to reach our users via means other than their Google Account – i.e., a second email address or a mobile phone number.
"Actually, just sticking to a few basic rules is usually enough."
How important is security to the average user?
Pietraszek: Many people find it very important, but taking the necessary security precautions can be tedious. This explains, for example, why people often use the same password for multiple accounts – which is the worst mistake you can make. Our job is to explain to users how they can protect their accounts with minimal effort. That's why we offer the Security Checkup function in Google Account, which allows users to easily check their settings.
Micklitz: Actually, just sticking to a few basic rules is usually enough.
And those rules are?
Micklitz: Don’t use the same password for multiple services, install security updates, and avoid suspicious software. Provide a telephone number or an alternate email address so you can be reached by other means. And enable your phone’s screen lock to make it harder for unauthorized individuals to gain access. These steps alone are a good start.
Photographs: Conny Mirbach