Google Says Hackers Steal Almost 250,000 Logins Each Week (cnn.com)

Google is digging into the dark corners of the web to better secure people's accounts. From a report: For one year, Google researchers investigated the different ways hackers steal personal information and take over Google accounts. Google published its research, conducted between March 2016 and March 2017, on Thursday. Focusing exclusively on Google accounts and in partnership with the University of California, Berkeley, researchers created an automated system to scan public websites and criminal forums for stolen credentials. The group also investigated over 25,000 criminal hacking tools, which it received from undisclosed sources. Google said it is the first study taking a long-term and comprehensive look at how criminals steal your data, and what tools are most popular. [...] Google researchers identified 788,000 potential victims of keylogging and 12.4 million potential victims of phishing. These types of attacks happen all the time. For example, on average, the phishing tools Google studied collect 234,887 potentially valid login credentials, and the keylogging tools collected 14,879 credentials, each week.
  • by Anonymous Coward

    These types of attacks will keep working partially based on social engineering as well as an already compromised system, such as a keylogger.

  • by uCallHimDrJ0NES ( 2546640 ) on Thursday November 09, 2017 @04:24PM (#55521641)

    ...until they offer us the solution of total account security through total surveillance. They can then assure us that no one is using our accounts besides ourselves and every single paying Google customer, any one of whom can watch our individual surveillance feeds for a fee.

  • by ctilsie242 ( 4841247 ) on Thursday November 09, 2017 @04:29PM (#55521673)

    Google has a good selection of 2FA tools, be it the app (which lets you tap "yes" on your phone), their authenticator, SMS fallback, etc. I'm surprised more people are not enabling authentication. That way, a revealed password isn't the end of the world, although stealing auth tokens can still be a valid attack, but that is a lot harder to do than a passive keylogger.

    • by Anonymous Coward

      Google has a good selection of 2FA tools, be it the app (which lets you tap "yes" on your phone), their authenticator, SMS fallback, etc. I'm surprised more people are not enabling authentication. That way, a revealed password isn't the end of the world, although stealing auth tokens can still be a valid attack, but that is a lot harder to do than a passive keylogger.

      If it's that good then why isn't it on by default?

      Seriously, what the fuck is wrong with technology firms? They sell these consumer electronics items and leave them wide open?

      What a bunch of morons - THEY are the morons!

      And if "hackers" can break into Google, I guess those Google "engineers" aren't such hot shits after all.

    • by Anonymous Coward

      Because it's an email account, the chances it will be compromised are pretty low, but if the worst happens, I'll make a new account and call it a day.

      Enabling any 2FA just causes more hoops to jump through and is a constant annoyance.

      Sort of the same thing with my credit card website: sure, I could enable 2FA and be annoyed every time I want to check charges. OR I could just use a slightly complex password, and if anything fishy happens, dispute the charges.

      Using 2FA has a constant overhead of annoyance.

      • by Anonymous Coward

        Most accounts rely on your email account for any sort of password reset procedures, so if it is compromised it is much more likely your other accounts will end up compromised as well.

        The barriers to use are low. You do not usually use it every time you go to the site, generally you use it the first time you log in from a new device or browser, or maybe once a month. If you have an Android device it can be set as a popup that you hit yes to. If you're using a time based authenticator, you can configure Lastp

    • I'm surprised more people are not enabling authentication.

      It's in part because these providers insist on using SMS as the preferred second factor despite its disadvantages compared to U2F or TOTP. SMS has two problems:

      SMS is expensive
      Cellular carriers in Slashdot's home country charge 10 cents per received text message unless a subscriber pays hundreds of dollars per year for a cellular plan including unmetered text messaging. I doubt that most people would want to pay their cellular carrier 10 cents every time they check their email.
      SMS is insecure
      SMS messages ca
      • SMS has a big bonus though - it almost always goes to a device exclusively linked to you that you willingly carry around with you almost all the time.

        In the game of social network data mining, giving someone your cell number and confirming the connection via SMS is like handing over your government ID while letting them scan your face, fingerprints, iris, retina, voice patterns, and gait.

  • Just do not send the plain text password to the server. Use a nonce-based hashing scheme instead.

    TLS is almost worthless because it relies on the user to validate the URLs. Might as well not use it at all.

    And the Secure Remote Password (SRP) algorithm has been around for a long, long time. It avoids offline John-the-ripper attacks.

    The idea is that users only type in passwords in an area of the browser like the URL line which JavaScript cannot access.

    Problem solved. Once and for all.

    Unfortunately, neithe
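The SRP exchange the comment above refers to, as an added worked example that is not part of the thread and not any library's code: an SRP-6a registration and login in pure Python, in which the server stores only a salt and a verifier and the password never leaves the client. The group is the 1024-bit one from RFC 5054 Appendix A, reproduced here from memory (check it against the RFC before relying on it); SHA-256 as the hash, the message layout of the proof value M1, and the class and function names are choices of this example.

```python
"""SRP-6a password-authenticated key exchange.  The server holds a verifier
v = g^x mod N and never sees the password; an eavesdropper sees only A, B and
a keyed proof, none of which can be run through an offline password cracker."""
import hashlib
import hmac
import secrets

# 1024-bit group from RFC 5054 Appendix A (from memory; verify against the RFC)
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8           # byte length used to pad integers


def pad(x: int) -> bytes:
    return x.to_bytes(NLEN, "big")


def H(*parts) -> int:
    """SHA-256 over the concatenation of padded ints and raw bytes."""
    h = hashlib.sha256()
    for p in parts:
        h.update(pad(p) if isinstance(p, int) else p)
    return int.from_bytes(h.digest(), "big")


k = H(N, g)                                 # SRP-6a multiplier


def private_x(identity: str, password: str, salt: bytes) -> int:
    """x = H(salt | H(identity ':' password)); computed only on the client."""
    inner = hashlib.sha256(f"{identity}:{password}".encode()).digest()
    return H(salt, inner)


def enroll(identity: str, password: str):
    """Registration: client derives the verifier; server stores (salt, v)."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(identity, password, salt), N)


class Client:
    def __init__(self, identity: str, password: str):
        self.identity, self.password = identity, password
        self.a = secrets.randbelow(N - 2) + 1
        self.A = pow(g, self.a, N)            # sent to the server

    def finish(self, salt: bytes, B: int) -> bytes:
        if B % N == 0:
            raise ValueError("degenerate server value B")
        u = H(self.A, B)
        if u == 0:
            raise ValueError("degenerate scrambling parameter u")
        x = private_x(self.identity, self.password, salt)
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        self.K = hashlib.sha256(pad(S)).digest()
        # M1 proves knowledge of K (hence of the password) without revealing it
        return hashlib.sha256(pad(self.A) + pad(B) + self.K).digest()


class Server:
    def __init__(self, salt: bytes, v: int):
        self.salt, self.v = salt, v
        self.b = secrets.randbelow(N - 2) + 1
        self.B = (k * v + pow(g, self.b, N)) % N   # sent to the client

    def verify(self, A: int, M1: bytes) -> bool:
        if A % N == 0:
            return False                      # A = 0 would force S = 0
        u = H(A, self.B)
        S = pow(A * pow(self.v, u, N), self.b, N)
        K = hashlib.sha256(pad(S)).digest()
        expected = hashlib.sha256(pad(A) + pad(self.B) + K).digest()
        return hmac.compare_digest(expected, M1)


def run_exchange(stored, identity: str, attempt: str) -> bool:
    """One login: returns True only if `attempt` matches the enrolled password."""
    salt, v = stored
    client, server = Client(identity, attempt), Server(salt, v)
    M1 = client.finish(salt, server.B)        # client gets (salt, B) from server
    return server.verify(client.A, M1)        # server gets (A, M1) from client


if __name__ == "__main__":
    creds = enroll("alice", "correct horse battery staple")   # constructed
    print("right password:", run_exchange(creds, "alice", "correct horse battery staple"))
    print("wrong password:", run_exchange(creds, "alice", "guess"))
```

Two caveats a practitioner would attach to the comment's "problem solved". First, what the network sees (A, B, M1) is not crackable offline, but the verifier store is: v is a deterministic function of salt and password, so a stolen server database still allows offline guessing, and x should be derived with a slow KDF rather than a bare hash in production. Second, SRP authenticates the password but says nothing about who served the login page; without TLS an attacker who can modify the page can simply replace the client-side code, so SRP complements transport security rather than replacing it.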

  • is all the logins belonged to this guy [nbc.com]
