Google Has a Great Tip for Securing Your Online Account

On Friday, Google published the results of a year-long study on wide-scale and targeted account hijacking attacks. The study corroborated the firm’s belief that taking a few simple steps can protect users from most attacks. But one step, in particular, stands out: Add a recovery phone number to your Google account.

“Our research shows that simply adding a recovery phone number to your Google Account can block up to 100 percent of automated bots, 99 percent of bulk phishing attacks, and 66 percent of targeted attacks that occurred during our investigation,” a Google Security Blog post notes.


Google teamed up with researchers from New York University and the University of California, San Diego on the year-long study, which covered both wide-scale and targeted attacks. It found that basic account hygiene goes a long way toward thwarting them.

“We provide an automatic, proactive layer of security to better protect all our users against account hijacking,” Google explains. “If we detect a suspicious sign-in attempt (say, from a new location or device), we’ll ask for additional proof that it’s really you. This proof might be confirming you have access to a trusted phone or answering a question where only you know the correct response.”

That additional proof can include a 2-step verification prompt on your phone or even an SMS text message. Both are quite effective, according to Google: SMS codes helped prevent 100 percent of automated bots, 96 percent of bulk phishing attacks, and 76 percent of targeted attacks. But on-device prompts were even better, as they stopped 100 percent of automated bots, 99 percent of bulk phishing attacks and 90 percent of targeted attacks.
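
The step-up behaviour Google describes above, modelled as an added Python example that is not Google's code and not part of the original article: it builds a per-account baseline of previously seen devices and countries from constructed sign-in records, flags an attempt from an unseen device or location, and then picks the strongest enrolled challenge in the order the study ranks them (on-device prompt, then SMS, then a knowledge-based question for an account with no recovery phone). The record format, the device identifiers and the enrollment table are all assumptions made for the example.

```python
# Constructed sign-in history (assumption: one "account,device_id,country"
# record per successful sign-in). Real telemetry carries far more signal.
HISTORY = """\
alice,dev-a1,US
alice,dev-a1,US
alice,dev-a2,US
bob,dev-b1,DE
"""

# Constructed enrollment table: which second factors each account can answer.
# bob has no recovery phone, so only a knowledge-based question is available.
ENROLLED = {
    "alice": {"device_prompt", "sms"},
    "bob": set(),
}

# Strongest to weakest, in the order the study reports their effectiveness.
CHALLENGE_PREFERENCE = ("device_prompt", "sms", "knowledge")


def build_baseline(history: str) -> dict:
    """Per-account sets of device ids and countries seen on past sign-ins."""
    baseline = {}
    for line in history.strip().splitlines():
        account, device, country = line.split(",")
        entry = baseline.setdefault(account, {"devices": set(), "countries": set()})
        entry["devices"].add(device)
        entry["countries"].add(country)
    return baseline


def decide_challenge(baseline: dict, enrolled: dict, account: str,
                     device: str, country: str) -> tuple:
    """Return (reasons, challenge). `reasons` lists what looked suspicious;
    `challenge` is None when nothing did, otherwise the strongest factor the
    account has enrolled, with a knowledge-based question as the fallback."""
    seen = baseline.get(account, {"devices": set(), "countries": set()})
    reasons = []
    if device not in seen["devices"]:
        reasons.append("new_device")
    if country not in seen["countries"]:
        reasons.append("new_location")
    if not reasons:
        return reasons, None
    for factor in CHALLENGE_PREFERENCE[:-1]:
        if factor in enrolled.get(account, set()):
            return reasons, factor
    return reasons, "knowledge"


def record_success(baseline: dict, account: str, device: str, country: str) -> None:
    """After a passed challenge, trust the device and location from now on."""
    entry = baseline.setdefault(account, {"devices": set(), "countries": set()})
    entry["devices"].add(device)
    entry["countries"].add(country)


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    # Constructed attempts: a familiar one, a new device, and a phone-less
    # account signing in from a new country.
    for attempt in (("alice", "dev-a1", "US"),
                    ("alice", "dev-x9", "US"),
                    ("bob", "dev-b1", "FR")):
        print(attempt, "->", decide_challenge(base, ENROLLED, *attempt))
```

The ordering is the whole point: an account with a recovery phone enrolled never drops to the knowledge-based question, while an account without one has nothing stronger to offer when a sign-in looks unfamiliar.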

Users without a recovery phone number fall back on weaker knowledge-based challenges, such as recalling their last sign-in location. These can be effective in some cases, but their effectiveness drops to as low as 10 percent against phishing attacks.

Ultimately, Google’s advice is sound: take a bit of time to make sure your Google account (and your other online accounts) are secure. Google’s post lists the five best steps you can take, and the first of them, adding a recovery phone number, is the single most effective.


Conversation 16 comments

  • red.radar

    Premium Member
    20 May, 2019 - 10:03 am

    I don’t disagree with Google’s study. I am just a little troubled with how my phone number is becoming a part of my identity. Changing a phone number is tough. You almost need two lines activated so you can move it.

    • Chris_Kez

      Premium Member
      20 May, 2019 - 10:25 am

      In reply to red.radar:

      A lot of people would be in a tough spot if they had to change their number for whatever reason; I imagine very few people would have the wherewithal to go back to every site/service and turn off or update their phone-based 2FA.

    • Orin

      21 May, 2019 - 6:48 am

      In reply to red.radar:

      I don't disagree with you. Our phone numbers are very much becoming tied to us as individuals. It is becoming more difficult to change phone numbers because of all that is tied to them. I'm failing to see why this is troubling though. What about that bothers you particularly?

  • dontbe evil

    20 May, 2019 - 10:10 am

    google and security in the same title … ROTFL

  • Stooks

    20 May, 2019 - 10:14 am

    So basically you should be using 2 Factor……old news and all of your services should have this. Ask John Podesta how important that is.

  • Bats

    20 May, 2019 - 10:22 am

    This is old advice. I did this a few years ago, when Google incentivized users to add the phone number in exchange for additional GBs of Google Drive space.

  • RonV42

    Premium Member
    20 May, 2019 - 10:45 am

    Phone numbers aren't the best choice for this type of multi factor. As a company we are moving away from SMS and phone numbers and going to "knowledge" based IDM for recovery.

  • harmjr

    Premium Member
    20 May, 2019 - 10:46 am

    What I also would like to see implemented is location-only access. Why can't I go in and set it up to never allow a log in from Europe or Asia? I don't know why google, Microsoft and yahoo don't have this. Yes someone could use a VPN I get that.

    • harmjr

      Premium Member
      20 May, 2019 - 11:34 am

      In reply to harmjr:

      Someone downvoted me. If there is a tech reason can you explain?

      I know MS can do this as my system admins where I work can pull reports from our O365 accounts showing log-ins outside the US.

  • obarthelemy

    20 May, 2019 - 11:08 am

    I'd recommend app-based 2FA, it's both more secure and more practical than text-based 2FA (when done right):

    1- secure your 2FA app behind a second fingerprint/pwd on your smartphone. Same as for your banking app and porn browser.

    2- at the time you set up 2FA, scan that barcode on 2 devices (phone and tablet, 2nd phone…); it's the only time you can set up a second 2FA authenticator

    3- even MS accepts the Google Authenticator app instead of MS's own, so you can put pretty much everything in that single 2FA app.

  • StevenLayton

    20 May, 2019 - 11:10 am

    For those saying that this is 'old news', remember that old advice to some is new advice to others, or it's a simple reminder to stop thinking about doing it, and actually do it.

  • david.thunderbird

    20 May, 2019 - 11:14 am

    The only problem here is now gooGle has your numbers. You really didn't think they wouldn't add it to your ball of string?

    • AnOldAmigaUser

      Premium Member
      20 May, 2019 - 11:21 am

      In reply to david.thunderbird:

      Do you think that Google did not have your phone number before? IMEI and MAC address both uniquely identify the device, and if you do not think that your phone provider provides the phone number linked to both, for a price, then you are very naive. Google, like other data aggregators, purchase additional data to make sure they have the complete picture. Anything they say about non-PII is simply lip service.

  • Breaker119

    Premium Member
    20 May, 2019 - 11:58 am

    Authenticator Apps FTW

  • lvthunder

    Premium Member
    20 May, 2019 - 12:04 pm

    What if I don't want to give my phone number to a marketing company?

  • YouWereWarned

    20 May, 2019 - 2:46 pm

    6FA is the way to go…give 'um your cell number, highest-limit credit card, SSN, checking account, street address, and favorite month to vacation far away. I feel better already…


Thurrott © 2024 Thurrott LLC