Google Has a Great Tip for Securing Your Online Account

Posted on May 20, 2019 by Paul Thurrott in Cloud, Google with 16 Comments

On Friday, Google published the results of a year-long study on wide-scale and targeted account hijacking attacks. The study corroborated the firm’s belief that taking a few simple steps can protect users from most attacks. But one step, in particular, stands out: Add a recovery phone number to your Google account.

“Our research shows that simply adding a recovery phone number to your Google Account can block up to 100 percent of automated bots, 99 percent of bulk phishing attacks, and 66 percent of targeted attacks that occurred during our investigation,” a Google Security Blog post notes.

Google teamed up with researchers from New York University and the University of California, San Diego on the year-long study on wide-scale attacks and targeted attacks. And it found that basic account hygiene goes a long way toward thwarting those attacks.

“We provide an automatic, proactive layer of security to better protect all our users against account hijacking,” Google explains. “If we detect a suspicious sign-in attempt (say, from a new location or device), we’ll ask for additional proof that it’s really you. This proof might be confirming you have access to a trusted phone or answering a question where only you know the correct response.”

That additional proof can include a 2-step verification prompt on your phone or even an SMS text message. Both are quite effective, according to Google: SMS codes helped prevent 100 percent of automated bots, 96 percent of bulk phishing attacks, and 76 percent of targeted attacks. But on-device prompts were even better, as they stopped 100 percent of automated bots, 99 percent of bulk phishing attacks and 90 percent of targeted attacks.

Users without a recovery phone number have to fall back on weaker knowledge-based challenges, such as recalling their last sign-in location. While this kind of challenge can be effective in some cases, its effectiveness drops to as low as 10 percent against phishing attacks.
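The three paragraphs above describe a risk-based step-up flow: a sign-in from an unfamiliar device or location triggers an extra challenge, and the challenge issued depends on what the account has enrolled (device prompt, recovery phone, or only a knowledge question). The following is an added illustration of that decision ladder in Python; it is not Google's code, and the account model, the device/country signals and the sample accounts are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Challenge ladder, strongest first. The ordering follows the effectiveness
# figures quoted in the post: on-device prompt > SMS code > knowledge question.
CHALLENGE_LADDER = ("device_prompt", "sms_code", "knowledge")


@dataclass
class Account:
    """Per-user state the sign-in policy consults (hypothetical model)."""
    user: str
    has_trusted_device: bool = False       # can receive an on-device prompt
    recovery_phone: Optional[str] = None   # can receive an SMS code
    known_devices: Set[str] = field(default_factory=set)
    known_countries: Set[str] = field(default_factory=set)


@dataclass
class SignInAttempt:
    """One password-correct sign-in event as the policy sees it (constructed)."""
    device_id: str
    country: str


def is_suspicious(account: Account, attempt: SignInAttempt) -> bool:
    """Treat a sign-in from an unseen device or an unseen country as suspicious."""
    return (attempt.device_id not in account.known_devices
            or attempt.country not in account.known_countries)


def available_challenges(account: Account) -> List[str]:
    """Challenges this account can actually answer, strongest first."""
    enrolled = {
        "device_prompt": account.has_trusted_device,
        "sms_code": account.recovery_phone is not None,
        "knowledge": True,   # always available, but the weakest fallback
    }
    return [name for name in CHALLENGE_LADDER if enrolled[name]]


def decide(account: Account, attempt: SignInAttempt) -> str:
    """Return 'allow' for a familiar sign-in, else the strongest challenge to issue."""
    if not is_suspicious(account, attempt):
        return "allow"
    return available_challenges(account)[0]


def remember(account: Account, attempt: SignInAttempt) -> None:
    """Call only after the challenge was passed: the device and location become known."""
    account.known_devices.add(attempt.device_id)
    account.known_countries.add(attempt.country)


def demo() -> List[str]:
    """Run the same unfamiliar sign-in against three constructed accounts."""
    attempt = SignInAttempt(device_id="laptop-new", country="FR")
    accounts = [
        Account("alice", has_trusted_device=True, recovery_phone="+15550000001"),
        Account("bob", recovery_phone="+15550000002"),
        Account("carol"),   # nothing enrolled: only a knowledge question is possible
    ]
    return [decide(a, attempt) for a in accounts]


if __name__ == "__main__":
    print(demo())   # ['device_prompt', 'sms_code', 'knowledge']
```

The point the ladder makes concrete is the one the post draws from the study: the account with nothing enrolled ends up on the weakest challenge, so adding a recovery phone is what lifts a user off the knowledge-question floor.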

Ultimately, Google’s advice is sound: Take a bit of time to make sure your Google account (and your other online accounts) are secure. Google has a great post about the five best steps you can take. Again, the first step, adding a recovery phone number, is the single most effective one.

Comments (16)

  1. red.radar

    I don’t disagree with Google’s study. I am just a little troubled with how my phone number is becoming a part of my identity. Changing a phone number is tough. You almost need two lines activated so you can move it.

    • Chris_Kez

      In reply to red.radar:

      A lot of people would be in a tough spot if they had to change their number for whatever reason; I imagine very few people would have the wherewithal to go back to every site/service and turn off or update their phone-based 2FA.

    • Orin

      In reply to red.radar:

      I don't disagree with you. Our phone numbers are very much becoming tied to us as individuals. It is becoming more difficult to change phone numbers because of all that is tied to them. I'm failing to see why this is troubling though. What about that bothers you particularly?

  2. dontbe evil

    google and security in the same title ... ROTFL

  3. Stooks

    So basically you should be using 2-factor... old news, and all of your services should have this. Ask John Podesta how important that is.

  4. Bats

    This is old advice. I did this a few years ago, when Google incentivized users to add the phone number in exchange for additional GBs of Google Drive space.

  5. RonV42

    Phone numbers aren't the best choice for this type of multi factor. As a company we are moving away from SMS and phone numbers and going to "knowledge" based IDM for recovery.

  6. harmjr

    What I also would like to see implemented is location-only access. Why can't I go in and set it up to never allow a login from Europe or Asia? I don't know why Google, Microsoft and Yahoo don't have this. Yes, someone could use a VPN, I get that.

  7. obarthelemy

    I'd recommend app-based 2FA; it's both more secure and more practical than text-based 2FA **when done right**:

    1- secure your 2FA app behind a second fingerprint/pwd on your smartphone. Same as for your banking app and porn browser.

    2- at the time you set up 2FA, scan that barcode on 2 devices (phone and tablet, 2nd phone...); it's the only time you can set up a second 2FA authenticator

    3- even MS accepts the Google Authenticator app instead of MS's own, so you can put pretty much everything in that single 2FA app.
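Step 2 in the comment above works because the enrollment QR code carries a single shared secret, and every device that scans it derives identical codes from that secret and the clock. The following is an added example, not the commenter's code or Google's, that implements the RFC 4226 HOTP and RFC 6238 TOTP scheme authenticator apps use (HMAC-SHA1, 30-second steps, 6 digits) and the `otpauth://` key URI that the QR code encodes; the account name, issuer and device names are constructed.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Iterable, Optional
from urllib.parse import quote

# RFC 4226 / RFC 6238 parameters that mainstream authenticator apps default to
DIGITS = 6
STEP_SECONDS = 30


def generate_secret(nbytes: int = 20) -> str:
    """Fresh random shared secret, Base32-encoded the way authenticator apps expect it."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    now = int(time.time()) if at is None else at
    return hotp(secret_b32, now // step)


def verify_totp(secret_b32: str, code: str, at: Optional[int] = None,
                step: int = STEP_SECONDS, window: int = 1) -> bool:
    """Accept the code for the current step or up to `window` steps of clock drift."""
    now = int(time.time()) if at is None else at
    for drift in range(-window, window + 1):
        expected = hotp(secret_b32, now // step + drift)
        if hmac.compare_digest(expected, code):   # constant-time comparison
            return True
    return False


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The otpauth:// key URI the enrollment QR code encodes (hypothetical account/issuer)."""
    label = quote(f"{issuer}:{account}")
    return f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"


def codes_on_each_device(secret_b32: str, devices: Iterable[str], at: int) -> Dict[str, str]:
    """Every device that scanned the same QR holds the same secret, so the codes agree."""
    return {name: totp(secret_b32, at=at) for name in devices}


if __name__ == "__main__":
    secret = generate_secret()
    print(provisioning_uri(secret, "alice@example.test", "ExampleSite"))
    now = int(time.time())
    print(codes_on_each_device(secret, ["phone", "tablet"], now))
```

`verify_totp` keeps the drift window small on purpose: a wider window means more valid codes per moment, which is exactly what a guessing or phishing attacker benefits from. The comment's advice to scan the QR on a second device is the enrollment-time equivalent of a backup, since the secret is normally shown only once.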

  8. StevenLayton

    For those saying that this is 'old news', remember that old advice to some is new advice to others, or its a simple reminder to stop thinking about doing it, and actually do it.

  9. david.thunderbird

    The only problem here is now Google has your numbers. You really didn't think they wouldn't add it to your ball of string?

    • AnOldAmigaUser

      In reply to david.thunderbird:

      Do you think that Google did not have your phone number before? IMEI and MAC address both uniquely identify the device, and if you do not think that your phone provider provides the phone number linked to both, for a price, then you are very naive. Google, like other data aggregators, purchase additional data to make sure they have the complete picture. Anything they say about non-PII is simply lip service.

  10. Breaker119

    Authenticator Apps FTW

  11. lvthunder

    What if I don't want to give my phone number to a marketing company?

  12. YouWereWarned

    6FA is the way to go... give 'em your cell number, highest-limit credit card, SSN, checking account, street address, and favorite month to vacation far away. I feel better already...
