
Account Protections: a Perspective

Elie Bursztein, Google, @elie, with the help of many Googlers. Updated March 2021.

Security and Privacy Group

Slides available here: https://elie.net/account

4 in 10 US users report having their online information compromised

Source: The United States of P@ssw0rd$ - Harris / Google poll

How do attackers compromise accounts?

Main sources of compromised accounts: data breaches, keyloggers

The black market is fueling the account compromise ecosystem

Accounts and hacking tools are readily available on the black market

Volume of credentials stolen in 2016: a lower bound

  Data breach   4.3B+
  Phishing      12M+
  Keyloggers    1M+

Source: Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials - CCS'17

[Chart: "Stolen credentials volume" vs. "Risk", plotting data breach, phishing, keyloggers and targeted attack]

Stolen credential origin takeaways

- The black market fuels account compromise
- Password reuse is the largest source of compromise
- Phishing and keyloggers pose a significant risk

How can we prevent account compromise?

Defense in depth, leveraging many competing technologies

Increasing security comes at the expense of additional friction, including lock-out risk, monetary cost, and user education

Each security solution offers a different trade-off, which makes security a complex balancing act between usability and security

Attack stage                           Defense
  Credentials are stolen                 Preventing credential theft
  Stolen credential database is built    Resetting leaked credentials proactively
  Accounts are compromised               Preventing unauthorized login
  At-risk users face advanced attacks    Advanced protection

Today: combining key technologies to offer the best account security and usability possible

Part 1: Preventing credential theft

Build large-scale AI-powered systems to detect and block threats at scale before they reach users

Safe Browsing warnings protect over 4 billion devices from phishing and malware

Millions of warnings displayed weekly

Source: https://transparencyreport.google.com/safe-browsing/overview

Attackers are shifting to phishing

Source: https://transparencyreport.google.com/safe-browsing/overview

Every day Gmail blocks 100M+ phishing emails

Source: Deconstructing the Phishing Campaigns that Target Gmail Users - Black Hat 19

Cats through the ages: 2000 BC, 1200 AD, 1800 AD, 2020 AD

Drive phishing through the ages

68% of phishing emails blocked by Gmail are different from one day to the next

Source: Deconstructing the Phishing Campaigns that Target Gmail Users

Keeping up with constantly evolving attacks requires continuously improving and retraining detection systems. As in evolution, the Red Queen hypothesis applies: it takes all the running you can do to stay ahead of attackers.

How to deal with borderline cases?

Provide as much context as possible and rely on the user to make the final decision

Gmail inbox soft warnings help users decide which emails are phishing. 45% of Internet users don't know what phishing is.

Takeaways

- Prevention is a critical first defense layer: it protects billions of users across the world from being phished and infected.
- Keeping up with attack evolution requires constant improvement: attackers actively attempt to evade detections that are major hurdles to them.
- Education and warning design are a must: making sure that users understand the risks and don't get warning fatigue is very challenging.

Section 2: Resetting compromised credentials proactively

Third-party data breaches keep surfacing

66% of US users reuse passwords across online services

Source: The United States of P@ssw0rd$ - Harris / Google poll

59% of U.S. adults use a name or a birthday in some of their online passwords:

  Pet's name              33%
  Own name                22%
  Spouse/partner's name   15%
  Children's name         14%

Source: The United States of P@ssw0rd$ - Harris / Google poll

Get users to use a password manager

15% of US Internet users use a password manager. 36% use a piece of paper...

Source: The United States of P@ssw0rd$ - Harris / Google poll

We need additional defenses to mitigate password reuse until password managers are ubiquitous

2014: Disclosing the existence of our proactive breach password reset program

110M+ Google accounts proactively re-secured

How to protect all Internet accounts against compromised password reuse?

Ideal password warning system properties:

- Privacy preserving
- Accurate & actionable
- Automated

Private set intersection allows users to query Google about the breach status of their usernames and passwords without revealing the information queried.

Source: Protecting accounts from credential stuffing with password breach alerting

Additional cryptographic mechanisms ensure that malicious actors can't use the system to learn leaked usernames and passwords.
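As an added illustration (not code from the talk or from Google), here is a toy version of the privacy-preserving lookup the Password Checkup design rests on: the client reveals only a short hash prefix and a blinded value, and a commutative blinding step lets it test membership in the returned bucket while the bucket contents stay unreadable to it. Google's protocol works over an elliptic curve; this version substitutes modular exponentiation mod a Mersenne prime, and every credential in it is constructed.

```python
import hashlib
import math
import secrets

# Constructed example, not Google's code.  Google's Password Checkup protocol uses an
# elliptic-curve group; a multiplicative group mod a Mersenne prime stands in here.
P = (1 << 127) - 1      # group modulus; exponent inverses are taken mod P - 1
PREFIX_BYTES = 2        # the client reveals only this much of its credential hash

def cred_hash(username: str, password: str) -> bytes:
    """Canonical hash of a (username, password) pair; both sides compute it."""
    return hashlib.sha256(f"{username}\x00{password}".encode()).digest()

def to_group(h: bytes) -> int:
    """Map a hash to a group element in [2, P-2]."""
    return int.from_bytes(hashlib.sha256(b"psi|" + h).digest(), "big") % (P - 3) + 2

def fresh_exponent() -> int:
    """Random secret exponent, coprime to P-1 so it can be inverted."""
    while True:
        e = secrets.randbelow(P - 1)
        if e > 1 and math.gcd(e, P - 1) == 1:
            return e

class BreachServer:
    """Stores breached credentials blinded with its secret b, bucketed by hash prefix."""

    def __init__(self, breached):
        self.b = fresh_exponent()
        self.buckets = {}
        for user, pw in breached:
            h = cred_hash(user, pw)
            self.buckets.setdefault(h[:PREFIX_BYTES], set()).add(pow(to_group(h), self.b, P))

    def query(self, prefix: bytes, blinded: int):
        """Return the matching bucket and the client's value blinded again with b.
        The server sees only the prefix and H(cred)^a, never the credential itself."""
        return self.buckets.get(prefix, set()), pow(blinded, self.b, P)

def check_credential(server: BreachServer, username: str, password: str) -> bool:
    """Client side: True if the credential is in the breach set, learned via PSI."""
    h = cred_hash(username, password)
    a = fresh_exponent()
    bucket, double_blinded = server.query(h[:PREFIX_BYTES], pow(to_group(h), a, P))
    # Strip the client blinding: (H^a)^b raised to a^-1 (mod P-1) is H^b, the
    # server-side form, so membership can be tested against the bucket.  The other
    # entries stay blinded with b, so the client learns nothing about them.
    server_blinded = pow(double_blinded, pow(a, -1, P - 1), P)
    return server_blinded in bucket
```

The server never stores or receives plaintext credentials, and a client that is not in the breach set receives only values it cannot unblind.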

Password Checkup protects hundreds of millions of users from leaked passwords by displaying tens of millions of warnings weekly

Source: https://blog.google/technology/safety-security/keeping-private-information-private/

100M+ people have used Password Checkup, and they've seen a 30% reduction in breached credential usage

Source: https://blog.google/technology/safety-security/keeping-private-information-private/

Password Checkup on Android; predictive anti-phishing protection

Source: https://security.googleblog.com/2021/02/new-password-checkup-feature-coming-to.html

Takeaways

- Proactive password protections greatly reduce malicious sign-ins
- Password managers can solve a lot of those issues
- People all too often choose easy-to-guess passwords
- Get users to realize how important this is for them

Section 3: Preventing unauthorized logins. Password-only login is dangerous

Use additional information to prevent logging in with compromised credentials

Types of additional information: who you are, what you have, what you know

Mass adoption of two-factor authentication is challenging

37% of US Internet users use two-factor authentication

Source: The United States of P@ssw0rd$ - Harris / Google poll

52.5% of online services don't offer two-factor authentication (support 2FA: 47.5%; don't support 2FA: 52.5%)

Source: https://elie.net/blog/security/the-bleak-picture-of-two-factor-authentication-adoption-in-the-wild/

Some industries don't use standards

Source: https://elie.net/blog/security/the-bleak-picture-of-two-factor-authentication-adoption-in-the-wild/

Many sites' marketing reuses terminology incorrectly and ends up confusing users

Source: https://elie.net/blog/security/the-bleak-picture-of-two-factor-authentication-adoption-in-the-wild/

Which type of two-factor authentication should we push for?

Not all 2FA technologies are equal. Security level (share of attacks blocked):

                      Secondary   SMS verification   Device prompt   Security key
  Boutique phishing   68%         96%                99%             100%
  Spear-phishing      53-100%     76%                90%             100%

Source: Evaluating Login Challenges as a Defense Against Account Takeover - WWW19

Security keys are the most secure second factor against phishing: a physical key, or a security key built into your phone

How to speed up security key adoption?

Say hello to OpenSK, an open-source security key written in Rust

OpenSK: Design Philosophy

- Open: open source, no patents, no NDAs, affordable.
- Memory-safe programming language, and secure OS.
- Research friendly: cheap & easy to audit your own key, and attack it.

OpenSK: hardware

- TockOS
- Nordic chip
- Case 3D blueprint

Help manufacturing affordable OpenSK-based security keys for everyone: since Feb'21 the Feitian OpenSK research edition key is available on Amazon for $9.90 (not ready for production!)

What's next? Major milestones

1. Certification: OpenSK is on track to be the first FIDO 2.1 certified key
2. Bleeding-edge features: new features to make keys more secure and usable are actively developed
3. Improved manufacturing: keep partnering with the industry to develop high-quality, affordable security keys

More information at: https://github.com/google/opensk

Takeaways

- Passwords are not enough: password reuse and phishing make credentials-only login very risky
- Strong two factors are the way to go: not all second factors are created equal; we need to focus on strong two-factor adoption
- Industry-wide adoption is still very distant: there are a lot of structural problems to solve before we get 2FA as universal as HTTPS

Section 4: Advanced protection. Large-scale attacks don't care which accounts they target

[Chart: "Personalization" vs. "Number of Targets"]

- Targeted attacks: resourceful attackers that target specific individuals and organizations
- Boutique hacking: hand-crafted campaigns targeting a few dozen individuals or organizations
- Bulk hacking: automated campaigns targeting many individuals and organizations

Accounts at risk of targeted attacks: journalists & hacktivists, politicians & campaign teams, executives & fintech users, celebrities

Key threats faced by targeted users

- Handcrafted phishing attacks with two-factor phishing: spear-phishing is a common tactic against targeted users
- Malicious OAuth apps: attackers use OAuth apps to maintain persistent access to targeted users
- Advanced account recovery impersonation: attackers research their target's background and use the collected data for impersonation and phishing

Real-time password verification followed by phishing the SMS code

Increase security further at the expense of additional friction

- Lock down account recovery: stronger verification
- Protect login: mandatory security keys
- Protect the session: limit API access
- Session data: squeeze out malware

Takeaways

- Strong account security requires a defense-in-depth strategy
- Constant improvements are needed to keep up with adversaries
- Additional protections are needed for targeted users

Effective account security requires tailoring your protections to meet your users' needs. https://elie.net/account