Google on Tuesday launched a set of more stringent security measures for its account holders in response to an increase in the use of sophisticated, targeted hacking techniques that computer security firms say are often politically motivated.
The tools, which are offered under an ‘advanced protection’ setting in Google accounts such as Gmail and Google Drive, are aimed at individuals who consider themselves at particularly high risk, including politicians, journalists, dissidents and high-profile businesspeople.
‘High risk’ accounts
“There is an overlooked minority of our users that are at particularly high risk of targeted online attacks,” Google said in a blog post. “For example, these might be campaign staffers preparing for an upcoming election, journalists who need to protect the confidentiality of their sources, or people in abusive relationships seeking safety.”
The setting makes it more difficult for attackers to access users’ accounts, in part because it requires the use of a hardware key to log in – a USB device for desktops and laptops and a Bluetooth unit for mobiles.
If that key is lost, Google said, users would have to pass through a much more arduous process to regain entry to their accounts.
The company didn’t disclose how account recovery is structured, but an executive who was briefed by Google said it includes a period of time in which the account would remain locked while the user passes identity checks.
Joseph Lorenzo Hall, chief technologist at the Centre for Democracy and Technology (CDT), said the slower recovery scheme is intended to make account recovery a less attractive way for hackers to bypass other security protections.
Third-party tools locked out
Another provision means third-party tools will be locked out of Google accounts, preventing hackers from siphoning data using their own software.
In practice, that also means, for instance, that users can’t access their Gmail messages from Outlook, Thunderbird or the email client built into iPhones and iPads. At launch, users with Advanced Protection switched on will only be able to access their Google accounts using Google’s own browser, Chrome.
The receipt of attachments will also be delayed by about 60 seconds while Google carries out more extensive security checks.
Google said the features offered under the new security setting would be updated over time. As launched, they are designed to counter threats of the kind that have led to high-profile hacks in recent months.
Convincing phishing attacks of the kind that led to the theft of the Gmail login credentials of Hillary Clinton campaign manager John Podesta last year would have been blocked by the hardware key requirement, for instance.
Another scheme in May that tricked Google Docs users into granting account access to a malicious web application might also have been stymied by the provision that prevents access by third-party software.
But Google will also have to ensure its accounts remain reasonably usable even with the new protections applied.
As researchers have noted in the past, security protections are only effective if users choose to use them, and if they’re overly stringent, few are likely to switch them on.