Google research prompts the dumbest cybersecurity question ever asked
Google research has concluded that phishing is the most serious threat when it comes to account hijacking attacks. Using Google accounts as the source, researchers decided to look into the root cause (every pun intended) of these account takeovers.
Analysing the dark market for clues between March 2016 and March 2017, the Google research tracked the trade in stolen credentials. To cut a long story short, the research uncovered 788,000 credentials stolen via keyloggers while 12 million were stolen via phishing methodologies. There were also more than 3 billion credentials that had been exposed by the less than helpful catch-all of ‘third-party breaches.’ I say less than helpful, as they could have been initiated through keylogging or phishing or some other nefarious means; we just don’t know.
What we do know, because the researchers told us, is that 12 percent of those third party breaches (or just under 4 million) exposed a Gmail address and accompanying password. Of these, a further 7 percent (277,200) were actually still valid and could therefore be reused.
Google research reckons that somewhere between 12 and 25 percent of attacks using phishing or keyloggers on Google accounts will uncover a valid password. Both of these threat methods will attempt to get further information that might help in answering password reset questions: 82 percent of phishers and 74 percent of keyloggers looked for an IP and location, 18 percent of both hunted for phone numbers and device details.
So far so interesting for those of us who track threat intelligence matters. Here’s where it starts getting a little more fuzzy for me though. The Google research paper goes on to ‘rank’ the relative risk of phishing, keyloggers and third party breaches to user exposure to account hijacking. They placed phishing as the biggest threat, then keyloggers and third party breaches behind them.
You can find the full research paper here but to be honest, I’m not sure I’d bother. Pretty much everything you need to know has been stated above. Apart from one thing: that ranking these threats is, in my opinion, pointless at best and dangerous at worst.
How so? None of what Google uncovered here is new, nor is it surprising to anyone vaguely aware of cybersec threat models. But already the less specialist media has grabbed the research and started churning out articles asking what the most dangerous threat is, or inviting the reader to choose between phishing and data breach as posing the most risk to their accounts. Whichever way you phrase it, the question is disingenuous. It’s a stupid question, simple as. It’s like asking which is worse: death by murder, suicide or accident?
If people assume that they need to worry more about phishing threats than anything else, does this mean they don’t have to bother about the rest? Erm, nope. Will people who never thought about phishing threats before, all of a sudden become expert at spotting social engineering scams? Ditto.
Fair play to Google for doing the research, and for acting to improve security by such means as the new advanced protection program that puts security above usability in many ways. Thing is, few people (including those who might benefit most from the program) are going to use it if it means additional outlay on two-factor tokens, and additional hassle through third party tools no longer working and a more convoluted method of regaining control over a hijacked account. That’s the sad truth. Far better making security better for everyone, through education and detection tools alike. The former being the single most important weapon anyone can have in their cybersec armoury.