Mobile
2/5/2014
10:15 AM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Google Study Finds Widespread Account Hijacking

Victims of account hacks are mad as hell but confused about how to respond.

10 Famous Facebook Flops
10 Famous Facebook Flops
(Click image for larger view and slideshow.)

Online account hijackings seldom prove as destructive as the takeover of Wired writer Mat Honan's Apple ID, Google, and Twitter accounts in 2012, but they're surprisingly widespread and emotionally damaging, even when the meaningful harm is minimal.

About 30% of a group of 294 survey respondents reached through Amazon Mechanical Turk ("Turkers") reported having had at least one email or social networking account accessed by an unauthorized party, according to a study conducted by researchers from Carnegie Mellon University and Google.

The researchers also asked 1,501 respondents in an unrelated Google Consumer Survey (GCS) about whether they had ever had an account compromised. Some 15.6% said they had. The researchers said they can't explain the statistical differences but suggest the variation may be the result of differing motivations among the respondents.

"Turkers set out to complete a survey, while GCS participants are trying to get to premium web content," the researchers explained in their study.

[Have your browser settings gone amok? See Google Sounds Chrome Browser Hijack Alarm.]

The researchers said their findings are consistent with a Pew Research study published last year that found 21% of Internet users had experienced an account compromise.

The authors of the study -- Richard Shay, a CMU PhD candidate and former Google intern; Iulia Ion, a Google software engineer; Robert W. Reed, a Google user experience researcher; and Sunny Consolvo, a Google user experience researcher -- say five themes emerged from their effort to understand the impact of account hijackings.

First, they observed that compromised accounts are often valuable to their victims. This may seem obvious but it bears repeating. It's all too easy to dismiss the loss of a social media account as inconsequential if one doesn't participate in social media or if one views social media as a trivial, time-wasting exercise in vanity. As the researchers noted, these accounts tend to be used daily for personal communication, just like email accounts.

Second, the researchers said that while attackers tend to be unknown, that's not always the case. Among the 89 Amazon Mechanical Turk survey respondents who acknowledged an account break-in, 35 expressed at least moderate confidence about who broke into their accounts. Of these, 30 said they believed the attacker was someone they didn't know. Three said the attacker was someone they knew but didn't live with. And two said the attacker was someone they lived with.

Third, the study indicated that respondents largely acknowledge responsibility for their online security, even as they also often look to their service provider to share that responsibility. The researchers characterized this personal assumption of responsibility as a surprise given other research that suggests limited consumer interest in good security practices. They also saw it as a sign Internet users may be receptive to additional security measures like two-factor authentication, if these can be presented in an appealing way.

At the same time, the survey indicated that Internet users don't have a sufficient understanding of security measures to translate personal responsibility into effective action. The researchers said that while respondents demonstrated awareness of the likely sources of attacks -- malware, phishing, and data breaches -- they tended to select "Using a stronger password" and "Avoiding using the same password on different accounts" as defenses against account hijacking while ignoring counter-measures against malware and phishing. As the study points out, strong, unique passwords only mitigate brute-force cracking and password-reuse attacks; they don't offer protection against typing the password into a phishing site or password exposure through a breach.

Finally, the researchers found that while almost half of the survey respondents said no real harm had been done, all but seven survey takers expressed strong negative reactions like anger, fear, or embarrassment when asked how the account hijacking made them feel. As one respondent put it, "My religious aunt asked why I was trying to sell her Viagra."

The researchers concluded that software designers concerned with increasing the usage of security features should consider employing stories about the emotional consequences of account hijacking to reach those who might otherwise be insufficiently motivated to embrace available security options.

Mobile, cloud, and BYOD blur the lines between work and home, forcing IT to envision a new identity and access management strategy. Also in the The Future Of Identity issue of InformationWeek: Threats to smart grids are far worse than generally believed, but tools and resources are available to protect them. (Free registration required.)

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
asksqn
50%
50%
asksqn,
User Rank: Apprentice
2/8/2014 | 6:30:50 PM
Hacks are SOP for Google accounts
All of which just goes to underscore that when it comes to securing mobile devices, industry (both Android as well as Apple) have a looong long way to go yet. 
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Containing Corporate Data on Mobile Devices
Containing Corporate Data on Mobile Devices
If you’re still focused on securing endpoints, you’ve got your work cut out for you. WiFi network provider iPass surveyed 1,600 mobile workers and found that the average US employee carries three devices -- a smartphone, a computer, and a tablet or e-reader -- with more than 80% of them doing work on personal devices.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5242
Published: 2014-10-21
Directory traversal vulnerability in functions/suggest.php in Banana Dance B.2.6 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the name parameter in a get_template action.

CVE-2012-5243
Published: 2014-10-21
functions/suggest.php in Banana Dance B.2.6 and earlier allows remote attackers to read arbitrary database information via a crafted request.

CVE-2012-5702
Published: 2014-10-21
Multiple cross-site scripting (XSS) vulnerabilities in dotProject before 2.1.7 allow remote attackers to inject arbitrary web script or HTML via the (1) callback parameter in a color_selector action, (2) field parameter in a date_format action, or (3) company_name parameter in an addedit action to i...

CVE-2013-7406
Published: 2014-10-21
SQL injection vulnerability in the MRBS module for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVE-2014-2531
Published: 2014-10-21
SQL injection vulnerability in xhr.php in InterWorx Web Control Panel (aka InterWorx Hosting Control Panel and InterWorx-CP) before 5.0.14 build 577 allows remote authenticated users to execute arbitrary SQL commands via the i parameter in a search action to the (1) NodeWorx , (2) SiteWorx, or (3) R...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.