Mobile
2/5/2014
10:15 AM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Google Study Finds Widespread Account Hijacking

Victims of account hacks are mad as hell but confused about how to respond.

10 Famous Facebook Flops
10 Famous Facebook Flops
(Click image for larger view and slideshow.)

Online account hijackings seldom prove as destructive as the takeover of Wired writer Mat Honan's Apple ID, Google, and Twitter accounts in 2012, but they're surprisingly widespread and emotionally damaging, even when the meaningful harm is minimal.

About 30% of a group of 294 survey respondents reached through Amazon Mechanical Turk ("Turkers") reported having had at least one email or social networking account accessed by an unauthorized party, according to a study conducted by researchers from Carnegie Mellon University and Google.

The researchers also asked 1,501 respondents in an unrelated Google Consumer Survey (GCS) about whether they had ever had an account compromised. Some 15.6% said they had. The researchers said they can't explain the statistical differences but suggest the variation may be the result of differing motivations among the respondents.

"Turkers set out to complete a survey, while GCS participants are trying to get to premium web content," the researchers explained in their study.

[Have your browser settings gone amok? See Google Sounds Chrome Browser Hijack Alarm.]

The researchers said their findings are consistent with a Pew Research study published last year that found 21% of Internet users had experienced an account compromise.

The authors of the study -- Richard Shay, a CMU PhD candidate and former Google intern; Iulia Ion, a Google software engineer; Robert W. Reed, a Google user experience researcher; and Sunny Consolvo, a Google user experience researcher -- say five themes emerged from their effort to understand the impact of account hijackings.

First, they observed that compromised accounts are often valuable to their victims. This may seem obvious but it bears repeating. It's all too easy to dismiss the loss of a social media account as inconsequential if one doesn't participate in social media or if one views social media as a trivial, time-wasting exercise in vanity. As the researchers noted, these accounts tend to be used daily for personal communication, just like email accounts.

Second, the researchers said that while attackers tend to be unknown, that's not always the case. Among the 89 Amazon Mechanical Turk survey respondents who acknowledged an account break-in, 35 expressed at least moderate confidence about who broke into their accounts. Of these, 30 said they believed the attacker was someone they didn't know. Three said the attacker was someone they knew but didn't live with. And two said the attacker was someone they lived with.

Third, the study indicated that respondents largely acknowledge responsibility for their online security, even as they also often look to their service provider to share that responsibility. The researchers characterized this personal assumption of responsibility as a surprise given other research that suggests limited consumer interest in good security practices. They also saw it as a sign Internet users may be receptive to additional security measures like two-factor authentication, if these can be presented in an appealing way.

At the same time, the survey indicated that Internet users don't have a sufficient understanding of security measures to translate personal responsibility into effective action. The researchers said that while respondents demonstrated awareness of the likely sources of attacks -- malware, phishing, and data breaches -- they tended to select "Using a stronger password" and "Avoiding using the same password on different accounts" as defenses against account hijacking while ignoring counter-measures against malware and phishing. As the study points out, strong, unique passwords only mitigate brute-force cracking and password-reuse attacks; they don't offer protection against typing the password into a phishing site or password exposure through a breach.

Finally, the researchers found that while almost half of the survey respondents said no real harm had been done, all but seven survey takers expressed strong negative reactions like anger, fear, or embarrassment when asked how the account hijacking made them feel. As one respondent put it, "My religious aunt asked why I was trying to sell her Viagra."

The researchers concluded that software designers concerned with increasing the usage of security features should consider employing stories about the emotional consequences of account hijacking to reach those who might otherwise be insufficiently motivated to embrace available security options.

Mobile, cloud, and BYOD blur the lines between work and home, forcing IT to envision a new identity and access management strategy. Also in the The Future Of Identity issue of InformationWeek: Threats to smart grids are far worse than generally believed, but tools and resources are available to protect them. (Free registration required.)

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
asksqn
50%
50%
asksqn,
User Rank: Ninja
2/8/2014 | 6:30:50 PM
Hacks are SOP for Google accounts
All of which just goes to underscore that when it comes to securing mobile devices, industry (both Android as well as Apple) have a looong long way to go yet. 
Register for Dark Reading Newsletters
White Papers
Cartoon
Latest Comment: good one 
Current Issue
Flash Poll
Containing Corporate Data on Mobile Devices
Containing Corporate Data on Mobile Devices
If you’re still focused on securing endpoints, you’ve got your work cut out for you. WiFi network provider iPass surveyed 1,600 mobile workers and found that the average US employee carries three devices -- a smartphone, a computer, and a tablet or e-reader -- with more than 80% of them doing work on personal devices.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2001-1594
Published: 2015-08-04
GE Healthcare eNTEGRA P&R has a password of (1) entegra for the entegra user, (2) passme for the super user of the Polestar/Polestar-i Starlink 4 upgrade, (3) 0 for the entegra user of the Codonics printer FTP service, (4) eNTEGRA for the eNTEGRA P&R user account, (5) insite for the WinVNC Login, an...

CVE-2002-2445
Published: 2015-08-04
GE Healthcare Millennium MG, NC, and MyoSIGHT has a default password of (1) root.genie for the root user, (2) "service." for the service user, (3) admin.genie for the admin user, (4) reboot for the reboot user, and (5) shutdown for the shutdwon user, which has unspecified impact and attack vectors.

CVE-2002-2446
Published: 2015-08-04
GE Healthcare Millennium MG, NC, and MyoSIGHT has a password of insite.genieacq for the insite account that cannot be changed without disabling product functionality for remote InSite support, which has unspecified impact and attack vectors.

CVE-2003-1603
Published: 2015-08-04
GE Healthcare Discovery VH has a default password of (1) interfile for the ftpclient user of the Interfile server or (2) "2" for the LOCAL user of the FTP server for the Codonics printer, which has unspecified impact and attack vectors.

CVE-2004-2777
Published: 2015-08-04
GE Healthcare Centricity Image Vault 3.x has a password of (1) gemnet for the administrator account, (2) webadmin for the webadmin administrator account of the ASACA DVD library, (3) an empty value for the gemsservice account of the Ultrasound Database, and possibly (4) gemnet2002 for the gemnet2002...

Dark Reading Radio
Archived Dark Reading Radio
What’s the future of the venerable firewall? We’ve invited two security industry leaders to make their case: Join us and bring your questions and opinions!