Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

2/5/2014
10:15 AM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Google Study Finds Widespread Account Hijacking

Victims of account hacks are mad as hell but confused about how to respond.

10 Famous Facebook Flops
10 Famous Facebook Flops
(Click image for larger view and slideshow.)

Online account hijackings seldom prove as destructive as the takeover of Wired writer Mat Honan's Apple ID, Google, and Twitter accounts in 2012, but they're surprisingly widespread and emotionally damaging, even when the meaningful harm is minimal.

About 30% of a group of 294 survey respondents reached through Amazon Mechanical Turk ("Turkers") reported having had at least one email or social networking account accessed by an unauthorized party, according to a study conducted by researchers from Carnegie Mellon University and Google.

The researchers also asked 1,501 respondents in an unrelated Google Consumer Survey (GCS) about whether they had ever had an account compromised. Some 15.6% said they had. The researchers said they can't explain the statistical differences but suggest the variation may be the result of differing motivations among the respondents.

"Turkers set out to complete a survey, while GCS participants are trying to get to premium web content," the researchers explained in their study.

[Have your browser settings gone amok? See Google Sounds Chrome Browser Hijack Alarm.]

The researchers said their findings are consistent with a Pew Research study published last year that found 21% of Internet users had experienced an account compromise.

The authors of the study -- Richard Shay, a CMU PhD candidate and former Google intern; Iulia Ion, a Google software engineer; Robert W. Reed, a Google user experience researcher; and Sunny Consolvo, a Google user experience researcher -- say five themes emerged from their effort to understand the impact of account hijackings.

First, they observed that compromised accounts are often valuable to their victims. This may seem obvious but it bears repeating. It's all too easy to dismiss the loss of a social media account as inconsequential if one doesn't participate in social media or if one views social media as a trivial, time-wasting exercise in vanity. As the researchers noted, these accounts tend to be used daily for personal communication, just like email accounts.

Second, the researchers said that while attackers tend to be unknown, that's not always the case. Among the 89 Amazon Mechanical Turk survey respondents who acknowledged an account break-in, 35 expressed at least moderate confidence about who broke into their accounts. Of these, 30 said they believed the attacker was someone they didn't know. Three said the attacker was someone they knew but didn't live with. And two said the attacker was someone they lived with.

Third, the study indicated that respondents largely acknowledge responsibility for their online security, even as they also often look to their service provider to share that responsibility. The researchers characterized this personal assumption of responsibility as a surprise given other research that suggests limited consumer interest in good security practices. They also saw it as a sign Internet users may be receptive to additional security measures like two-factor authentication, if these can be presented in an appealing way.

At the same time, the survey indicated that Internet users don't have a sufficient understanding of security measures to translate personal responsibility into effective action. The researchers said that while respondents demonstrated awareness of the likely sources of attacks -- malware, phishing, and data breaches -- they tended to select "Using a stronger password" and "Avoiding using the same password on different accounts" as defenses against account hijacking while ignoring counter-measures against malware and phishing. As the study points out, strong, unique passwords only mitigate brute-force cracking and password-reuse attacks; they don't offer protection against typing the password into a phishing site or password exposure through a breach.

Finally, the researchers found that while almost half of the survey respondents said no real harm had been done, all but seven survey takers expressed strong negative reactions like anger, fear, or embarrassment when asked how the account hijacking made them feel. As one respondent put it, "My religious aunt asked why I was trying to sell her Viagra."

The researchers concluded that software designers concerned with increasing the usage of security features should consider employing stories about the emotional consequences of account hijacking to reach those who might otherwise be insufficiently motivated to embrace available security options.

Mobile, cloud, and BYOD blur the lines between work and home, forcing IT to envision a new identity and access management strategy. Also in the The Future Of Identity issue of InformationWeek: Threats to smart grids are far worse than generally believed, but tools and resources are available to protect them. (Free registration required.)

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
asksqn
50%
50%
asksqn,
User Rank: Ninja
2/8/2014 | 6:30:50 PM
Hacks are SOP for Google accounts
All of which just goes to underscore that when it comes to securing mobile devices, industry (both Android as well as Apple) have a looong long way to go yet. 
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5118
PUBLISHED: 2019-11-18
A Security Bypass Vulnerability exists in TBOOT before 1.8.2 in the boot loader module when measuring commandline parameters.
CVE-2019-12422
PUBLISHED: 2019-11-18
Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.
CVE-2012-4441
PUBLISHED: 2019-11-18
Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers to inject arbitrary web script or HTML in the CI game plugin.
CVE-2019-10764
PUBLISHED: 2019-11-18
In elliptic-php versions priot to 1.0.6, Timing attacks might be possible which can result in practical recovery of the long-term private key generated by the library under certain conditions. Leakage of a bit-length of the scalar during scalar multiplication is possible on an elliptic curve which m...
CVE-2019-19117
PUBLISHED: 2019-11-18
/usr/lib/lua/luci/controller/admin/autoupgrade.lua on PHICOMM K2(PSG1218) V22.5.9.163 devices allows remote authenticated users to execute any command via shell metacharacters in the cgi-bin/luci autoUpTime parameter.