Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

2/5/2014
10:15 AM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Google Study Finds Widespread Account Hijacking

Victims of account hacks are mad as hell but confused about how to respond.

10 Famous Facebook Flops
10 Famous Facebook Flops
(Click image for larger view and slideshow.)

Online account hijackings seldom prove as destructive as the takeover of Wired writer Mat Honan's Apple ID, Google, and Twitter accounts in 2012, but they're surprisingly widespread and emotionally damaging, even when the meaningful harm is minimal.

About 30% of a group of 294 survey respondents reached through Amazon Mechanical Turk ("Turkers") reported having had at least one email or social networking account accessed by an unauthorized party, according to a study conducted by researchers from Carnegie Mellon University and Google.

The researchers also asked 1,501 respondents in an unrelated Google Consumer Survey (GCS) about whether they had ever had an account compromised. Some 15.6% said they had. The researchers said they can't explain the statistical differences but suggest the variation may be the result of differing motivations among the respondents.

"Turkers set out to complete a survey, while GCS participants are trying to get to premium web content," the researchers explained in their study.

[Have your browser settings gone amok? See Google Sounds Chrome Browser Hijack Alarm.]

The researchers said their findings are consistent with a Pew Research study published last year that found 21% of Internet users had experienced an account compromise.

The authors of the study -- Richard Shay, a CMU PhD candidate and former Google intern; Iulia Ion, a Google software engineer; Robert W. Reed, a Google user experience researcher; and Sunny Consolvo, a Google user experience researcher -- say five themes emerged from their effort to understand the impact of account hijackings.

First, they observed that compromised accounts are often valuable to their victims. This may seem obvious but it bears repeating. It's all too easy to dismiss the loss of a social media account as inconsequential if one doesn't participate in social media or if one views social media as a trivial, time-wasting exercise in vanity. As the researchers noted, these accounts tend to be used daily for personal communication, just like email accounts.

Second, the researchers said that while attackers tend to be unknown, that's not always the case. Among the 89 Amazon Mechanical Turk survey respondents who acknowledged an account break-in, 35 expressed at least moderate confidence about who broke into their accounts. Of these, 30 said they believed the attacker was someone they didn't know. Three said the attacker was someone they knew but didn't live with. And two said the attacker was someone they lived with.

Third, the study indicated that respondents largely acknowledge responsibility for their online security, even as they also often look to their service provider to share that responsibility. The researchers characterized this personal assumption of responsibility as a surprise given other research that suggests limited consumer interest in good security practices. They also saw it as a sign Internet users may be receptive to additional security measures like two-factor authentication, if these can be presented in an appealing way.

At the same time, the survey indicated that Internet users don't have a sufficient understanding of security measures to translate personal responsibility into effective action. The researchers said that while respondents demonstrated awareness of the likely sources of attacks -- malware, phishing, and data breaches -- they tended to select "Using a stronger password" and "Avoiding using the same password on different accounts" as defenses against account hijacking while ignoring counter-measures against malware and phishing. As the study points out, strong, unique passwords only mitigate brute-force cracking and password-reuse attacks; they don't offer protection against typing the password into a phishing site or password exposure through a breach.

Finally, the researchers found that while almost half of the survey respondents said no real harm had been done, all but seven survey takers expressed strong negative reactions like anger, fear, or embarrassment when asked how the account hijacking made them feel. As one respondent put it, "My religious aunt asked why I was trying to sell her Viagra."

The researchers concluded that software designers concerned with increasing the usage of security features should consider employing stories about the emotional consequences of account hijacking to reach those who might otherwise be insufficiently motivated to embrace available security options.

Mobile, cloud, and BYOD blur the lines between work and home, forcing IT to envision a new identity and access management strategy. Also in the The Future Of Identity issue of InformationWeek: Threats to smart grids are far worse than generally believed, but tools and resources are available to protect them. (Free registration required.)

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
asksqn
50%
50%
asksqn,
User Rank: Ninja
2/8/2014 | 6:30:50 PM
Hacks are SOP for Google accounts
All of which just goes to underscore that when it comes to securing mobile devices, industry (both Android as well as Apple) have a looong long way to go yet. 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Healthcare Industry Sees Respite From Attacks in First Half of 2020
Robert Lemos, Contributing Writer,  8/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: It's a technique known as breaking out of the sandbox kids.
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20383
PUBLISHED: 2020-08-13
ABBYY network license server in ABBYY FineReader 15 before Release 4 (aka 15.0.112.2130) allows escalation of privileges by local users via manipulations involving files and using symbolic links.
CVE-2020-24348
PUBLISHED: 2020-08-13
njs through 0.4.3, used in NGINX, has an out-of-bounds read in njs_json_stringify_iterator in njs_json.c.
CVE-2020-24349
PUBLISHED: 2020-08-13
njs through 0.4.3, used in NGINX, allows control-flow hijack in njs_value_property in njs_value.c. NOTE: the vendor considers the issue to be "fluff" in the NGINX use case because there is no remote attack surface.
CVE-2020-7360
PUBLISHED: 2020-08-13
An Uncontrolled Search Path Element (CWE-427) vulnerability in SmartControl version 4.3.15 and versions released before April 15, 2020 may allow an authenticated user to escalate privileges by placing a specially crafted DLL file in the search path. This issue was fixed in version 1.0.7, which was r...
CVE-2020-24342
PUBLISHED: 2020-08-13
Lua through 5.4.0 allows a stack redzone cross in luaO_pushvfstring because a protection mechanism wrongly calls luaD_callnoyield twice in a row.