Though not a phishing cure-all, it’s a good sign that Google is bringing this issue front and center for millions of Chrome users.
Remember those Nigerian email scams that hit so many people a decade ago? They were fairly comical, but effective enough to earn a place in Internet lore and more than a few memes. They were also the predecessors of modern phishing schemes, designed to steal credentials, personal information, financial data, and other information. Cybercriminals can then use this data to steal identities, money, intellectual property, and military secrets.
Phishing attacks, in fact, have been at the root of some of the biggest hacks in recent history, ranging from the massive Target data breach to ongoing cyber warfare between Russia and Ukraine. These phishing attacks, however, are no simple Nigerian email scams. Instead, they rely on sophisticated social engineering, often based on previous attacks and data thefts, to trick users into divulging personal or corporate information. This may come in the form of an email with a legitimate-looking attachment from a known entity, such as a document on official letterhead with expected content. In the Russia/Ukraine example above, Russian hackers stole a Ukrainian document and infected it with malware, which was then used to obtain login credentials for Ukrainian military personnel.
In other cases, emails direct users to websites that appear familiar or legitimate but are actually fake and used for drive-by malware installations or to collect personal information directly. In any case, recent research by Google and USC outlines the aftermath of a typical phishing attack:
Once hijackers obtain access to a victim’s login credentials, we observe a multitude of monetization vectors. We find that criminal activities are well-structured, efficient, and savvy at taking advantage of human psychology. A typical hijacker’s method adheres to the following playbook: access the account, assess its value, exploit it, and make efforts to delay account recovery in order to increase the chances of successful exploitation.
Phishing attacks don’t just target big corporations or military powers. They are common attacks against virtually all users of the Internet, casting broad nets in the hopes of catching any unsuspecting individuals. This is where Google’s new Chrome extension comes in. Called Password Alert, the extension stores a cryptographic hash of the user’s Google password and then compares that hash against every password the user enters on non-Google websites. If it detects a match, it alerts the user that they may have been phished, presumably because they entered their Google password on a site that had been constructed to look like one with a legitimate Google login.
This is fantastic in theory - the Google ecosystem is vast and there are many potential login points (as well as broad targets for phishers). Unfortunately, it assumes that users will have a unique password for Google and both experience and research tell us that simply doesn’t happen as often as it should. A 2013 study found that over half of all adults surveyed in the UK use the same password across multiple Internet sites. Microsoft researchers even recommended recently that users reuse passwords on low-value sites, saving unique passwords for higher value sites to make password management more realistic. We simply have too many logins - password reuse borders on inevitable.
In the case of Google’s extension, obviously your Google password should be unique. Under the password reuse strategy that Microsoft researchers outlined, your Google account, like your banking and social media logins, falls into the high-value category and its password should not be reused. But in reality, reuse is more often the default than a strategic decision. When one login is compromised (whether through a phishing attack or otherwise), many are compromised. And the nature of phishing is such that attackers can exploit information from these accounts to seek out other accounts that may share login information.
Google’s new Chrome extension is a good start - and a very public acknowledgment that phishing represents a critical vulnerability for consumers and businesses alike. But the real solution lies with more robust approaches like two-factor authentication, biometrics, federation, and user education. Maybe all of those false positives for people who install Password Alert will be a grim reminder of how often we reuse passwords, even if it doesn’t exactly bring phishers to their knees.