Tame hackers say password protection no longer enough
Google introduces physical key as part of latest online safety strategy
Passwords are no longer enough to protect people from cybercrime, former hackers say.
Many security barriers are now needed to block online criminals and effectively secure sensitive information.
At a briefing in Munich on the latest internet security advice, Google said it was committed to building powerful tools to enable users to adjust privacy preferences any time.
The company has launched its Advanced Protection Programme, a physical key to protect accounts and to be used with existing security measures such as passwords and secondary authentication.
“Relying on one single factor to keep online accounts and passwords secure is no longer good enough,” said Mark Risher, director of product management at Google and account security leader of the phishing and identity services team.
“The Advanced Protection Programme has been built for high-risk internet users, such as those who have a lot to lose or are vulnerable to state-sponsored hacking, such as journalists, activists or citizen groups subject to persistent attacks.
“With a key, Google will refuse to give over sensitive information to suspicious websites.”
Google’s investment in technologies such as machine learning helps it identify patterns in the subtle signals from websites that look suspicious and could put users at risk.
Machine learning and blockchain technology are two of the developing methods used to make secure financial transactions and exchange private information online.
“Our investments are broad, and coming from security we know there is no silver bullet that will make all your problems go away,” Mr Risher said.
“We are always encrypting data in transit and understanding how areas can be exploited – that is what we are building our systems on, rather than one particular technology.”
In 2016, the company asked more than 4,000 people from 15 countries about their concerns for privacy and security.
Technology experts at Google said they were committed to keeping private information free from government-backed snooping and state-sponsored data interception.
“There is no direct access to information via Google for government agencies,” said Stephan Micklitz, engineering director on identity, privacy and security at Google in Munich.
“We do receive requests for information on users from law enforcement for access to data, and we review these requests, but our team will always push back as much as possible.”
Google Safe Browsing protects three billion devices worldwide, and fields 260 million warnings a month.
When a user opens a browser to view a website it may feel instantaneous, but in reality there are usually two junctions between the browser and the destination website.
If your browser is communicating with a website over a clear path without any encryption, there is no guarantee the information being sent cannot be tampered with.
This is called the “man in the middle” security risk, where the hacker places themselves between the victim and the website they are trying to reach.
Hired hacker Parisa Tabriz is now director of engineering at Google and responsible for the Chrome browser.
“We’ve seen a number of ‘man in the middle’ attacks over the years, including internet service providers inserting advertisements, other organisations monitoring web traffic or governments monitoring their citizens,” she said.
“One of the larger such attacks in recent years, in 2011, was suspected to be the Iranian government trying to intercept Google Mail.
“We’ve seen a lot of examples of this. The best way to avoid this is to use encryption to transmit web content.”