Posted by Daniel Margolis, Software Engineer, Google Account Security Team
Every year, security technologies improve: browsers get better, encryption becomes ubiquitous on the Web, authentication becomes stronger. But phishing persistently remains a threat (as shown by a recent phishing attack on the U.S. Department of Labor) because users retain the ability to log into their online accounts, often with a simple password, from anywhere in the world. It’s why today at I/O we announced new ways we’re reducing the risks of phishing by: scaling phishing protections to Google Docs, Sheets and Slides, continuing to auto enroll people in 2-Step Verification and more. This blog will deep dive into the method of phishing and how it has evolved today.
As phishing adoption has grown, multi-factor authentication has become a particular focus for attackers. In some cases, attackers phish SMS codes directly, by following a legitimate “one-time passcode” (triggered by the attacker trying to log into the victim’s account) with a spoofed message asking the victim to “reply back with the code you just received.”
Left: legitimate Google SMS verification. Right: spoofed message asking victim to share verification code.
In other cases, attackers have leveraged more sophisticated dynamic phishing pages to conduct relay attacks. In these attacks, a user thinks they’re logging into the intended site, just as in a standard phishing attack. But instead of deploying a simple static phishing page that saves the victim’s email and password when the victim tries to login, the phisher has deployed a web service that logs into the actual website at the same time the user is falling for the phishing page.
The simplest approach is an almost off-the-shelf “reverse proxy” which acts as a “person in the middle”, forwarding the victim’s inputs to the legitimate page and sending the response from the legitimate page back to the victim’s browser.
These attacks are especially challenging to prevent because additional authentication challenges shown to the attacker—like a prompt for an SMS code—are also relayed to the victim, and the victim’s response is in turn relayed back to the real website. In this way, the attacker can count on their victim to solve any authentication challenge presented.
Traditional multi-factor authentication with PIN codes can only do so much against these attacks, and authentication with smartphone approvals via a prompt — while more secure against SIM-swap attacks — is still vulnerable to this sort of real-time interception.
The Solution Space
Over the past year, we’ve started to automatically enable device-based two-factor authentication for our users. This authentication not only helps protect against traditional password compromise but, with technology improvements, we can also use it to help defend against these more sophisticated forms of phishing.
Taking a broad view, most efforts to protect and defend against phishing fall into the following categories:
- Browser UI improvements to help users identify authentic websites.
- Password managers that can validate the identity of the web page before logging in.
- Phishing detection, both in email—the most common delivery channel—and in the browser itself, to warn users about suspicious web pages.
- Preventing the person-in-the-middle attacks mentioned above by preventing automated login attempts.
- Phishing-resistant authentication using FIDO with security keys or a Bluetooth connection to your phone.
- Hardening the Google Prompt challenge to help users identify suspicious sign-in attempts, or to ask them to take additional steps that can defeat phishing (like navigating to a new web address, or to join the same wireless network as the computer they’re logging into).
Expanding phishing-resistant authentication to more users
Over the last decade we’ve been working hard with a number of industry partners on expanding phishing-resistant authentication mechanisms, as part of FIDO Alliance. Through these efforts we introduced physical FIDO security keys, such as the Titan Security Key, which prevent phishing by verifying the identity of the website you’re logging into. (This verification protects against the “person-in-the-middle” phishing described above.) Recently, we announced a major milestone with the FIDO Alliance, Apple and Microsoft by expanding our support for the FIDO Sign-in standards, helping to launch us into a truly passwordless, phishing-resistant future.
Even though security keys work great, we don’t expect everyone to add one to their keyring.
Instead, to make this level of security more accessible, we’re building it into mobile phones. Unlike physical FIDO security keys that need to be connected to your device via USB, we use Bluetooth to ensure your phone is close to the device you’re logging into. Like physical security keys, this helps prevent a distant attacker from tricking you into approving a sign-in on their browser, giving us an added layer of security against the kind of “person in the middle” attacks that can still work against SMS or Google Prompt.
(But don’t worry: this doesn’t allow computers within Bluetooth range to login as you—it only grants that approval to the computer you’re logging into. And we only use this to verify that your phone is near the device you’re logging into, so you only need to have Bluetooth on during login.)
Over the next couple of months we’ll be rolling out this technology in more places, which you might notice as a request for you to enable Bluetooth while logging in, so we can perform this additional security check. If you’ve signed into your Google account on your Android phone, we can enroll your phone automatically—just like with Google Prompt—allowing us to give this added layer of security to many of our users without the need for any additional setup.
But unfortunately this secure login doesn’t work everywhere—for example, when logging into a computer that doesn’t support Bluetooth, or a browser that doesn’t support security keys. That’s why, if we are to offer phishing-resistant security to everyone, we have to offer backups when security keys aren’t available—and those backups must also be secure enough to prevent attackers from taking advantage of them.
Hardening existing challenges against phishing
Over the past few months, we’ve started experimenting with making our traditional Google Prompt challenges more phishing resistant.
We already use different challenge experiences depending on the situation—for example, sometimes we ask the user to match a PIN code with what they’re seeing on the screen in addition to clicking “allow” or “deny”. This can help prevent static phishing pages from tricking you into approving a challenge.
We’ve also begun experimenting with more involved challenges for higher-risk situations, including more prominent warnings when we see you logging in from a computer that we think might belong to a phisher, or asking you to join your phone to the same Wi-Fi network as the computer you’re logging into so we can be sure the two are near each other. Similar to our use of Bluetooth for Security Keys, this prevents an attacker from tricking you into logging into a “person-in-the-middle” phishing page.
Bringing it all together
Of course, while all of these options dramatically increase account security, we also know that they can be a challenge for some of our users, which is why we’re rolling them out gradually, as part of a risk-based approach that also focuses on usability. If we think an account is at a higher risk, or if we see abnormal behavior, we’re more likely to use these additional security measures.
Over time, as FIDO2 authentication becomes more widely available, we expect to be able to make it the default for many of our users, and to rely on stronger versions of our existing challenges like those described above to provide secure fallbacks.
All these new tools in our toolbox—detecting browser automation to prevent “person in the middle” attacks, warning users in Chrome and Gmail, making the Google Prompt more secure, and automatically enabling Android phones as easy-to-use Security Keys—work together to allow us to better protect our users against phishing.
Phishing attacks have long been seen as a persistent threat, but these recent developments give us the ability to really move the needle and help more of our users stay safer online.