Security news that informs and inspires

Google Boosts Account Security

Google is making some changes to the way it protects users’ accounts, including notifications whenever users share any information from their Google account with any other app or site, and a new process that will help people recover compromised accounts.

For many people, their Google account is the epicenter of their online activity. People often link those accounts to other services through federated login, payment services, and other connections. And attackers often prioritize going after those accounts for just that reason, and because people will sometimes reuse their email passwords across other services, so compromising a Google account can be a springboard to a much deeper compromise.

To help users whose accounts have been compromised, Google has developed a new process that will be put in motion automatically once the company’s back end systems detect potentially malicious activity on an account. The process includes checking the critical security settings on the account to ensure that an attacker can’t use an associated phone number or recovery email address to access the account. Google also will help users check any other accounts associated with their Google account for unusual activity, and see if any payment methods connected to their Google account has been compromised, too.

Much of what Google and other platform providers do to protect user accounts happens in the background and normally is invisible to users. These safeguards typically involve automated systems that check for device fingerprints and other characteristics that help providers identify legitimate users. Google has extensive automated account-security checks for its users, some of which are public and many of which are not. Those systems are what form the foundation of the method Google uses to identify suspicious account activity and provide users with warnings about potential attacks by government-backed attackers.

“It’s really important that you understand the information that has been shared with apps or sites so that we can keep you safe."

In addition to the new recovery process, Google also is implementing an additional notification that will alert users whenever they share any data from their Google accounts with third-party apps.

“It’s really important that you understand the information that has been shared with apps or sites so that we can keep you safe. We already notify you when you’ve granted access to sensitive information — like Gmail data or your Google Contacts — to third-party sites or apps, and in the next few weeks, we’ll expand this to notify you whenever you share any data from your Google Account,” Jonathan Skelker, a product manager at Google, said.

Google also is making a small change to the way it handles the behind-the-scenes checks it runs when users login to their accounts. The company’s systems look for a number of factors, and if something looks amiss, users might get a security challenge or not be allowed to login.

“When your username and password are entered on Google’s sign-in page, we’ll run a risk assessment and only allow the sign-in if nothing looks suspicious. We’re always working to improve this analysis, and we’ll now require that JavaScript is enabled on the Google sign-in page, without which we can’t run this assessment,” Skelker said.