Account takeover, or account ‘hijacking’, is a pervasive and persistent problem for users in their work and personal environments. Most often, account hijacking attempts are automated – carried out by bots with access to vast lists of email/password combinations exposed by third-party breaches.
These bots attempt to gain additional access to your digital footprint by trying those credentials against different services. For instance, a bot with access to email addresses and passwords exposed in the Equifax breach may try these credentials against Gmail. That’s not to say traditional and spear-phishing attacks are no longer prevalent!
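The bot behaviour described above leaves a recognizable trace in sign-in logs: one source spraying breached passwords across many distinct accounts with a low success rate, which is what a login challenge can key on. The following is an added example, not code from the original post; the log events, addresses (documentation ranges) and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed login-event sample (source, account, outcome); the addresses come
# from documentation ranges and are not real indicators from the post.
EVENTS = [
    ("203.0.113.7", "alice@example.com", "fail"),
    ("203.0.113.7", "bob@example.com", "fail"),
    ("203.0.113.7", "carol@example.com", "fail"),
    ("203.0.113.7", "dave@example.com", "success"),  # one reused password worked
    ("203.0.113.7", "erin@example.com", "fail"),
    ("203.0.113.7", "frank@example.com", "fail"),
    ("198.51.100.4", "alice@example.com", "fail"),   # a person mistyping once
    ("198.51.100.4", "alice@example.com", "success"),
]

def source_stats(events):
    """Aggregate per source: distinct accounts tried, attempts and successes."""
    stats = defaultdict(lambda: {"accounts": set(), "attempts": 0, "successes": 0})
    for source, account, outcome in events:
        s = stats[source]
        s["accounts"].add(account)
        s["attempts"] += 1
        if outcome == "success":
            s["successes"] += 1
    return stats

def stuffing_sources(events, min_accounts=5, max_success_rate=0.25):
    """A credential-stuffing bot tries breached pairs across many accounts, so a
    single source touching many distinct accounts with a low success rate is the
    signature; a legitimate user retries the same account. Thresholds are assumed."""
    flagged = {}
    for source, s in source_stats(events).items():
        rate = s["successes"] / s["attempts"]
        if len(s["accounts"]) >= min_accounts and rate <= max_success_rate:
            flagged[source] = {"accounts_tried": len(s["accounts"]),
                               "success_rate": round(rate, 2)}
    return flagged

def accounts_to_challenge(events, flagged):
    """Successful sign-ins from a flagged source are the ones a login challenge
    should step up: require the second factor before granting the session."""
    return sorted({acct for src, acct, outcome in events
                   if src in flagged and outcome == "success"})

if __name__ == "__main__":
    flagged = stuffing_sources(EVENTS)
    print("suspected stuffing sources:", flagged)
    print("accounts to step-up challenge:", accounts_to_challenge(EVENTS, flagged))
```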
We regularly respond to successful and attempted account hijacking. In our Security Awareness Training, we educate organizations and their employees on the measures they can take to prevent such compromises. We assert that the best countermeasures to account hijacking are strong login challenges and the use of multi-factor authentication.
Furthermore, we note that these challenges and mechanisms vary in the added protection they provide. Specifically, the use of a physical security key provides the greatest degree of additional security, followed by a six-digit code generated by an app and, finally, an SMS text message.
Google, in coordination with New York University and the University of California, San Diego, published research confirming the efficacy of the aforementioned security measures. This year-long study examined the effectiveness of secondary authentication factors “at preventing over 350,000 real-world hijacking attempts”, on a sample of 1.2 million users “stemming from automated bots, phishers, and targeted attackers”.
The results are a powerful confirmation of the need for organizations and individuals to utilize additional authentication mechanisms wherever possible.
“Our research shows that simply adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks that occurred during our investigation,” researchers from Google AI said in a blog post.
The researchers also found that users who exclusively implemented security keys were protected from 100% of automated, bulk phishing, and targeted attacks. However, as is often the case, human nature impedes security. Researchers also found that 38% of users did not have access to their phone when challenged, and many were unable to recall their secondary email address or additional factor.
What should you, the reader, do now? Think about your daily digital routine – what websites do you regularly log into at work? At home? Do you have sensitive information on those services? If so, consider utilizing login challenges and multi-factor authentication.
The consequences of a successful account takeover are serious. Take measures to protect yourself and your family online.
If you’re interested in reading Google’s research publication, you can check it out here: https://ai.google/research/pubs/pub48119.