6 August 2011

How Google, Facebook and Hotmail aim to stop hacking


“My Google email account was recently hacked into whilst I was on holiday in Slovakia. The hacker said that I had been robbed at gunpoint in Spain and robbed, then asked people to send money to a money transfer account in Spain,” read the email that arrived this week. “This has happened to other people, I gather.”

It certainly has: this is the peak season for people having their accounts hacked, principally because so many are travelling, and thus using either computers or networks that are shared and which they trust too much.

For that reason, Google, Hotmail and Facebook (though notably not Yahoo) have all implemented a system called “two-factor authentication” to protect your account. The basic idea is straightforward: as well as your username and password, when you use a new device to access their system, you also have to enter a one-time code which is sent to your mobile phone.

The idea is to protect against your login details being stolen over an insecure network, or by a computer running malware that tries to capture exactly those details. Even if the malware captures the one-time code, it is of no further use: each code is valid for a single login and becomes invalid once it has been used or has expired. So if someone later tries to log in from another machine with your stolen username and password, they will be faced with a demand for a fresh code, which will be sent to your phone. (It does not undo whatever the malware did during the session on the infected machine, which is one more reason to log out when you leave it.)

Phone protection
Ideally, the would-be thief won’t have your phone – though the possibility that they might is the reason why you should protect your SIM with a passcode, and set your phone to lock automatically.

The problem is that not everyone uses 2FA (as it’s also known) — and it’s quite hard to force them to. “With 750 million users, it’s quite hard to get a security feature to work for everybody,” says Joe Sullivan, Facebook’s chief security officer, a former US federal prosecutor who previously worked at eBay for six years and joined the giant social network in 2008.

For many people working on their familiar computer, a username and password is sufficient security. But for others, 2FA is desirable, he says. “It’s like how I have a key to lock my front door, but I also have an alarm that I can choose whether I set or not.”

Google and Hotmail also allow you to set up two-factor authentication. Yahoo Mail does not — so avoid using it in situations where you don’t trust everything about the network and computer you’re using. (An internet cafe computer should not be trusted, on principle; nor open wireless networks in hotels, railway stations or elsewhere.)

One thing to note about using two-factor authentication with all these services: first, you need a mobile phone number; second, you need to set it up before you travel, or at least while you are at a trusted machine (which is none of the machines you will encounter while travelling).

Turning it up to Factor Two
To activate two-factor authentication:

  • In Google, it’s found through the “settings” tab on the top right-hand side of the page. You have to set up 2FA on a trusted computer. (It’s a good idea to have a printer to hand so that you can print out a list of backup codes it provides for access just in case your mobile phone is lost or stolen.) You’ll have to provide a phone number to which the codes can be sent; obviously, a mobile is ideal.
  • In Hotmail, you first need to add a mobile phone number in your Windows Live Account overview page. (Again, you’ll need to do this on a trusted computer first.) Then whenever you go to Hotmail or other Windows Live services, you can choose to get a single-use code – a string of numbers that will be sent via text message to your phone – to use instead of your password. Make sure you do. Single-use codes expire after about 15 minutes; make sure too that you log out of the account before leaving the machine.
  • In Facebook, go to Account (top right-hand corner) and Account Settings. From there choose Security and Login approvals: this offers a tickbox for “Require me to enter a security code sent to my phone”. Again, you need to have your number entered.
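The server side of the scheme the three services use is simple to model: a random code is issued to the user's phone, kept pending for a limited time, and consumed on the first successful use, so a code captured by malware or a network sniffer cannot be replayed. The following is an added illustration written for this article, not any of these providers' real code. It assumes a six-digit numeric code, a lifetime of 15 minutes (the expiry Hotmail quotes) and a limit of three wrong guesses per code, after which the code is discarded; a fake clock is included so the expiry path can be exercised without waiting.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 15 * 60   # assumed lifetime, matching Hotmail's "about 15 minutes"
MAX_ATTEMPTS = 3             # assumed: discard the code after this many wrong guesses


class OneTimeCodeStore:
    """Server-side store of pending one-time codes, one per user (illustrative model)."""

    def __init__(self, ttl=CODE_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock
        self._pending = {}   # user -> {"code", "issued", "attempts"}

    def issue(self, user):
        """Create a fresh code for the user; the caller would send it by SMS."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._pending[user] = {"code": code, "issued": self._clock(), "attempts": 0}
        return code

    def verify(self, user, submitted):
        """True only for the first correct submission of an unexpired code."""
        entry = self._pending.get(user)
        if entry is None:                      # nothing pending: never issued, already used, or burned
            return False
        if self._clock() - entry["issued"] > self._ttl:
            del self._pending[user]            # expired: discard regardless of what was submitted
            return False
        entry["attempts"] += 1
        ok = hmac.compare_digest(entry["code"], submitted)   # constant-time comparison
        if ok or entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[user]            # consumed on success, or burned after too many tries
        return ok


class FakeClock:
    """Controllable clock so the demo can move time forward deterministically."""

    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Walk through the cases the article describes and return the outcomes."""
    clock = FakeClock()
    store = OneTimeCodeStore(clock=clock)
    results = {}

    code = store.issue("alice")
    wrong = "000000" if code != "000000" else "111111"
    results["wrong_code"] = store.verify("alice", wrong)    # one typo does not burn the code
    results["first_use"] = store.verify("alice", code)      # legitimate login succeeds
    results["replay"] = store.verify("alice", code)         # malware replays the captured code: rejected

    code = store.issue("alice")
    clock.advance(CODE_TTL_SECONDS + 1)
    results["expired"] = store.verify("alice", code)        # too late, even with the right code

    code = store.issue("alice")
    for _ in range(MAX_ATTEMPTS):
        store.verify("alice", wrong)
    results["after_three_wrong"] = store.verify("alice", code)   # code was burned by the guesses
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:18} -> {'accepted' if outcome else 'rejected'}")
```

The two details that matter most are that the comparison happens only after the attempt counter is bumped, so a guessing attacker cannot get unlimited tries, and that the entry is deleted on success before the result is returned, so the same code can never be accepted twice.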

Yahoo doesn’t offer 2FA, which is a problem, because it puts your login details at risk. There isn’t any option to introduce it either; the Guardian has established that a service called YToken which has a web page claiming to offer it in fact doesn’t, because there wasn’t enough demand, according to its owner.

If you need to access Yahoo emails while you are away, it is safest either to do it via a smartphone (with a PIN and phone lock) or to set up a Hotmail or Gmail account which periodically logs in to the Yahoo account and shows you the email from it, and use the more secure authentication those services offer.

Meanwhile, at Twitter
Twitter doesn’t yet have two-factor authentication enabled. “It is great and something to aspire towards,” says Del Harvey, Twitter’s head of Trust and Safety. “But the fact that it has taken Google this long, with the resources that it has, tells you that it’s not simple.”

Furthermore, lots of people use Twitter from their mobile phone — its 140-character updates mean that it’s ideal for both smartphones and the simplest phones which only send texts. (In a number of countries, Twitter has an SMS number to which you can send updates.)

“We get a lot of people who contact us to tell us they’ve lost their phone, and need us to turn off their SMS updates,” says Harvey.

Implementing two-factor authentication for people who lose their phone “would mean we lock them out of their [Twitter] account on the web and also make it incredibly difficult for them to get started up again”.

Although she uses Gmail, and two-factor authentication, Harvey knows that if you get a sufficiently large number of users you’ll eventually get an unmanageable number who have managed not to follow the instructions. “They’ve lost their phone, or they didn’t write down the backup codes, or — this happens — they did take down the backup codes but stored them on the phone. And now they’ve lost the phone…”

Harvey’s faith in human fallibility is touching, but well-founded. “Users aren’t likely to use things that make it harder to use their account,” she says. Instead, Twitter has focused on adding straightforward security that stops your details being “sniffed” over networks: it now supports connections over secure SSL links (the https: prefix in the browser address bar). If you find yourself on what looks like a Twitter site but the address lacks that prefix, end the session.

A Twitter spokesperson said: “Users can turn on https. It’s not currently on by default. We’re working on that though.”

Building a better password
That of course won’t stop people guessing your password if it is weak — a word in a dictionary or a simple combination of letters and numbers. (Yes, lots of people use “abc123” as their password. That’s not a strong password.)

You can check your password’s strength at howsecureismypassword.net, which will tell you how long it would take the average desktop PC to crack your password by trying every combination. The site says it does not store passwords and does not ask for a username. Even so, the cautious habit is to type in a password of the same structure (same length and mix of characters) rather than the one you actually use: a real password should never leave the sites it belongs to.

For “abc123” the answer is “this is one of the 500 most common passwords — you should probably change it”. (For my personal Twitter account, the answer was “24 000 years”.)

Facebook and Twitter search out weak passwords: if you try to create an account with a weak password, or one that has been shown to be widely used (as happens when hackers breach systems and post huge lists of usernames and passwords), then they will block it.

“When we see those massive stores of emails and passwords, we make sure to get to see the emails and passwords,” says Facebook’s Sullivan. “If we find that someone has the same email/password setup on Facebook, we change it and force them to change it when they login.”

Facebook’s advantage is that it can also force people to prove their identity by showing them pictures of friends — something that the real person will generally be good at doing, and anyone else won’t.

Sullivan says that anywhere between 1% and 10% of the passwords in those leaked lists match the same person’s password on Facebook, which points to another problem: people using the same password on several sites. After weak passwords themselves, it is the single biggest source of account compromises.
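The check Sullivan describes, matching a leaked "email:password" list against a site's own users and forcing a reset where the password is the same, can be done without ever storing the plaintext: hash each leaked password with the user's stored salt and compare it with the stored hash. The following is an added example written for this article, not Facebook's or any other service's code. It assumes salted PBKDF2 password storage with a deliberately low iteration count so the demo runs instantly, and the user database and leaked dump are constructed sample data.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 1000   # kept low so the example is instant; real deployments use far more (assumption)


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256 of the password (the assumed storage format)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(db, email, password):
    """Store a user as (salt, hash); the plaintext is never kept."""
    salt = os.urandom(16)
    db[email.lower()] = (salt, hash_password(password, salt))


def parse_dump(lines):
    """Parse 'email:password' lines from a leaked list.

    Split on the first colon only, since passwords may themselves contain colons,
    and normalise the email so the lookup matches how accounts are keyed.
    """
    creds = {}
    for line in lines:
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, password = line.split(":", 1)
        creds[email.strip().lower()] = password
    return creds


def find_reused(db, dump_lines):
    """Return the accounts whose current password equals the one leaked for that email."""
    reused = set()
    for email, leaked_pw in parse_dump(dump_lines).items():
        entry = db.get(email)
        if entry is None:            # leaked address is not one of our users
            continue
        salt, stored = entry
        if hmac.compare_digest(stored, hash_password(leaked_pw, salt)):
            reused.add(email)
    return reused


def demo():
    """Constructed user database and leaked dump; returns the accounts to force-reset."""
    db = {}
    register(db, "alice@example.com", "abc123")      # same password as on the breached site
    register(db, "bob@example.com", "Tr0ub4d!")      # different password here: no action needed
    register(db, "carol@example.com", "pass:word")   # password containing a colon

    # Constructed sample of a leaked "email:password" list from some other site
    leaked = [
        "ALICE@example.com:abc123",          # different capitalisation, same account
        "bob@example.com:hunter2",
        "dave@example.com:letmein",          # not a user of ours
        "carol@example.com:pass:word",       # only the first colon separates the fields
        "",                                  # blank lines and junk are skipped
        "not a credential line",
    ]
    return find_reused(db, leaked)


if __name__ == "__main__":
    for email in sorted(demo()):
        print(f"{email}: password found in leaked list, forcing a change at next login")
```

Because every user has a different salt, the leaked password has to be re-hashed once per matching account, which is exactly the work an attacker running credential-stuffing tools would do against the live login form; doing it first, offline, is what lets the site change the password before the attacker tries it.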

The ideal is to use a different password at every site, which can be done if you use some imagination. It is also good to include numbers and punctuation marks, since those widen the set of characters an attacker has to try; making the password longer helps even more, because every extra character multiplies the number of guesses needed.

Most of all, if you use a different password at every site, then if by some misfortune your username (often an email address) is stolen along with your password at one (flawed) site, the automated tools that hackers use to try those details on other sites (including Facebook, Gmail, Hotmail, Twitter and Yahoo) will fail to get them in. That is success, at least inasmuch as it stops one hacked account turning into several.