Google has successfully defended its over 85,000 employees against phishing attacks like the kind that hacked Democrats during the 2016 U.S. presidential race since requiring that staffers use physical, USB-based security keys to access their work accounts, the company said Monday.
None of Google’s employees have had their work-related accounts compromised since mandating physical keys in early 2017, a Google spokesperson told the KrebsonSecurity website.
“We have had no reported or confirmed account takeovers since implementing security keys at Google,” said the spokesperson. “Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time.”
Physical security keys can safeguard users who have been “phished,” or duped into disclosing their log-in credentials, by requiring more than just a username and password to access an account. Accounts protected using physical security keys can typically only be accessed by inserting a recognized USB-based device into the computer being used during the log-in process and pressing a button, meaning a hacker would need both a user’s password and the physical key to gain entry.
Google previously protected its employees from hackers by requiring that their accounts be protected using two-factor authentication – a security measure in which the log-in process is supplemented by having the user enter a secondary code accessed from a predetermined device, such as the account holder’s cellphone. That practice remains potentially exploitable, however, which makes physical keys a viable alternative for defending against phishing attacks, especially sophisticated campaigns conducted by state actors.
Russian military officials used phishing attacks to hack Democratic Party targets during the 2016 race and steal materials subsequently leaked online prior to President Trump’s election, including internal Democratic National Committee correspondence and the personal emails of John Podesta, the chairman of Democratic candidate Hillary Clinton’s campaign, according to U.S. officials.
Mr. Podesta was hacked as the result of a March 2016 phishing email sent by Russian military intelligence, Robert Mueller explained in a criminal indictment unsealed last month as part of the Justice Department’s investigation into the 2016 race. The email contained a malicious link that directed the recipient to a purported Gmail log-in page where they were prompted to enter Mr. Podesta’s password, effectively surrendering his credentials to the Russian hackers running that site.
Had physical security keys been correctly implemented, Mr. Podesta could potentially have prevented the breach, since the hackers would have needed more than just his password to access his account.
Russian hackers sent phishing emails to over 300 targets during the 2016 race, Mr. Mueller wrote in the July 13 indictment. The DNC was ultimately breached within weeks of the compromise of Mr. Podesta’s account, after Russian hackers used a phishing email to compromise an employee of the Democratic Congressional Campaign Committee and subsequently installed malware on that organization’s network, according to the indictment.
More recently, a Microsoft executive warned last week that hackers had been caught attempting phishing attacks against three candidates running in the November 2018 midterms.