How Google protects the data

Hacking, phishing, malware: criminals on the Internet keep trying to break into different user accounts. Thousands of employees at Google are working to ensure that they are unsuccessful. A conversation with Stephan Micklitz and Tadek Pietraszek.

has worked at Google Zurich since 2006 and heads a large security team there. In 2006 he received his doctorate in computer science from the Albert Ludwig University in Freiburg.

Mr. Pietraszek, you and your team take care of the security of the user accounts. How do you prevent someone from breaking into your users' accounts?

Tadek Pietraszek, chief developer for account security: First of all, it is important to detect a hacker attack in the first place. There are more than a hundred variables that can be used to identify suspicious activity. Let's assume you live in Germany and very rarely travel abroad, and someone tries to access your account from another country: this is an alarm signal for us.

Stephan Micklitz, Head of Development for Security and Data Protection: That is why we then ask you, for example, for the telephone number that you have stored with us or other information that only you as the owner of the account know.

Tadek Pietraszek (left) is responsible for the security of user accounts at Google.

How often do such attacks occur?

Pietraszek: There are hundreds of thousands every day. Our biggest problem is that there are tons of lists of usernames and passwords stolen from hacked websites on the Internet. Since some of our users use the same password for different accounts, this naturally also includes login data from Google accounts.

Are these lists the biggest security problem?

Pietraszek: Yes, exactly. The lists and also the typical phishing attacks. Almost everyone has already received emails with which criminals want to steal someone else's password. We can of course do our part to ensure that they fail to do this. If we find an email suspicious, we can flag it with warnings in Gmail so that you can take a closer look, or we can filter the email immediately. Our Chrome browser also notifies you if you try to visit phishing websites known to us.

Micklitz: There are basically two types of phishing. The mass e-mails with which perpetrators want to collect as much login data as possible, and the so-called spear phishing, in which they target a specific person's account. These can be quite sophisticated actions that last several months and in which the perpetrators examine the life of the victim in detail and attack them in a targeted manner.

How does Google support its users so that these actions can no longer be successful?

Pietraszek: For example with two-factor authentication. Many users may know this from their bank's online account. If you want to transfer money, you have to enter an SMS code next to the password, for example. Google introduced two-factor authentication back in 2009, earlier than most of the other major email providers. In addition, Google users who actively use a mobile phone and have registered their phone number automatically benefit from a similar level of protection in the event of suspicious login attempts.

Micklitz: Two-factor authentication is a good method, but SMS codes can also be found out. For example, a criminal could call your wireless service provider and try to have a second SIM card sent to you. Authentication with physical security keys, for example a Bluetooth transmitter or a USB stick, is even more secure.

Pietraszek: This option is part of the extended safety program.

What is behind this program?

Pietraszek: We have been offering it to everyone who is at increased risk of being hacked since 2017. For example, journalists, managing directors, dissidents or members of parliament.

Micklitz: In addition to the physical security key, we are also restricting data access by third-party apps by incorporating additional steps for users to use to confirm their identity if they lose the security key.

As head of development, Stephan Micklitz is responsible for security and data protection at Google worldwide. He studied computer science at the Technical University of Munich and has been working for Google in Munich since the end of 2007. Right picture: A security key.

Can you give us an example of a sophisticated hacker attack that you have faced?

Pietraszek: There was one such attack at the beginning of 2017, for example. Hackers had created a malicious program to gain access to the victims' Google accounts and sent fake emails to the users' contacts. In it, they asked the recipients to authorize access to a forged Google document. Anyone who did this involuntarily gave the malware access and automatically sent fake emails to their own contacts. This allowed the virus to spread quickly. We have contingency plans for such cases.

Micklitz: In this specific case, for example, we blocked the distribution of these emails in Gmail, revoked permissions granted to the program and secured the accounts. Of course, we've also added systematic safeguards to make similar future attacks more difficult. Google Accounts are under constant attack and it is best if our automated systems protect them. Of course, this assumes that we can reach the users regardless of their Google account, for example via a second e-mail address or a mobile number given to us.

"Actually, it is enough for users to adhere to a few rules."

Stephan Micklitz

How important is the issue of security for the average user?

Pietraszek: It is very important to many, but security precautions are also a nuisance. This also explains, for example, why users use the same passwords for multiple accounts - the worst mistake ever. Our job is to educate users on how to protect their accounts with little effort. We therefore offer a security check in Google Account, which you can use to easily check your settings.

Micklitz: Actually, it is enough to stick to a few rules.

That would be?

Micklitz: Don't use the same password for multiple services, install security updates and avoid suspicious software. Provide your phone number or an alternative email address so that you can be reached in other ways. And activate the screen lock on your smartphone to prevent unauthorized access. Much has already been achieved with this.

Photography: Conny Mirbach