The main tweak is that Google is upping its detection of people pretending to be you. If you’re unwittingly tricked into handing over your Google username and password in a phishing attack, all isn’t lost. Google thinks it can distinguish a sign-in by the phishing attacker from a sign-in by you.
Wrote Google product manager, Jonathan Skelker in a blog announcement:
When your username and password are entered on Google’s sign-in page, we’ll run a risk assessment and only allow the sign-in if nothing looks suspicious.
The company is deliberately vague about what signals indicate this but it alluded to similar ideas in the reCAPTCHA v3 announcement from earlier this week.
Failure to do this will result in the user being confronted with the following error message:
If Google thinks it has detected malicious account access, users are now taken through additional checks looking for unauthorised financial activity, access to files on Google Drive, whether access has affected third-party accounts accessed via Google, and double-checking recovery information such as phone numbers for any changes.
The options and process for this is laid out on Google’s secure a hacked or compromised account page.
It’s all perfectly sensible stuff but a quick glance at that page shows how involved Google account security has become – the main advice section now runs to a total of nearly 1,100 words, referencing settings and concepts not all users will be familiar with.
As Google’s Skelker admits:
Online security can sometimes feel like walking through a haunted house – scary, and you aren’t quite sure what may pop up.
His analogy, aimed at the threats, increasingly applies to protections too.
As their number expands to serve a worthy cause, it’s a theme worth thinking about come next year’s National Cyber Security Awareness Month.
John E Dunn