Google Eliminates Phishing?

News item reads “Google Eliminated Phishing”, really?

A recent technology news headline read “Google Eliminated Phishing by Giving All 85,000 Employees USB Security Keys”(1). That’s a rather bold statement. “Eliminated phishing” suggests that Google, by some sleight of hand, had done the impossible and blocked phishing attacks from reaching any of its 85,000 employees. I’ll go off the deep end here and suggest there is only one way to “eliminate phishing” attacks: unplug! Google employees didn’t do that…

What Google did was issue USB authentication tokens: little USB dongles that, when plugged into an access device, fulfill the second component of a multi-factor authentication session. I guess this was done on the premise that the USB token fills the “something you have” component of the multi-factor process better than Google Authenticator. Perhaps it does, and perhaps it reduces the potential of an impersonation attack, the operative words being “perhaps” and “reduces”. It cannot, will not and never will eliminate the phishing attack.

As for the effectiveness of second factors such as USB tokens in general, well, they are only slightly more difficult to hack than the single-factor password they augment. There are several failings of the multi-factor authentication approach, the most fundamental of which is its basis of “something you have”. To begin with, if it’s something you have, then it’s something anyone else can have as well. Think lost or stolen. The something-you-have token is not coupled to the person. Rather, it’s something the person has, not something that knows the person who has it. Thus, any person can have and use it. Another consideration: a phishing attack that installs a BOT on the laptop is not blocked by a USB token. The BOT is free to do its thing, and is free to do so the instant the token is plugged in. At that point, the BOT goes to work impersonating the user on any of their multi-factor-secured accounts. What’s worse, the BOT could be doing this indirectly via a proxy, making it even more difficult to detect. And there’s the old adage that anything one can build can be duplicated by another; it’s merely a question of time, effort and money. Indeed, in some respects, the USB authentication token is easier to hack than its predecessor, Google Authenticator.
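A toy model of the possession-only second factor the paragraph describes, added here as an illustration; it is not code from the original post and not Google’s or any token vendor’s implementation, and it is not the U2F/FIDO protocol. The server shares a per-registration secret with a token and verifies a challenge-response over it. The point the model makes concrete is the “not coupled to the person” observation: the verifier learns only that the registered token answered, so the same token in anyone’s hands passes, while a replayed answer or a different token fails. The class and function names, the HMAC-SHA256 construction and the sample usernames are assumptions of this example.

```python
import hashlib
import hmac
import secrets


class HardwareToken:
    """Models the USB dongle: it holds a secret and answers any challenge it is given.
    It has no idea who plugged it in (constructed model, not a real device)."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class Server:
    """Relying party: stores one shared secret per user and issues one-time challenges."""

    def __init__(self):
        self._registrations = {}  # username -> shared secret
        self._pending = {}        # username -> outstanding challenge

    def register(self, username: str) -> HardwareToken:
        secret = secrets.token_bytes(32)
        self._registrations[username] = secret
        return HardwareToken(secret)

    def start_login(self, username: str) -> bytes:
        challenge = secrets.token_bytes(32)
        self._pending[username] = challenge
        return challenge

    def finish_login(self, username: str, response: bytes) -> bool:
        # The challenge is consumed on first use, so a captured response cannot be replayed.
        challenge = self._pending.pop(username, None)
        secret = self._registrations.get(username)
        if challenge is None or secret is None:
            return False
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def login_with_token(server: Server, username: str, token: HardwareToken) -> bool:
    """Whoever is physically holding `token` can run this; the server never learns who."""
    challenge = server.start_login(username)
    return server.finish_login(username, token.respond(challenge))


def demo():
    server = Server()
    alice_token = server.register("alice")

    # The registered owner logs in: possession is proven.
    ok_owner = login_with_token(server, "alice", alice_token)

    # The very same token after it is lost or stolen: identical result, because the
    # check is "was the token present", not "was Alice present".
    ok_finder = login_with_token(server, "alice", alice_token)

    # A token registered to someone else cannot answer for alice.
    bob_token = server.register("bob")
    ok_wrong_token = login_with_token(server, "alice", bob_token)

    # A captured response is useless once its challenge has been consumed.
    challenge = server.start_login("alice")
    response = alice_token.respond(challenge)
    server.finish_login("alice", response)            # accepted once
    ok_replay = server.finish_login("alice", response)  # rejected: no pending challenge

    return ok_owner, ok_finder, ok_wrong_token, ok_replay


if __name__ == "__main__":
    print(demo())  # → (True, True, False, False)
```

The model separates the two claims the paragraph makes: the fresh-challenge design does stop straightforward credential replay, but nothing in the exchange binds the token to the person presenting it, which is exactly the lost-or-stolen exposure described above.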

A closing observation: if a producer abandons the use of its own product, should others do likewise? This move by Google, replacing Google Authenticator with USB tokens, does not bode well. It has to raise concerns with businesses around the world that accepted Google Authenticator as the answer to their authentication woes.

