There’s a rule of thumb that if an article poses a question in the headline then the answer is always no. I’m bucking that trend right now: yes, you should give Google your phone number, and here’s why. More often than not I am handing out advice on how to control the amount of data Google holds about you, or tips on stopping it from tracking you when you use Google Maps. Today is not one of those days; it’s an exception to the usual rule, in that when Google requests your phone number I’m suggesting it might just be a very good idea to hand it over. No, I haven’t been drinking but rather reading; the reading in question being a posting on the Google security blog by researchers Kurt Thomas and Angelika Moscicki. They looked at research conducted by Google in association with New York University and the University of California to determine the impact that basic account hygiene can have on security. The year-long study covered both the broader threat landscape and targeted attacks, and found that one simple proactive security measure can prevent the vast majority of account hijacking attempts.
Yep, you’ve guessed it: that proactive measure is handing your phone number over to Google. An account recovery phone number, to be precise. Most account hijack attempts involve automated bots working from password breach databases, the breaches in question having happened at services other than Google. Because password reuse is so prevalent, those leaked credentials often lead attackers right back to places like Google, where a takeover hands them the keys to the phishing and fraud kingdom: your Gmail. Along with highly targeted attacks and the never-ending phishing threat, Google reckons it protects its users from hundreds of thousands of these account hijacking attempts every day. The new research revealed that by adding a recovery phone number to your account, 100% of automated bots and 99% of bulk phishing attacks can be stopped dead in their tracks. Even the more sophisticated targeted attacks were thwarted 90% of the time by this simple tactic.
It’s all to do with layering your defenses, and Google provides an automatic proactive layer for every user. When a suspicious sign-in attempt to your account is identified, and that red flag can be triggered by the use of a new device or even a device in a new location, Google asks for some proof that it’s really you trying to log in. Device-based challenges are key to this, with both SMS code delivery and the more secure on-device prompt alternative delivering high levels of protection. Assuming, that is, you’ve handed over that recovery phone number in the first place. Without it, Google falls back to knowledge-based challenges such as a question about your last sign-in location. These work OK against the bot attacks but are dramatically less successful in seeing off the phishing threat: protection rates against phishing can drop to just 10%.
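To make the layering concrete, here is an added example (my own illustration, not Google’s code or anything from the blog post) that models the decision described above: a sign-in with a correct password passes silently when nothing looks unusual, is stepped up to a challenge when a new device or location is seen, and the kind of challenge offered depends on whether a recovery phone number is on file. The profile and attempt fields, the challenge names and the ordering of challenges are assumptions made for the illustration; the sample accounts and attempts are constructed.

```python
"""Risk-based sign-in challenge selection, modelled on the layering the
article describes.  Added example, not Google's code: the field names,
challenge names and the ordering of challenges are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Set, Tuple


class Challenge(Enum):
    NONE = "no challenge"
    ON_DEVICE_PROMPT = "on-device prompt"          # strongest device-based option
    SMS_CODE = "SMS one-time code"                 # device-based, needs a recovery phone
    KNOWLEDGE_BASED = "knowledge-based question"   # weak fallback when no phone is on file


@dataclass
class AccountProfile:
    user: str
    known_devices: Set[str]
    known_locations: Set[str]
    recovery_phone: Optional[str] = None           # the one setting this article is about
    prompt_capable_device: bool = False            # a signed-in phone that can show a prompt


@dataclass
class SignInAttempt:
    user: str
    device_id: str
    location: str
    password_ok: bool


def risk_signals(profile: AccountProfile, attempt: SignInAttempt) -> List[str]:
    """Red flags that mark an attempt as suspicious: new device, new location."""
    signals = []
    if attempt.device_id not in profile.known_devices:
        signals.append("new device")
    if attempt.location not in profile.known_locations:
        signals.append("new location")
    return signals


def select_challenge(profile: AccountProfile) -> Challenge:
    """Pick the strongest challenge the account's recovery settings allow.

    Without a recovery phone the only option left is the knowledge-based
    question, which the article notes is far weaker against phishing."""
    if profile.recovery_phone and profile.prompt_capable_device:
        return Challenge.ON_DEVICE_PROMPT
    if profile.recovery_phone:
        return Challenge.SMS_CODE
    return Challenge.KNOWLEDGE_BASED


def decide(profile: AccountProfile, attempt: SignInAttempt) -> Tuple[str, Challenge, List[str]]:
    """Return (decision, challenge, signals) where decision is 'deny', 'allow' or 'challenge'."""
    if attempt.user != profile.user or not attempt.password_ok:
        return ("deny", Challenge.NONE, [])
    signals = risk_signals(profile, attempt)
    if not signals:
        return ("allow", Challenge.NONE, [])          # nothing unusual: no step-up needed
    return ("challenge", select_challenge(profile), signals)


# Constructed sample accounts: one with a recovery phone on file, one without.
WITH_PHONE = AccountProfile("alice", {"laptop-1"}, {"London"},
                            recovery_phone="+44 7700 900000", prompt_capable_device=True)
NO_PHONE = AccountProfile("bob", {"desktop-7"}, {"Leeds"})

if __name__ == "__main__":
    attempts = [
        SignInAttempt("alice", "laptop-1", "London", True),        # familiar device and place
        SignInAttempt("alice", "unknown-device", "Lagos", True),   # both red flags
        SignInAttempt("bob", "unknown-device", "Leeds", True),     # new device, no phone on file
        SignInAttempt("bob", "desktop-7", "Leeds", False),         # wrong password
    ]
    for a in attempts:
        profile = WITH_PHONE if a.user == "alice" else NO_PHONE
        decision, challenge, signals = decide(profile, a)
        print(f"{a.user:5} {a.device_id:15} {a.location:7} -> {decision:9} {challenge.value:26} {signals}")
```

The point the example makes is the same one the article makes in prose: the risk signals are identical for both users, but the account without a recovery phone can only ever be offered the weaker knowledge-based challenge.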
And don’t think that nobody would really go to any great trouble to hijack your Google account; I can assure you they will. Indeed, Google researchers also investigated the market trading in “hackers for hire” and found that criminal groups charge as much as $750 to break into a single Google account. These targeted attacks are also persistent in nature, with many hired hackers promising to keep varied phishing campaigns running for more than a month to maximize the chance of success. If you are in a high-risk category, such as journalism or politics, or are a business leader, access to your account becomes even more valuable. Google says that a recovery phone number alone is not enough for these users, who should instead consider enrolling in the “Advanced Protection Program” that adds even more layers of security.
Guemmy Kim, group product manager at Google, told me that while the onus of security responsibility is rightly on Google itself, as the experts creating and deploying the technology, the recovery phone number is a simple step that everyone can take to improve their level of personal protection from online attacks. “Adding a recovery phone number to your account,” Kim says, “is much like putting on your seatbelt when you ride in a car: it drastically improves your safety when you use it.”