Google Advanced Protection: more protection at the expense of convenience

A week ago, on October 17, Google introduced enhanced security features for the Gmail account, targeting primarily civil servants and journalists using the company’s services. Experts do not consider the panacea a new set of tools for Advanced Protection, but thanks to it any user can get an impressive level of protection.

Advanced Protection consists of three levels of protection, which may need journalists and those who are engaged in election campaigns, noted representatives of Google. The accounts of such users are often attacked by intruders, usually with the aim of interfering with the communication of the victim or hacking the account, followed by the theft of confidential data.
The list of capabilities includes hardware two-factor authentication based on two physical security keys that restricts full access to the Gmail and Google Drive mailbox with a small list of applications.

“Third-party applications will no longer have access to Gmail or Drive. For secure access, you only need to use the Gmail application or Inbox by Gmail, “explained Google. – Services with authentication, such as Gmail or Photo, can only be used through the Chrome browser. ”

In addition, in order to prevent an attacker from hacking an account, Google experts added a number of steps to restore access in the event that access is lost through the fault of the user who forgot his password. “Additional verification when you restore access to your account takes several days,” Google experts noted.

“We call it the Podesta-protected Google account,” said Joseph Hall, chief technology officer for Center for Democracy and Technology, named John Podesta, election campaign manager Hillary Clinton during the last election, on which was attacked. ”

“In addition to conditional John Poddes, activists, victims of domestic violence and billionaires, there is a handful of people who will benefit from this technology,” Hall said. “These tools can really help potential targets, which are hunted by states or overly enterprising attackers.”

Currently, the new service is available to owners of personal Google accounts, but to enable it, you need two hardware security keys based on a Bluetooth or USB connection. The free Advanced Protection package is not available to the owners of commercial G Suite accounts.

According to Google itself, Advanced Protection is the best available security tools for high-risk users who are ready to sacrifice some of the amenities for the sake of keeping personal accounts.
Experts warn that extended security measures are not for the faint-hearted, as they set strict restrictions when Google’s account interacts with other Internet services while working on mobile devices, such as tablets and smartphones. “By losing your password, you run the risk of permanently losing access to your account,” Hall said.

“It’s nice to see that Google has provided some of the users with some of the advanced protection from their business products,” said Allen Falcon, CEO of Cumulus Global, a business solutions provider.

In his comment for Threatpost, he also noted that Google offers these services as part of existing G Suite licenses or as additional paid services on the Google Cloud Platform.
“Similar services are similarly found in other cloud services. The mandatory use of the Security Key replaces all text keys with a physical one, and it must always be available, “Falcon explained.

The disadvantage of Google Advanced Protection, as experts noted, is the lack of support for encrypting e-mail. At the same time, in the G Suite Enterprise package with a monthly subscription fee of $ 25, support for encryption keys is available.

New tools solve a serious problem for Google, said Eric Hodge, director of consulting services at Cyber Scout. According to him, the last half a year the confidence in the reliability of Google services was slowly being shaken by phishing attacks.

“We are seeing a record number of attacks in which users are being tricked into entering credentials on fake Google pages,” Hodge said.

Earlier this summer, Google experts blocked the accounts involved in mass mailings of phishing emails that mimic Google Docs. The letters were sent primarily to reporters to force the victim to give permission to the malicious application to access the user’s Google account.

“Google is taking very effective measures. They are not expensive, and on a large scale it is very difficult to manage, – says Hodge. – In addition, it will be a headache for users to constantly carry a small device to