Security is complicated.
It turns out that giving your mobile phone number to Google blocks nearly all of the automated bot attacks and bulk phishing attacks aimed at your Google account.
Your Google account is particularly important. If you use Chrome, Google likely stores your browsing history and your saved passwords. If you use Google Maps with location history turned on, Google has a record of where you have been. If you use Gmail, your mailbox holds records of your travel and your purchases, and it is also where the password-reset emails for your other accounts arrive, so anyone who controls your mailbox can reset those passwords too. The password for your Google account deserves special protection.
Most attacks today happen behind the scenes: automated bots take the vast troves of usernames and passwords stolen in breaches at large companies and try them against other sites, betting that people reuse passwords. There are also frequent attacks that start with phishing emails – the ones that appear to be from Microsoft or Netflix or UPS and try to get you to type your password into a phony login screen.
If Google has your phone number, it adds automatic, risk-based sign-in protection – comparable to two-factor authentication, but with no setup and no confusing extra steps for your routine logins. Google studied the results with researchers from New York University and UC San Diego and describes them this way:
“Here’s how it works: if we detect a suspicious sign-in attempt (say, from a new location or device), we’ll ask for additional proof that it’s really you. If you’ve signed into your phone or set up a recovery phone number, we can provide a similar level of protection to 2-Step Verification via device-based challenges. We found that an SMS code sent to a recovery phone number helped block 100% of automated bots, 96% of bulk phishing attacks, and 76% of targeted attacks. On-device prompts, a more secure replacement for SMS, helped prevent 100% of automated bots, 99% of bulk phishing attacks and 90% of targeted attacks.”
In other words, you won’t be disturbed when you sign in from your usual phone or computer in the places they normally are. But if someone signs in with your password from a computer in a place you’ve never been, or a hacker tries to log into your account from Pottsylvania, Google will not complete the login until you respond to an alert on your phone. That simple step stops the most common mass-scale attacks in almost every case; targeted attacks aimed at you personally are harder, which is why the numbers for those are lower.
Google is trying to walk a fine line between security and convenience. The same study found that at any given moment more than a third of people didn’t have their phone with them or didn’t remember their recovery email address, putting them at risk of being locked out of their accounts. It’s hard to know what to do about that; the pendulum today is swinging towards security, but Google has not yet made a recovery phone number mandatory.
By default Google sends a text message with a code for you to type in at the login screen. If you are signed in to Google on your phone (an Android phone, or an iPhone with the Gmail or Google app), Google will instead show a prompt on the phone asking you to confirm that you’re trying to log in. That is both easier and more secure than the SMS code: a text message can be redirected by a criminal who talks your carrier into moving your number to a new SIM, and a code you type into a phony login page is handed straight to the attacker, while an on-device prompt gives you nothing to type and nothing to intercept. If you’re prompted when you’re not trying to log in, it’s the bad guys, and a simple “No” keeps them out of your account.
It’s easy and provides very real protection. Give Google your phone number even if your instincts are normally not to hand over your information. Guemmy Kim, group product manager at Google, puts it this way: “Adding a recovery phone number to your account is much like putting on your seatbelt when you ride in a car: it drastically improves your safety when you use it.”
Your Google account is not your only high-value account. Want to do more for your security? Google has published five simple tips. The most important one: don’t use the same password for multiple sites! Use a password manager like LastPass to keep track of them. And get over your hesitation and turn on two-factor authentication – a second step in addition to your username and password each time you sign in to your bank, your mailbox, LastPass, and any other valuable account. I’ll have a tip in the next article about LastPass and your phone.
Be careful out there!