On this week’s episode of Converge, Google’s Mark Risher tells us why the conventional wisdom about choosing your password is wrong and about the expanding number of threats faced by platforms like Gmail as they work to protect users from phishing attacks and spammers. Conventional wisdom about choosing longer, more complicated passwords is getting less effective over time. Meanwhile, the people behind phishing attacks are getting much better.
Risher is a director of product management at Google, where he oversees Google’s identity, account security, and counter-abuse teams. A big part of Risher’s job over the years has been to fight unwanted email, and he says the methods used by spammers have evolved significantly over that time. Some attackers are getting much better results than they used to just by doing some research on their clients, he said.
“What work is taking your name out of a hat wherever I find it, going to your LinkedIn page, and finding a few facts about you,” Risher said. “Maybe doing a little search and getting some other information, and then saying ‘Dear Casey, you may remember that we met a few weeks ago at Vox Media, and at the time you had promised to tell me your Social Security number and then it just slipped your mind. Can you please remind me?’”
It sounds ridiculous, but it works, Risher said. “I take it to the absurd, but you can imagine how you could do something that’s much closer, like ‘Hey, I’m going to meet up with you. Remind me your mother’s maiden name?’ … These social engineering attacks that they spend a few more minutes personalizing can then yield much much more outsized rewards.
Risher tells us a better approach to picking passwords on Converge, an interview game show where the biggest personalities in tech tell us about their wildest dreams. It’s a show that’s easy to win, but not impossible to lose — because, in the final round, I finally get a chance to play and score a few points of my own.
Risher has worked at Google since 2014, when his security startup, Impermium, was acquired by the company. Before that, he worked at Yahoo, where he once held the title of “spam czar” for Yahoo mail.
You can read a partial, lightly edited transcript with Risher below, and you’ll find the full episode above. You can listen to it here or anywhere else you find podcasts, like Apple Podcasts, Pocket Casts, Google Play Music, Spotify, our RSS feed, and wherever fine podcasts are sold.
Casey Newton: It wouldn’t be a good discussion about security if we didn’t scare people a little bit. So I want to ask, what is the next frontier? Are there areas where you feel spammers or state actors are ahead and tech platforms are still kind of struggling to keep up? Is there anything you’re seeing out there that’s keeping you up at night?
Mark Risher: The thing that end users should worry about, and that I worry about, is these much more bespoke, targeted attacks that are going after an individual. And we see this in a lot of different places in the communications space, that I wouldn’t classify strictly as spam. It’s a more targeted attack.
When I mention phishing, what people often think of is “Dear Sir or Madam, I am an oil minister with $35 million that I would like you to help me unload.” And that doesn’t work. What does work is taking your name out of a hat wherever I find it, going to your LinkedIn page, and finding a few facts about you, maybe doing a little search and getting some other information, and then saying, “Dear Casey, you may remember that we met a few weeks ago at Vox Media, and at the time you had promised to tell me your Social Security number and then it just slipped your mind. Can you please remind me?” I take it to the absurd, but you can imagine how you could do something that’s much closer, like, “Hey, I’m going to meet up with you. Remind me your mother’s maiden name?” I don’t know what the questions are, but these social engineering attacks that they spend a few more minutes personalizing can then yield much much more outsized rewards.
That’s their version of human in the loop.
Yeah, business email compromise is particularly scary. This is a problem where recipients get a message that maybe pretends to be from an executive at their company or from the finance team saying, “Send me those tax forms,” and it’s a near duplicate. It’s not “Casey,” it’s “Casy.” And I just don’t see it, or it’s got maybe even the Cyrillic letter “E” instead of the Latin letter “E,” and so I wouldn’t even recognize that’s different.
In Gmail, we’ve built a bunch of features, in both our web client and in our iOS and Android apps, that identify when you’re getting messages from a doppelgänger, something that looks close but isn’t. But that’s just one of the many dimensions where we’ve been quite concerned about this impersonation of pretending to be someone else and asking for sensitive information, which is much, much more rewarding.
If I send out 10 million offers for generic Viagra, I might get 10 people that respond. And I can sell them and make a profit of a very small amount that basically covers my time. If instead I send out 10 messages, each one asking for a wire transfer of five or six figures, that’s much more worth my time.
More Info: www.theverge.com