A targeted phishing scam and an unfortunate typo helped hackers infiltrate the Gmail account of Hillary Clinton’s campaign manager John Podesta during the 2016 election season.
Podesta received an email requesting a password change and, suspecting a phishing attempt, forwarded it to IT. But the IT staffer accidentally wrote that it was “a legitimate email” rather than “not a legitimate email,” and the rest is history: Podesta’s account was accessed, some 60,000 Gmail messages were leaked, and the juiciest made their way into the press.
A hack like this is, and was, entirely preventable. And on Tuesday, Google announced new protections for high-profile individuals who could be targeted like Podesta.
“We took this unusual step because there is an overlooked minority of our users that are at particularly high risk of targeted online attacks,” Advanced Protection project manager Dario Salice wrote in Google’s introductory blog post about the feature. “These might be campaign staffers preparing for an upcoming election, journalists who need to protect the confidentiality of their sources, or people in abusive relationships seeking safety.”
It’s designed to make hacking and phishing attempts virtually impossible to execute. But would it have been enough to stop the Podesta hack and prevent future similar attacks?
Google isn’t the first company to make changes as we’ve learned how technology influenced the election. Amid growing revelations of how much Russia used social media and advertising to affect its outcome, Silicon Valley juggernauts have been trying to shore up their services against interference. Facebook began battling fake news by educating users, bringing in third-party fact-checkers to verify stories, and showing readers related articles alongside stories in their feed. Twitter has suspended accounts tied to Russia and changed how it handles abuse in its app.
Google, which has since discovered Russia-linked ads on its platforms, has adjusted its search algorithms and offered more opportunities to provide feedback about search and autocomplete results. And now with Advanced Protection, it’s trying to eliminate the threat of email hacks.
Advanced Protection does three things: It protects accounts against phishing, blocks fraudulent account access, and offers safeguards against sharing sensitive data with malicious applications.
The Advanced Protection Program requires a physical security key (a small USB or wireless device that costs around $25) to protect against phishing. The key, which participants need to buy themselves, uses public-key cryptography: at login it signs a one-time challenge from Google, and the signed data is bound to the web address the browser is actually on, so a response obtained by a look-alike site cannot be replayed against the real one. Without the key, even someone with your password would be unable to access your account. Advanced Protection also limits access to your Google data to Google’s own apps, adds extra checks to the account recovery process so that no one can social-engineer their way into your account, and runs additional scans on downloaded files and attachments to ensure no malware is piggybacking on the download.
This is one of the highest levels of security a public company has offered to consumer-level users to date. And, a Google representative confirmed, Advanced Protection isn’t limited to only the crème de la crème of Google users. Anyone with a Gmail account can enroll in Advanced Protection and will be granted access. There’s no vetting process. It’s not an elite club.
If this security had existed a year ago, it could have stopped the hack of Hillary’s campaign—in theory. Let’s say all of her campaign staff had Advanced Protection enabled, Podesta had received the same phishing email, and the IT staffer had made the same typo. The physical key would still have prevented the hacker from accessing Podesta’s account. Unlike a one-time code sent by SMS, which can be intercepted on the carrier network or simply typed into the phishing page and relayed to Google by the attacker, the key’s response is bound to the real Google address and is useless to a look-alike site.
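As an added illustration of the origin binding described above (the reason a security key resists phishing where an SMS code does not), here is a toy model of a U2F-style login in Go. It is example code written for this page, not Google’s or the FIDO specification’s code: the byte layout of the signed message, the one-credential-per-app-ID table, the look-alike address and the challenge values are all constructed for the demonstration, and real U2F adds key handles, attestation and counter checks that are left out here.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed simplified layout (not the real U2F wire format): the key signs
// sha256(appID) || counter || sha256(origin || challenge) with an ASN.1 ECDSA
// signature. The origin is what ties the response to the site the browser is on.

const realOrigin = "https://accounts.google.com"
const phishOrigin = "https://accounts-google.com" // constructed look-alike address for the demo

type SecurityKey struct {
	keys    map[string]*ecdsa.PrivateKey // one credential per registered app ID
	counter uint32
}

// Assertion is what the browser returns to the server after a login ceremony.
type Assertion struct {
	Origin  string // origin the browser puts in the signed client data
	Counter uint32
	Sig     []byte
}

func NewSecurityKey() *SecurityKey {
	return &SecurityKey{keys: map[string]*ecdsa.PrivateKey{}}
}

// Register creates a fresh key pair for appID and hands back the public key.
func (k *SecurityKey) Register(appID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	k.keys[appID] = priv
	return &priv.PublicKey, nil
}

func signedMessage(appID, origin string, counter uint32, challenge []byte) []byte {
	app := sha256.Sum256([]byte(appID))
	client := sha256.Sum256(append([]byte(origin), challenge...))
	var buf bytes.Buffer
	buf.Write(app[:])
	binary.Write(&buf, binary.BigEndian, counter)
	buf.Write(client[:])
	return buf.Bytes()
}

// Sign is the raw token operation: it signs whatever app ID and origin it is handed.
func (k *SecurityKey) Sign(appID, origin string, challenge []byte) (Assertion, error) {
	priv, ok := k.keys[appID]
	if !ok {
		return Assertion{}, errors.New("no credential registered for " + appID)
	}
	k.counter++
	digest := sha256.Sum256(signedMessage(appID, origin, k.counter, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{Origin: origin, Counter: k.counter, Sig: sig}, nil
}

// BrowserSign is the conforming-browser step: a page may only use a credential
// whose app ID matches the page's own origin, so a look-alike site cannot even
// ask the key to sign for accounts.google.com.
func BrowserSign(k *SecurityKey, pageOrigin, appID string, challenge []byte) (Assertion, error) {
	if pageOrigin != appID {
		return Assertion{}, fmt.Errorf("origin %s may not use credential for %s", pageOrigin, appID)
	}
	return k.Sign(appID, pageOrigin, challenge)
}

// VerifyAssertion is the server side: the origin inside the signed client data
// must be the server's own, and the signature must verify under the registered key
// for the challenge the server issued.
func VerifyAssertion(pub *ecdsa.PublicKey, challenge []byte, a Assertion) bool {
	if a.Origin != realOrigin {
		return false
	}
	digest := sha256.Sum256(signedMessage(realOrigin, a.Origin, a.Counter, challenge))
	return ecdsa.VerifyASN1(pub, digest[:], a.Sig)
}

// VerifyOTP models the SMS-code check the article contrasts against: the server
// only sees the digits, not where the victim typed them, so a relayed code works.
func VerifyOTP(expected, submitted string) bool { return expected == submitted }

func main() {
	key := NewSecurityKey()
	pub, err := key.Register(realOrigin)
	if err != nil {
		panic(err)
	}
	challenge := []byte("constructed-challenge-42") // constructed sample challenge

	a, err := BrowserSign(key, realOrigin, realOrigin, challenge)
	fmt.Println("legitimate login accepted:", err == nil && VerifyAssertion(pub, challenge, a))

	_, err = BrowserSign(key, phishOrigin, realOrigin, challenge)
	fmt.Println("phishing page, browser refuses:", err)

	relayed, _ := key.Sign(realOrigin, phishOrigin, challenge) // hostile client skipping the browser check
	fmt.Println("phishing page, server accepts:", VerifyAssertion(pub, challenge, relayed))

	fmt.Println("relayed SMS code accepted:", VerifyOTP("493021", "493021"))
}
```

The two rejections are independent: the browser refuses to use a credential for a site other than the one it is on, and even a client that bypasses that check produces a signature whose client data names the look-alike origin, which the server rejects. The SMS comparison at the end is the point of the paragraph above: a six-digit code carries no information about where it was typed, so the attacker can forward it from the phishing page within its validity window.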
But Advanced Protection is not without a fatal flaw: Like two-factor authentication and other security measures, it’s opt-in. It’s up to the user to join the program and take advantage of its additional layers of security. As the saying goes, you can lead a horse to water, but you cannot make it drink. And a security measure is only effective if you’ve put it in place.
Since Podesta’s email could be hacked with a simple password change, he evidently did not have two-factor authentication enabled (and even an SMS or app code can be phished in real time, which a security key cannot). And if he, and other staff members, weren’t willing to take advantage of that simple but important precaution, it’s unlikely they would have gone through the extra hoops required of Advanced Protection.
That’s one of the biggest issues with email security today: People are unwilling to undergo some degree of inconvenience in order to secure their accounts and information. Google has supported physical security keys for three years—but do you know anyone who uses one? It’s only in recent months that we’re seeing how truly important it is to lock down your information.
It’s possible the Podesta hack will motivate a large number of people—and in particular the people running, or hoping to run, our government—to get onboard with services like Advanced Protection. But if history is any indicator, the people who most need to get on board with Advanced Protection never will. And with their decision to choose convenience over security, we’ll continue to be susceptible to ever sneakier hacking attempts trying to undermine our country’s democratic way of life.