Posted by Elie Bursztein, Anti-Abuse Research Lead and Ilan Caron, Software Engineer

What was your first pet’s name?
What is your favorite food?
What is your mother’s maiden name?

What do these seemingly random questions have in common? They’re all familiar examples of ‘security questions’. Chances are you’ve had to answer one these before; many online services use them to help users recover access to accounts if they forget their passwords, or as an additional layer of security to protect against suspicious logins.

But, despite the prevalence of security questions, their safety and effectiveness have rarely been studied in depth. As part of our constant efforts to improve account security, we analyzed hundreds of millions of secret questions and answers that had been used for millions of account recovery claims at Google. We then worked to measure the likelihood that hackers could guess the answers.

Our findings, summarized in a paper that we recently presented at WWW 2015, led us to conclude that secret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism. That’s because they suffer from a fundamental flaw: their answers are either somewhat secure or easy to remember—but rarely both.

Click infographic for larger version

Easy Answers Aren’t Secure

Not surprisingly, easy-to-remember answers are less secure. Easy answers often contain commonly known or publicly available information, or are in a small set of possible answers for cultural reasons (ie, a common family name in certain countries).

Here are some specific insights:

• With a single guess, an attacker would have a 19.7% chance of guessing English-speaking users’ answers to the question "What is your favorite food?" (it was ‘pizza’, by the way) 
• With ten guesses, an attacker would have a nearly 24% chance of guessing Arabic-speaking users’ answer to the question "What’s your first teacher’s name?"
• With ten guesses, an attacker would have a 21% chance of guessing Spanish-speaking users’ answers to the question, "What is your father’s middle name?"
• With ten guesses, an attacker would have a 39% chance of guessing Korean-speaking users’ answers to the question "What is your city of birth?" and a 43% chance of guessing their favorite food.

Many different users also had identical answers to secret questions that we’d normally expect to be highly secure, such as "What’s your phone number?" or "What’s your frequent flyer number?". We dug into this further and found that 37% of people intentionally provide false answers to their questions thinking this will make them harder to guess. However, this ends up backfiring because people choose the same (false) answers, and actually increase the likelihood that an attacker can break in.

Difficult Answers Aren’t Usable

Surprise, surprise: it’s not easy to remember where your mother went to elementary school, or what your library card number is! Difficult secret questions and answers are often hard to use. Here are some specific findings:

• 40% of our English-speaking US users couldn’t recall their secret question answers when they needed to. These same users, meanwhile, could recall reset codes sent to them via SMS text message more than 80% of the time and via email nearly 75% of the time.
• Some of the potentially safest questions—"What is your library card number?" and "What is your frequent flyer number?"—have only 22% and 9% recall rates, respectively.
• For English-speaking users in the US the easier question, "What is your father’s middle name?" had a success rate of 76% while the potentially safer question "What is your first phone number?" had only a 55% success rate.

Why not just add more secret questions?

Of course, it’s harder to guess the right answer to two (or more) questions, as opposed to just one. However, adding questions comes at a price too: the chances that people recover their accounts drops significantly. We did a subsequent analysis to illustrate this idea (Google never actually asks multiple security questions).

According to our data, the ‘easiest’ question and answer is "What city were you born in?"—users recall this answer more than 79% of the time. The second easiest example is "What is your father’s middle name?", remembered by users 74% of the time. If an attacker had ten guesses, they’d have a 6.9% and 14.6% chance of guessing correct answers for these questions, respectively.

But, when users had to answer both together, the spread between the security and usability of secret questions becomes increasingly stark. The probability that an attacker could get both answers in ten guesses is 1%, but users will recall both answers only 59% of the time. Piling on more secret questions makes it more difficult for users to recover their accounts and is not a good solution, as a result.

The Next Question: What To Do?

Secret questions have long been a staple of authentication and account recovery online. But, given these findings its important for users and site owners to think twice about these.

We strongly encourage Google users to make sure their Google account recovery information is current. You can do this quickly and easily with our Security Checkup. For years, we’ve only used security questions for account recovery as a last resort when SMS text or back-up email addresses don’t work and we will never use these as stand-alone proof of account ownership.

In parallel, site owners should use other methods of authentication, such as backup codes sent via SMS text or secondary email addresses, to authenticate their users and help them regain access to their accounts. These are both safer, and offer a better user experience.

Posted by Kurt Thomas, Spam & Abuse Research

In March, we outlined the problems with unwanted ad injectors, a common symptom of unwanted software. Ad injectors are programs that insert new ads, or replace existing ones, into the pages you visit while browsing the web. We’ve received more than 100,000 user complaints about them in Chrome since the beginning of 2015—more than any other issue. Unwanted ad injectors are not only annoying, they can pose serious security risks to users as well.

Today, we’re releasing the results of a study performed with the University of California, Berkeley and Santa Barbara that examines the ad injector ecosystem, in-depth, for the first time. We’ve summarized our key findings below, as well as Google’s broader efforts to protect users from unwanted software. The full report, which you can read here, will be presented later this month at the IEEE Symposium on Security & Privacy.

Ad injectors’ businesses are built on a tangled web of different players in the online advertising economy. This complexity has made it difficult for the industry to understand this issue and help fix it. We hope our findings raise broad awareness of this problem and enable the online advertising industry to work together and tackle it.

How big is the problem?

This is what users might see if their browsers were infected with ad injectors. None of the ads displayed appear without an ad injector installed.

To pursue this research, we custom-built an ad injection “detector” for Google sites. This tool helped us identify tens of millions of instances of ad injection “in the wild” over the course of several months in 2014, the duration of our study.

More detail is below, but the main point is clear: deceptive ad injection is a significant problem on the web today. We found 5.5% of unique IPs—millions of users—accessing Google sites that included some form of injected ads.

How ad injectors work

The ad injection ecosystem comprises a tangled web of different players. Here is a quick snapshot.

• Software: It all starts with software that infects your browser. We discovered more than 50,000 browser extensions and more than 34,000 software applications that took control of users’ browsers and injected ads. Upwards of 30% of these packages were outright malicious and simultaneously stole account credentials, hijacked search queries, and reported a user’s activity to third parties for tracking. In total, we found 5.1% of page views on Windows and 3.4% of page views on Mac that showed tell-tale signs of ad injection software.
• Distribution: Next, this software is distributed by a network of affiliates that work to drive as many installs as possible via tactics like: marketing, bundling applications with popular downloads, outright malware distribution, and large social advertising campaigns. Affiliates are paid a commision whenever a user clicks on an injected ad. We found about 1,000 of these businesses, including Crossrider, Shopper Pro, and Netcrawl, that use at least one of these tactics.
• Injection Libraries: Ad injectors source their ads from about 25 businesses that provide ‘injection libraries’. Superfish and Jollywallet are by far the most popular of these, appearing in 3.9% and 2.4% of Google views, respectively. These companies manage advertising relationships with a handful of ad networks and shopping programs and decide which ads to display to users. Whenever a user clicks on an ad or purchases a product, these companies make a profit, a fraction of which they share with affiliates.
• Ads: The ad injection ecosystem profits from more than 3,000 victimized advertisers—including major retailers like Sears, Walmart, Target, Ebay—who unwittingly pay for traffic to their sites. Because advertisers are generally only able to measure the final click that drives traffic to their sites, they’re often unaware of many preceding twists and turns, and don’t know they are receiving traffic via unwanted software and malware. Ads originate from ad networks that translate unwanted software installations into profit: 77% of all injected ads go through one of three ad networks—dealtime.com, pricegrabber.com, and bizrate.com. Publishers, meanwhile, aren’t being compensated for these ads.

Examples of injected ads ‘in the wild’

How Google fights deceptive ad injectors 

We pursued this research to raise awareness about the ad injection economy so that the broader ads ecosystem can better understand this complex issue and work together to tackle it.

Based on our findings, we took the following actions:

• Keeping the Chrome Web Store clean: We removed 192 deceptive Chrome extensions that affected 14 million users with ad injection from the Chrome Web Store. These extensions violated Web Store policies that extensions have a narrow and easy-to-understand purpose. We’ve also deployed new safeguards in the Chrome Web Store to help protect users from deceptive ad injection extensions.
• Protecting Chrome users: We improved protections in Chrome to flag unwanted software and display familiar red warnings when users are about to download deceptive software. These same protections are broadly available via the Safe Browsing API. We also provide a tool for users already affected by ad injectors and other unwanted software to clean up their Chrome browser.
• Informing advertisers: We reached out to the advertisers affected by ad injection to alert each of the deceptive practices and ad networks involved. This reflects a broader set of Google Platforms program policies and the DoubleClick Ad Exchange (AdX) Seller Program Guidelines that prohibit programs overlaying ad space on a given site without permission of the site owner.

Most recently, we updated our AdWords policies to make it more difficult for advertisers to promote unwanted software on AdWords. It's still early, but we've already seen encouraging results since making the change: the number of 'Safe Browsing' warnings that users receive in Chrome after clicking AdWords ads has dropped by more than 95%. This suggests it's become much more difficult for users to download unwanted software, and for bad advertisers to promote it. Our blog post from March outlines various policies—for the Chrome Web Store, AdWords, Google Platforms program, and the DoubleClick Ad Exchange (AdX)—that combat unwanted ad injectors, across products.

We’re also constantly improving our Safe Browsing technology, which protects more than one billion Chrome, Safari, and Firefox users across the web from phishing, malware, and unwanted software. Today, Safe Browsing shows people more than 5 million warnings per day for all sorts of malicious sites and unwanted software, and discovers more than 50,000 malware sites and more than 90,000 phishing sites every month.

Considering the tangle of different businesses involved—knowingly, or unknowingly—in the ad injector ecosystem, progress will only be made if we raise our standards, together. We strongly encourage all members of the ads ecosystem to review their policies and practices so we can make real improvement on this issue.