Gmail: Google improves security of sensitive actions
Google announced today that it is improving protections for certain sensitive actions in Gmail to improve security for all users. An email account is a lucrative target for attackers because, like any other email service, Gmail can unlock the victim's entire digital life: password resets and security notices for other services land in the mailbox.
Attackers have used several Gmail features to maintain access to compromised accounts. Email forwarding and filter rules, for instance, let them copy important messages to an address they control and hide those messages from the account owner. A filter that deletes or archives mail from Amazon, Google, Apple or any other service means the victim never sees the warning that a third party has signed in to, or changed, one of their accounts.
Last year, Google introduced safeguards to better protect Google Workspace accounts. Back then, Google added verification challenges to certain critical actions that could "have far reaching consequences for the account owner or the organization". In short, these actions require another step of verification before they take effect.
Google is now extending this to Gmail. It has selected three sensitive actions that receive the additional protection:
- Email Filters -- when users create, edit or import filters.
- Forwarding -- when users add new forwarding addresses in Forwarding and POP/IMAP settings.
- IMAP access -- when users enable IMAP access in settings.
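Anyone checking whether a mailbox has already been backdoored in the way described above wants to look at exactly these three settings. The following Python script is an added example, not code from the article or from Google: it audits dictionaries in the shape of the Gmail API responses for filters, forwarding addresses, auto-forwarding and IMAP settings, and flags filters that forward mail or hide security notices, forwarding destinations that are not on an allowlist, and IMAP access that the account is not expected to use. The sample data, the filter ids, the allowlist and the keyword list that identifies security-related senders are constructed assumptions.

```python
"""Audit a Gmail account's filters, forwarding and IMAP settings for persistence.

Added example for this article; it is not code from Google or from the article's
author. It works on dictionaries shaped like the Gmail API responses for
users.settings.filters.list, users.settings.forwardingAddresses.list,
users.settings.getAutoForwarding and users.settings.getImap, so saved API output
can be fed to it offline. The sample data, filter ids and the keyword list of
"security senders" below are constructed assumptions.
"""
import re

# Assumed keyword list: senders and subjects an attacker usually hides so the
# victim never sees a sign-in or password-change warning.
SECURITY_SENDER_PATTERN = re.compile(
    r"no-?reply@(accounts\.)?google\.com|amazon\.com|apple\.com|"
    r"security|verif|alert|password|login|sign-?in",
    re.IGNORECASE,
)
# Labels that remove a message from the inbox when a filter adds them.
HIDING_LABELS = {"TRASH", "SPAM"}


def _criteria_text(criteria: dict) -> str:
    """Flatten filter criteria (from, to, subject, query, ...) for matching."""
    return " ".join(str(v) for v in criteria.values())


def audit_filters(filters_response: dict, allowed_destinations: set) -> list:
    """Flag filters that exfiltrate mail or hide security-related messages."""
    findings = []
    for flt in filters_response.get("filter", []):
        fid = flt.get("id", "?")
        criteria = flt.get("criteria", {})
        action = flt.get("action", {})
        forward = action.get("forward", "")
        if forward and forward.lower() not in allowed_destinations:
            findings.append(f"filter {fid}: forwards matching mail to {forward}")
        hides = ("INBOX" in action.get("removeLabelIds", [])
                 or bool(HIDING_LABELS & set(action.get("addLabelIds", []))))
        if hides and SECURITY_SENDER_PATTERN.search(_criteria_text(criteria)):
            findings.append(f"filter {fid}: hides security-related mail matching {criteria}")
    return findings


def audit_forwarding(addresses_response: dict, auto_forwarding: dict,
                     allowed_destinations: set) -> list:
    """Flag forwarding addresses and auto-forwarding to unexpected destinations."""
    findings = []
    for entry in addresses_response.get("forwardingAddresses", []):
        addr = entry.get("forwardingEmail", "")
        if addr.lower() not in allowed_destinations:
            status = entry.get("verificationStatus", "unknown")
            findings.append(f"forwarding address {addr} not on allowlist (status: {status})")
    if auto_forwarding.get("enabled"):
        dest = auto_forwarding.get("emailAddress", "")
        if dest.lower() not in allowed_destinations:
            # disposition "trash" or "archive" means the owner never sees the original
            disp = auto_forwarding.get("disposition", "unspecified")
            findings.append(f"auto-forwarding enabled to {dest} (disposition: {disp})")
    return findings


def audit_imap(imap_settings: dict, imap_expected: bool) -> list:
    """Flag IMAP being enabled on an account that should only use the web UI."""
    if imap_settings.get("enabled") and not imap_expected:
        return ["IMAP access is enabled but not expected for this account"]
    return []


# Constructed sample data in the shape of the API responses (not real accounts).
SAMPLE_FILTERS = {"filter": [
    # benign: files GitHub notifications under a label
    {"id": "f1", "criteria": {"from": "noreply@github.com"},
     "action": {"addLabelIds": ["Label_7"], "removeLabelIds": ["INBOX"]}},
    # hides Google account security alerts
    {"id": "f2", "criteria": {"from": "no-reply@accounts.google.com"},
     "action": {"addLabelIds": ["TRASH"]}},
    # exfiltrates password and verification mail and hides it
    {"id": "f3", "criteria": {"query": "password OR verification code"},
     "action": {"forward": "collector@example.net", "removeLabelIds": ["INBOX", "UNREAD"]}},
]}
SAMPLE_FORWARDING_ADDRESSES = {"forwardingAddresses": [
    {"forwardingEmail": "collector@example.net", "verificationStatus": "accepted"}]}
SAMPLE_AUTO_FORWARDING = {"enabled": True, "emailAddress": "collector@example.net",
                          "disposition": "trash"}
SAMPLE_IMAP = {"enabled": True, "autoExpunge": True}


def run_audit(allowed_destinations=frozenset(), imap_expected=False) -> list:
    """Run all three checks over the sample data and return the findings."""
    return (audit_filters(SAMPLE_FILTERS, allowed_destinations)
            + audit_forwarding(SAMPLE_FORWARDING_ADDRESSES, SAMPLE_AUTO_FORWARDING,
                               allowed_destinations)
            + audit_imap(SAMPLE_IMAP, imap_expected))


if __name__ == "__main__":
    for finding in run_audit():
        print("FINDING:", finding)
```

Feed it saved output of the corresponding Gmail API calls for a real account. The checks are heuristics, so review each finding by hand; a filter that both forwards and trashes security mail, as f3 does in the sample, is a strong persistence indicator.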
Whenever one of the listed actions is taken, Google evaluates the attempt and decides whether it is "risky".
If it is, the user receives a verification prompt before the change is saved to the account. Google may ask the user to confirm the action with 2-Step Verification or another form of authentication.
Google evaluates risk factors to decide whether to show the additional prompt. The company has not revealed specifics, but it seems likely that it uses signals such as location, IP address, browser, time of day and similar session attributes.
If the verification fails, for example because an attacker who hijacked the session cannot complete the second step, a critical security alert is automatically pushed to the account's trusted devices.
Google is rolling out the change to all Google Workspace customers and all personal Google Accounts customers in the coming weeks. The full rollout should be completed before September 10, 2023.
Closing Words
Additional protections for sensitive actions are a long overdue step toward better account security. While this won't affect most users who use strong passwords and 2-Step Verification or other additional protections, it may better protect users who are more likely to fall prey to attacks.
Now You: do you use Gmail?
Ok, that's why I'm suddenly not able to log into my Gmail through the K9-Mail app on Phone 1, but on Phone 2 it works (with the same app and same settings, obviously) and on my laptop with Thunderbird it also (still) works. So... I don't see why that one phone is rejected by Gmail. I even confirmed the security popup on the other phone... it still says that the IMAP (OAuth 2.0) is wrong. Hm...