The audience gathered in Whitton auditorium wasn’t what you might expect for a university tech event. On the morning of Feb. 27, as alumni, students and faculty poured into the room, older attendees began to outnumber the few students sitting at the corners of the room. But as P.N. Saksena, dean of the College of Business Administration, gave his opening speech, the audience of sharply dressed 50- to 60-year-olds all had their eyes firmly planted on a 38-year-old man sporting jeans and a beret who took the podium.
This was Elie Bursztein, a postdoctoral fellow at Stanford University, a lauded publisher who has won five best-paper awards, and the leader of Google’s anti-abuse research team. That day, he was a speaker on cybersecurity for “The Challenge of Securing Online Accounts,” part of an ongoing series of lectures called the Whitton Executive Series.
As Bursztein began to address the crowd, asking who had previously had an account hacked, hands began to go up across the room. When he asked how many of those people used the same password on more than one website, the audience laughed nervously as their hands remained up. Finally, he asked a more pertinent question:
“What can we do to not get hacked?”
Bursztein began by giving an overview of three basic methods by which hackers steal account credentials: data breaches (where the security of a company is compromised), phishing (where users enter information onto fake web pages made to look legitimate) and keylogger malware (used to take passwords by recording user keystrokes).
Bursztein noted that in 2016, 4.3 billion users had their credentials stolen through data breaches with 12 million users being victims of phishing alone. Of these, 25 percent were valid Google accounts, with an account takeover risk 463 times higher than normal.
“Password reuse is the largest source of credential theft, but phishing is the most deadly one. Most of those accounts were compromised within 30 minutes of being phished,” Bursztein said.
Bursztein left the audience in silence for a moment before offering a more positive question.
“How can we prevent account compromise?”
Though many users only take action after their accounts have been compromised, Bursztein advocates for a proactive approach to cybersecurity.
“Prevention is better than a cure,” Bursztein said. “Seventeen percent of people reuse passwords; if that little thing could change then so much could be prevented.”
Bursztein went on to acknowledge that remembering passwords across multiple accounts was difficult, but suggested using a password manager application as a solution. Because these services generate and store unique passwords based on algorithms, they offer an easy way to manage many different passwords for different accounts, and they earn Bursztein’s professional recommendation.
But password managers aren’t the only tool the anti-abuse researcher advocates for: a recent Google Chrome extension called password checker receives his approval for automatically sending notices of stolen credentials.
The extension didn’t just draw his praise: downloads surpassed Google’s expectations, reaching 600 thousand in the first three weeks, well above the company’s estimate of 25 thousand.
Bursztein then discussed adaptive two-factor authentication methods like access code prompts, along with biometric security measures like fingerprint scanners. Out of all the options, the security specialist believes that hardware tokens like security keys, which resist phishing attempts, provide the best options for proactive cybersecurity.
“They’re the best and most secure method we have,” Bursztein said. “We are making great progress in this field and hope to keep pushing it as a solution.”
Despite knowing what methods work, Bursztein admits that while cybersecurity techniques may be advancing, the true challenge is getting users to adopt them.
“We now know what to do,” he said. “It’s an adoption problem now.”
Though Bursztein feels secure in the strides Google has made in cybersecurity, he still feels obligated to help users adopt these methods. Whether users are young or old, he believes they could all learn to be proactive when it comes to cybersecurity.