Google's Security Checkup and the Email Alerts Coming from It
People just aren't prepared to face all the online risks they're presented with every day. Don't believe us? Here's an argument.
Think about the tools that are supposed to estimate the security of a password or an account. Usually, when their algorithms think that the data is secure (which is not always the case), these tools display green ticks, thumbs up, smiling emojis, or animations indicating that the user has done a good job. It shouldn't work like this.
People basically receive a pat on the back for having done enough to secure their data online. It's like getting a "well done" for locking the door on your way out. The truth is, users don't actively think about security when they're online, and they need to be reminded of it every now and again. That's why Google's Security Checkup exists.
How does Google's Security Checkup work?
Quite a few of the big service providers have similar features, but in October 2017, Google revamped their own and proudly announced that it can now give users "personalized recommendations." Given that the Security Checkup feature is completely automated, the word "personalized" does seem a bit out of place, but there's no getting away from the fact that Google's checks are more thorough than the ones performed by their competitors' tools.
It will go through the devices you use with your Google account. It will check whether you've enabled 2-step verification, and it will see how many recovery options you have (phone number, alternative email, etc.). Last but not least, it will go through the list of applications that have access to your Google account and the information in it.
You can access Google's Security Checkup at any time at https://myaccount.google.com, and if you see something you don't like, the feature gives you a quick way of changing it. The system also periodically sends email alerts telling you if there's something wrong. Google received quite a lot of heat for the way these alerts were designed.
Google's phishy-looking email alerts
I'm not a security UX expert, but telling users there's "a security issue," without telling them which one, and asking them to click on a link is perhaps not ideal. pic.twitter.com/xRjRUMgTL3
— LoЯenzo Franceschi-Bicchierai (@lorenzoFB) January 16, 2018
Above you see one such alert as shared by Lorenzo Franceschi-Bicchierai, a reporter for Motherboard. Those with a deeper interest in cybersecurity can probably see the problem. It's coming from Google, and it's completely legitimate, but it has all the characteristics of a classic phishing message.
There's a security problem, but the wording is extremely vague. Fixing the issue will take no more than a few moments, and there is, of course, a button leading people directly to the login page. This wasn't Google's finest hour, it must be said.
For years, security experts and bloggers have been typing their fingers off, trying to persuade users not to trust emails with links and buttons, and suddenly, none other than Google drops alerts like this in people's inboxes. All the phishers need to do now is copy the email word-for-word and redirect users to the fake login page.
Overall, it was one of those one-step-forward-two-steps-back moments, and we can all learn something from it. Google can learn that it must be more careful with the design of its email alerts, and users can learn that clicking buttons and links in emails is a bad idea.