Recently Google has been in the news quite a bit because a number of gmail users have had their accounts hacked, allegedly from China.  The article at Technology Review talks about tracing the source of Gmail attacks, but it also highlights ways that the attacks occur, referencing an article that shows what some of the phishing attacks look like, and it’s surprising.  While Google may claim that there are no technological solutions to the phishing problem, I strongly disagree.  It’s just that they haven’t implemented some strategies that are known to work.  Why?  I have no idea.

On the outset, you need to know what the attacks do look like in order to avoid them.  When someone sends you an email message, that message may have embedded links in it.  Common phishing attacks use a deceptively similar URL that presents the victim with a fake page.

The google phishing emails used to steal passwords apparently use the attachment feature of Gmail, hiding a phishing URL behind the View and Download links for attachments. When victims click on these pages, they get a gmail login page that’s tailored to them, with their username pre-filled in the username field.  Most of us are used to having to re-authenticate quickly by habit.  That’s bad!

Before you ever log into an account, check that the URL for it is exactly right.  It’s always best to not log in after clicking on a link, but rather to use a bookmark instead.  Since Gmail remembers your login, I’d recommend putting a link to Gmail in your toolbar and any time you are asked to log in, click that instead.

The article also claims that Google asserts there’s no technical fix for this problem.  But Google does have a “callback” feature that you can use when logging in, to help prevent unauthorized access.  Unfortunately, without your phone handy or without a handy list of single use bypass codes, you can’t get into your email at all.  That’s a bit draconian, and a pain for users.  A secret question in the event you don’t have your phone would be more secure, particularly if you could pick your own secret question.

Picking your own question highlights one of the best strategies for foiling phishing attacks that my bank uses.  I am not sure why this strategy isn’t more common. Perhaps it’s patented or something, which would be a shame since it’s so obvious.  My bank asks me for my login and a first passphrase, and then once it knows that, it shows me a picture I select along with a phrase I choose.  If the picture and phrase are not ones that I chose, then I know there’s a phishing attack and my first passphrase is now compromised.  I can easily change it right away.  There’s another password on the screen that shows me the picture and phrase, so I can’t just log in with the first one.

The first passphrase need not be secure since it’s just used to keep phishers from knowing what my picture and quote.

There are many things Google could do to make their login more secure.  No security is foolproof, and nothing takes the place of using caution.

Incidentally, One vulnerability I’m very surprised hasn’t been exploited yet is the dropdown message on a mac that asks you for your password so Firefox (or Chrome or Safari) can authenticate.  This would be an easy thing to mimic – there’s no way that I can tell to be sure that the window that drops down is actually from the application and not the web page.  This is a serious security problem for macs that has not yet been addressed, and only the mac is vulnerable to this type of phishing because of the way that passwords are stored in the keychain.