Gmail Is a Perfect Place for Phishers and Here Is the Proof
August 07, 2008
Today there’s a very interesting story on The New York Times blog that grabbed my attention because of its title – “Rumor Control: Why I Can’t Put “Tibet” in My Hotmail Address”. In the article David Gallagher references a reader who attempted to register an email address containing the word “Tibet” (it has something to do with his book about Tibet) on Hotmail but failed because the ID he chose contained “a word or phrase that is not allowed”.
The immediate guess was that, trying not to irritate the Chinese government further and wanting to keep its presence in the huge Chinese market, Microsoft had simply chosen to prevent people from registering email accounts with the word “Tibet” in them.
But this quickly proved to be a wrong guess: a Microsoft spokesperson explained that this limitation is simply one of the measures aimed at preventing phishing (emails disguised as messages from a financial institution such as a bank or PayPal, sent in an attempt to trick recipients into handing their banking or other sensitive information to the attackers). To hinder these activities, Microsoft (and possibly other email providers as well) does not allow the registration of addresses containing the names of such institutions, making the phishers’ work more difficult.
And “Tibet” apparently contains “tib”, which Microsoft treats as the name of TIB Bank of Florida.
I decided to run a quick check with some of the best-known financial institutions myself to see what level of anti-phishing protection is in place at the most popular free email providers: Gmail, Yahoo! Mail, and Microsoft Hotmail. These are the IDs I attempted to register and the results with the three providers:
| ID attempted | Gmail | Hotmail | Yahoo! Mail |
|---|---|---|---|
| BoAsupport | No, but boasupport24 available | Available | No |
| HSBCsupport | No, but HSBCsupport24 available | No | No |
| WellsFargoSupport | No, but WellsFargoSupport24 available | No | No |
| PayPalSupport | No, but PayPalSupport24 available | No | No |
| eBaySupport | No, but eBaySupport24 available | No | No |
What conclusion can we draw from this experiment? The three most popular free email providers take different approaches to anti-phishing. And, surprisingly, Gmail seems to be the least secure of all (which again makes me wonder why we stick so stubbornly to everything bearing a “made by Google” tag).
While Gmail did not have the IDs I attempted to register available, it readily suggested a number of variations for each of them that I could still register and use. And if I add “24” after “support”, it does look like a 24/7 support service, right?
Moreover, all the institution names can easily be registered as Gmail accounts if you simply add some numerals to them (HSBC24, for instance, was perfectly available).
This basically means that Google does not check desired usernames for the names of financial institutions contained in them. What’s more, Google doesn’t even seem to mind if you register an address containing the words “terrorist”, “terrorism”, “Hitler”, “Nazi” or “racism”. I found this disturbing; I had actually hoped they would at least block such words from registration.
Hotmail is quite reliable: the only financial institution it failed to recognize was “BoA”, a very common abbreviation for “Bank of America”. The other popular phishing targets were recognized and blocked, as described in the article mentioned at the beginning of the post.
Yahoo! Mail actually seems to be the most secure of all when it comes to phishing: none of the keywords I checked were available, no suggestions were offered, and it made no difference what numerals I added to them.
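A username screening check of the kind the post describes, written here as an added example (not code from the post or from any of the three providers). It assumes a constructed brand list, shows why a “support24” suffix must not change the verdict, and shows the tradeoff with very short tokens such as “tib” and “BoA”: matching them as substrings blocks “Tibet”, matching them only as whole segments lets “BoAsupport” through.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed brand list mirroring the names the post tested. Assumption: a real
# provider keeps a far longer list; these entries are illustrative only.
PROTECTED_BRANDS = ["bankofamerica", "boa", "hsbc", "wellsfargo", "paypal", "ebay", "tib"]

# Tokens at or below this length ("tib", "boa") are matched only as a whole
# segment; matching them as substrings is what blocks "Tibet" on Hotmail.
SHORT_TOKEN_LIMIT = 3


def normalize(username: str) -> str:
    """Lower-case and strip digits and separators: 'HSBC_support24' -> 'hsbcsupport'."""
    return re.sub(r"[^a-z]", "", username.lower())


def segments(username: str) -> List[str]:
    """Split on digits and separators only: 'tib24' -> ['tib'], 'Tibet2008' -> ['tibet']."""
    return [s for s in re.split(r"[^a-z]+", username.lower()) if s]


def screen_username(username: str) -> Tuple[bool, Optional[str]]:
    """Return (allowed, matched_brand). Appending numerals never changes the verdict."""
    flat = normalize(username)
    segs = segments(username)
    for brand in PROTECTED_BRANDS:
        if len(brand) <= SHORT_TOKEN_LIMIT:
            if brand in segs:          # whole-segment match only, so 'tibet' passes
                return False, brand
        elif brand in flat:            # substring match survives a 'support24' suffix
            return False, brand
    return True, None


def screen_batch(usernames: List[str]) -> Dict[str, Tuple[bool, Optional[str]]]:
    """Screen several candidate IDs at once; returns {id: (allowed, brand)}."""
    return {u: screen_username(u) for u in usernames}


if __name__ == "__main__":
    # Constructed inputs taken from the post's table plus the Tibet case.
    for uid in ["HSBCsupport24", "HSBC24", "WellsFargoSupport24", "PayPalSupport",
                "eBaySupport24", "BoAsupport", "tib24", "Tibet2008"]:
        allowed, brand = screen_username(uid)
        print(f"{uid:22} {'allowed' if allowed else 'blocked (' + brand + ')'}")
```

Note that "BoAsupport" is allowed by this policy, the same gap the post observed on Hotmail; closing it requires listing "boasupport" (or similar compound aliases) as its own protected token rather than loosening the short-token rule.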
It is very interesting to see this issue come up because of all the indignation surrounding Tibet. To me at least this was an experiment worth doing, and I’m sure others will be surprised to learn that Google is not interested at all in what you want as your Gmail ID. I tend to think that the practices chosen by its less hyped competitors are somewhat more appealing when it comes to protecting internet users.
Photo from ToastyKen used under Creative Commons