Gmail Is a Perfect Place for Phishers and Here Is the Proof

Svetlana Gladkova,


Today there’s a very interesting story on The New York Times blog that grabbed my attention because of its title: “Rumor Control: Why I Can’t Put “Tibet” in My Hotmail Address”. In the article David Gallagher references a reader who attempted to register an email address containing the word “Tibet” (it has something to do with his book about Tibet) on Hotmail but failed because the ID chosen contained “a word or phrase that is not allowed”.

The immediate guess was that, trying not to irritate the Chinese government further and wanting to keep its presence in the huge Chinese market, Microsoft simply chose to prevent people from registering email accounts with the word “Tibet” in them.

But this quickly proved to be a wrong guess: a Microsoft spokesperson explained that this limitation is simply one of the efforts aimed at preventing phishing (emails disguised as messages from a financial institution like a bank or PayPal, in an attempt to trick recipients into handing their banking or other sensitive information to the intruders). To hinder these activities, Microsoft (and possibly other email providers as well) does not allow registering email addresses containing the names of such institutions, to make the work more difficult for the infringers.

And “Tibet” apparently contains “tib”, which Microsoft treats as the name of TIB Bank of Florida.

I have decided to do a quick check for some of the best-known financial institutions myself to see what level of anti-phishing protection is in place with the most popular free email providers: Gmail, Yahoo! Mail, and Microsoft Hotmail. So these are the IDs I attempted to register and the results with the three email providers:

ID attempted        Gmail                                   Hotmail     Yahoo! Mail
BoAsupport          No, but boasupport24 available          Available   No
HSBCsupport         No, but HSBCsupport24 available         No          No
WellsFargoSupport   No, but WellsFargoSupport24 available   No          No
PayPalSupport       No, but PayPalSupport24 available       No          No
eBaySupport         No, but eBaySupport24 available         No          No

What conclusion can we draw here based on this experiment? The three most popular free email providers have different approaches to anti-phishing. And surprisingly Gmail seems to be the least secure of all (which again makes me wonder why we stick so stubbornly to everything bearing a “made by Google” tag).

While Gmail does not have the IDs I attempted to register available, it easily suggested a number of variations for each of them that I can still register and use. And if I add “24” after “support”, it does look like a 24/7 support service, right?

[Screenshot: BoAsupport24 available on Gmail]

Moreover, all the names of the institutions can easily be registered as Gmail accounts if you simply add some numerals to them (like HSBC24, which is perfectly available):

[Screenshot: HSBC24 available on Gmail]

This basically means that Google does not check the desired usernames for the names of financial institutions contained in them. What’s more, they don’t even seem to mind if you register an email containing the words “terrorist”, “terrorism”, “Hitler”, “Nazi” or “racism”. This revelation was disturbing to me, and I actually hoped they would at least prevent such words from being registered.
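As an added example (not code from the post or from any of the providers), here is a minimal registration screener in Python that shows the design point behind the table: a name refused by policy should get no suggested variants, the suggestion step must re-screen its own candidates so that “HSBCsupport24” or “HSBC24” cannot slip through, and a plain substring list with short entries such as “tib” will block “Tibet” exactly as the Times story describes. The blocklist, the set of already-taken IDs and the variant patterns are constructed for this example.

```python
import re

# Constructed blocklist for this example: institution names the post shows
# being refused. "tib" is included to reproduce the Tibet case from the post;
# the providers' real lists are not public.
BLOCKED_BRANDS = ("boa", "hsbc", "wellsfargo", "paypal", "ebay", "tib")

# Constructed (hypothetical) set of IDs that are already registered.
TAKEN = {"boasupport", "hsbcsupport", "scott"}


def normalize(username: str) -> str:
    """Lower-case and drop everything but letters, so 'HSBC24' -> 'hsbc'
    and 'Pay.Pal_Support' -> 'paypalsupport' are screened the same way."""
    return re.sub(r"[^a-z]", "", username.lower())


def matched_brands(username: str) -> list[str]:
    """Substring screen on the normalized name (the behaviour the post
    attributes to Hotmail). Short entries such as 'tib' also hit 'tibet'."""
    norm = normalize(username)
    return [b for b in BLOCKED_BRANDS if b in norm]


def suggest_variants(username: str) -> list[str]:
    """Variants a provider might offer when a name is merely taken. Every
    candidate is screened again, so no policy-blocked variant is offered."""
    candidates = [f"{username}{n}" for n in (24, 2008, 1)]
    return [c for c in candidates
            if not matched_brands(c) and c.lower() not in TAKEN]


def screen(username: str) -> dict:
    """Return the outcome a registration form should act on."""
    brands = matched_brands(username)
    if brands:
        # Policy rejection: name the reason, offer nothing (the Yahoo! Mail
        # behaviour reported in the post).
        return {"status": "blocked", "brands": brands, "suggestions": []}
    if username.lower() in TAKEN:
        return {"status": "taken", "brands": [],
                "suggestions": suggest_variants(username)}
    return {"status": "available", "brands": [], "suggestions": []}


if __name__ == "__main__":
    for name in ("HSBCsupport", "HSBC24", "Tibet", "scott", "alice"):
        print(name, screen(name))
```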

[Screenshot: racism available on Gmail]

Hotmail is quite reliable: the only financial institution it failed to recognize was “BoA”, a very common abbreviation for “Bank of America”. The rest of the popular targets for phishers were recognized and forbidden, as described in the article mentioned at the beginning of the post.

Yahoo! Mail is actually the most secure of all when it comes to phishing, it seems: all of the keywords I checked were unavailable, with no alternatives suggested, no matter what numerals I added to them.

It is very interesting to see this issue discussed because of all the indignation surrounding Tibet. At least to me this was an experiment worth doing, and I’m sure there are others who will be surprised to learn that Google is not interested at all in what you want to have as your Gmail ID. I tend to think that the practices chosen by its less hyped competitors are somewhat more appealing when it comes to the protection of internet users.

Photo from ToastyKen used under Creative Commons


8 Comments
  • Svetlana: I agree. As well, I have received phishing warnings and notices in the past from Gmail. Not sure if they still do, but they did put a big red banner at the top to warn people.

  • @Brad: That’s what I think myself, we should never forget those users who would not even see any difference between the parts before and after the @ and if there’s anything any service can do to help such users, I believe they should really do this.

  • I’m sorry but if anyone believes that an email from a sender whose address ends in @gmail.com, @hotmail.com, @yahoo.com (or any free email provider for that matter) is an official email from a financial institution they shouldn’t be using email. I’ve used all three services (yahoo and gmail more recently) and Gmail still seems to do the best job of filtering out spam and protecting users from the potentially harmful content of emails.

  • Svetlana Gladkova (FriendFeed comment - August 08, 2008 at 09:53 am PDT)

    Paul,

    I don’t believe that a free email service can be used by a bank. But some of the novice internet (and email) users may see no difference between account ID and domain in the email and they can easily go for it. I know that Google definitely does the best job in filtering out spam (unlike Yahoo) but I can’t agree that it’s useless to have such terms banned - just in case.

  • There is a trade-off at work here. On the one hand, censorship of certain terms could protect certain people who are less technically inclined from falling for phishing scams, but on the other hand, as mentioned in the original article in the Times, legitimate names such as Scott Tibbs are also getting blocked. It’s a fine line to walk, and personally, I prefer to lean toward less policing and regulation and more freedom and responsibility to choose what you like.

  • On another note, I don’t think people stick blindly to Google products just because of the branding. People use them because they are very often the best products in that category. In the days before the YouTube acquisition, it beat Google Video pretty soundly. That’s a case where a competitor had a better product than Google’s offering, and clearly, people didn’t flock to Google Video just because it was made by Google.

  • Svetlana, you have too much time on your hands. Get a life.

  • @ptao: Sure that’s a tough question and of course it is not the easiest one to find an answer for. Of course with this type of censorship comes a question of possibly infringing the interests of other people. But I don’t think that any free email provider ever guaranteed availability of our names for our email accounts. I also think that TIB is a strange name to block in general but if such a block will save some less tech-savvy people their money, I think I am for it actually.

    As for the quality of Google’s products, I am perfectly aware of the superb quality and their superiority to competitive solutions. I am just concerned about putting all the eggs in one basket - I’m afraid it may be dangerous like in the recent case (I talked about it in the article linked to from those Google words) when a user was totally locked out of his Google account and could do virtually nothing since all his life was centered around Google products only.
