Engineers are really smart people who often know how to make something work really well even when it has no real-world effectiveness. In a glaring example of marketing hype, very limited effectiveness, and a lesson in teaching users to fall for phishing attacks, Pavni Diwanji, Engineering Director at Google, published a blog post at http://googleonlinesecurity.blogspot.com/2010/03/detecting-suspicious-account-activity.html

The blog tells of how a friend had his account hijacked, and then the attacker asked him for money. This is pretty much the same scam I blogged about at http://www.eset.com/blog/2009/07/27/hotmail%E2%80%99s-delay-may-facilitate-fraud.
 
Mr. Diwanji's first mistake was citing the Google privacy policy. The launch of Google Buzz proved that Google ignores its privacy policy as a matter of practice and policy. When he then goes on to plug Google's alleged ability to detect and notify users of suspicious account activity, he completely misses the reality of the situation. In most cases when a friend's Gmail account is hacked, the attacker changes the password so that the rightful owner cannot stop the attack. Telling the attacker what IP address the last login came from only reminds the attacker to be sure to use an anonymous proxy so they won't get caught.

I was going to leave a comment, but the blog is on Blogger.com and it asked me for a Google.com account and password. This is sooooooo phishing-like. Yes, I know of the relationship between Google and Blogger, but many people do not. Asking for Google credentials there is truly irresponsible.

I don't really feel any safer knowing that, if my Gmail account is hijacked, Google will tell the attacker his IP address.

Giving credit where it is due, Google has some really smart security professionals and some very dedicated employees who do make a difference. In this case, though, they have an engineering director in need of serious education and an enormously broken comment scheme on Blogger.com. If it takes a Google account and password, then put it on a google.com address.

Randy Abrams
Director of Technical Education