January 31, 2008 7:03 AM PST

Google, PayPal introduce political-phishing defenses

by Chris Soghoian

In the last few months, both Google and eBay unit PayPal have quietly rolled out new online-payment solutions that specifically target Internet-based political-campaign contributions.

While the companies primarily pitch their new products as methods for "attracting more supporters" and "increasing online giving to your campaign," the Internet titans have also laid the groundwork for phishing-resistant campaign contributions.

Google Checkout for Political Contributions (Credit: Google)

In a research paper released last year, Markus Jakobsson, Oliver Friedrichs, and I wrote about the looming threat of phishing Web sites posing as legitimate political-campaign sites.

The phishing problem is a particular threat to campaign sites, for a number of reasons:

  • The various campaigns use completely inconsistent naming schemes for their domains. Users have no way of knowing if they should go to Hillaryclinton.com or Hillary.com, Rudygiuliani.com or Joinrudy2008.com.
  • Politicians were nice enough to exempt themselves from antispam laws. An online store cannot send out unsolicited e-mail and ask you to buy their products, but politicians can send out hundreds of thousands of e-mails asking people to donate money.
  • While online banks have gone to great lengths to educate their users about the dangers of clicking on links in e-mails, the campaigns all encourage this dangerous behavior. At the end of e-mail messages describing the threat posed by the opposite party, potential donors are asked to click and donate.
  • Campaign contributions don't result in the sale of a physical good. If a phisher pretends to be Amazon.com and tricks a user into entering a credit card number, there is a good chance that the victim will figure it out when the book never shows up. However, once a donor has given money through a legitimate campaign Web site, the only thing he or she will ever receive is a thank-you e-mail, which a phisher can spoof just as easily.

In our research paper, we suggested that Google and PayPal begin to offer online-campaign contribution systems. The two companies have already spent millions of dollars establishing trusted brands, so that millions of users already entrust them with credit card details and other personal information; both have Web site names that users can remember; and both have well-staffed security teams that can respond in real time to phishing threats.

A couple of weeks ago, PayPal launched its "PayPal Kit for Non-Profits" product. Similarly, Google recently announced a form of Google Checkout specifically designed for political campaigns.

I'm not going to claim credit for inspiring these product deployments, as I'm sure that the legal complexities in designing a campaign contribution system are significant enough that the firms were working on the products long before my colleagues and I published our paper. However, it is nice to see that we successfully predicted the future.

Both companies pitch their products as ways for campaigns to increase the amount of money donated and the number of people who give. The considerable security benefits to donors, and to the campaigns (which would suffer reputation damage if a phishing attack succeeded), are glossed over.

The introduction of these products is a great first step. However, the millions of people who donate to campaign sites are not yet safe from phishing attacks.

First, the campaigns need to ditch their home-brew payment-processing solutions and switch exclusively to Google, PayPal, or both.

Second, the campaigns need to stop telling users to click on links in donation solicitation e-mails.

Third, the campaigns need to engage in user education and tell people that they should not give money through anything other than Google or PayPal.
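The third step is, in effect, an allowlist: a donor should hand a card number only to a short list of payment hosts that he or she can recognize. The check below, added here as an illustration and not part of the original post or of either company's product, shows how a mail client or a campaign-side link filter could apply that allowlist to the links in a solicitation e-mail. It goes a little beyond the text by also catching the standard tricks a phisher uses to make a foreign host look like the trusted one (a trusted name placed before an "@", a trusted name used as a subdomain of another domain, a plain-http copy, or a non-ASCII lookalike). The two allowlisted hostnames and the sample e-mail are assumptions constructed for the example.

```python
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Hosts a donor should ever hand a card number to. Both hostnames are
# assumptions for illustration; a campaign would list the exact checkout
# hosts that its payment processor documents.
TRUSTED_PAYMENT_HOSTS = {
    "checkout.google.com",
    "www.paypal.com",
}

# Brand strings derived from the allowlist ("google", "paypal"), used to flag
# lookalikes such as www.paypal.com.evil.example or paypal-donate.example.
BRANDS = {host.split(".")[-2] for host in TRUSTED_PAYMENT_HOSTS}

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def link_verdict(url: str) -> tuple[str, str]:
    """Classify one link as ("trusted", reason) or ("suspicious", reason)."""
    parts = urlsplit(url.strip().rstrip(".,;)"))
    host = parts.hostname  # lowercased, with any user:pass@ prefix removed
    if host is None:
        return "suspicious", "no hostname"
    if parts.scheme != "https":
        return "suspicious", "scheme is %r, not https" % parts.scheme
    if parts.username is not None:
        # https://www.paypal.com@evil.example/ : the real host is evil.example
        return "suspicious", "text before @ disguises real host %s" % host
    if not host.isascii() or "xn--" in host:
        return "suspicious", "internationalized hostname, possible homoglyph"
    if host in TRUSTED_PAYMENT_HOSTS:
        return "trusted", "host %s is an allowlisted payment processor" % host
    for brand in BRANDS:
        if brand in host:
            return "suspicious", "host %s imitates %s but is not allowlisted" % (host, brand)
    return "suspicious", "host %s is not an allowlisted payment processor" % host


def scan_solicitation(body: str) -> dict[str, tuple[str, str]]:
    """Map every link found in an e-mail body to its verdict."""
    return {url: link_verdict(url) for url in URL_RE.findall(body)}


# Constructed sample solicitation for the example; not a real campaign e-mail.
SAMPLE_EMAIL = """\
The other side raised $3M last night. Chip in $25 before midnight:
https://www.paypal.com/cgi-bin/webscr?cmd=_donations
Or use our fast checkout at https://www.paypal.com@donate-now.example/
Backup link: https://www.paypal.com.secure-gift.example/
Old form: http://www.paypal.com/
"""

if __name__ == "__main__":
    for url, (verdict, reason) in scan_solicitation(SAMPLE_EMAIL).items():
        print("%-10s %s  (%s)" % (verdict, url, reason))
```

Only the first link in the sample survives the check; the other three are exactly the kind of link a donor cannot tell apart from the real one by eye, which is the argument for a short, fixed allowlist rather than per-campaign domains.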

With millions of dollars per week being raised online for the presidential campaigns, this is an area that is ripe for fraud and evil activity. While the phishers have thus far not targeted campaign sites, it is surely a matter of time before they do. However, if the campaigns are smart, and start taking advantage of the tools made available to them by trusted online-payment sites, they can do much to reduce the risk that phishers pose to the online-donation process.

It remains to be seen if the campaigns will actually be wise enough to embrace Google, PayPal, and others--or if they will allow their reputations and the confidence of online users to be trashed due to an inability to see future threats.

Disclosure: I interned with Google's security team in 2006 and have received $5,000 of fellowship money from Google and the Hispanic College Fund in both 2007 and 2008.

Christopher Soghoian delves into the areas of security, privacy, technology policy and cyber-law. He is a student fellow at Harvard University's Berkman Center for Internet and Society, and is a PhD candidate at Indiana University's School of Informatics. His academic work and contact information can be found by visiting www.dubfire.net/chris/. He is a member of the CNET Blog Network, and is not an employee of CNET.
by SS4ALL February 18, 2008 3:16 AM PST
If the candidates would provide one way for their supporters to safely contribute money directly to their campaigns on the internet and inform the public through various media sources that any attempts made to collect money through other sources are fake and fraudulent, a great number of people could avoid falling into such traps by just being made aware. These people who are phishing are getting away with this kind of criminal activity because they are contacting people who are unaware of what phishing even is. Many people with good intentions and big hearts usually get hurt financially and also emotionally because they trusted someone who looked legitimate and found out too late that they were not. The public needs to be protected and provided with safe and secure ways to contribute their hard-earned money while also being educated and made aware of the dangers that are out there. Very few individuals will read the information in blogs such as this because they are not on the internet looking for this type of information. The majority are usually on the internet shopping for items and looking for specific things to meet a need, so the best way to reach them and warn them of these criminal acts would be through television commercials, radio spots and various other advertisements. These candidates who ask us to trust them with our votes and elect them as the leader of our country have got to discontinue all of the typical lip service and start showing us that they really care by protecting us now, not only after they have been elected. If one candidate would make a bold decision and take a stand right now and show us that even during a presidential campaign a decision can be made to protect us all from these criminal acts, then the others would follow because they would not want to be seen as the candidates that didn't care.
It would only take one person to stand and attack this major problem today and that one bold decision could make such an awesome and immediate impact that America could possibly see an end to such criminal acts and feel a little safer than we do today. I would follow a leader who would make such a decision. Wouldn't you?

Tim Clark
http://www.securityandsurveillance4ALL