Google, PayPal introduce political-phishing defenses

In recent months, search giant and eBay division have quietly rolled out online-payment solutions specifically targeting Internet-based campaign contributions.

Chris Soghoian

Christopher Soghoian delves into the areas of security, privacy, technology policy and cyber-law. He is a student fellow at Harvard University's Berkman Center for Internet and Society , and is a PhD candidate at Indiana University's School of Informatics. His academic work and contact information can be found by visiting www.dubfire.net/chris/.

See full bio

Chris Soghoian

Jan. 31, 2008 8:46 a.m. PT

3 min read

In the last few months, both Google and eBay unit PayPal have quietly rolled out new online-payment solutions that specifically target Internet-based political-campaign contributions.

While the companies primarily pitch their new products as methods for "attracting more supporters" and "increasing online giving to your campaign," the Internet titans have also laid the groundwork for phishing-resistant campaign contributions.

Google Checkout for Political Contributions Google

In a research paper released last year, Markus Jakobsson, Oliver Friedrichs, and I wrote about the looming threat of phishing Web sites posing as legitimate political-campaign sites.

The phishing problem is a particular threat to campaign sites, for a number of reasons:

The various campaigns use completely inconsistent naming schemes for their domains. Users have no way of knowing if they should go to Hillaryclinton.com or Hillary.com, Rudygiuliani.com or Joinrudy2008.com.
Politicians were nice enough to exempt themselves from antispam laws. An online store cannot send out unsolicited e-mail and ask you to buy their products, but politicians can send out hundreds of thousands of e-mails asking people to donate money.
While online banks have gone to great lengths to educate their users about the dangers of clicking on links in e-mails, the campaigns all encourage this dangerous behavior. At the end of e-mail messages describing the threat posed by the opposite party, potential donors are asked to click and donate.
Campaign contributions don't result in the sale of a physical good. If a phisher pretends to be Amazon.com and tricks a user into entering his or her credit card number, there is a good chance that the victim will figure it out when her book never shows up. However, once a donor has given money using a legitimate campaign Web site, the only thing they will ever receive is a thank-you e-mail, which can easily be spoofed by a phisher.

In our research paper, we suggested that Google and PayPal begin to offer online-campaign contribution systems. The two companies have already spent millions of dollars in establishing trusted brands--enough that millions of users entrust the firms with their credit card details and other personal information, both have Web site names that users can remember, and the two companies have well-staffed security teams that can respond in real time to phishing threats.

A couple weeks ago, PayPal launched its "PayPal Kit for Non-Profits" product. Similarly, Google recently announced a form of Google Checkout specifically designed for political campaigns.

I'm not going to claim credit for inspiring these product deployments, as I'm sure that the legal complexities in designing a campaign contribution system are significant enough that the firms were working on the products long before my colleagues and I published our paper. However, it is nice to see that we successfully predicted the future.

Both sites pitch their products as ways for campaigns to increase the amount of money that is donated and a way to increase the number of potential people who will give. The massive security benefits to donors and the campaigns (in terms of reputation damage in the event that a phishing attack occurs) is glossed over.

The introduction of these products is a great first step. However, the millions of people who donate to campaign sites are not yet safe from phishing attacks.

First, the campaigns need to all ditch their own home-brew payment-processing solutions and switch to the exclusive use of either Google, PayPal, or both.

Second, the campaigns need to stop telling users to click on links in donation solicitation e-mails.

Third, the campaigns need to engage in user education and tell people that they should not give money through anything other than Google or PayPal.

With millions of dollars per week being raised online for the presidential campaigns, this is an area that is ripe for fraud and evil activity. While the phishers have thus far not targeted campaign sites, it is surely a matter of time before they do. However, if the campaigns are smart, and start taking advantage of the tools made available to them by trusted online-payment sites, they can do much to reduce the risk that phishers pose to the online-donation process.

It remains to be seen if the campaigns will actually be wise enough to embrace Google, PayPal, and others--or if they will allow their reputations and the confidence of online users to be trashed due to an inability to see future threats.

Disclosure: I interned with Google's security team in 2006 and have received $5,000 of fellowship money from Google and the Hispanic College Fund in both 2007 and 2008.