2013

Google Docs Aren’t As Secure As You Think


For college students, entrepreneurs on a budget or teams working in remote locations around the world, Google’s document creation and storage service, GoogleDocs, has been a boon to productivity. Instead of spending hundreds of dollars on software or sharing documents via e-mail, you can simply log in and get the job done quickly and efficiently.

Since using GoogleDocs requires a password, and users can restrict who has access to their documents, most people believe that the site is completely safe. Besides, who is interested in your History 101 paper on the American Revolution or the party planning checklist that you’re sharing with your friends? Granted, some enterprise users may create and store more high-stakes documents on the site, but for the most part GoogleDocs is considered relatively safe.

The security team at Oxford University in England disagrees. Recently, a spate of phishing attacks launched on university students using the GoogleForms application caused the university to make the unprecedented decision to block the site from university-controlled computers. While the block only lasted for a few hours, it was designed to get the attention of both users, who (in the eyes of Oxford IT) weren’t taking security seriously, and Google, which the university believes needs to do more to beef up protection against cyber crime.

It All Started With an E-mail

While the vast majority of GoogleDocs fans use the service to create and share documents, one of the more popular add-on features of the service is GoogleForms. The easy-to-use application allows users to create forms, such as surveys, and easily collect the data for analysis. It also allows instructors to create online tests and quizzes, and businesses can collect addresses and other information about their customers.

But in the case of Oxford University and dozens of others like it, GoogleForms was used as a means to collect passwords and other sensitive information. Criminals sent e-mails purporting to be from a known entity, such as Gmail or the university help desk, noting that the user had to confirm their e-mail address and password in order to keep their e-mail active or continue to use the university network. Unsuspecting users, noting that the e-mail appeared to come from a secure Google address, obliged. As a result, at Oxford alone, thousands of student passwords were stolen and their e-mail addresses commandeered as a means of spreading spam. The problem grew so quickly and became so severe that several e-mail providers, including Hotmail, temporarily blocked all messages sent from Oxford servers — a problem that the security team could not ignore.

Protecting Against Phishing

While some experts believe that Oxford blocking GoogleDocs was an overreaction, the incident did point out a serious cyber-security issue: phishing. Almost everyone with an e-mail address has encountered a phishing, or spoofed, message at some point. These messages often appear to come from a known entity, such as your bank or credit card issuer, and ask you to confirm your password and other details to keep your account current or deal with some other issue.

Often, these scams are designed to steal money or financial data, but sometimes, as was the case with the GoogleDocs scam, they are designed to steal e-mail passwords. While in the early days phishing e-mails were easy to spot, since they often came from obviously fake or completely unrelated addresses, criminals have become more sophisticated and developed the ability to create more authentic-looking addresses.

That means that it’s imperative for users to be more alert to potential scams. For example:

  • Never provide passwords when prompted by e-mail.
  • Pay close attention to the wording of any e-mails you receive. Phishing e-mails often include hints such as poor grammar or spelling.
  • Use two-factor authentication security, which requires both a password and a physical security item, such as a token, to gain access to a secure network.
  • If a “call-to-action” appears in the e-mail, call the company in question to confirm the request.

Phishing e-mails are a major problem and can lead to serious security breaches. Not only does responding provide criminals with access to your details, it also opens the door to malware installations or other potential problems. So while GoogleDocs is generally safe, think twice about what you post and how you respond to e-mails you receive.

DISCLAIMER: this post was sponsored by Trend Micro

About the Author: Noah Gamer is a driven business leader with experience in Internet marketing, Web software development and security software. Currently, he develops Internet strategy and directs global SEO for Trend Micro.