The news of the spear phishing attack on GMail users has highlighted a number of interesting points around GMail and its security. The attack, believed to have originated from Jinan, China, specifically targeted users with an email that included a malware link prompting them to enter their GMail log-in details again. This information was then used to access and monitor their GMail accounts illegally.
This breach did not come about through any vulnerability in Google's security systems. As with all phishing tactics, this attack could be applied to any email service, because it is the user who discloses the valuable information, not the technology.
The most interesting thing about this attack, however, is that Google was aware of it very early on, which meant the number of users affected was limited.
Google has excellent intrusion detection systems that monitor and flag any unusual behaviour in its GMail accounts. For example, if a UK GMail user had responded to the recent phishing e-mail and their account was then accessed from a Chinese IP address, Google automatically alerts the account holder to this unusual activity. The user is also able to close any remote sessions.
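The kind of check described above can be illustrated with a small login-anomaly detector. This is an added example, not Google's code or any description of how its systems actually work: it assumes login events have already been enriched with a country code resolved from the source IP, and it flags a login from a country the user has never used before, or one that follows a login from a different country too quickly to be plausible travel. The sample events are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Login:
    user: str
    when: datetime
    country: str  # ISO country code; assumed to be resolved from the source IP upstream


# Constructed sample login history for a hypothetical UK user (not real data).
SAMPLE_LOGINS = [
    Login("alice", datetime(2011, 6, 1, 8, 0), "GB"),
    Login("alice", datetime(2011, 6, 1, 18, 30), "GB"),
    Login("alice", datetime(2011, 6, 2, 9, 15), "GB"),
    Login("alice", datetime(2011, 6, 2, 11, 0), "CN"),   # two hours after a GB login
    Login("alice", datetime(2011, 6, 3, 8, 5), "GB"),
]

# A country change inside this window is treated as impossible travel (assumed threshold).
IMPOSSIBLE_TRAVEL_WINDOW = timedelta(hours=6)


def find_unusual_logins(logins, min_history=2):
    """Return a list of (login, reasons) for logins that look anomalous.

    A login is flagged when the user already has at least `min_history`
    prior logins and this one comes from a country never seen before, or
    when it follows a login from a different country within
    IMPOSSIBLE_TRAVEL_WINDOW. Events are processed in time order so the
    baseline only ever contains earlier logins.
    """
    alerts = []
    history_by_user = {}
    for login in sorted(logins, key=lambda entry: entry.when):
        history = history_by_user.setdefault(login.user, [])
        reasons = []

        known_countries = {past.country for past in history}
        if len(history) >= min_history and login.country not in known_countries:
            reasons.append("login from previously unseen country %s" % login.country)

        if history:
            previous = history[-1]
            gap = login.when - previous.when
            if previous.country != login.country and gap < IMPOSSIBLE_TRAVEL_WINDOW:
                reasons.append(
                    "impossible travel: %s -> %s in %s" % (previous.country, login.country, gap)
                )

        if reasons:
            alerts.append((login, reasons))
        history.append(login)  # the login still becomes part of the baseline
    return alerts


if __name__ == "__main__":
    for login, reasons in find_unusual_logins(SAMPLE_LOGINS):
        print("ALERT %s at %s from %s: %s" % (login.user, login.when, login.country, "; ".join(reasons)))
```

Running it flags only the CN login on 2 June, for both reasons; the GB login the next morning is from a known country and 21 hours after the CN one, so it passes. In practice the alert would be surfaced to the account holder alongside the option to end the remote session, as the article describes.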
Google added two-factor authentication for corporate users of Google Apps for Business in 2010 and has now released it to all GMail users. This enhanced verification requires two independent factors for authentication, much like you might see on your banking website: your password, plus a code obtained from a smartphone app or from a one-time text message sent to a registered mobile. This protects GMail accounts from exposure even if the user has inadvertently disclosed their login credentials.
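The smartphone-app code in this scheme is a time-based one-time password (TOTP, RFC 6238), built on HMAC-based OTP (RFC 4226). The following is an added example of how a server verifies such a code; it is not Google's implementation. It assumes a shared secret provisioned to the user's app, a 30-second time step, and a tolerance of one step either side of the server's clock, and it refuses to accept the same time step twice so that a phished, already-used code cannot be replayed. The secret used is the RFC 6238 test-vector secret, not a real key.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: truncated HMAC-SHA1 of the big-endian 8-byte counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret: bytes, submitted: str, now: float, used_counters: set,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept `submitted` if it matches the current step or one adjacent step.

    `used_counters` is server-side state (assumed to be persisted per user):
    a step that has already been accepted is rejected, so a code captured by
    a phishing page and used once by the victim cannot be replayed later.
    """
    current = int(now) // step
    for counter in range(current - window, current + window + 1):
        expected = hotp(secret, counter, digits)
        if hmac.compare_digest(expected, submitted):  # constant-time comparison
            if counter in used_counters:
                return False  # replay of an already-consumed step
            used_counters.add(counter)
            return True
    return False


# RFC 6238 Appendix B test secret (constructed for the example; never use it for real).
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    used = set()
    code = totp(TEST_SECRET, time.time())
    print("current code:", code)
    print("first use accepted:", verify_totp(TEST_SECRET, code, time.time(), used))
    print("replay accepted:", verify_totp(TEST_SECRET, code, time.time(), used))
```

The password remains the first factor; this check is the second. Because the code changes every 30 seconds and each step is consumed on use, a credential phished today is of little use to an attacker who does not also control the user's phone.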
Security is an area in which Google invests a great deal of research, particularly in building access controls into its applications from the start. The incident has highlighted the level and success of Google's security procedures and its understanding of online applications.