PayPal and partners winning battle on phishing

gallery

"You can never reduce the security risks to zero," said Michael Barrett, chief information officer of PayPal said.

"But what you can do is have a whole layer of defences that holistically begin to have an effect on online fraud and that's what's we're doing with the DomainKeys email authentication project."

Barrett was in the UK keen to talk up the success the company has so far had with parent eBay and partner Yahoo to prevent cyber criminals from pretending to represent either e-commerce company in emails that encourage customers to divulge sensitive personal and financial information.

The DomainKeys collaboration project launched last month is designed to roll out new authentication technology and form what Barrett said is an essential part of PayPal's responsibility for ensuring the security of the company's 163 million customer accounts worldwide.

"We have taken steps to roll out a strong layer of authentication as part of our ongoing strategy to anticipate the ways the bad guys try to get ahead and adapt their methods," he said.

DomainKeys is an email authenticity verification technology designed to allow internet service providers (ISPs) to determine if messages are real and should be delivered to a customer's inbox.

PayPal, Yahoo! and eBay are working to develop digital signatures that can block unauthenticated email and so reduce the volume of fraudulent phishing' emails received by consumers purporting to be from PayPal or eBay.

Barrett told IT PRO the success of the project in dramatically reducing the proportion of phishing emails targeted at both companies' customers had been recognised by independent security vendor, Sophos.

Sophos found that in September 2007 only 21 per cent of phishing emails purported to come from the two well-known companies, where a year ago, 85 per cent of these bogus messages claimed to be from eBay or PayPal.

Barrett added that, for the example set by PayPal to have a lasting effect, email signing needs to be widely adopted as a standards-based approach by large numbers of email senders. "And blocking of unsigned, or improperly signed, email needs to be widely adopted within the ISP community," he said.

Graham Cluley, senior technology consultant agreed. He said: "Hackers are finding it harder than before to steal from their millions of users because of heightened user awareness and technology that the firms introduced to help verify if an email communication is legitimate or not."

PayPal is also a member of the Anti-Phishing Working Group (APWG).

Email to a friend

Print this page