Inside Peek at PayPal's Phishing Fight
In his white paper, which provides never-before-seen details on PayPal's approach to managing phishing, Barrett called for increased collaboration between ISPs, law enforcement and government authorities around the world to put a dent in the billion-dollar phishing ecosystem.
It makes the argument that anti-phishing initiatives must start with blocking fraudulent e-mails from being delivered to phishing victims. "If phishmail never makes it into a customer's in-box, the customer cannot become a victim," it said, noting that ISP cooperation is needed to adopt e-mail authentication schemes.
"Our No. 1 strategy centered on a creative use of new e-mail signing standards and cooperation with major [ISPs] to actually block unsigned e-mail that looked to be from PayPal, before the mail reached the customers," Barrett said. Instead of just using digital signatures in e-mails, the company went a step further with a proposal for ISPs to toss out fraudulent e-mails at the network edge.
"From PayPal's point of view, even a spam phishmail was a poor customer experience," the company said in the white paper. However, while this approach could work, it requires every ISP and every phishing-targeted company to create individual agreements.

Enforcement by Deterrence

Describing large-scale industry acceptance as "a highly unlikely situation," PayPal opted for an experiment with Yahoo to use two anti-phishing/anti-spam technologies, DomainKeys and SPF (Sender Policy Framework), alongside the blocking rules.
According to the paper, the results were impressive: "In the first few months we successfully prevented the delivery of more than 50 million phishmail messages from reaching the in-boxes and bulk folders of unsuspecting consumers. Perhaps just as exciting is the fact that we've also seen a significant drop-off in the number of attempts to spoof PayPal in Yahoo Mail, meaning far fewer fraudsters even try to send these scams to Yahoo Mail users.
"Until all ISPs enforce DomainKeys and SPF, there will be gaps in the protection that e-mail signing and blocking cannot solve. Therefore, the second half of our e-mail strategy is to work with the providers of e-mail clients to ensure that the signatures which are embedded in e-mail are recognized by these clients," it added.
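The blocking rule the article describes, unsigned mail that claims to be from a protected brand is dropped at the receiving ISP's edge, can be sketched as a small policy engine. The following is an added example, not code from PayPal, Yahoo or the white paper: it evaluates a minimal SPF record (ip4 mechanisms plus the all qualifier), reads the DKIM/DomainKeys verdict from a constructed Authentication-Results header that a trusted upstream verifier is assumed to have added, and rejects mail whose visible From: domain is protected but is vouched for by neither mechanism. The SPF record, IP ranges, domain names and messages are constructed placeholders, not PayPal's real DNS data.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for DNS TXT lookups; a real gateway would query DNS.
SPF_RECORDS = {
    "paypal.com": "v=spf1 ip4:203.0.113.0/24 -all",  # placeholder, not the real record
}

# Brands the ISP has a bilateral "block unsigned mail" agreement with (assumption).
PROTECTED_DOMAINS = {"paypal.com"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip):
    """Evaluate a minimal SPF record: ip4 mechanisms and the trailing all qualifier."""
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif term == "all":
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no explicit all term


def dkim_signing_domain(msg):
    """Return the d= domain of a passing DKIM signature, as recorded by the verifier."""
    for header in msg.get_all("Authentication-Results", []):
        m = re.search(r"dkim=pass\b.*?header\.d=([\w.-]+)", header)
        if m:
            return m.group(1).lower()
    return None


def edge_policy(raw_message, client_ip):
    """Decide accept/reject for one message at the ISP's edge."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if from_domain not in PROTECTED_DOMAINS:
        return "accept"  # no agreement for this sender; normal spam filtering applies
    if dkim_signing_domain(msg) == from_domain:
        return "accept"  # signature from the brand's own domain
    envelope_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    if envelope_domain == from_domain and spf_check(envelope_domain, client_ip) == "pass":
        return "accept"  # unsigned, but sent from an IP the brand authorises
    return "reject"  # looks like the brand, yet nothing vouches for it


# Constructed sample messages.
LEGIT_SIGNED = """From: PayPal <service@paypal.com>
Return-Path: <service@paypal.com>
Authentication-Results: mx.example.net; dkim=pass header.d=paypal.com
Subject: Your receipt

Thanks for your payment.
"""

PHISH_UNSIGNED = """From: PayPal Security <security@paypal.com>
Return-Path: <bounce@mailer-example.test>
Subject: Urgent: verify your account

Please confirm your account details.
"""

if __name__ == "__main__":
    print(edge_policy(LEGIT_SIGNED, "198.51.100.7"))    # accept
    print(edge_policy(PHISH_UNSIGNED, "198.51.100.7"))  # reject
```

The alignment requirement (the SPF-checked envelope domain must match the visible From: domain) is what keeps an attacker from passing SPF on a throwaway domain while displaying the brand in From:; that alignment rule is the idea DMARC later standardised. In production the DKIM verdict would come from the gateway's own verifier rather than a header that arrived with the message, since an inbound Authentication-Results header is itself attacker-controllable.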
In addition to blocking phishmails and fake Web sites, the PayPal plan also addresses the need for technology to authenticate users to prevent stolen log-in/password combinations from being used on PayPal.com; increased cooperation between governments and law enforcement to pursue legal prosecution of identity thieves; and brand and customer recovery to ensure that targeted customers will still use PayPal.
According to a recent Gartner survey, 3.6 million adults lost $3.2 billion due to phishing attacks in 2007. The survey found PayPal and eBay among the most spoofed brands and that the average dollar loss per incident was in the range of $866 in 2007, down from $1,244 in 2006.