PayPal Plans to Ban Unsafe Browsers - Inside Peek at PayPal's Phishing Fight (Page 2 of 2)
In his white paper, which provides never-before-seen details on PayPal's approach to managing phishing, Barrett called for increased collaboration between ISPs, law enforcement and government authorities around the world to put a dent in the billion-dollar phishing ecosystem.
The paper argues that anti-phishing initiatives must start with blocking fraudulent e-mails before they are delivered to potential victims. "If phishmail never makes it into a customer's in-box, the customer cannot become a victim," it said, noting that ISP cooperation is needed to adopt e-mail authentication schemes.
"Our No. 1 strategy centered on a creative use of new e-mail signing standards and cooperation with major [ISPs] to actually block unsigned e-mail that looked to be from PayPal—before the mail reached the customers," Barrett said. Instead of just using digital signatures in e-mails, the company went a step further with a proposal for ISPs to toss out fraudulent e-mails at the network edge.
"From PayPal's point of view, even a spam phishmail was a poor customer experience," the company said in the white paper. However, while this approach could work, it requires every ISP and every phishing-targeted company to create individual agreements.
Enforcement by Deterrence
Describing large-scale industry acceptance as "a highly unlikely situation," PayPal opted for an experiment with Yahoo to use two anti-phishing/anti-spam technologies—DomainKeys and SPF (Sender Policy Framework)—alongside the blocking rules.
According to the paper, the results were impressive: "In the first few months we successfully prevented the delivery of more than 50 million phishmail messages from reaching the in-boxes and bulk folders of unsuspecting consumers. Perhaps just as exciting is the fact that we’ve also seen a significant drop-off in the number of attempts to spoof PayPal in Yahoo Mail, meaning far fewer fraudsters even try to send these scams to Yahoo Mail users.
"Until all ISPs enforce DomainKeys and SPF, there will be gaps in the protection that e-mail signing and blocking cannot solve. Therefore, the second half of our e-mail strategy is to work with the providers of e-mail clients to ensure that the signatures which are embedded in e-mail are recognized by these clients," it added.
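The edge-blocking rule described above, as an added illustration that is not PayPal's or Yahoo's code: a receiving mail provider reads the SPF and DKIM/DomainKeys verdicts its MTA recorded in the Authentication-Results header and drops any message whose From: domain is a protected brand but carries no authenticated signal for that domain. The protected-domain table, the sample messages and the alignment rule (the authenticated domain must match the From: domain or a parent of it) are assumptions of this example, not details from the white paper.

```python
import re
import email
import email.utils
from email import policy

# Constructed stand-in for the bilateral brand/ISP agreement (not PayPal's real list).
PROTECTED_DOMAINS = {"paypal.com"}

# Pulls "method=result ... header.d=/header.from=/smtp.mailfrom=domain" clauses
# out of an RFC 7601-style Authentication-Results header.
AUTH_CLAUSE = re.compile(
    r"(spf|dkim|domainkeys)=(\w+)"
    r"(?:[^;]*?\b(?:header\.(?:from|d)|smtp\.mailfrom)=([\w.-]+))?")

def from_domain(msg):
    """Domain of the RFC 5322 From: address, lowercased ('' if absent)."""
    _, addr = email.utils.parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()

def is_protected(domain):
    return any(domain == d or domain.endswith("." + d) for d in PROTECTED_DOMAINS)

def authenticated_domains(msg):
    """Domains for which the receiving MTA recorded an SPF or DKIM/DomainKeys pass."""
    passed = set()
    for hdr in msg.get_all("Authentication-Results", []):
        for _method, result, dom in AUTH_CLAUSE.findall(str(hdr)):
            if result.lower() == "pass" and dom:
                passed.add(dom.lower())
    return passed

def edge_decision(raw_message):
    """'reject' for mail claiming a protected domain without an aligned
    authenticated signal; 'accept' otherwise (unprotected senders are out of scope)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    dom = from_domain(msg)
    if not is_protected(dom):
        return "accept"
    # No Authentication-Results at all also ends up here and is rejected.
    aligned = any(dom == d or dom.endswith("." + d) for d in authenticated_domains(msg))
    return "accept" if aligned else "reject"

# Constructed sample messages (headers only matter here).
SIGNED = ("From: PayPal <service@paypal.com>\nAuthentication-Results: mx.yahoo.example;"
          " spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com\n\nbody\n")
UNSIGNED = "From: PayPal <service@paypal.com>\nSubject: Verify your account\n\nbody\n"
MISALIGNED = ("From: \"PayPal\" <service@paypal.com>\nAuthentication-Results: mx.yahoo.example;"
              " spf=pass smtp.mailfrom=bulkmail.example; dkim=none\n\nbody\n")
OTHER = "From: Alice <alice@example.org>\nSubject: hi\n\nbody\n"
```

Running `edge_decision` over the four samples shows only the signed PayPal message passing, while the unsigned and misaligned ones are dropped at the edge and unrelated mail is untouched.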
In addition to blocking phishmails and fake Web sites, the PayPal plan also addresses the need for technology to authenticate users to prevent stolen log-in/password combinations from being used on PayPal.com; increased cooperation between governments and law enforcement to pursue legal prosecution of identity thieves; and brand and customer recovery to ensure that targeted customers will still use PayPal.
According to a recent Gartner survey, 3.6 million adults lost $3.2 billion due to phishing attacks in 2007. The survey found PayPal and eBay among the most spoofed brands and that the average dollar loss per incident was in the range of $866 in 2007, down from $1,244 in 2006.