By Matt Hines  |  Posted 2007-02-09

Using anti-spam tools that include features that specifically seek out fake eBay and PayPal messages could provide a significant improvement by choking off the primary marketing tool of PayPal's adversaries, and the executive said his company can drastically reduce the number of unhappy customers calling to report that they've been duped into handing over their credentials.

All of PayPal's legitimate e-mail is already identified with unique digital signatures.

"If customers never see the phishing e-mails in the first place, it's a lot harder for them to be victimized," Barrett said. "We're working with all the major e-mail vendors to help raise the status of the security problem. If they see anything with our name on it that doesn't have a signature, we're telling them to drop it."
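The filtering rule Barrett describes, as an added example that is not PayPal's or any mail vendor's code: mail that uses a protected brand name must carry a valid signature or be dropped, while mail that makes no brand claim passes through untouched. The signature here is a keyed HMAC over the From, Subject and body under a constructed shared key, a deliberately simplified stand-in for the signature scheme the article does not name; the header name, key and brand list are assumptions.

```python
import email
import hmac
import hashlib
from email.message import Message

# Assumptions: a constructed signing key and a hypothetical signature header name.
SIGNING_KEY = b"constructed-demo-key"
PROTECTED_BRANDS = ("paypal", "ebay")
SIG_HEADER = "X-Demo-Signature"

def canonical(msg: Message) -> bytes:
    """Bytes covered by the signature: From, Subject and body, whitespace-normalised."""
    body = msg.get_payload(decode=True) or b""
    head = f"{msg.get('From', '').strip()}\n{msg.get('Subject', '').strip()}\n".encode()
    return head + body.strip()

def sign(raw: str) -> str:
    """Sender side: prepend the signature header to a raw RFC 822 message."""
    msg = email.message_from_string(raw)
    tag = hmac.new(SIGNING_KEY, canonical(msg), hashlib.sha256).hexdigest()
    return f"{SIG_HEADER}: {tag}\n" + raw

def claims_brand(msg: Message) -> bool:
    """True if the From or Subject header uses one of the protected brand names."""
    text = (msg.get("From", "") + " " + msg.get("Subject", "")).lower()
    return any(brand in text for brand in PROTECTED_BRANDS)

def filter_decision(raw: str) -> str:
    """Receiver side: return 'deliver' or 'drop' following the quoted rule."""
    msg = email.message_from_string(raw)
    if not claims_brand(msg):
        return "deliver"            # rule only applies to mail that uses the brand
    tag = msg.get(SIG_HEADER)
    if not tag:
        return "drop"               # brand name present, no signature at all
    expected = hmac.new(SIGNING_KEY, canonical(msg), hashlib.sha256).hexdigest()
    # A signature that does not verify (e.g. body altered in transit) is also dropped.
    return "deliver" if hmac.compare_digest(tag, expected) else "drop"

# Constructed sample messages covering the four cases the rule must handle.
LEGIT = sign("From: PayPal <service@paypal.example>\nSubject: Your receipt\n\nThanks for your payment.\n")
SPOOF = "From: PayPal Security <alert@example.net>\nSubject: Verify your PayPal account\n\nClick here.\n"
OTHER = "From: Alice <alice@example.org>\nSubject: lunch?\n\nNoon?\n"
TAMPERED = LEGIT.replace("Thanks for your payment.", "Confirm your password here.")
```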

PayPal is also pursuing a wide range of other security strategies in the name of creating a defense-in-depth approach for protecting its customers. These include the use of new EV SSL (Extended Validation Secure Sockets Layer) digital certificates, which will provide users with visual cues in browsers such as Microsoft's new Internet Explorer 7 to let them know when they're on a fake site.

To fight attacks such as cross-site scripting, which have corrupted PayPal's legitimate URLs in the past, Barrett said the company is working hard to make sure that its software developers avoid any vulnerabilities in writing and reviewing the millions of lines of code that make up its site.

Behind the scenes, the company is deploying real-time fraud-monitoring tools that watch out for suspicious behavior on its pages and using data-matching techniques to help identify transactions that might indicate the use of hijacked accounts.

Outside the world of technology, PayPal is working more closely than ever before with law enforcement officials, particularly in the United States, although the process remains hard because local, state and federal authorities have so much work on their plates—and thieves have deduced they are less likely to be caught if they pull off larger numbers of smaller heists that make it harder for PayPal and the police to discover them and bring charges.

While he remains somewhat frustrated by the lack of government resources dedicated to fighting online fraud, Barrett said he's hopeful that politicians and regulators will ramp up their efforts, and PayPal is working actively to advocate stronger penalties for cyber-criminals.

"Working with law enforcement has improved, but it could be better, in particular in the sense that they look at relatively high fraud loss limits before taking interest in prosecution," he said. "But this isn't a problem that's just about the U.S.; it's hard to get very far into fighting things internationally before you find yourself getting into deep legal conversations over jurisdiction."

PayPal is also trying to exert pressure on legislators on Capitol Hill, where Barrett believes progress may be in the making, despite recent setbacks.

"We thought the laptop theft at the Department of Veterans Affairs might have helped more to that end, but then they got it back, and it's been sort of quiet," Barrett said. "One of the interesting things we're waiting to see is if the new Congress takes up ID theft legislation; we've been waiting for that for a long time."
