PayPal, one of the brands most spoofed in phishing attacks, is working on a plan to block its users from making transactions from Web browsers that don’t provide anti-phishing protection.
The eBay-owned company, which runs a Web-based payment system that allows the transfer of funds between bank accounts and credit cards, said browsers that do not have support for blocking identity theft-related Web sites or for EV SSL (Extended Validation Secure Sockets Layer) certificates are considered “unsafe” for financial transactions.
“In our view, letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seat belts,” said PayPal Chief Information Security Officer Michael Barrett.
In a white paper that outlines a five-pronged action plan aimed at slowing the phishing epidemic, Barrett said there’s a “significant set of [PayPal customers] who use very old and vulnerable browsers” and made it clear that any browser that falls into the “unsafe” category will be banned.
“At PayPal, we are in the process of reimplementing controls which will first warn our customers when logging in to PayPal of those browsers that we consider unsafe. Later, we plan on blocking customers from accessing the site from the most unsafe (usually the oldest) browsers,” he declared.
Barrett only mentioned old, out-of-support versions of Microsoft’s Internet Explorer among this group of “unsafe browsers,” but it’s clear his warning extends to Apple’s Safari browser, which offers no anti-phishing protection and does not support the use of EV SSL certificates.
The EV SSL certificates are meant to provide trust to Web-based transactions. For example, if you use Microsoft’s IE 7 to visit a Web site secured with an EV SSL certificate, the URL address bar is displayed in green and offers the ability for the user to toggle between the organization name listed in the certificate and the issuing Certificate Authority.
Firefox and Opera have announced their intention to support EV SSL in upcoming releases.
Apple’s Safari browser, which is being aggressively pushed to Windows users, could conceivably be banned from accessing PayPal.com under the plan outlined by Barrett.
EV Certificates Unproven, but Best Solution Yet
The jury is still out on the value of EV SSL certificates as a meaningful security utility but, in Barrett’s mind, the green URL bar offers a visual cue that “makes it much easier for users to determine whether or not they’re on the site that they thought they were visiting.”
He said PayPal was one of the first companies to adopt EV certificates. “More or less all of the pages on our site are SSL encrypted, and they all use EV certificates. And after nine months of usage, [our] data suggests that there is a statistically significant change in user behavior. For example, we’re seeing noticeably lower abandonment rates on sign-up flows for IE 7 users versus other browsers. We believe that this correlates closely to the user interface changes triggered by our use of EV certificates,” Barrett added.
PayPal is also recommending the use of blacklists and anti-fraud warning pages as effective technologies to help protect consumers from identity theft fraud. Microsoft and Mozilla have invested heavily in anti-malware blockers and anti-phishing technology.
Inside Peek at PayPal’s Phishing Fight
In his white paper, which provides never-before-seen details on PayPal’s approach to managing phishing, Barrett called for increased collaboration between ISPs, law enforcement and government authorities around the world to put a dent in the billion-dollar phishing ecosystem.
The paper makes the argument that anti-phishing initiatives must start with blocking fraudulent e-mails from being delivered to their intended victims. “If phishmail never makes it into a customer’s in-box, the customer cannot become a victim,” it said, noting that ISP cooperation is needed to adopt e-mail authentication schemes.
“Our No. 1 strategy centered on a creative use of new e-mail signing standards and cooperation with major [ISPs] to actually block unsigned e-mail that looked to be from PayPal, before the mail reached the customers,” Barrett said. Instead of just using digital signatures in e-mails, the company went a step further with a proposal for ISPs to toss out fraudulent e-mails at the network edge.
“From PayPal’s point of view, even a spam phishmail was a poor customer experience,” the company said in the white paper. However, while this approach could work, it requires every ISP and every phishing-targeted company to create individual agreements.
Enforcement by Deterrence
Describing large-scale industry acceptance as “a highly unlikely situation,” PayPal opted for an experiment with Yahoo to use two anti-phishing/anti-spam technologies, DomainKeys and SPF (Sender Policy Framework), alongside the blocking rules.
According to the paper, the results were impressive: “In the first few months we successfully prevented the delivery of more than 50 million phishmail messages from reaching the in-boxes and bulk folders of unsuspecting consumers. Perhaps just as exciting is the fact that we’ve also seen a significant drop-off in the number of attempts to spoof PayPal in Yahoo Mail, meaning far fewer fraudsters even try to send these scams to Yahoo Mail users.
“Until all ISPs enforce DomainKeys and SPF, there will be gaps in the protection that e-mail signing and blocking cannot solve. Therefore, the second half of our e-mail strategy is to work with the providers of e-mail clients to ensure that the signatures which are embedded in e-mail are recognized by these clients,” it added.
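As an added illustration (not code from the article or from PayPal's white paper), here is a small Python model of the edge blocking rule described above: the receiving ISP evaluates SPF for the envelope sender, takes the DomainKeys/DKIM verdict as an input, and drops unauthenticated mail outright for brands that opted in to blocking while merely bulk-foldering everyone else. The domain names, the SPF records, and the requirement that the authenticated domain match the visible From domain are my assumptions, not details from the paper.

```python
import ipaddress

# Constructed list of domains that asked the ISP to drop unauthenticated
# mail outright (not PayPal's or Yahoo's real configuration).
STRICT_DOMAINS = {"paypal.example"}

# Constructed SPF records standing in for DNS TXT lookups.
SPF_RECORDS = {
    "paypal.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "shop.example": "v=spf1 ip4:198.51.100.10 ~all",
}

def spf_check(domain, sender_ip):
    """Minimal offline SPF evaluator: handles ip4/ip6 and 'all' mechanisms
    only (include/a/mx need DNS and are skipped). Returns pass, fail,
    softfail, neutral or none, in the style of RFC 4408."""
    terms = (SPF_RECORDS.get(domain) or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            matched = True
        elif term.lower()[:4] in ("ip4:", "ip6:"):
            # A v4 address is never inside a v6 network, and vice versa.
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            continue
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"  # nothing matched and no explicit 'all' mechanism

def decide(header_from, envelope_from, sender_ip, dkim_domain, dkim_result):
    """Edge rule: deliver if SPF or the signature authenticates the visible
    From domain; otherwise block strict-policy brands and bulk-folder the rest."""
    spf = spf_check(envelope_from, sender_ip)
    spf_ok = spf == "pass" and envelope_from == header_from
    dkim_ok = dkim_result == "pass" and dkim_domain == header_from
    if spf_ok or dkim_ok:
        return "deliver"
    if header_from in STRICT_DOMAINS:
        return "block"   # never reaches the in-box or the bulk folder
    return "bulk"
```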
In addition to blocking phishmails and fake Web sites, the PayPal plan also addresses the need for technology to authenticate users to prevent stolen log-in/password combinations from being used on PayPal.com; increased cooperation between governments and law enforcement to pursue legal prosecution of identity thieves; and brand and customer recovery to ensure that targeted customers will still use PayPal.
According to a recent Gartner survey, 3.6 million adults lost $3.2 billion due to phishing attacks in 2007. The survey found PayPal and eBay among the most spoofed brands and that the average dollar loss per incident was in the range of $866 in 2007, down from $1,244 in 2006.