Application security

PayPal to deploy tokens to fight phishing attacks

PayPal will offer a public beta in the Unites States next week for a new security token designed to combat phishing attacks on its customers, a company executive told SCMagazine.com on Thursday.

The online payment company has been working with VeriSign for some time to develop the PayPal Security Key as an option for its 133 million customers, said PayPal CISO Michael Barrett at RSA Conference 2007. PayPal plans to offer the device for free to all of its business customers and for a nominal $5 fee to all other customers.

PayPal and its parent company, eBay, are consistently two of the biggest brand targets of phishers, according to figures compiled by PhishTank. In January, this grassroots organization said PayPal ranked first in the number of unique, valid phishes reported against it by PhishTank’s volunteer members, tallying a staggering 2,693 unique attacks. The eBay brand was assaulted by 1,423 different attacks, putting it in third place behind Barclays Bank.

Barrett is hoping to leverage the token as one facet of a multi-layered strategy to fight the prolific attacks against his customers.

"There is no single silver bullet," Barrett said. "But there are a few things we can do from a lifecycle perspective that, when combined, can go a long way toward fighting the problem."

The key is one of six main approaches that PayPal is using in this strategy. Barrett said that the most fundamental tactic is to first work to ensure that most phishing emails never make it to inboxes in the first place. Because about 50 percent of the email volume is generated through only about a half-dozen major internet service providers (ISPs), PayPal is concentrating on them.

The company now signs all of its emails with digital signatures, Barrett said. Using this as a tool, large ISPs such as MSN and Yahoo are readying systems to drop any email that appears to come from PayPal - but lacks a signature.

"If it never arrives in the in the first place, there isn’t a link to click on," Barrett said.

The third and fourth methods PayPal is employing are consumer education and the utilization of better browser security functions. PayPal is a major supporter of the new extended validation SSL certificates that were recently announced by certification authorities and Microsoft.

The final two layers of anti-phishing defense happen behind the scenes. Paypal uses a lot of fraud detection engines on both the front and back end of its system to detect attacks against customers. And it continues to compile the research it generates on attacks into a database in order to connect large groups of attacks to particular criminals. That data helps with what Barrett considers one of the most important aspects of fighting the problem: working with law enforcement to punish the perpetrators.

"While we might have a grudging respect for the technical abilities of these criminals, at the end of the day, we want to see them in handcuffs and orange jumpsuits," Barrett said.

Click here to email West Coast Bureau Chief Ericka Chickowski.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.