by Joseph Weisenthal




PayPal Battling Back Against The Phishers

from the paypalcom.ru dept

The idea of authenticating email as a means of stopping spam and phishing has been talked about for some time, but for various reasons, including standards disputes, the concept hasn't really gone anywhere. Now PayPal, the most popular target among phishers, is proposing a slightly different take on the concept that sounds sort of interesting. The company is urging popular webmail providers like Google and Yahoo to automatically deny any email coming from an @paypal.com address unless it's authenticated with an established digital signature. So far, the company hasn't gotten any takers, but it would be an interesting experiment to try. Of course, this wouldn't stop attackers from sending emails from different addresses that looked like PayPal's, but these are likely to be less effective anyway. Ultimately, no one solution is going to be a magic bullet for stopping phishing, but anything that can reduce its volume while still allowing legitimate email to get through is a step in the right direction.


Reader Comments


    Mar 29th, 2007 @ 5:31pm
  • Hax

    by Buzz

    I have received so many PayPal phishing attempts, it is disgusting. My wife and I even had some UK woman bid on our item (despite us not offering an International shipping option) and attempt to send us a PayPal email claiming that the money would go through once we shipped the item. Having plenty of eBay experience, we knew that this was totally bogus. Not only do buyers ALWAYS pay first, she was avoiding the eBay channels of communication; she was sending emails and stuff.


  • Mar 29th, 2007 @ 6:29pm
  • do what the blogs do

    There are various blogs using many different, effective authentication methods. The large techs can learn something from the little guys.


  • Mar 29th, 2007 @ 6:55pm
  • Authentication is a two way street. The site/bank/paypal has to authenticate the user, but there has to be a way for the user to authenticate the site also.


  • Mar 29th, 2007 @ 6:55pm
  • re:do what the blogs do

    and what are these effective blog-used authentication methods? are you talking about the crypto-spelling-match-from-a-picture thing? that is only a measure to verify that the person filling out a form is an actual human. that process can not be applied to authenticating email messages.

    paypal could instead borrow a page from banks... put an inbox in your account and send only notification messages to the user's email address. tell them in the notification emails that they have a new message in their paypal account inbox. internalize the messaging system.

    otherwise, this idea sounds like it has the potential to work, but they should drop the whole "block the email part". the blocking part makes this solution hard to implement industry- or internet-wide. it requires each email service to maintain a list of domains to block without a cert.

    http://opinionone.blogspot.com


  • Mar 29th, 2007 @ 7:34pm
  • Is this not what SPF already does?

    The paypal spf record:

    "v=spf1 mx include:s._spf.ebay.com include:m._spf.ebay.com include:p._spf.ebay.com include:c._spf.ebay.com include:spf-1.paypal.com ~all"

    Just change that to -all and problem solved.

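Added example, not part of the original thread: a small Python parser for the SPF record quoted in the comment above, showing the result a receiver computes for a sender that matches none of the listed mechanisms, first under `~all` and then under the proposed `-all`. The `receiver_action` policy is a hypothetical stand-in for a receiving server's local handling, and the DNS lookups behind `mx` and `include:` are not performed.

```python
import re

# SPF qualifiers and the result each one yields when its mechanism matches (RFC 7208).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MODIFIER = re.compile(r"^([A-Za-z][A-Za-z0-9_.-]*)=(.*)$")

# Record exactly as quoted in the comment, and the commenter's proposed change.
PUBLISHED = ("v=spf1 mx include:s._spf.ebay.com include:m._spf.ebay.com "
             "include:p._spf.ebay.com include:c._spf.ebay.com "
             "include:spf-1.paypal.com ~all")
HARDENED = PUBLISHED.replace("~all", "-all")


def parse_spf(record):
    """Return ([(qualifier, mechanism, value), ...], {modifier: value})."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    directives, modifiers = [], {}
    for term in terms[1:]:
        mod = MODIFIER.match(term)
        if mod:
            modifiers[mod.group(1).lower()] = mod.group(2)
            continue
        qualifier, body = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name = re.match(r"[A-Za-z][A-Za-z0-9]*", body)
        if not name:
            raise ValueError("bad term: " + term)
        directives.append((qualifier, name.group().lower(), body[name.end():].lstrip(":")))
    return directives, modifiers


def unmatched_sender_result(record):
    """SPF result for a sending host that matches no mechanism before 'all'."""
    directives, modifiers = parse_spf(record)
    for qualifier, name, _ in directives:
        if name == "all":          # terms after 'all' are never evaluated
            return QUALIFIERS[qualifier]
    if "redirect" in modifiers:    # outcome is decided by the redirect target's record
        return "redirect:" + modifiers["redirect"]
    return "neutral"               # no 'all' and no redirect


def receiver_action(result, checks_spf=True):
    """Hypothetical receiver policy: reject on fail, flag on softfail."""
    if not checks_spf:
        return "deliver"
    return {"fail": "reject", "softfail": "deliver-flagged"}.get(result, "deliver")
```

With the published record the forged sender gets `softfail`; with `-all` it gets `fail`, which only changes delivery at receivers that evaluate SPF at all.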

  • Mar 30th, 2007 @ 1:03am
  • hmm...

    I have to agree with Contrad here... that would resolve it on servers that actually check SPF...


  • Mar 30th, 2007 @ 11:28am
  • Bigger problem requires bigger solution

    by Glenn

    It's possible that Paypal can negotiate a digital signature with the big boys, but everyone can. We are all being deluged with more and more spam, and there needs to be a way to filter out the stuff I want to read from the other crap. Yahoo, Gmail, Aol, etc have been taking their own approach to this, using graphical filters and spam filters that are mystical to most users.

    As more companies embrace email as an integrated marketing channel, users will only have eyes for a few select messages. And the wider scope of this issue is how to put that control back with the reader; not the sender.


  • Mar 30th, 2007 @ 12:54pm
  • Paypal

    by L

    Paypal really oughta concentrate on fixing their user database first. It seems almost every week I have to log on and change my password again!


    • Mar 30th, 2007 @ 12:59pm
    • Re: Paypal

      by Anonymous Coward

      Paypal really oughta concentrate on fixing their user database first. It seems almost every week I have to log on and change my password again!
      You too?
      :D


    Mar 30th, 2007 @ 12:56pm
  • by Anonymous Coward

    Most of these e-mail "authentication" schemes boil down to a money-making system that charges people some sort of "licensing" or "registration" fee to send e-mail. Paypal is promoting yet another of these schemes. In this case there are several patents on the process they are encouraging the webmail providers to adopt. I wish I could get all the webmail providers to reject any e-mail that didn't have _my_ approval. I'd be rich!


  • Jun 21st, 2007 @ 7:50pm
  • fake paypal emails?

    If the various web-mails (yahoo, gmail, etc) can already detect junk mail with some accuracy, it seems to me that they and microsoft outlook could also detect an attempt to phish. We get the same paypal emails several times a week - or the bank-of-america one. pain in the neck.


  • Sep 18th, 2007 @ 7:49am
  • Is this PayPal logon page a fake ????

    by John Q. Netizen

    Is this PayPal logon page a fake ????
    http://login3.paypalglobaldatabase.com/cgi-bin/webscr.php?cmd=_login-run
    The link was sent in e-mail.
    This page: http://paypalglobaldatabase.com/
    Shows: paypalglobaldatabase.com - This page is parked free, courtesy of GoDaddy.com


  • Feb 10th, 2009 @ 11:34am
  • Megaupload downloading

    One of the best file centers is Megaupload! For a proper search and downloading use http://megaupload.name/

