By Katherine Noyes E-Commerce Times
10/04/07 11:44 AM PT
Yahoo, eBay and PayPal are working together to deploy a tool designed to shield their users from vicious phishing scams. The new e-mail authentication technology developed by Yahoo allows e-mail providers to validate an e-mail's originating domain and makes blacklists and whitelists more effective.
Yahoo (Nasdaq: YHOO), eBay (Nasdaq: EBAY) and PayPal are teaming up to improve protections against phishing attacks, the companies announced Thursday.
The companies have adopted a new e-mail authentication technology, developed by Yahoo and known as "DomainKeys Identified Mail" (DKIM), that uses cryptography to verify the domain of the sender.
By allowing e-mail providers to validate an e-mail's originating domain -- ensuring that an e-mail apparently from PayPal really is from PayPal, for instance -- the technology makes blacklists and whitelists more effective. It also makes phishing attacks easier to detect by helping to identify abusive domains, the companies said.
"eBay and PayPal's adoption of e-mail authentication technology and this aggressive move on the part of Yahoo Mail are significant steps forward in the fight to protect consumers against e-mail-based crimes," said Michael Barrett, chief information security officer at PayPal. "While there is clearly no silver bullet for solving the problems of phishing and identity theft, today's announcement is great news for our customers who rely on Yahoo Mail."
Reduced Risk
DKIM, which the Internet Engineering Task Force approved in May as a proposed Internet standard, allows Internet service providers (ISPs) to determine if messages are genuine and whether they should be delivered to a customer's in-box. As a result of the technology, eBay and PayPal customers using Yahoo Mail will begin receiving fewer fake e-mails claiming to be sent by eBay and PayPal, the companies said, reducing their risk of falling for phishing attacks.
Yahoo Mail is the first Web mail service to block these types of malicious messages for eBay and PayPal, they added. Yahoo will roll out the upgrade globally over the next several weeks to all Yahoo Mail users.
"By reducing the risk of phishing scams, Yahoo Mail now offers a much safer Web mail service for eBay and PayPal users, and this protection will benefit the larger Yahoo Mail community as well," said John Kremer, vice president of Yahoo Mail.
Yahoo, eBay and PayPal are in the process of transitioning to DKIM, and expect to complete their implementation in the coming months, they said.
The More, the Better
"Today is a significant milestone for the added protection of millions of eBay and PayPal customers," said Dave Cullinane, chief information security officer at eBay. "Through industry cooperation, we can collectively try to stamp out phishing and other e-mail scams. We welcome Yahoo's commitment to this endeavor, applaud its leadership role within the Internet service provider community, and encourage others to join in the fight to keep consumers safe from phishing attacks."
The fight against phishing and online fraud is a difficult one, but Yahoo, eBay and PayPal "have all been very good corporate citizens when it comes to protecting consumers," cybersecurity expert and lawyer Parry Aftab told the E-Commerce Times.
"They've all been working on phishing issues for a long time," Aftab said. "There's so much PayPal phishing and fraud, this is a great idea. Anything that any of these sites can do to step up security is wonderful -- I'm thrilled they're doing more."
A Few Big Users
The DKIM technology is a good system, Johannes Ullrich, chief technology officer at the SANS Institute, told the E-Commerce Times. Using domain keys assigned by the Domain Name System (DNS), the technology helps verify users cryptographically, he said.
Among the technology's downsides are that it can be difficult to implement, and also that verification can be hard to achieve for e-mails sent by employees through their home ISPs, Ullrich said. In addition, "right now, no one is really checking for domain keys yet," he explained.
That may change with the newly announced partnership, however. "It's a solid system," Ullrich said. "It needed some big users like Yahoo and PayPal to sign up for it."
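The receiver-side decision described above, as an added Python example (not code from Yahoo, eBay, PayPal or the original article): it parses a DKIM-Signature header, derives the DNS name where the signing domain publishes its key, and blocks mail that claims a protected sender without a matching signature. The `PROTECTED` list, the reject policy, the sample messages and the `signature_valid` flag (a stand-in for the actual cryptographic check) are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: sender domains the receiver blocks unless DKIM-authenticated.
PROTECTED = {"paypal.com", "ebay.com"}

def parse_dkim_tags(value):
    """Split a DKIM-Signature tag=value list; drop folding whitespace."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def key_query_name(tags):
    """DNS TXT name where the signer publishes its public key."""
    return f"{tags['s']}._domainkey.{tags['d']}".lower()

def aligned(from_domain, signing_domain):
    """True if the visible From domain is the signing domain or a subdomain."""
    return from_domain == signing_domain or from_domain.endswith("." + signing_domain)

def classify(raw, signature_valid):
    """signature_valid stands in for the cryptographic check of b=/bh=."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    sig = msg.get("DKIM-Signature")
    if sig and signature_valid:
        d = parse_dkim_tags(sig).get("d", "").lower()
        if d and aligned(from_domain, d):
            return "authenticated"
    protected = any(aligned(from_domain, p) for p in PROTECTED)
    return "reject" if protected else "unauthenticated"

# Constructed sample messages (selector, hashes and addresses are made up).
SIGNED = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com; s=sel1;\n"
    " h=from:to:subject; bh=Y29uc3RydWN0ZWQ=; b=Y29uc3Ry\n"
    " dWN0ZWQ=\n"
    "From: PayPal <service@paypal.com>\nTo: user@example.net\n"
    "Subject: Receipt\n\nThanks.\n"
)
SPOOFED = SIGNED.replace("d=paypal.com", "d=mailer.example")
UNSIGNED = "From: PayPal <service@paypal.com>\nSubject: Verify\n\nClick.\n"

if __name__ == "__main__":
    for name, raw, ok in [("signed", SIGNED, True), ("spoofed", SPOOFED, True),
                          ("unsigned", UNSIGNED, False)]:
        print(name, classify(raw, ok))
```

A signature that verifies but belongs to another domain (the `SPOOFED` case) does not authenticate the visible sender, which is why the check compares the `d=` tag with the From domain.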