Web Heavies Form Blockade Against Phishers

Yahoo, eBay and PayPal are teaming up to improve protections against phishing attacks, the companies announced Thursday.

The companies have adopted a new e-mail authentication technology, developed by Yahoo and known as “DomainKeys Identified Mail” (DKIM), that uses cryptography to verify the domain of the sender.

By allowing e-mail providers to validate an e-mail’s originating domain — ensuring that an e-mail apparently from PayPal really is from PayPal, for instance — the technology makes blacklists and whitelists more effective. It also makes phishing attacks easier to detect by helping to identify abusive domains, the companies said.

“eBay and PayPal’s adoption of e-mail authentication technology and this aggressive move on the part of Yahoo Mail are significant steps forward in the fight to protect consumers against e-mail-based crimes,” said Michael Barrett, chief information security officer at PayPal. “While there is clearly no silver bullet for solving the problems of phishing and identity theft, today’s announcement is great news for our customers who rely on Yahoo Mail.”

Reduced Risk

DKIM, which the Internet Engineering Task Force approved in May as a proposed Internet standard, allows Internet service providers (ISPs) determine if messages are genuine and whether they should be delivered to a customer’s in-box. As a result of the technology, eBay and PayPal customers using Yahoo Mail will begin receiving fewer fake e-mails claiming to be sent by eBay and PayPal, the companies said, reducing their risk of falling for phishing attacks.

Yahoo Mail is the first Web mail service to block these types of malicious messages for eBay and PayPal, they added. Yahoo will roll out the upgrade globally over the next several weeks to all Yahoo Mail users.

“By reducing the risk of phishing scams, Yahoo Mail now offers a much safer Web mail service for eBay and PayPal users, and this protection will benefit the larger Yahoo Mail community as well,” said John Kremer, vice president of Yahoo Mail.

Yahoo, eBay and PayPal are in the process of transitioning to DKIM, and expect to complete their implementation in the coming months, they said.

The More, the Better

“Today is a significant milestone for the added protection of millions of eBay and PayPal customers,” said Dave Cullinane, chief information security officer at eBay. “Through industry cooperation, we can collectively try to stamp out phishing and other e-mail scams. We welcome Yahoo’s commitment to this endeavor, applaud its leadership role within the Internet service provider community, and encourage others join in the fight to keep consumers safe from phishing attacks.”

The fight against phishing and online fraud is a difficult one, but Yahoo, eBay and PayPal “have all been very good corporate citizens when it comes to protecting consumers,” cybersecurity expert and lawyer Parry Aftab told the E-Commerce Times.

“They’ve all been working on phishing issues for a long time,” Aftab said. “There’s so much PayPal phishing and fraud, this is a great idea. Anything that any of these sites can do to step up security is wonderful — I’m thrilled they’re doing more.”

A Few Big Users

The DKIM technology is a good system, Johannes Ullrich, chief technology officer at the SANS Institute, told the E-Commerce Times. Using domain keys assigned by the Domain Name System (DNS), the technology helps verify users cryptographically, he said.

Among the technology’s downsides are that it can be difficult to implement, and also that verification can be hard to achieve for e-mails sent by employees through their home ISPs, Ullrich said. In addition, “right now, no one is really checking for domain keys yet,” he explained.

That may change with the newly announced partnership, however. “It’s a solid system,” Ullrich said. “It needed some big users like Yahoo and PayPal to sign up for it.”