PayPal security chief Michael Barrett isn't ready to claim a victory in the fight against phishing schemes, but he said that his company is slowly turning the tide using a set of new partnerships and technological means.
Along with its parent company eBay, online payment processor PayPal has long held the inauspicious title of the Web's most frequently spoofed phishing target. However, speaking to the audience gathered at the IDC Security Forum in New York on Wednesday, Barrett highlighted a number of areas where he claims that the company is making progress.
Combined with more comprehensive end-user education programs -- including new how-to instructional videos posted to YouTube that offer tips on spotting common phishing e-mails -- Barrett said that by partnering with large Internet service providers (ISPs) and Web mail services, PayPal is seeing immediate results.
More than half of all the e-mail traveling over the Internet funnels through a half dozen of the world's most popular ISPs and Web mail systems, including AOL, Gmail, Hotmail, and Yahoo, the chief information security officer (CISO) said, all of whom PayPal has partnered with.
By using electronic signatures that the companies can scan to differentiate legitimate communications sent out by PayPal and eBay from all the counterfeit messages bearing the companies' names, he said, the partners are eliminating millions of phishing attempts before they ever reach end-users' in-boxes.
The notion of using electronic signatures to separate legitimate e-mail from unwanted spam and attacks is nothing new, but PayPal couldn't wait for the industry parties who have become involved with developing standards for the practice to finish their work, Barrett said.
Every e-mail sent out by the company has borne a signature of authenticity since Dec. 2006, and while most people aren't yet utilizing the extra source of data to scan for unwanted messages, PayPal's partners are doing so with great success, he said.
"Rather than relying on the consumer, we're saying let's simply block the e-mails unless we can guarantee that they are signed," Barrett said. "By working with these partners, we're finding that we can block several million e-mails per week that would have otherwise reached our customers; this also allows us to gather real-time information about what the bad guys are up to."
While e-mail signing has "languished" for three years as the standards debate has dragged on, Barrett said that by applying the technique through such a powerful alliance today, benefits can already be realized.
"If e-mails don't reach end users' in-boxes it's hard for them to be infected by them, and all ISPs are hoping to fix this problem because they're hearing about it from end-users," the CISO said. "They also bear the considerable cost of managing all this traffic, and they don't want it on their systems either; there's a natural incentive for [PayPal and its partners] to approach the issue in this way."
Despite the apparent efficacy of the technique, Barrett warned that PayPal's current e-mail signing process won't scale to help thwart the many different iterations of phishing, as it would require any company that has become a target of the attacks to build their own ISP partnerships.