Tuesday, June 17, 2008

eBay DevCon 08 - Tue17 11:00 Phishing Lessons from the biggest fish in the sea...

This talk is about information security, given by Michael Barrett (Chief Information Security Officer, PayPal).

Trying to block fraudulent emails was not the answer, because the bad guys would simply increase the amount of email they sent. PayPal focused on the backend to counter phishing.

However, there is no silver bullet when fighting online fraud. The approach is to educate and prevent. Prevention starts with education: no consumer should ever click on links in emails; open a new browser window and go to "www..com" directly instead. The problem with this advice is that links are convenient for users, it would require hundreds of millions of users to change their behavior, and, even more, it would require the mass removal of links from emails. Trust in email is one of the biggest challenges we have to overcome.

One of the ways to start the education is the web pages themselves. Give some space on your web site to inform users what phishing is and how to avoid it.

Another step PayPal took was to talk to the ISPs. There are thousands of ISPs around the world, but they are talking to the larger ones (which account for about 50% of the e-mail sent today). This was a very effective approach: they are now signing their messages, and users see in their inbox which messages have been signed.

PayPal's security team talks a lot about the Safer Browser: use the built-in blacklists supported by the new browsers, plus other configuration and add-ons, to make your browser smarter about handling phishing sites.

Extended Validation Certificates are "just another" SSL certificate. PayPal uses VeriSign to provide these certificates, and it is recommended to suggest this kind of certificate to merchant sites; this will help consumers trust their web sites, and also the whole community dealing with selling and paying online. This functionality shows a green bar in the browser's address bar, indicating that this is a safe web site.

PayPal is using a Security Key, an electronic token, and over 70% of PayPal Security Key users were likely to use PayPal more because of it.

Again, partnership is key. Michael speaks about the Unified Front, a partnership including PayPal, eBay, Yahoo!, Google, MSN, VeriSign, AOL and the law enforcement authorities in the USA. Normally, companies do not share what they are doing to run their business, but when the subject is fraud detection and prevention, sharing information is the best solution.

This is what they have been doing, and the number of phishing attacks related to PayPal has decreased dramatically since 03/2006. This study and its results can be found in a PDF they have published.
