Security
It's the front lines in the online fraud war: eBay and its PayPal subsidiary are the most-spoofed brands by fraudsters engineering phishing scams, according to research firm Gartner.
Mike Vergara, senior director of accounts protection at PayPal, is a foot soldier in that war, contributing to the company's efforts to defend hundreds of millions of eBay and PayPal customers. Vergara recently discussed the e-commerce giant's anti-fraud strategy with Network World Senior Editor Ellen Messmer.
What have eBay and PayPal been doing to fight online fraud attempts?
To keep over 170 million PayPal accounts safe, we went live last June with our Security Key for two-factor authentication. I'm not free to tell you the exact numbers of people using this security token, but I can say it's been well accepted.
What's the latest thinking about combating phishing aimed at eBay and PayPal customers?
We need better e-mail authentication, and for that we support the standard called DomainKeys Identified Mail, [which provides] for cryptographic signing of a piece of e-mail, to see where it came from. But there are two different standards for this, with another called Sender ID SPF, which Microsoft supports. So we support both.
How does this work?
All the e-mail sent from PayPal -- such as funds transfers or transactions such as receipt and statement -- is signed using DomainKeys and Sender ID SPF. Many ISPs, including Yahoo, Google, Comcast and AOL, now use DomainKeys. Over the summer, our partnership with Yahoo grew so that now Yahoo blocks phishing e-mail based on DomainKeys, deleting it before it hits Yahoo accounts. Google and Gmail, Comcast and AOL do support the DomainKeys signature but they don't yet support blocking. They might label e-mail with a 'suspicious variable' in their spam filter instead. We know deploying the infrastructure to do blocking takes time. But our strategy is to have every ISP in the world blocking phishing e-mail.
But isn't it likely there will always be some ISP somewhere that doesn't?
Yes, so we're also taking another approach as well to make sure our customers are safe. We're offering e-mail plug-in software from a small start-up called Iconix that can read either the DomainKeys or Sender ID SPF signatures. This is a plug-in for e-mail, whether Web-based or other, such as Microsoft's Outlook. When e-mail arrives, it asks whether it should give a seal of approval for e-mail from PayPal or eBay. It will show you that the e-mail is really from us.
Does this get eBay and PayPal into the area of software support?
This is our first e-mail product, but most questions will go to Iconix, and if they don't know the answers, our help desk will be there.
Is this add-on software free, and how did you decide on this buy-rather-than-build approach?
It's free. We had the beta last year and compared the software against similar products from MessageLabs and Goodmail, and liked this one the most. We don't have the design experience in this field to build this ourselves, so we decided to go with the Iconix software, and we're encouraging our customers to use it.