Google, PayPal Use Phish Filter

Google Inc. has agreed to filter phishing e-mails in its Gmail service using a security technology championed by eBay Inc.

eBay and its payments subsidiary PayPal Inc. began using Yahoo Inc.'s DomainKeys system in October to authenticate e-mail sent through Yahoo.

DomainKeys lets a company attach a unique identifier to all outgoing e-mail to verify that messages are authentic, and it can spot, and block, any e-mail that claims to be from a known sender but lacks the identifier.

"Google's Gmail service has agreed to automatically detect and block PayPal and eBay phishing e-mails from reaching your Gmail inbox," Michael Barrett, PayPal's chief information security officer, said in a post to the San Jose company's blog Tuesday.

"From now on, if you have a Gmail e-mail address, you will see a dramatic reduction in the amount of e-mails which purport to come from PayPal and eBay but which aren't in fact from us," he wrote.

Since PayPal began working with Yahoo to block phish e-mails last year, Yahoo has blocked more than 50 million e-mails from phishers posing as PayPal.

This, Mr. Barrett said in an interview Wednesday, indicates that the financial industry can defeat the phishers.

"The industry as a whole needs to get its head around the fact that phishing is actually a solvable problem," he said.

Though DomainKeys is no silver bullet, it is very effective, he said. "If the phish-mail doesn't land in the consumer's inbox, it's rather hard for them to get victimized," he noted.

Mr. Barrett said he is aware of other financial institutions "chomping at the bit" to follow PayPal's example in signing its e-mails. "We may be the first," he said, "but we are far from the last."

Brad Taylor, Google's Gmail spam czar and a software engineer at the Mountain View, Calif., company, said in a Tuesday post to the Gmail blog that his company has been using DomainKeys since 2004 but that it "can only be effective when high-volume senders consistently use … [it] to sign their mail."

E-mails that do not bear a DomainKeys identifier do not even appear in a Gmail user's spam folder, he wrote — they are completely deleted from the system.

Mr. Taylor said that a potential issue with DomainKeys is that the companies using it must be consistent: "If they're sending some mail without signatures, it's harder to tell whether it's phishing or not."
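The mechanism described above (a sender marks all outgoing mail, a receiver drops mail that claims to be from that sender but carries no valid mark) and the consistency caveat Mr. Taylor raises, as an added illustration that is not from the article or from any of the companies named: a simplified signer and receiver-side classifier. It assumes an HMAC shared secret and an in-memory dictionary as stand-ins for the RSA key and DNS records real DomainKeys uses, and the sample messages are constructed.

```python
import hashlib
import hmac
from email.parser import Parser
from email.utils import parseaddr

# Constructed stand-ins for what a receiver would fetch from DNS: a per-domain
# key (real DomainKeys publishes an RSA public key in a TXT record and signs
# with RSA; HMAC is used here only so the example runs offline) and the
# sender's declared policy that every outgoing message is signed.
DOMAIN_KEYS = {"paypal.example": b"constructed-shared-secret"}
SIGNS_ALL_MAIL = {"paypal.example"}

def _from_domain(msg):
    """Domain part of the From: address, e.g. 'paypal.example'."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower()

def _digest(msg, key):
    """MAC over From, Subject and body (real DomainKeys canonicalizes more)."""
    data = "\n".join([msg.get("From", ""), msg.get("Subject", ""), msg.get_payload()])
    return hmac.new(key, data.encode(), hashlib.sha256).hexdigest()

def sign(raw, domain):
    """Sender side: prepend a DomainKey-Signature header carrying d= and b=."""
    msg = Parser().parsestr(raw)
    sig = _digest(msg, DOMAIN_KEYS[domain])
    return f"DomainKey-Signature: d={domain}; b={sig}\n" + raw

def classify(raw):
    """Receiver side: 'deliver', 'drop' or 'unverified' for one raw message."""
    msg = Parser().parsestr(raw)
    domain = _from_domain(msg)
    header = msg.get("DomainKey-Signature")
    if header is None:
        # Unsigned mail from a domain that signs everything cannot be genuine.
        # A domain with no such policy gets no verdict: the consistency caveat.
        return "drop" if domain in SIGNS_ALL_MAIL else "unverified"
    fields = dict(part.strip().split("=", 1) for part in header.split(";"))
    key = DOMAIN_KEYS.get(fields.get("d", ""))
    if key is None or fields.get("d") != domain:
        return "drop"  # unknown signing domain, or d= does not match From:
    ok = hmac.compare_digest(fields.get("b", ""), _digest(msg, key))
    return "deliver" if ok else "drop"

# Constructed sample messages.
GENUINE = "From: service@paypal.example\nSubject: Your receipt\n\nThanks for your payment.\n"
PHISH = "From: service@paypal.example\nSubject: Verify your account\n\nClick here now.\n"
OTHER = "From: news@example.net\nSubject: Weekly digest\n\nHello.\n"
```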

He added that he hopes "this will set a good example for other organizations to follow … and that over time more and more e-mail will become trustworthy."

eBay and PayPal spent six months testing the DomainKeys system last year to make sure no e-mail was sent untagged. Mr. Barrett said in an interview at the time that PayPal was able to meet this demand despite being a "big, gnarly, complicated company." eBay and PayPal consistently rank among phishers' top targets.

MORE FROM AMERICAN BANKER