The saying goes, "If something's not working, try something else." And clearly, when it comes to the financial services and retail industries' response to phishing, something's not working. Unique phishing attacks reported to the Anti-Phishing Working Group hover around 25,000 per month, with spikes as high as 38,000 in the last year. Somewhere around 150 brands are targeted each month. And Gartner estimates that 3.3 percent of the 124 million consumers who received a phishing email last year lost money because of the attack. Why aren't industry efforts—from consumer education, to diligent takedown, to spam filtering—putting a dent in the problem? "Because we haven't addressed it at the Internet level; it's like Band Aids," says Gartner analyst Avivah Litan.
But the cause is far from lost. In the past twelve months PayPal and its parent company, eBay, have dramatically ramped up their anti-phishing strategy, framing the problem as how best to ruin the phishing fraudster's business model. The results have been striking. At one point, Sophos estimated that 75 percent of all phishmail targeted eBay and PayPal users, though targets do tend to vary over time and by how the statistics are collected. Since PayPal launched its new strategy, that figure has been reduced to less than 10 percent.
Eager to build industry cooperation to eradicate phishing, PayPal recently published a white paper entitled "A Practical Approach to Managing Phishing," available to all on the PayPal Website. The paper is surprisingly candid, withholding details only on its fraud-detection techniques. The strategy embodied in the paper has its fans and its critics, but few would disagree that it's time for stronger steps. "What is most important in what they're trying to do is say it's important to have a strategy in place," says Sean Kline, director of product management, Identity and Access Assurance Group, RSA, The Security Division of EMC. "Whether or not you agree with this strategy is up to your own organization."
PayPal breaks phishing down into the fraudster's profit equation as well as an MBA marketing professor would: the volume of phishmail sent out, multiplied by the response rate and by the monetized value of a stolen account, equals the fraudster's profit. PayPal long focused on the monetization of the account, effectively lowering fraudsters' profits; but, perversely, that approach encouraged fraudsters to increase the amount of mail sent in order to maintain their profit levels. The increased number of phishing mails served to further deteriorate the customer experience—either through financial losses or loss of trust.
So, rather than just focusing on reducing fraudsters' ability to monetize stolen accounts, the company's new strategy targets several blocking points within the fraudsters' business model. First, reclaim email by preventing phishing emails from being delivered at all. This requires senders to adopt a signed email strategy, and requires ISPs not to deliver unsigned email—not even to a customer's spam folder. PayPal initially partnered with Yahoo! Mail to prove the signing and blocking concept using DomainKeys and Sender Policy Framework. "After first going live with DomainKeys email blocking in October 2007, we have seen impressive results," PayPal CISO Michael Barrett writes in the paper.
In the first few months the company prevented the delivery of more than 50 million phishing emails, and then saw a significant drop-off in the number of attempted spoofs of PayPal's Yahoo users. PayPal also started working with Iconix.
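To make the receiver-side half of that blocking concept concrete, here is an added example (not code from PayPal, Yahoo! or the white paper) of a simplified Sender Policy Framework check and the delivery policy the article describes: mail claiming a domain that publishes a strict record and fails the check is refused outright rather than parked in a spam folder. The DNS records and domain names are constructed for the demo and are not real; the DomainKeys signature check that would run alongside this is not shown.

```python
import ipaddress

# Constructed SPF TXT records for fictitious domains; not real DNS data.
SPF_RECORDS = {
    "paypal.example": "v=spf1 ip4:198.51.100.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip6:2001:db8:1::/48 -all",
    "shop.example": "v=spf1 ip4:203.0.113.10 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, depth=0):
    """SPF result ('pass', 'fail', 'softfail', 'neutral' or 'none') for a message
    claiming envelope-from `domain` that arrived from `sender_ip`.
    Handles only the ip4, ip6, include and all terms (a subset of RFC 4408)."""
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"  # no policy published, or include chain too deep
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a term with no explicit qualifier means 'pass'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6"):
            # An IPv4 address is never 'in' an IPv6 network and vice versa.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            if check_spf(arg, sender_ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
    return "neutral"  # record exhausted without a match


def delivery_decision(domain, sender_ip):
    """Receiver policy in the spirit of the PayPal/Yahoo! pilot: a domain that
    publishes '-all' has asked for unauthenticated mail to be refused outright,
    not routed to a spam folder where a user might still open it."""
    result = check_spf(domain, sender_ip)
    if result == "pass":
        return "deliver"
    if result == "fail":
        return "reject"  # strict policy: do not deliver at all
    if result == "softfail":
        return "spam-folder"  # domain asked only for suspicion, not rejection
    return "deliver-unverified"  # no usable policy: nothing to enforce
```

A spoof arriving from an address outside the published ranges (for example 192.0.2.9 claiming paypal.example) is rejected, while the same address claiming shop.example, whose record ends in `~all`, only lands in the spam folder.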
Relying on the underlying browser technology to block users from visiting phishing sites is another PayPal tactic. Indeed, it's here that PayPal and Microsoft have become fast friends, with PayPal pushing Microsoft to incorporate additional security mechanisms into its browser, and encouraging users to choose the newest, and presumably safest, browser technology — i.e. IE7. PayPal loves IE7 not only for the use of extended validation certificates, but also for its outright site-blocking process.
PayPal has also re-engineered its blacklisting process, which encourages users to forward phishmails to spoof@paypal.com. PayPal rapidly investigates each entry, adding the fraudulent URLs to its blacklist, which is then distributed to the wider Internet community.
Elsewhere, PayPal comes down hard on weak authentication practices, especially those that use ostensibly private personal-information questions as part of the account recovery process. PayPal uses VeriSign's OATH-based token in the U.S., Australia and Germany, and plans to launch it in other markets.
PayPal doesn't say much about its fraud modeling techniques, other than that it makes significant investments in both technology and trained fraud investigators. Also mentioned are building relationships with law enforcement, government regulators and policy makers, and pushing to make sending out a wave of phishing emails a crime in itself, rather than the only prosecutable crime being the actual theft of funds from a stolen account.
Any security expert will find flaws with portions of PayPal's anti-phishing response. Among the most common are criticisms of EV Certificates, as "they're not the end-all, be-all," says Litan. "Companies can't even get them, and they're years away from being rolled out properly."
Criticism notwithstanding, the dramatic reduction in phishing emails targeting their customers is reason enough for institutions to consider PayPal's anti-phishing strategy. But, as PayPal notes, the realities of cybercrime can be frustrating. "As we look forward, with twelve months of history to build on, we believe we can already see the 'balloon squeeze' effect at work," Barrett writes. "We have observed a rise in the number of viruses and Trojans that are deployed to steal user credentials—a far more sinister way to accomplish the same end result as phishing." (c) 2008 Bank Technology News and SourceMedia, Inc. All Rights Reserved. http://www.banktechnews.com http://www.sourcemedia.com