
Jun 15, 2008

Yahoo! & eBay move to block phishers

Yahoo! Inc is working with auction leader eBay Inc & its PayPal payments unit to block fake e-mail messages to users purporting to be from eBay & PayPal, hoping to spur on an industry that has been slow to fight the scourge of so-called phishing attacks. eBay & PayPal have upgraded their computer systems to support an emerging technology standard known as DomainKeys, invented by Yahoo!, which verifies that e-mail senders are who they say they are, allowing Yahoo! to block fake e-mail messages. The technology upgrade will be made available to Yahoo! Mail users worldwide over the next several weeks. It is a big step forward for consumers in defense against the bad guys.

Along with banks & pharmaceutical makers, eBay & PayPal are among the brands most targeted by phishers seeking to trick consumers into divulging personal information such as credit card or password data in order to commit financial fraud. Over the past decade, phishing has been clogging the inboxes of e-mail users worldwide with ever more sophisticated attempts to fool users into clicking on fraudulent sites or giving up personal financial details to commit fraud. But to date, many of the defenses put forward by security software vendors & industry consortiums have failed to take hold with e-mail senders due to their complexity or costliness, or political infighting over standards, leaving individual consumers always guessing which e-mail may be real or fake.

A PayPal official said Yahoo!'s system provides a way of automatically detecting potential phishing attacks without relying on the consumer to do anything new. If the consumer doesn't receive an e-mail in their inbox then it is very hard for the phisher to victimise them.

Fear of blocking

2 camps have emerged among technology providers seeking to develop a coherent approach to identifying e-mail senders. One, backed by Yahoo! & Cisco Systems Inc, along with AOL, Google Inc, IBM Corp, Sendmail & VeriSign Inc, is the DomainKeys Identified Mail (DKIM) technology, which allows e-mail providers to identify the web domain from which a sender has sent e-mail. A 2nd standard, known as Sender Policy Framework (SPF), has been led by Microsoft Corp, which offers its own version of SPF known as Sender ID. SPF-based protections are used by Amazon, AOL, GoDaddy & eBay, which supports both DKIM & SPF. DomainKeys relies on more sophisticated cryptography than the Microsoft-supported approach.

This sophistication can make DomainKeys harder for websites to install but offers greater long-term defense against phishing attacks. So far, most consumers have installed sender authentication inside their e-mail systems as a monitoring tool but do not block e-mail, for fear of false positives that mistakenly treat legitimate customer messages as phishing attempts. However, despite the industry disagreements, an underlying consensus is emerging among software vendors, Internet service providers & corporate websites that digital e-mail signing in one form or another is the best shot to combat phishing.

2 years ago, if you asked companies whether they were using e-mail authentication, most people wouldn't have cared. Today, if you ask most organisations if they think it is a good thing, people would say, 'Yes'. The industry is slowly coming around. eBay & PayPal are some of the first to actively block unauthenticated e-mail messages.
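
The monitor-versus-block choice described above, as an added example (not code from this post or from Yahoo!, eBay or PayPal): a receiving server reads the DKIM & SPF verdicts that its own verifier recorded in an Authentication-Results header, then rejects unauthenticated mail only for domains known to sign everything. The server id `mx.example.net`, the strict-domain list, the rule that the authenticated domain must match the From domain, and the sample messages are all assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.example.net"          # assumed: our own receiving server's id
STRICT_DOMAINS = {"ebay.com", "paypal.com"}  # senders that sign all their mail

def within(domain, parent):
    """True if domain equals parent or is a subdomain of it."""
    return bool(parent) and (domain == parent or domain.endswith("." + parent))

def auth_results(msg):
    """Yield (method, result, domain) from Authentication-Results headers
    stamped by our own server; headers from any other source are ignored
    because the sender could have written them."""
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, rest = str(header).partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue
        for clause in rest.split(";"):
            m = re.match(r"\s*(dkim|spf)\s*=\s*(\w+)", clause, re.I)
            d = re.search(r"(?:header\.d|smtp\.mailfrom)=(?:\S*@)?([\w.-]+)", clause)
            if m:
                yield m.group(1).lower(), m.group(2).lower(), (d.group(1).lower() if d else "")

def decide(raw):
    """Return 'deliver', 'reject' or 'monitor' for one raw message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    passed = any(res == "pass" and within(sender, dom)
                 for _, res, dom in auth_results(msg))
    if passed:
        return "deliver"
    if any(within(sender, d) for d in STRICT_DOMAINS):
        return "reject"      # brand signs everything, so unsigned mail is fake
    return "monitor"         # deliver but log: avoids false positives

def sample(from_addr, results):  # constructed test messages, not real mail
    return f"From: {from_addr}\nAuthentication-Results: {results}\n\nbody\n"

SIGNED = sample("PayPal <service@paypal.com>", "mx.example.net; dkim=pass header.d=paypal.com")
UNSIGNED = sample("PayPal <service@paypal.com>", "mx.example.net; dkim=none; spf=pass smtp.mailfrom=bulk.example.org")
OTHER = sample("News <news@shop.example>", "mx.example.net; dkim=none; spf=neutral")
UNTRUSTED = sample("eBay <help@ebay.com>", "other.example; dkim=pass header.d=ebay.com")

if __name__ == "__main__":
    for name in ("SIGNED", "UNSIGNED", "OTHER", "UNTRUSTED"):
        print(name, decide(globals()[name]))
```

Only domains on the strict list are ever rejected; mail from every other sender is at worst logged, which is the false-positive concern the monitoring-only deployments are guarding against.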
