March 26, 2007 2:12 PM PDT
Newsmaker: At PayPal, fending off phishers--and Google
Phishing attacks are commonplace. PayPal advises people not to click on suspicious-looking links, but given the scope of the problem, more needs to be done to protect people.
PayPal Chief Technology Officer Scott Thompson talked to CNET News.com about new security measures in browsers and at Internet service providers' e-mail gateways that should help people differentiate legitimate PayPal e-mail from spam. He also discussed how eBay's PayPal business unit is going mainstream and global and how executives are not worried about competition from Google and its Checkout online payment service.
Q: PayPal and eBay continue to be popular targets for phishers. What are you doing to protect customers, and how can this problem be solved?
Thompson: Most other online relationships are with your bank or with a brokerage firm, and very rarely do you start with your e-mail address as your account identifier. We start with an e-mail address because that is the quickest way online to identify somebody, and that is also the quickest way to allow people to send money to each other. But it's very easy if you are a phisher or fraudster to guess your e-mail address and to send you something that might look like it's from PayPal or eBay. By the way, if (spammers) were to send you something, they are likely to be successful because we have over 133 million account holders today.
PayPal sends out about 6 billion e-mails a year. Earlier this year, we took the effort to put a digital signature that authenticates PayPal as the sender of all these e-mails, so when it goes out to ISPs, we have digitally authenticated that e-mail as being us. With Internet Explorer 7 one of the really neat things that is going to happen is the digital signature that we provide to Microsoft in that browser will actually turn the top line of the URL green. If it is not signed by us, if somebody is trying to imitate us, it will turn red. We also are working with ISPs around the world today, starting with all the big ones. If a PayPal e-mail doesn't have our digital signature on it, (the system) prevents it from ever arriving in your in-box. This will change the game rather dramatically in the whole spoof-phishing area.
When will we start seeing the benefits from that?
Thompson: If you have IE 7 today, you will see the URL line turn green. The same thing is true with Firefox. The other thing that is coming is we are working with ISPs and browser providers to determine all the bad sites around the world where this activity is coming from.
Can you tell me about the password-generating key fob? How is that rollout going?
Thompson: The uptake on that has been surprising. You never know when you launch something like that what the average customer might do. We have exceeded our estimates of what the uptake was going to be. Almost immediately after receiving the fobs, more than 50 percent of all the people who received the security device activated it immediately.
How many does that represent?
Thompson: Well, I don't know that I can give you the number, but we are (offering) them today in Australia, Germany and the United States. But we are not aggressively advertising it yet to all of the people who visit our payment site. And my sense is, when we do aggressively advertise it and market it to that same customer base, we are going to have an even further uptake.
So, would you say security is PayPal's biggest challenge, and if not, what is?
Thompson: I think this company even long before I arrived was grounded in security and was absolutely grounded in privacy. The standard that we have for ourselves far exceeds anything I have ever seen in any organization I have been in. Here's a good example. Every piece of customer information that we store on your behalf for any of the 133 million customers is completely and fully encrypted inside of our network and in all the computers we have here at PayPal. That is an investment that I would argue I have never heard of a bank making, never heard of a payment system company making it. People don't do that because it is extremely expensive. So, I think in the DNA of PayPal there has always been this extremely high consciousness for security and for privacy, and that continues even today, seven years after the company was founded. That is one of those great strategic advantages that we have over all the other competition that plays in the payment space.
Can you comment on the competition you might be seeing from Google Checkout? Have you seen any loss of market share or revenue?
Thompson: Sure. The first thing I would say is payments are really hard to deal with. It's a business that is built around precision. There is no margin for error in anything associated with payments, and that's the relationship we have with both buyers and sellers on the eBay site and our customers and merchants on eBay. Beyond that I fully expect that because payments is such a big business, that all the competitors that we know of today are going to be there tomorrow, and there is probably going to be a whole lot more that people are dreaming of right now in start-ups in Silicon Valley and elsewhere.
Needless to say, my client refrains from using PayPal to pay me, and I bet she will never use PayPal in her life - understandable. I contacted PayPal and they told me that I had to download and install an SSL certificate on my computer from an obscure link they sent by email. Obviously, I refused; I don't install anything like that on my computer unless it comes from Windows Update.
I use a multitude of online banks and IE 7.0, arguably the safest browser nowadays, works perfectly with all - but if you want to use PayPal, you have to install extra software (??) on your computer. Thanks, but I pass, and so does my client.
Recently I received a PayPal payment from a friend and it was credited to my account. I made an attempt to withdraw this money to my bank account - instead my friend's account was frozen, the money I received was withheld and a charge was placed on my account. Customer care was unable to provide any information or advice, and was confused about what was happening or when it would be resolved. It took two weeks, after which the money was returned to my friend's PayPal account. This happened even though he immediately logged into PayPal and confirmed his identity to unfreeze it.
2. Credit card payment reversed months later
On another occasion I sold an unused DVD player on eBay, received a payment by PayPal and sent the item. After several months the money I received was taken from my account as the buyer called his bank to cancel the transaction.
I did not even know the buyer used a credit card to pay me.
Summary: You are not in control of the money you think you have in your PayPal account.
I found a very informative site on how PayPal works:
http://www.paypalsucks.com
http://paypalsucks.org/graphics/PPS-Cartoon1.gif
Perhaps IE7 users with problems should try a Windows Update, to make sure that their browser is 100% up to date.
You don't need separate email accounts. You need either a service that allows you to have many different addresses received in the same inbox, such as fastmail.fm or gmail (username+paypal@gmail.com, though it's better not to use the word paypal as eventually villains might adopt it), or a service that forwards mail coming to many different addresses to your address (such as sneakemail.com. This is the one I use with banks and such. The email passing through sneakemail arrives in my inbox marked with the label I chose at sneakemail, so mail that comes to the address I gave to my bank would carry that label, and if it is not from my bank, or if mail claims to be from my bank and doesn't carry the correct SneakEmail labeling, I would know something is phishy!)
- PayPal
- by Aulderon March 28, 2007 10:37 AM PDT
- I would suggest that PayPal is fatally compromised and it has little or nothing to do with guessing your email address. Suggested experiment: Create a PayPal account and see how long it takes before your first phishing email comes in. BTW, within 24 hours is a good guess. Either the IT technology is compromised or there is an insider posting your information. I no longer use the PayPal registration service. It is just too big a risk.