Google on Tuesday said it is now using an e-mail authentication technology to keep phishers from luring Gmail users to fake eBay and PayPal Web pages in order to steal usernames and passwords.
The technology, DomainKeys, uses cryptography to verify the domain of the sender of an e-mail. It allows e-mail providers to validate the domain from which an e-mail originates, and it enables easier detection of phishing attempts by helping identify abusive domains.
Last October, Yahoo announced that it was protecting Yahoo Mail users with eBay and PayPal accounts from phishing attempts using the same technology.
The DomainKeys technology is covered by a patent assigned to Yahoo. The company released it under a dual-license scheme that allows the companies to use it royalty-free under the GNU General Public License (GPL 2.0), which enabled the Internet Engineering Task Force to approve it as a proposed Internet standard.
Blockbuster announced Tuesday it's teaming up with PayPal to offer users another payment method for purchases off its Web site.
Under the arrangement, consumers can use their PayPal account to pay for their online movie rental subscriptions. And later this summer, Blockbuster expects to launch its downloading service for movie rentals and purchases.
Eventually, Blockbuster expects to make PayPal available for use to purchase other things off the Web site, from gift cards to new and used DVDs.
Blockbuster is offering users $10 cash back to their PayPal account if they sign up for a new online Blockbuster rental subscription.
Buyers and sellers on eBay are due to get a bigger cushion for transactions gone bad.
At its eBay Live community conference this week, the online auction giant offered details on more generous PayPal protections and incentives for its top sellers, and also feted the anniversary of its Kijiji classified ad service.
Starting in the fall, the company says it will cover 100 percent of an item's purchase price on most transactions for buyers who use eBay's PayPal service, with no cap on coverage. The policy addresses items that are not received by buyers and those that are significantly different from their listing descriptions.
For sellers in PayPal transactions, eBay in the fall plans to boost protection against claims, charge-backs, and reversals connected to an unauthorized payment or failure of an item to arrive at its destination in 190 markets worldwide. The coverage, eBay says, will come at no additional cost to the seller and with no dollar limit.
The current ceiling for buyers' and sellers' coverage generally has been just a few hundred dollars, and sellers had been protected on shipments to only a handful of countries.
Starting this summer, meanwhile, top-rated PowerSellers will qualify for additional discounts based on their customer experience ratings. They could see 20 percent lopped off the commission that eBay charges sellers for sold items and a 23 percent reduction in daily rates for UPS ground shipping.
That move is likely to stir further resentment among smaller sellers already up in arms over existing discounts to top performers.
In addition, eBay noted the first anniversary of Kijiji's debut. While it's clearly pleased to have 4 million unique users per month for the classified ad site, it's also embroiled in a lawsuit filed by Kijiji rival Craigslist that accuses eBay of unfair competition, among other charges.
Google won't say who's behind it (um, Google, maybe?), but more than 50 merchants using the Google Checkout service for online payments are offering $10 discounts this summer.
Google mentioned the promotion on its Google Checkout blog on Wednesday.
The promotion applies to purchases of $60 or more from participating retailers. That includes better-known outfits such as Buy.com and TigerDirect.com as well as niche sites such as YoYoCrazy.com, Beefjerky.com, PondDeals, and MyHipHopBling.com.
Google Checkout's most obvious competitor is eBay's PayPal service, although the services aren't identical.
A problem this week hampered some Gmail users trying to use their PayPal accounts.
The problem caused Gmail to reject some legitimate PayPal service e-mails, Google confirmed in a statement Friday. The problem, reported Tuesday, prevented people from using Gmail to receive confirmation e-mails, set up new accounts, or reset passwords for eBay's online payment system.
The problem "affected a very limited number of users," Google said. "We worked quickly to fix the problem, and we apologize for any inconvenience this issue may have caused." The company encourages those with technical difficulties to report them to the Gmail Help Center.
In the last few months, both Google and eBay unit PayPal have quietly rolled out new online-payment solutions that specifically target Internet-based political-campaign contributions.
While the companies primarily pitch their new products as methods for "attracting more supporters" and "increasing online giving to your campaign," the Internet titans have also laid the groundwork for phishing-resistant campaign contributions.
Google Checkout for Political Contributions (Credit: Google)
In a research paper released last year, Markus Jakobsson, Oliver Friedrichs, and I wrote about the looming threat of phishing Web sites posing as legitimate political-campaign sites.
The phishing problem is a particular threat to campaign sites, for a number of reasons:
- The various campaigns use completely inconsistent naming schemes for their domains. Users have no way of knowing if they should go to Hillaryclinton.com or Hillary.com, Rudygiuliani.com or Joinrudy2008.com.
- Politicians were nice enough to exempt themselves from antispam laws. An online store cannot send out unsolicited e-mail and ask you to buy their products, but politicians can send out hundreds of thousands of e-mails asking people to donate money.
- While online banks have gone to great lengths to educate their users about the dangers of clicking on links in e-mails, the campaigns all encourage this dangerous behavior. At the end of e-mail messages describing the threat posed by the opposite party, potential donors are asked to click and donate.
- Campaign contributions don't result in the sale of a physical good. If a phisher pretends to be Amazon.com and tricks a user into entering his or her credit card number, there is a good chance that the victim will figure it out when her book never shows up. However, once a donor has given money using a legitimate campaign Web site, the only thing they will ever receive is a thank-you e-mail, which can easily be spoofed by a phisher.
In our research paper, we suggested that Google and PayPal begin to offer online-campaign contribution systems. The two companies have already spent millions of dollars in establishing trusted brands--enough that millions of users entrust the firms with their credit card details and other personal information, both have Web site names that users can remember, and the two companies have well-staffed security teams that can respond in real time to phishing threats.
A couple weeks ago, PayPal launched its "PayPal Kit for Non-Profits" product. Similarly, Google recently announced a form of Google Checkout specifically designed for political campaigns.
I'm not going to claim credit for inspiring these product deployments, as I'm sure that the legal complexities in designing a campaign contribution system are significant enough that the firms were working on the products long before my colleagues and I published our paper. However, it is nice to see that we successfully predicted the future.
Both sites pitch their products as ways for campaigns to increase the amount of money that is donated and to increase the number of potential people who will give. The massive security benefits to donors and to the campaigns (in terms of the reputation damage they would suffer if a phishing attack occurs) are glossed over.
The introduction of these products is a great first step. However, the millions of people who donate to campaign sites are not yet safe from phishing attacks.
First, the campaigns need to all ditch their own home-brew payment-processing solutions and switch to the exclusive use of either Google, PayPal, or both.
Second, the campaigns need to stop telling users to click on links in donation solicitation e-mails.
Third, the campaigns need to engage in user education and tell people that they should not give money through anything other than Google or PayPal.
With millions of dollars per week being raised online for the presidential campaigns, this is an area that is ripe for fraud and evil activity. While the phishers have thus far not targeted campaign sites, it is surely a matter of time before they do. However, if the campaigns are smart, and start taking advantage of the tools made available to them by trusted online-payment sites, they can do much to reduce the risk that phishers pose to the online-donation process.
It remains to be seen if the campaigns will actually be wise enough to embrace Google, PayPal, and others--or if they will allow their reputations and the confidence of online users to be trashed due to an inability to see future threats.
Disclosure: I interned with Google's security team in 2006 and have received $5,000 of fellowship money from Google and the Hispanic College Fund in both 2007 and 2008.
Correction 9:30 a.m. PST: This blog initially misstated the day the deal was announced. It is Monday.
eBay company PayPal announced Monday it plans to acquire Fraud Sciences in a cash deal valued at $169 million.
Fraud Sciences, a privately held Israeli company, will lend its online risk tools and analytics to both eBay and PayPal's fraud management systems. Fraud Sciences' technology will also be baked into the companies' next-generation fraud detection tools.
Just last June, eBay was busy trying to nab fraudsters in Romania. The company said thieves were trying to lure losing bidders off the eBay site to give them the proverbial "second chance" to win the item they were bidding on.
Several months earlier, the FBI arrested a Bulgarian woman for allegedly bilking eBay users out of $350,000 for expensive goodies that they never received.
Needless to say, eBay is looking to take the Fraud Sciences technology and meld it into its plans this year to improve the trust and safety of its sites, including PayPal.
The Fraud Sciences deal is expected to close within the next 30 days.
I had to wake up early to do it, but I was able to order an XO laptop from the One Laptop Per Child Foundation (and donate another at the same time).
I was prepared to discover the project's Web site overloaded with visitors--one observer predicted the allotted systems would sell out "in 30 seconds." But I had no problems.
The XO laptop from the OLPC Foundation (Credit: OLPC Foundation)
I visited Laptopgiving.org promptly at 3 a.m. Monday, saw that the main page had changed to show the start of the "Give One Get One" program, and clicked the "Find out more" button. That took me to a page providing a small amount of additional detail on the program plus a link to place an order.
The ordering link took me to PayPal--so that could explain why the OLPC site wasn't overwhelmed; they're only providing two pages to most visitors. All the e-commerce overhead happens on PayPal's network. I was able to complete the transaction without delays, for a total of $423.95 including shipping.
Back on the OLPC site, I learned that T-Mobile is providing a full year of complimentary access to the company's HotSpot Wi-Fi access points for OLPC buyers. This service applies to any Wi-Fi device, too, not just the XO. T-Mobile values this donation at "more than $350."
That won't mean much to me because I prefer to use my Option GT Max 3.6 Express cellular wireless modem card on the AT&T network when I'm traveling. But for those who would otherwise pay for T-Mobile access, this is a pretty nice offer.
Here's an interesting note in the "Terms and Conditions" page for the purchase:
9. Neither OLPC Foundation nor One Laptop per Child, Inc. has service facilities, a help desk or maintenance personnel in the United States or Canada. Although we believe you will love your XO laptop, you should understand that it is not a commercially available product and, if you want help using it, you will have to seek it from friends, family, and bloggers. One goal of the G1G1 initiative is to create an informal network of XO laptop users in the developed world, who will provide feedback about the utility of the XO laptop as an educational tool for children, participate in the worldwide effort to create open-source educational applications for the XO laptop, and serve as a resource for those in the developing world who seek to optimize the value of the XO laptop as an educational tool. A fee-based tech support service will be available to all who desire it. We urge participants in the G1G1 initiative to think of themselves as members of an international educational movement rather than as "customers."
Personally I still feel more like a customer than a member of a movement, but maybe after I've spent some time working with the XO, I'll feel differently.
I have no idea when I'll get the XO I just ordered, nor any idea where the second XO I've paid for will end up. But the project says it'll try to ship my system, at least, before the holidays. When it arrives, I'll write more about it here.
If you use Yahoo Mail you should be seeing a significant reduction in the number of e-mail scams purporting to be from eBay and PayPal very soon.
Yahoo will be upgrading its system beginning on Thursday with technology--dubbed "DomainKeys"--designed to block phishing spam and other fraudulent e-mails that look like they come from eBay and PayPal but don't. The system works by verifying the domain of the sender of the e-mail, allowing ISPs to block messages they deem illegitimate.
The upgrade is expected to be accomplished globally over the next several weeks.
Typically, the phishing scams masquerade as e-mails from trusted financial sources and direct a recipient to a Web site where they're asked to enter their user name and password. From there, their information is stolen.
Although most companies warn their customers that they won't send unsolicited e-mails asking for usernames and passwords, many people are still fooled. Blocking the scam e-mails before they hit in-boxes should cut down on the problem. Now, when is Yahoo going to do this for the major banks?
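The DomainKeys checks described above (and in the Gmail item at the top of this page) reduce to one flow: the sending domain signs each message, publishes its public key in DNS under `<selector>._domainkey.<domain>`, and the receiving provider verifies the signature before trusting the domain in the From header. The following is an added illustration, not Yahoo's, Google's or eBay's code: it uses a toy RSA built from Mersenne primes with no PKCS#1 padding, a dictionary standing in for DNS TXT records, a simplified canonicalisation, and constructed sample messages from the made-up domain `paypal.example`.

```python
# Added example: the DomainKeys flow the article describes. The sender signs the
# message, publishes its public key in DNS at <selector>._domainkey.<domain>,
# and the receiver verifies before trusting the claimed sender domain.
# Toy RSA (Mersenne primes, no PKCS#1 padding) and a dict standing in for DNS.
import base64, hashlib, re

def make_keypair():
    p, q, e = 2**127 - 1, 2**107 - 1, 65537  # toy primes; never use in practice
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

DNS_TXT = {}  # constructed stand-in for "s._domainkey.d" TXT records (k=rsa; p=...)

def _split(msg):
    head, _, body = msg.partition("\r\n\r\n")
    return dict(l.split(": ", 1) for l in head.split("\r\n")), body

def _digest(hdrs, body):  # simplified canonicalisation: From + Subject + body
    data = f"{hdrs.get('From', '')}\r\n{hdrs.get('Subject', '')}\r\n\r\n{body}"
    return int.from_bytes(hashlib.sha1(data.encode()).digest(), "big")

def sign_message(msg, domain, selector, priv):
    hdrs, body = _split(msg)
    n, d = priv
    b = base64.b64encode(pow(_digest(hdrs, body), d, n).to_bytes(32, "big")).decode()
    return (f"DomainKey-Signature: a=rsa-sha1; q=dns; s={selector}; d={domain}; "
            f"c=simple; b={b}\r\n") + msg

def verify_message(msg):
    """Return (accepted, reason); a receiving ISP would reject on False."""
    hdrs, body = _split(msg)
    if "DomainKey-Signature" not in hdrs:
        return False, "unsigned"
    tags = dict(re.findall(r"(\w+)=([^;]+)", hdrs["DomainKey-Signature"]))
    from_domain = hdrs.get("From", "").rsplit("@", 1)[-1].rstrip(">")
    if tags.get("d") != from_domain:
        return False, "signing domain does not match From"
    key = DNS_TXT.get(f"{tags.get('s')}._domainkey.{tags['d']}")
    if key is None:
        return False, "no DomainKeys record in DNS"
    n, e = key
    sig = int.from_bytes(base64.b64decode(tags["b"]), "big")
    ok = pow(sig, e, n) == _digest(hdrs, body)
    return ok, "signature valid" if ok else "signature invalid"

# Constructed demo: the real domain publishes its key; a phisher cannot.
PUB, PRIV = make_keypair()
DNS_TXT["s1._domainkey.paypal.example"] = PUB
GENUINE = sign_message("From: PayPal <service@paypal.example>\r\n"
                       "Subject: Receipt\r\n\r\nThanks.", "paypal.example", "s1", PRIV)
SPOOFED = "From: PayPal <service@paypal.example>\r\nSubject: Verify\r\n\r\nClick here."
```

An unsigned spoof, a tampered body, a signature whose `d=` does not match the From domain, and a selector with no DNS record are all rejected; only the message signed with the key published for `paypal.example` is accepted.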
The days of PayPal's dominance over casual payments online are changing rapidly. A little over a year ago, Google unveiled its Checkout service, which has become an increasingly popular way to purchase items from various online retailers using a single account. Today, Amazon.com is unveiling its own payment program that lets Amazon.com users purchase items or services using their Amazon.com account credentials and billing information.
The new program is called "Flexible Payment Service", or FPS, and is launching with an invite-only API for developers who want to integrate the new payment service. What does this mean to you, the user? If you've got an Amazon.com account, you won't have to create a special log-in or give up your personal information to participating sites in order to make a purchase. Considering how many users Amazon.com has, and the one-click nature of its Web-shopping model, this is kind of a big deal.
Of course, this doesn't come free. While there are no start-up charges for users or sites, Amazon collects a small fee for each transaction, including purchases as small as $.01 or even smaller. The rates are listed on the FPS info page, and from the looks of things they seem like a better deal for smaller transactions when compared to Google Checkout and PayPal.
One of the first sites out the gate with Amazon FPS integration is FreshBooks, an invoicing service we covered last year. Expect to see many others in the coming months as Amazon opens up the beta.