It’s the front lines in the online fraud war: eBay and its PayPal subsidiary are the most-spoofed brands by fraudsters engineering phishing scams, according to research firm Gartner. Mike Vergara, senior director of accounts protection at PayPal, is a foot soldier in that war, contributing to the company’s efforts to defend hundreds of millions of eBay and PayPal customers. Vergara recently discussed the e-commerce giant’s anti-fraud strategy with Network World Senior Editor Ellen Messmer.
What have eBay and PayPal been doing to fight online fraud attempts?
To keep over 170 million PayPal accounts safe, we went live last June with our Security Key for two-factor authentication. I'm not free to tell you the exact numbers of people using this security token, but I can say it’s been well accepted.
What’s the latest thinking about combating phishing aimed at eBay and PayPal customers?
We need better e-mail authentication, and for that we support the standard called DomainKeys Identified Mail, [which provides] for cryptographic signing of a piece of e-mail, to see where it came from. But there are two different standards for this, with another called Sender ID SPF, which Microsoft supports. So we support both.
How does this work?
All the e-mail sent from PayPal -- such as funds transfers or transactions such as receipt and statement -- is signed using DomainKeys and Sender ID SPF. Many ISPs, including Yahoo, Google, Comcast and AOL, now use DomainKeys. Over the summer, our partnership with Yahoo grew so that now Yahoo blocks phishing e-mail based on DomainKeys, deleting it before it hits Yahoo accounts. Google and Gmail, Comcast and AOL do support the DomainKeys signature but they don’t yet support blocking. They might label e-mail with a ‘suspicious variable’ in their spam filter instead. We know deploying the infrastructure to do blocking takes time. But our strategy is to have every ISP in the world blocking phishing e-mail.
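The receiving ISPs Vergara describes verify the DomainKeys/DKIM signature before deciding whether to block or label a message; the body-hash half of that check is shown below as an added Python example, not PayPal's, Iconix's or any ISP's code. The helper names and the sample message are constructed, and the RSA header signature (b=) and DNS key lookup are left out.

```python
import base64
import hashlib
import hmac
import re

# Added illustration with hypothetical helper names; not PayPal's or any ISP's code.
# Only the DKIM body-hash (bh=) check is shown: the RSA signature over the headers
# (b=) and the DNS lookup of the signer's public key are omitted.

def canonicalize_body_relaxed(body: str) -> str:
    """Relaxed body canonicalization (RFC 6376, section 3.4.4): strip trailing
    whitespace on each line, collapse runs of SP/HTAB to one SP, drop empty
    lines at the end, and terminate a non-empty body with CRLF."""
    lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n" if lines else ""

def body_hash(body: str) -> str:
    """bh= value: base64 of SHA-256 over the canonicalized body."""
    digest = hashlib.sha256(canonicalize_body_relaxed(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")

def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs, dropping folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def verify_body_hash(dkim_header: str, body: str) -> bool:
    """Receiver-side check that the body was not altered after signing."""
    tags = parse_dkim_tags(dkim_header)
    if tags.get("v") != "1" or tags.get("a") != "rsa-sha256":
        return False
    canon = tags.get("c", "simple/simple")            # header/body algorithms
    if (canon.split("/") + ["simple"])[1] != "relaxed":
        return False                                   # only relaxed body canon here
    return hmac.compare_digest(tags.get("bh", ""), body_hash(body))

# Constructed sample: a receipt-style body with sloppy whitespace, and the
# DKIM-Signature a signer would attach (b= left as a placeholder).
BODY = "Hello,\r\n\r\nYou sent a payment of $20.00 to  Example Store.\t\r\n\r\n\r\n"
DKIM_HEADER = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=constructed;\r\n"
               " h=from:to:subject; bh=" + body_hash(BODY) + ";\r\n b=PLACEHOLDER")

if __name__ == "__main__":
    print("body hash valid:", verify_body_hash(DKIM_HEADER, BODY))
```

A mismatch here means the body changed in transit (or was never signed by the claimed domain), which is the condition that lets a receiver drop or flag the message before it reaches the inbox.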
But isn’t it likely there will always be some ISP somewhere that doesn’t?
Yes, so we’re also taking another approach as well to make sure our customers are safe. We’re offering e-mail plug-in software from a small start-up called Iconix that can read either the DomainKeys or Sender ID SPF signatures. This is a plug-in for e-mail, whether Web-based or other, such as Microsoft’s Outlook Web Access. When e-mail arrives, it asks whether it should give a seal of approval for e-mail from PayPal or eBay. It will show you that the e-mail is really from us.
Does this get eBay and PayPal into the area of software support?
This is our first e-mail product but most questions will go to Iconix and if they don’t know the answers, our help desk will be there.
Is this add-on software free, and how did you decide on this buy-rather-than-build approach?
It’s free. We had the beta last year and compared the software against similar products from Message Level and Goodmail, and liked this one the most. We don’t have the design experience in this field to build this ourselves, so we decided to go with the Iconix software, and we’re encouraging our customers to use it.