
A Practical Approach to Managing Phishing

Hi, I'm Michael Barrett, chief information security officer at PayPal.

I joined PayPal almost exactly two years ago.  Within the first couple of weeks, I sat down with my colleague who runs the team responsible for our anti-phishing programs and we evaluated PayPal’s strategy for combating phishing.  We realized that our strategy focused on preventing financial loss to our customers’ accounts, and we did this quite well since we always reimburse users 100 percent if their accounts are accessed by a fraudster.  But we also realized that there was a holistic dimension that our approach was missing – how do we prevent phishmail from getting to our customers in the first place?

Since then, we've completely rethought our approach to how we deal with phishing, and deployed many barriers to help reduce its impact to our customers and our business.  We've been executing against this strategy for close to 18 months, and have a great deal of first-hand experience about what works, and what doesn't.  Over that period of time, we've been able to move PayPal from being one of the most phished brands on the Internet to a much less prominent target.

A certain number of people in the Information Security business have become fatalistic and seem to believe that phishing is an unsolvable problem.  Our experience suggests this is far from the case, and that if organizations adopted the techniques we've demonstrated, we can collectively make the Internet a great deal safer for our customers.

I speak quite a bit on this topic at Information Security conferences around the world.  One of the questions that I'm often asked is this: "The presentation was great, but where can I find more information?"  We therefore thought that an excellent way to address this question was to lay out our strategy in more detail.  So, my colleague Dan Levy and I wrote a paper on the topic, which we’ve published today in conjunction with the RSA Conference, which is the largest security conference in the world.

If you're in the IT or Information Security business, we think you'll find it to be useful and relevant.  I invite you to download the whitepaper here (you may need to right-click and select Save As).


Comments

Hi Michael,

I attended your talk at RSA and thought it was one of the most informative presentations at the conference. I spoke to you briefly afterwards, asking you about defending man-in-the-middle attacks.

[remainder of comment edited]

Regards,

jon

Absolutely GREAT white paper regarding phishing. Thank you for your leading edge work in this problem area. Regards, Richard

I am curious as to when PayPal, clearly the gold standard for money everywhere, will replace paper and coin currency as a way to transact.

If anyone would know phishing, it's PayPal.

Jon,

Thanks for your comment! This is quite a sensitive topic and not something we’re prepared to discuss in a public forum like this blog. If I may suggest, please leave another comment with your email address (we won’t publish it) and I will reach out to you directly.

Could you clarify reports that PayPal won't allow the use of Safari in the future due to Apple's lack of support for extended validation SSL certificates? That sounds unlikely, and some reports indicate that the first announcement from PayPal wasn't clear enough, and subsequent statements (that don't appear to have been posted publicly) deny that Safari will be excluded.

Further, I expect that Apple could support EV SSL quite easily if it became something that they needed to do.

I just got this phishing email with a link saying:

Information Regarding Your account:
Dear PayPal Member:

Attention! Your PayPal account has been limited!

As part of our security measures, we regularly screen activity in the PayPal system.We recently contacted you after noticing an issue on your account.We requested information from you for the following reason:

Our system detected unusual charges to a credit card linked to your PayPal account.

Reference Number: PP-259-187-991

I almost believed it, but when I went to the link and changed the language to Spanish, the site did not show the "ñ", which made me suspicious; then there was no Spanish site, which proved that it was a scam, but the site looks exactly the same!
http://www.popay12.ns8-wistee.fr/www.Paypal.com/

I received this and know it is a hoax.

I thought you might want to see who is sending this out. They don't even have the name spelled correctly in their "From" address.

From: service@paypall.com
Cc: recipient list not shown:
Sent: Sunday, April 20, 2008 9:52 AM
Subject: Notification of Limited Account Access.

Dear PayPal valued account holder,

We recently noticed one or more attempts to log in your PayPal account from a foreign IP address and we have reasons to believe that your account was hijacked by a third party without your authorization.
If you recently accessed your account while traveling, the log in attempts may have initiated by you.

However if you are the rightful holder of the account, click on the link below and submit, as we try to verify your account.

Please click " here "(this "here" part will not print out as it is in the email) to login into your PayPal account and then fill in the required informations. This is required for us to continue to offer you a safe and risk free environment.

The log in attempt was made from:

IP address: 83.142.129.17
ISP host: www.germany-tourism.de

If you choose to ignore our request, you leave us no choice but to temporally suspend your account.
We ask that you allow at least 48hrs for the case to be investigated and we strongly recommend not making any changes to your account in that time.

* Please do not respond to this email as your reply will not be received.

Thank you for your patience as we work together to protect your account.

Copyright © 1999 - 2008 PayPal. All rights reserved.
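The two phishing messages quoted above show the cues the commenters spotted themselves: a near-miss sender domain (paypall.com) and a link that puts the brand name in the path of an unrelated host. The following is an added example, not code from the post or from PayPal, of a small triage check that flags exactly those cues; the list of legitimate domains and the "last two labels" approximation of the registrable domain are assumptions made for the example.

```python
from urllib.parse import urlparse

BRAND = "paypal"
# Assumption for this example: the brand's only legitimate registrable domain.
LEGIT_DOMAINS = {"paypal.com"}


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels (assumption: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain_flags(from_addr: str) -> list:
    """Flag a From: address whose domain is not legitimate, and note if it is a near-miss lookalike."""
    domain = from_addr.split("@")[-1].strip().lower()
    flags = []
    if domain not in LEGIT_DOMAINS:
        flags.append("sender domain %r is not a known %s domain" % (domain, BRAND))
        if min(edit_distance(domain, d) for d in LEGIT_DOMAINS) <= 2:
            flags.append("sender domain is a near-miss lookalike of the real domain")
    return flags


def url_flags(url: str) -> list:
    """Flag a link whose registrable domain is not the brand's, with extra notes on where the brand name hides."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    flags = []
    if registrable_domain(host) not in LEGIT_DOMAINS:
        flags.append("link host %r is not a known %s domain" % (host, BRAND))
        if BRAND in host.lower():
            flags.append("brand name appears as a subdomain or label of an unrelated host")
        if BRAND in parsed.path.lower():
            flags.append("brand name appears in the URL path, not in the registrable domain")
    return flags
```

The two quoted messages trigger, respectively, the near-miss sender flag (paypall.com is one edit away from paypal.com) and the brand-in-path flag for www.popay12.ns8-wistee.fr/www.Paypal.com/, while a genuine paypal.com sender or link yields no flags.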

Jon, I enjoyed RSA immensely, and I am now more sorry than ever I missed your presentation. Nice work on the paper, I'm glad I found this blog (through Verisign).
