PayPal reduces fraud attacks

PayPal reduces fraud attacks

Internet payment firm reduces phishing with layers of defences

The proportion of worldwide phishing scams targeting PayPal has dropped from three-quarters to less than two per cent in just 18 months.

Phishing ­ where criminals send emails purporting to be from a financial institution to obtain customers’ details ­ cost the UK alone £33.5m in 2006. And the internet payments firm’s vast user base of more than 153 million accounts was proving an attractive target.

But PayPal’s work with industry and law enforcers has taken back the initiative, chief information security officer Michael Barrett told Computing.

“Such a huge drop is due to the fact that we have implemented a layered series of defences, including both technical and educational measures,” he said.

The company has an agreement with web-hosted email servers that only “digitally signed” emails from PayPal will be accepted by account inboxes ­ drastically reducing the number of bogus mails reaching users.

The firm has tackled phishers’ practice of redirecting customers to a fake site by working with major internet browsers to introduce an authentication marker that turns the address bar green or red, depending on whether or not an address is trusted.

PayPal also offers users security keys which issue a one-time password that changes every few seconds, thus preventing criminals from accessing accounts.

Working with other firms has been crucial, said Barrett.

“Industry co-operation is always better than trying to solve the problem alone,” he said. “We have also developed deeper relationships with law enforcement agencies.”

But the growing sophistication of the criminals means the problem will never be solved.

Phishers will always target the “low-hanging fruit”, said Peter Cassidy, secretary general of the Anti-Phishing Working Group. “In 2004 there were only a dozen targets, now there are more than 170,” he said.

The phishing figures were collected by anti-spam company ClearMyMail.