PayPal handles payment processing for somewhere in the neighborhood of 141 million users around the world. That is an enormous responsibility, and it also makes the company a prime target for the criminals who run phishing scams.

According to PayPal, in spring 2006, phishing scams against its customers accounted for approximately 80 to 90 percent of all phishing email in circulation. By spring 2007, the percentage had dropped to just over 10 percent, and it is now hovering somewhere around 5 percent. That's a dramatic reduction in attacks against PayPal customers. The obvious question is why that figure dropped.

PayPal isn't completely sure, but during that timeframe the company did implement a detailed approach to making phishing scams ineffective. I think knowledge of this approach will be valuable to any security administrator responsible for securing Web sites that handle some sort of transaction processing--particularly when the transactions involve money and people's private information.

In a newly released white paper, PayPal Chief Information Security Officer (CISO) Mike Barrett details the company's analysis of the overall phishing problem and how PayPal strategized to defend against it. The approach is both practical and logical.

The company first identified five aspects of the phishing problem: the fraudsters' profit-driven motive, the phishing email message itself, the spoofed PayPal Web page it leads to, the credentials stolen from victims, and the financial loss and bad user experience of the victim when an attack succeeds, which in turn lowers activity at PayPal overall. In short, phishing was causing PayPal's business to decline as consumer confidence waned.

PayPal then came up with five silver bullets, one for each aspect of the overall problem. To address phishing email itself, the company came up with a strategy to help ensure that such email never reached people's inbox. Since the scams invariably involved spoofed PayPal Web pages, the company realized that it had to help prevent those pages from being displayed. In the event that a customer did fall prey, PayPal had to ensure that their stolen credentials could not be used. As a heavy disincentive to launch such scams in the first place, PayPal goes after fraudsters with the full weight of the legal system. And, to help protect its brand and its customers, the company educates consumers by providing security-related information for the layperson on its Web site and makes certain security decisions for customers if they fail to do so themselves.

The last measure was probably the most difficult for PayPal to decide on because it involves prohibiting users of certain browsers from conducting business at PayPal's site. However, taking such action is for consumers' own protection, and at the same time it provides an opportunity to educate consumers and raise their awareness regarding online safety.

As you well know, older browsers lack the latest security fixes and are far more exposed to attack. PayPal draws three lines in the sand depending on which browser version is in use, which requires the company to stay on top of the latest browser releases. If you visit PayPal with a current browser version, you'll see no messages or warnings. If you're using the previous major version, you'll see a warning message, but you'll still be allowed to use the site. If you visit the site with a browser version more than one major release old, you'll see a warning message and will be barred from using the site.

The other prongs of PayPal's approach involve a considerable amount of partnering with various industries. For example, to help stop scam-related email from reaching inboxes, PayPal encourages ISPs to use Sender Policy Framework (SPF) and DomainKeys. PayPal also encourages people to use Iconix's email verification technology for email clients. To help block phishing sites, the company has to collect potential scam messages, extract embedded URLs, examine the Web pages, build blacklists, and feed the blacklist information to more than 50 blacklist providers. To pursue legal recourse against and create disincentives for scammers, PayPal works with law enforcement as well as government officials and policy makers.
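The collect-extract-examine-blacklist pipeline described above is the piece most readers can reproduce on a small scale, so here is an added example of the URL-extraction and blacklist-building step. This is illustrative code written for this article, not PayPal's own tooling, and the white paper does not describe how PayPal implements it. The email message is constructed for the example (the `.example` domains are not real phishing sites), `paypal.com` is assumed to be the only legitimate domain, and the two-label domain approximation stands in for a proper Public Suffix List lookup.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption for the example: the set of domains the brand legitimately uses.
LEGITIMATE_DOMAINS = {"paypal.com"}

# Matches bare URLs in plain-text parts (and inside anchor text).
URL_RE = re.compile(r"""https?://[^\s<>"']+""")

# Constructed sample message for this example; the hosts are not real phishing sites.
# It shows two classic tricks: an href that differs from the visible link text, and a
# URL that puts the brand's hostname in the userinfo field before the real host.
SAMPLE_EMAIL = b"""\
From: "PayPal" <service@paypal.com>
To: victim@example.net
Subject: Your account has been limited
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Please confirm your details at http://www.paypal.com@secure-login.example/confirm
--b1
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Please <a href="http://paypa1-verify.example/cgi-bin/webscr">log in to www.paypal.com</a>
to restore access.</p>
<p>Help: <a href="https://www.paypal.com/help">https://www.paypal.com/help</a></p>
</body></html>
--b1--
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML part."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    # urlsplit().hostname drops the userinfo component and lowercases the host, so
    # http://www.paypal.com@secure-login.example/ resolves to secure-login.example.
    return (urlsplit(url).hostname or "").lower()


def registrable_domain(host):
    # Crude two-label approximation; a production system would use the Public Suffix List.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def extract_links(raw):
    """Return (href, visible text) pairs from every text part of a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    links = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            links.extend(collector.links)
        elif ctype == "text/plain":
            # A bare URL is its own visible text.
            links.extend((u, u) for u in URL_RE.findall(part.get_content()))
    return links


def classify(raw, legitimate=LEGITIMATE_DOMAINS):
    """Flag each link whose real host is outside the legitimate domains or looks deceptive."""
    findings = []
    for href, text in extract_links(raw):
        host = host_of(href)
        if not host:
            continue
        reasons = []
        if registrable_domain(host) not in legitimate:
            reasons.append("host is outside the legitimate domains")
            if any(d in text.lower() for d in legitimate):
                reasons.append("visible link text names a legitimate domain")
        if "@" in urlsplit(href).netloc:
            reasons.append("userinfo placed before the real host")
        findings.append({"url": href, "host": host, "suspicious": bool(reasons), "reasons": reasons})
    return findings


def build_blacklist(raw, legitimate=LEGITIMATE_DOMAINS):
    """Hostnames to feed to blacklist providers: the distinct hosts of suspicious links."""
    return sorted({f["host"] for f in classify(raw, legitimate) if f["suspicious"]})


if __name__ == "__main__":
    for finding in classify(SAMPLE_EMAIL):
        print(finding["suspicious"], finding["url"], finding["reasons"])
    print("blacklist:", build_blacklist(SAMPLE_EMAIL))
```

The important check is that the host is taken from the parsed URL rather than from the text a user sees: both the `user@host` trick and the mismatched anchor text would pass a naive substring match for `paypal.com`. The legitimate help link survives, which matters because feeding your own hostnames to 50 blacklist providers would be an own goal.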

While PayPal's approach is multifaceted and requires considerable resources that might not be available to many smaller organizations, it is nevertheless a very good outline of strategies that can be used either as a whole or in part by many of you. Consider taking some time to read the 11-page white paper. I think you'll find it very helpful in giving you some ideas about how you can strengthen your overall defenses and build goodwill with your online customers.

http://www.thepaypalblog.com/weblog/files/a_practical_approach_to_managing_phishing_april_2008.pdf