What do you get when Yahoo, eBay, and PayPal join forces against malware? A collaborative effort to help protect consumers against fraudulent e-mails and dangerous scams commonly called phishing attacks.
A movement got underway on Thursday that gives eBay and PayPal customers who use Yahoo Mail an upper hand against fraudsters by blocking fake e-mails that claim to be coming from these popular online properties.
Michael Barrett, chief information security officer at PayPal, called it an aggressive move and a significant step in the fight to protect consumers against e-mail-based crimes. "While there is clearly no silver bullet for solving the problems of phishing and identity theft," he said, "[the] announcement is great news for our customers who rely on Yahoo Mail."
The Domain Keys Equation
Yahoo's Domain Keys technology is designed to verify that an e-mail message really came from the domain it claims to come from, allowing ISPs and other receiving mail providers to decide whether a message is genuine and should be delivered to a customer's inbox. Yahoo developed Domain Keys to address the widespread problem of e-mail forgery. The sending domain signs each outgoing message with a private cryptographic key and publishes the matching public key in DNS, so any receiver can fetch that key and check the signature.
Essentially, Domain Keys lets e-mail providers validate an e-mail's originating domain, which makes blacklists and whitelists keyed on the sending domain more effective, since a forger can no longer borrow a reputable domain's name. It also makes phishing attacks easier to detect by helping to identify abusive domains. In May 2007, the Internet Engineering Task Force approved DomainKeys Identified Mail (DKIM), the successor specification that merged Domain Keys with Cisco's Identified Internet Mail, as a proposed standard (RFC 4871).
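The signing, publishing, verifying and blocking steps described above, end to end, as an added example written for this page; it is not Yahoo's Domain Keys code and not a conforming implementation of either Domain Keys or DKIM. The header layout follows DKIM (RFC 4871) with RSA-SHA256; the original Domain Keys used a DomainKey-Signature header and RSA-SHA1, and real canonicalization rules are more involved than the whitespace collapsing used here. The in-memory dnsKeys map standing in for a DNS TXT lookup, the domain names example.com and phisher.example, the selector s1, and the Accept policy (modelled on the blocking arrangement the article describes) are all assumptions made for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

type Message struct {
	Headers map[string]string // header fields by name
	Body    string
}

// dnsKeys stands in for DNS so this runs offline (constructed here); a real verifier fetches
// the TXT record at <selector>._domainkey.<domain> and reads the public key from its p= tag.
var dnsKeys = map[string]*rsa.PublicKey{}

// NewSigningDomain creates a key pair for domain and "publishes" the public half under selector.
func NewSigningDomain(domain, selector string) (*rsa.PrivateKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	dnsKeys[selector+"._domainkey."+domain] = &priv.PublicKey
	return priv, nil
}

// parseTags turns "k=v; k2=v2" into a map, dropping whitespace inside values.
func parseTags(s string) map[string]string {
	out := map[string]string{}
	for _, f := range strings.Split(s, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(f), "="); ok {
			out[k] = strings.Join(strings.Fields(v), "")
		}
	}
	return out
}

// signedInput is the byte string the signature covers: the header fields named in h= (name
// lower-cased, whitespace collapsed), the signature field up to its b= tag, and the body.
func signedInput(msg Message, h, sigValue string) []byte {
	var sb strings.Builder
	for _, n := range strings.Split(h, ":") {
		sb.WriteString(strings.ToLower(n) + ":" + strings.Join(strings.Fields(msg.Headers[n]), " ") + "\r\n")
	}
	if i := strings.LastIndex(sigValue, "b="); i >= 0 { // b= is always the last tag
		sigValue = sigValue[:i+2]
	}
	sb.WriteString("dkim-signature:" + sigValue + "\r\n" + msg.Body)
	return []byte(sb.String())
}

// Sign returns the DKIM-Signature header value for msg, made with the domain's private key.
func Sign(msg Message, domain, selector string, priv *rsa.PrivateKey) (string, error) {
	sigValue := fmt.Sprintf("v=1; a=rsa-sha256; d=%s; s=%s; h=From:To:Subject:Date; b=", domain, selector)
	digest := sha256.Sum256(signedInput(msg, parseTags(sigValue)["h"], sigValue))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return sigValue + base64.StdEncoding.EncodeToString(sig), nil
}

// Verify checks the signature against the key published for d=/s= and returns the signing
// domain. That is all a signature proves; it says nothing about whether From: is honest.
func Verify(msg Message) (string, error) {
	t := parseTags(msg.Headers["DKIM-Signature"])
	pub, ok := dnsKeys[t["s"]+"._domainkey."+t["d"]]
	if !ok {
		return "", fmt.Errorf("no usable signature (d=%q, s=%q)", t["d"], t["s"])
	}
	sig, err := base64.StdEncoding.DecodeString(t["b"])
	digest := sha256.Sum256(signedInput(msg, t["h"], msg.Headers["DKIM-Signature"]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", fmt.Errorf("signature invalid: message altered or wrong key")
	}
	return t["d"], nil
}

// Accept applies a receiver policy like the one in the article: mail whose From: domain is known
// to sign everything it sends must carry a valid signature from that same domain, or it is
// dropped. Mail from other domains passes, since the scheme says nothing about non-signers.
func Accept(msg Message, signsEverything map[string]bool) (bool, string) {
	addr := msg.Headers["From"]
	from := strings.ToLower(strings.Trim(addr[strings.LastIndex(addr, "@")+1:], "> "))
	if !signsEverything[from] {
		return true, "accepted: no signing commitment for " + from
	}
	if d, err := Verify(msg); err != nil {
		return false, "dropped: " + err.Error()
	} else if !strings.EqualFold(d, from) {
		return false, "dropped: signed by " + d + " but claims to be from " + from
	} else {
		return true, "accepted: verified signature from " + d
	}
}
```

Sign produces the header value the sending site's mail relay attaches; Verify does what the receiving provider does: look up the key by selector and domain, rebuild the signed bytes, check the signature, and report the d= domain. The caveat that matters for phishing is in Accept: a valid signature only proves which domain signed, so a phisher can sign mail from a domain it controls while the From: line names someone else. Dropping such mail needs the extra rule that mail claiming a protected From: domain must be signed by that same domain, and that rule can only be applied to a domain that signs everything it sends, which is why the arrangement needed eBay and PayPal's participation and not just Yahoo's.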
Domain Keys is seeing terrific industry adoption, in part due to the widespread consensus about its potential as an Internet standard, according to Nicki Dugan, Yahoo's blog editor.
"About 40 percent of the e-mail we deliver on Yahoo Mail is signed with Domain Keys," Dugan wrote in a recent blog post. "And we hope [this] news gets the attention of information security officers at some of the more obvious phishing targets so we can help protect even more consumers from the havoc these scams wreak."
Toward Mutual Authentication
Andrew Braunberg, a research director for the Enterprise Software and Security group at Current Analysis, said Domain Keys is a good approach to authentication, as it is in the same vein as the movement in other markets, especially financial services, toward risk-based authentication.
But Braunberg said companies have to consider the level of authentication that is appropriate to the communication. "There is always some overhead associated with any security technology," he said. "There's always a trade-off between productivity and security, or access and security."
Braunberg pointed out that you don't want to make people jump through six hoops every time they want to open Outlook. "It doesn't make sense," he said. "It's got to be a more rationalized, prioritized approach to defining security requirements. That's where the market is moving."
The Domain Keys method might sound like an ideal answer to phishing and spam: it works automatically in the background, so users never see the e-mail that is identified as fraudulent. But it is of limited use unless most e-mail providers verify signatures and the domains that phishers imitate sign everything they send. A signature proves only which domain a message came from, so a receiver can safely drop unsigned mail claiming to be from eBay or PayPal only because those companies sign all of their legitimate mail, which is why this arrangement needed them and not just Yahoo.