In War on Phishing, eBay Completes Journey to Total Authentication

E-mail authentication measures such as DomainKeys, referred to as DKIM, and Sender ID only go so far by themselves to block phishing attempts. A partnership between Yahoo and eBay, including its online payment system PayPal, aims to minimize the influx of messages pretending to be from eBay and PayPal to Yahoo Mail readers.

The move made last week by Yahoo, eBay and PayPal took this long because eBay and PayPal had to be sure their authentication processes covered every piece of outbound communication — not merely the vast majority. “Yahoo is now blocking unauthenticated messages purporting to be from eBay and PayPal based on the DomainKeys signatures, and we are able to do so because eBay and PayPal are now confident that they are signing 100 percent of their legitimate outbound mail,” said Mark Risher, group product manager for Yahoo Mail.

With 153 million PayPal accounts, and 241 million registered eBay users worldwide, that took a while. “We are signing 100 percent of outbound mail [with DomainKeys],” said PayPal company spokesperson Michael. “It’s taken a few months for us to get to that point because our global infrastructure is so complex.”

Phishing continues to be a major problem for e-mail, with eBay and PayPal among the hardest hit. The auction category accounts for 32 percent of phishing attacks, and payment services represent 25 percent of phishing threats, according to the Brandjacking Index report released by MarkMonitor in August. While the data do not break out individual companies, the two represent significant portions of their respective categories.

PayPal and eBay are agnostic on e-mail authentication protocols, using both SPF and DKIM authentication standards to work with multiple Internet service providers. Oldenburg said, “The industry is still fighting to find a standard.”

The global reach of Yahoo Mail makes the partnership beneficial for all parties. “The most time-consuming portion of the implementation is usually the audit of all machines sending e-mail on a company’s behalf, particularly for large, global brands,” said Risher. “For this project, Yahoo was able to use its worldwide reach to help PayPal and eBay track down all of their machines and ensure they were signing all messages. EBay and PayPal are such large scale senders that we think their success demonstrates that 100 percent signing with DomainKeys can be accomplished.”
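The audit Risher describes can be approximated from the receiving side. The sketch below is an added example, not code from Yahoo, eBay or PayPal: it groups mail claiming a brand domain by connecting host and flags hosts that sent any message without an aligned passing signature. It assumes the receiver stamps an Authentication-Results header (RFC 8601) with a `dkim=` result and records the connecting address in brackets in its Received header; `example.com`, the addresses and the messages are constructed.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

def _msg(ip, result, sender):  # builds one constructed sample message
    return (f"Received: from relay ([{ip}])\n"
            f"Authentication-Results: mx.receiver.test; {result}\n"
            f"From: {sender}\n\nbody\n")

SAMPLES = [  # constructed data, not real traffic
    _msg("192.0.2.10", "dkim=pass header.d=example.com", "Billing <billing@example.com>"),
    _msg("192.0.2.10", "dkim=pass header.d=example.com", "billing@example.com"),
    _msg("198.51.100.7", "dkim=none", "news@example.com"),       # relay nobody configured
    _msg("203.0.113.5", "dkim=pass header.d=esp.test", "promo@example.com"),  # unaligned
    _msg("192.0.2.10", "dkim=none", "someone@unrelated.test"),   # not the brand: ignored
]

def in_domain(host, brand):
    host = host.lower()
    return host == brand or host.endswith("." + brand)

def audit(raw_messages, brand):
    """Return {source_ip: [signed, total]} for mail whose From: claims `brand`."""
    report = defaultdict(lambda: [0, 0])
    for raw in raw_messages:
        msg = message_from_string(raw)
        from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
        if not in_domain(from_domain, brand):
            continue
        ip = re.search(r"\[([0-9a-fA-F.:]+)\]", msg.get("Received", ""))
        source = ip.group(1) if ip else "unknown"
        results = " ".join(msg.get_all("Authentication-Results", []))
        signers = re.findall(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", results)
        report[source][1] += 1
        # Only a signature from the brand's own domain counts as signed.
        if any(in_domain(d, brand) for d in signers):
            report[source][0] += 1
    return dict(report)

def unsigned_sources(report):
    """Hosts to review: each is either a forgotten legitimate sender or a forger."""
    return sorted(ip for ip, (signed, total) in report.items() if signed < total)

def safe_to_block(report):
    """Blocking unsigned mail is safe only once every known source signs everything."""
    return bool(report) and not unsigned_sources(report)

if __name__ == "__main__":
    r = audit(SAMPLES, "example.com")
    print(r, unsigned_sources(r), safe_to_block(r))
```

Each flagged host still has to be classified by the sender's own inventory; the script only narrows where to look.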

eBay/PayPal continues to work with the larger ISPs to combat phishing issues related to the two brands. Both companies also monitor reports of phishing and other malicious messages from users who forward e-mails to “spoof” addresses.
