Attacking phishing at the source
Good news on the phishing front. Google reports that they are now authenticating all e-mail that purports to come from eBay and PayPal.
Using e-mail authentication standards including DomainKeys and Domain Keys identified Mail, and working with PayPal and eBay, Google's Gmail now verifies every e-mail that claims to come from PayPal or eBay. If it doesn't verify you'll never see it.
Angry eBay buyer The first time I got one of those angry eBay buyer emails - "where's my stuff, you thief!" - it got me going for a second. But now if you use Gmail, those e-mails won't even make it to your trash folder. They're just gone.
EBay and PayPal had to undertake the effort to ensure that all of their e-mails used the domain Keys and domain keys identified Mail authentication protocols. They have blazed a trail for all companies who want their customers trust.
Accountability for banks In even better news a German court has ruled that banks are liable for phishing attacks on customers. Criminals compromised a German couple's PC and it used their bank information to pay out €4000 on a fraudulent eBay transaction.
The court held that the payment request demonstrably did not come from the customer. "The bank bears the forgery risk of the transfer order" the judge said. Yay!
Financial institutions love getting customers to use the Internet for payments, statements and applications because they save money. But when there is a problem it is the customer who sorts it out.
The Storage Bits take Kudos to Google, eBay and PayPal for implementing e-mail authentication. It points the way to a future where all financial institutions use authentication to ensure that e-mails bearing their names are genuine.
Kudos also to the German court for holding banker's feet to the fire. For too long banks and other financial institutions have underspent on security, leaving the burden of enforcement to individuals and local police who are ill-equipped to handle sophisticated online thievery.
Sadly, in the United States, the U.S. Congress is a wholly owned subsidiary of the American Banking Association. Do not expect any relief for consumers here anytime soon. Do not look to the courts either: the current rage for judicial inactivism means that justice, or even simple fairness, will be denied to netizens.
While it moves us in the right direction, there is a downside to partial protection. As e-mail becomes a more trustworthy, some people will become more vulnerable to scams. But the ultimate goal is to squeeze the profits out of online crime so the criminals find something else to do.
Comments welcome, of course.