Attacking phishing at the source

Good news on the phishing front. Google reports that they are now authenticating all e-mail that purports to come from eBay and PayPal.

Using the e-mail authentication standards DomainKeys and DomainKeys Identified Mail (DKIM), and working with PayPal and eBay, Google's Gmail now verifies every e-mail that claims to come from PayPal or eBay. A message whose signature does not verify is never delivered: you will simply never see it.

Angry eBay buyer

The first time I got one of those angry eBay buyer e-mails - "where's my stuff, you thief!" - it got me going for a second. But now if you use Gmail, those e-mails won't even make it to your trash folder. They're just gone.

eBay and PayPal had to undertake the effort to ensure that all of their outgoing e-mail is signed under the DomainKeys and DKIM authentication protocols; with Gmail dropping anything that fails to verify, an unsigned message of their own would be discarded along with the forgeries. They have blazed a trail for all companies that want their customers' trust.
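The verification and drop policy described in the paragraphs above, as an added example in Go that is not code from Google, eBay or PayPal. It signs a constructed PayPal-style message with DKIM, verifies it, and then applies the article's rule: mail whose From domain is paypal.com or ebay.com is delivered only if it carries a valid signature from that same domain, while mail from any other domain passes unchecked. The in-memory key table standing in for the DNS lookup, the selector s1, the sample addresses (including the credit-union lookalike domain acipco-fcu.example, modelled on the phish a commenter describes further down the page) and the Enforced list are all constructed for this example, and the canonicalisation is a simplified relaxed/simple.

```go
package main

// Added example, not code from Google, eBay or PayPal: a miniature DKIM signer
// and verifier plus the drop-unless-authenticated policy the article describes.
// Assumed: relaxed header / simple body canonicalisation (runs of whitespace in
// header values are not collapsed), unfolded headers, and an in-memory key table
// in place of the <selector>._domainkey.<domain> DNS TXT lookup.

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

type Message struct {
	Headers []string // "Name: value", one unfolded header per element
	Body    string
}

// Header returns the value of the first header called name (case-insensitive).
func (m Message) Header(name string) (string, bool) {
	for _, h := range m.Headers {
		if i := strings.Index(h, ":"); i > 0 && strings.EqualFold(h[:i], name) {
			return strings.TrimSpace(h[i+1:]), true
		}
	}
	return "", false
}

// tag extracts one tag=value pair from a DKIM-Signature value ("" if absent).
func tag(sig, name string) string {
	if m := regexp.MustCompile(`(?:^|;)\s*`+name+`=([^;]*)`).FindStringSubmatch(sig); m != nil {
		return strings.TrimSpace(m[1])
	}
	return ""
}

// bodyHash: simple body canonicalisation (drop trailing empty lines, CRLF line ends), then SHA-256.
func bodyHash(body string) string {
	b := strings.TrimRight(strings.ReplaceAll(body, "\r\n", "\n"), "\n")
	sum := sha256.Sum256([]byte(strings.ReplaceAll(b, "\n", "\r\n") + "\r\n"))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// headerHash covers the h= headers in order (lower-cased name, trimmed value), then the
// DKIM-Signature header itself with its b= value emptied, as RFC 6376 section 3.7 requires.
func headerHash(m Message, sig string) []byte {
	h := sha256.New()
	for _, name := range strings.Split(tag(sig, "h"), ":") {
		if v, ok := m.Header(name); ok {
			h.Write([]byte(strings.ToLower(name) + ":" + v + "\r\n"))
		}
	}
	noB := regexp.MustCompile(`(^|;\s*)b=[^;]*`).ReplaceAllString(sig, "${1}b=")
	h.Write([]byte("dkim-signature:" + noB))
	return h.Sum(nil)
}

// Sign returns a DKIM-Signature header line for m, signed as domain/selector.
func Sign(m Message, domain, selector string, key *rsa.PrivateKey) (string, error) {
	sig := fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/simple; d=%s; s=%s; h=from:to:subject; bh=%s; b=",
		domain, selector, bodyHash(m.Body))
	b, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, headerHash(m, sig))
	return "DKIM-Signature: " + sig + base64.StdEncoding.EncodeToString(b), err
}

// Verify returns the signing domain (d=) once key lookup, body hash and signature all pass.
func Verify(m Message, keys map[string]*rsa.PublicKey) (string, error) {
	sig, ok := m.Header("DKIM-Signature")
	d, s := tag(sig, "d"), tag(sig, "s")
	pub := keys[s+"._domainkey."+d]
	b, _ := base64.StdEncoding.DecodeString(tag(sig, "b"))
	switch {
	case !ok:
		return "", fmt.Errorf("no DKIM-Signature header")
	case pub == nil:
		return "", fmt.Errorf("no key published at %s._domainkey.%s", s, d)
	case bodyHash(m.Body) != tag(sig, "bh"):
		return "", fmt.Errorf("body hash mismatch: body changed after signing")
	case rsa.VerifyPKCS1v15(pub, crypto.SHA256, headerHash(m, sig), b) != nil:
		return "", fmt.Errorf("signature does not verify under %s's key", d)
	}
	return d, nil
}

// Enforced lists From domains whose mail must carry a valid signature from that same domain
// (the PayPal/eBay policy the article describes; the list itself is a hypothetical configuration).
var Enforced = map[string]bool{"paypal.com": true, "ebay.com": true}

// Accept decides delivery: enforced domains must authenticate; anything else passes unchecked.
func Accept(m Message, keys map[string]*rsa.PublicKey) (bool, string) {
	from, _ := m.Header("From")
	dom := strings.ToLower(strings.TrimSuffix(from[strings.LastIndex(from, "@")+1:], ">"))
	if !Enforced[dom] {
		return true, "delivered unauthenticated (" + dom + " is not enforced)"
	}
	signer, err := Verify(m, keys)
	if err != nil {
		return false, "dropped: " + err.Error()
	}
	if signer != dom { // a valid signature from another domain does not vouch for this From
		return false, "dropped: signed by " + signer + " but From claims " + dom
	}
	return true, "delivered: authenticated by " + signer
}

// msg builds a constructed test message with the three headers the signer covers.
func msg(from, subject, body string) Message {
	return Message{Headers: []string{"From: " + from, "To: you@example.net", "Subject: " + subject}, Body: body}
}

// Demo runs four constructed messages through Accept and returns name -> delivered.
func Demo() (map[string]bool, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	keys := map[string]*rsa.PublicKey{"s1._domainkey.paypal.com": &key.PublicKey}
	genuine := msg("service@paypal.com", "Receipt", "You paid 12.00 EUR.\n")
	dkim, err := Sign(genuine, "paypal.com", "s1", key)
	if err != nil {
		return nil, err
	}
	genuine.Headers = append([]string{dkim}, genuine.Headers...)
	tampered := genuine // same valid signature, body rewritten afterwards
	tampered.Body = "Where's my stuff, you thief! Log in at the link below.\n"
	cases := map[string]Message{"genuine": genuine, "tampered": tampered,
		"forged":    msg("security@paypal.com", "Account locked", "Click here.\n"),
		"lookalike": msg("alerts@acipco-fcu.example", "eBay access attempt", "Click here.\n")}
	out := map[string]bool{}
	for name, m := range cases {
		ok, why := Accept(m, keys)
		fmt.Printf("%-9s %-5v %s\n", name, ok, why)
		out[name] = ok
	}
	return out, nil
}

func main() {
	if _, err := Demo(); err != nil {
		panic(err)
	}
}
```

Running it delivers the genuine message, drops the tampered one on the body-hash check and the unsigned PayPal forgery on the missing signature, and delivers the credit-union message unauthenticated. That last verdict is the limit of the scheme: authentication only protects domains that publish keys and are enforced, so a phisher who keeps eBay in the subject but moves the From address to some other domain is not touched by it, which is exactly what a commenter below reports.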

Accountability for banks

In even better news, a German court has ruled that banks are liable for phishing attacks on customers. Criminals compromised a German couple's PC, used the banking credentials found on it, and paid out €4000 on a fraudulent eBay transaction.

The court held that the payment request demonstrably did not come from the customer. "The bank bears the forgery risk of the transfer order" the judge said. Yay!

Financial institutions love getting customers to use the Internet for payments, statements and applications because they save money. But when there is a problem it is the customer who sorts it out.

The Storage Bits take

Kudos to Google, eBay and PayPal for implementing e-mail authentication. It points the way to a future where all financial institutions use authentication to ensure that e-mails bearing their names are genuine.

Kudos also to the German court for holding bankers' feet to the fire. For too long banks and other financial institutions have underspent on security, leaving the burden of enforcement to individuals and local police who are ill-equipped to handle sophisticated online thievery.

Sadly, in the United States, the U.S. Congress is a wholly owned subsidiary of the American Banking Association. Do not expect any relief for consumers here anytime soon. Do not look to the courts either: the current rage for judicial inactivism means that justice, or even simple fairness, will be denied to netizens.

While it moves us in the right direction, there is a downside to partial protection: as e-mail becomes more trustworthy, some people will relax their guard and become more vulnerable to the scams that still get through. But the ultimate goal is to squeeze the profits out of online crime so the criminals find something else to do.

Comments welcome, of course.

Topics: Collaboration, Banking, E-Commerce, Security

  • DomainKeys--it's a start

    Now if mandated changes were in effect 'with teeth' that enforced usage of PGP or GnuPG or S/MIME for signed encrypted email, that would take down the spam to 0%!
    D T Schmitz
    • There's a market opportunity

      Create a GPG - S/MIME mailer management tool that my grandma can use and you'll lock the whole thing up. However, therein lies the problem - configuring and using these mechanisms is too difficult for most of the targets for these attacks and the culprits know that...
  • RE: Attacking phishing at the source

    Since phishing has cost countless pains to so many people, I suggest large companies whose businesses have been badly affected pool together & contribute to a large fund to hire ex-CIA, ex-FBI agents, etc. to track the culprits down & SHOOT THEM IN THE HEADS! Bringing them to courts is a waste of time because these criminals have all the money in the world to hire smart twisted lawyers to defend them...
  • "Judicial Inactivism"

    I understand that Judges sometimes have to be activists. <u>Brown v. Board</u> is a good example. But by saying, "judicial inactivism," you make interpreting the laws only based on the Constitution and enumerated laws seem like a crime. You should have called it judicial restraint.
    • If you're against judicial activism . . .

      you are FOR judicial inactivism. Against justice and for barren legalisms.

      Calling it restraint, originalism or strict construction is simply a cover for neutering a co-equal branch of

      It is a cover with the agenda of sabotaging the American revolution. None of the "judicial restraint" crowd shrink from exercising their prerogatives when they feel like it.

      The American Revolution isn't over. The spiritual heirs of the loyalists are still strong among us.
      R Harris
      • Not to pile on...

        ...but I agree. Moreover I like the way you put it.
  • RE: Attacking phishing at the source

    "the U.S. Congress is a wholly owned subsidiary of the American Banking Association."

    How true, forward this to your representative, and ask them to explain themselves. Then maybe judges would not have to act on our behalf.
  • RE: Does attacking phishing at the source work?

    Then why did I get a "phishy" email purporting to come from ACIPCO Federal Credit Union telling me someone was trying to access my eBay account just this morning? As usual I forwarded it to eBay and got the standard automated response that it didn't come from them. The "phishers" are just changing the bait a little bit.
    • Did it come from Gmail?

      If it did I would also forward to Google. Maybe the crooks have broken this already.

      R Harris
    • Because it's not pretending to be from ebay

      It's pretending to be from the credit union and mentioning ebay. Completely different.
  • RE: Attacking phishing at the source

    Now if we can do something about all the advance fee spam from Nigeria (and other places) we would cut the noise level on the Internet by at least a factor of two!