Online payment is big business, and companies like PayPal are determined to
garner a bigger slice. In the 1990s, transacting online was viewed with great
suspicion, as many users were uncomfortable entering their credit card numbers
for fear of misuse. With time, however, it became evident that apart from the
risks involved in transacting online, users fall prey to unauthorized emails
cleverly disguised as routine communication from a bank or a payment
facilitator like PayPal. Commonly called phishing, this has taken the Internet
world by storm. PayPal has been a constant victim of phishing, with people often
receiving messages like "update your personal information" or "your account has
been suspended" that are actually phishing emails duping users.
According to Antiphishing.org, phishing attacks use both social engineering
and technical subterfuge to steal consumers' personal identity and financial
account credentials. Social-engineering schemes use spoofed emails to lead
consumers to counterfeit websites designed to trick recipients into divulging
financial data such as credit card numbers, account usernames, passwords and
social security numbers. By hijacking the brand names of banks, e-retailers and
credit card companies, phishers often convince recipients to respond. Technical
subterfuge schemes plant crimeware onto PCs to steal credentials directly, often
using Trojan keylogger spyware. Meanwhile, pharming crimeware misdirects users
to fraudulent sites or proxy servers, typically through DNS hijacking or
poisoning.

Need for Proactive Measures
With some proactive measures, PayPal has significantly brought down the
number of phishing attacks targeted at its users. A report by security vendor
Sophos, which tracks spam and phishing mails, said that the number of messages
pretending to be from eBay and PayPal fell from 85% in 2006 to about 21% by
September 2007. The drastic decrease in the number of such unsolicited emails,
according to PayPal, is the result of educating users on phishing through its
website.
Says Scott Thompson, CTO, PayPal: "In the last two years, we have initiated
lots of anti-phishing and spam activities aimed at proactive security. For
instance, we have developed a security key, which is a device that generates a
six-digit security code every thirty seconds. Moreover, we are a heavy user of
Linux, and this gives us extreme scalability and security needed for
mission-critical transactions such as payments, enabling a robust payment
system."

Security Online
Clearly, for companies like PayPal, managing security is a big challenge. It
becomes more pronounced when a company processes multiple currencies across
various geographies. For instance, PayPal has more than 164 mn accounts spread
across 190 countries. Here IT systems play a key role in enabling these
transactions. The fact that it runs all its apps only on Linux is clear proof
of Linux's robustness. Thompson says that the company has saved millions of
dollars by going the Linux way, as it is easy to scale and has spared the
company costly upgrades.
Given the spread of PayPal's operations, it offers various security tools to
its users, so that they can create a secure end-point. Tools provided by PayPal
to its users include a free utility called Iconix Email ID, which helps a user
identify whether an email received from PayPal is genuine. For heavy users who
transact large volumes, the security key, available for $5 in select
geographies, makes for an added security layer.
"We are a heavy user of Linux and this gives us extreme scalability and
security needed for mission-critical transactions such as payments, and has
created a robust payment system."
Scott Thompson, CTO, PayPal
With online transactions becoming a necessity, it is important for the user to
stay safe online. Experts advocate various safety tips that make for a secure
online experience. The starting point of any online transaction is signing up
with a particular service provider. For instance, the user must carefully read
the terms and service agreement and understand how the information provided
will be used. It is wise to fill in just the mandatory fields and ignore
optional information like mobile numbers and physical address. The more
personal information one gives, the more susceptible the user is to receiving
spam mails.
Companies like PayPal are also tying up with ISPs and email providers to
reduce the amount of phishing mail. Recently, PayPal and eBay joined hands
with Yahoo to bring down email fraud. PayPal and eBay customers using Yahoo Mail
will see fewer phishing mails through the implementation of DomainKeys Email
Authentication technology. The DomainKeys technology facilitates the
verification of the authenticity of email messages, allowing Internet service
providers to determine if messages are real and whether they should be
delivered to a customer's inbox.
Today, some companies offer subscription-based credit monitoring services.
These services track a user's credit report and send an email alert reflecting
recent activity, such as an inquiry or a new account. Typically, the more
frequent or more detailed the report, the more expensive the service. Some
companies also offer additional services, including removing one's name from
mailing lists.

Thompson says that most spam and phishing emails originate in Eastern Europe,
and that it is very difficult to pin down culprits due to factors like
geographical jurisdiction and differing government regulations, among others.
End-user education and end-point best practices reduce these security threats
greatly. Companies like PayPal are doing just that. While phishing methods
evolve, PayPal is investing in developing new products aimed at strengthening
security. As part of its expansion plan and commitment to India, PayPal has
recently opened a product development center in Chennai.
Shrikanth G
shrikanthg@cybermedia.co.in