Google’s Gmail Joins eBay and PayPal in Phishing Fight

Google Inc.'s Gmail this week followed Yahoo! Inc. to become the second big e-mail provider publicly working with online auction host eBay Inc. and its PayPal payment service to fight phishing scams. With Google's Checkout service attempting to gain online charge volume in a PayPal-dominated alternative-payment market, the anti-phishing partnership shows that the common interest in fraud control can sometimes trump competitive concerns. An eBay spokesperson tells Digital Transactions News that the Gmail announcement is just the latest in an ongoing eBay/PayPal effort to enlist the top half-dozen or so Internet Service Providers (ISPs), which collectively account for more than half of the world's e-mail addresses, in joint fraud-fighting efforts. A Google spokesperson refuses to say how many consumers use Gmail, but puts the number in the “tens of millions of active users worldwide.” “We think it's great that PayPal and eBay have taken on the challenge of securing e-mail, and we're pleased to have put our best efforts together to make this work,” Brad Taylor, a Google software engineer and Gmail's “spam czar,” said in a post on Google's Gmail blog. “It's a bold move, but one that will really help fight phishing. Our hope is that this will set a good example for other organizations to follow (yes, it can be done!) and that over time more and more e-mail will become trustworthy.” Michael Barrett, PayPal's chief information security officer, said in a post on PayPal's blog that, “we're very excited that Google has taken this step and is working with us to help protect your online safety.” In phishing, a fraudulent e-mail purporting to be from a legitimate company?frequently a bank or financial firm?asks the recipient to click on a link to a spoofed Web site that, depending on the skills of the fraudsters, can look quite authentic. Such e-mails typically have an urgent tone and ask recipients to provide personal and financial data, including passwords, which enable the phishers to steal funds from accounts. The authentication technology behind the Gmail as well as the Yahoo screening effort eBay and PayPal announced last October is DomainKeys and DomainKeys Identified Mail (DKIM). E-mails going to Gmail users that have an “@paypal.com” or “@ebay.com” sender address will be authenticated with a DomainKeys digital signature. The Gmail system will reject any e-mail it can't confirm as actually having come from the real companies. And instead of routing an unverified message to the recipient's spam folder, the system won't even send unauthenticated e-mails to Gmail users. “It's hard to get phished if you never get the e-mail,” says the eBay spokesperson. Google has been testing the system for several weeks and “it's been working so well that few people really noticed,” Taylor said. According to PayPal's Barrett, Yahoo blocked more than 50 million e-mails in the first six months after its effort with eBay and PayPal took effect. As recently as 2006, PayPal alone accounted for more than 50% of phishing e-mails and, combined with eBay, the two firms attracted the “vast majority” of all phishing e-mails, Barrett said at a recent eBay conference (Digital Transactions News, June 20). PayPal's share was below 10% early this year, he said.