KEY POINTS:
SAN FRANCISCO - Yahoo is working with auction leader eBay and its PayPal payments unit to block fake emails to users purporting to be from eBay and PayPal, hoping to spur on an industry that has been slow to fight the scourge of so-called phishing attacks.
EBay and PayPal have upgraded their computer systems to support an emerging technology standard known as DomainKeys invented by Yahoo that authenticates email senders are who they say they are, allowing Yahoo to block fake emails.
The technology upgrade will be made available to Yahoo Mail users worldwide over the next several weeks, the company said.
"It is a big step forward for consumers in defence against the bad guys," John Kremer, vice president of Yahoo Mail, said in a phone interview.
Along with banks and pharmaceutical makers, eBay and PayPal are among the brands most targeted by phishers seeking to trick consumers into divulging personal information such as credit card or password data in order to commit financial fraud.
Over the past decade, phishing has been clogging the inboxes of email users worldwide with ever more sophisticated attempts to fool users into clicking on fraudulent sites or giving up personal financial details to commit fraud.
But to date, many of the defences put forward by security software vendors and industry consortiums have failed to take hold with email senders due to their complexity or costliness, or political in-fighting over standards, leaving individual consumers always guessing which email may be real or fake.
A PayPal official said Yahoo's system provides a way of automatically detecting potential phishing attacks without relying on the consumer to do anything new.
"If the consumer doesn't receive an email in their inbox then it is very hard for the phisher to victimize them," Michael Barrett, PayPal's chief information security officer.
Fear of blocking legitimate mail
Two camps have emerged among technology providers seeking to develop a coherent approach to identifying email senders.
One backed by Yahoo and Cisco Systems along with AOL, Google, IBM, Sendmail and VeriSign is the DomainKeys Identified Mail (DKIM) technology, which allows email providers to identify the web domain from which a sender has sent email.
A second standard known as Sender Policy Network (SPF) has been led by Microsoft, which offers its own version of SPF known as Sender ID. SPF-based protections are used by Amazon, AOL, GoDaddy and eBay, which supports both DKIM and SPF.
Chenxi Wang, a security analyst with Forrester Research, said DomainKeys relies on more sophisticated cryptography than the Microsoft-supported approach. This sophistication can make DomainKeys harder for websites to install but offers greater long-term defence against phishing attacks, she said.
So far, most customers have installed sender authentication inside their email systems as a monitoring tool but do not block email for fear of false positives - mistakenly treating legitimate customer email messages as phishing attempts.
However, despite the industry disagreements, an underlying consensus is emerging among software vendors, internet service providers and corporate websites that digital email signing in one form or another is the best shot to combat phishing.
"Two years ago if you asked companies whether they were using email authentication, most people wouldn't have cared," Wang said. "Today if you ask most organisations if they think it is a good thing people would say, 'Yes."'
"The industry is slowly coming around," Wang said. "EBay and PayPal are some of the first to actively block unauthenticated emails."
- REUTERS