So, my recent blog about PayPal calling its own email phishing seems to have received a bit of attention.

The Good

In response, I got an email from their Principal Security Engineer who asked me for a copy of the email that was incorrectly identified as a phish so he could use it to help identify the problem and fix their system. I also received a phone call from PayPal’s executive office indicating they took the issue seriously and had their top security people fixing the problem. This is a good thing and I am glad to have helped them find and fix a problem, even though it really is a relatively harmless error. Reporting a phish as not a phish would be really bad.

The Bad

As I explained to the friendly person from PayPal’s executive office, the real problem is that PayPal is grooming users to get phished by including links to log into their accounts. If PayPal could tell users “If the email has a link in it, it is a phish” they would teach magnitudes more users not to fall for phishing attacks against their PayPal accounts. While acknowledging that they have considered this, PayPal will not commit to changing their ways.

The Ugly

Michael Barrett, the Chief Information Security Officer at PayPal, wrote a response to my blog at http://www.thesecuritypractice.com/the_security_practice/2009/12/what-works-in-fighting-phishing.html and there are some things I take issue with.

To begin with, Mr Barrett states “Because of our status, we’re also used often used as an example of whatever particular idea an individual security researcher is arguing for.” This really is not an example of an individual security researcher arguing for something. The idea that the practice of financial institutions sending links to log in to customer accounts is a bad idea is widely held in the security community. I would bet that there are security folks at PayPal who would argue against PayPal sending account links in customer communications that lead to a log on page. Certainly some banks have discontinued the practice and advised their customers that they will not get a link in an email and if they do, it is a phish.

Mr Barrett states “First, we doubt the effectiveness of removing all links in e-mails as a way to eradicate phishing.” No solution eradicates phishing, you use multiple solutions as defense in depth to mitigate the attack. If a solution is dismissed because it does not eradicate phishing then PayPal would have to dismiss all of the really good work they do to combat phishing, because it isn’t eradicating the problem.

Mr Barrett goes on to say “Thus, even if we didn’t send e-mails with links in them, there would be nothing to prevent criminals from sending phishmails with links, and some small percentage of users would almost certainly fall for those e-mails.” Yes!!! A hundred times yes! Let’s make the percentage of victims smaller. It is far easier to teach many people that if an email comes from PayPal and it has a link to log into their account it is a phish than to teach them how to spot phish. There are a couple of approaches that are great in combating phishing, teaching identification is awesome, but limited in how many users will be able to master the skill. Teaching what simple behaviors to avoid will educate a lot more users and be more effective across the board. Hence my tip at http://www.sdchamber-members.org/TechTipArchive_000.htm#AntiPhishing
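To show what the "if it has a link, it is a phish" rule looks like as a mail-filter check, here is an added example (my own illustration, not PayPal's code or anything from the original post). The sender list, the sample messages and the transaction ID are constructed; the rule judges the domain the message claims in its From header, because that is what the user sees.

```python
import email
import email.utils
import re
from email import policy

# Senders whose mail should never carry a link. Constructed list;
# only paypal.com comes from the post.
NO_LINK_SENDERS = {"paypal.com"}

# Bare URLs in text and href targets in HTML; enough for the rule, not a full parser.
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)
HREF_RE = re.compile(r"href\s*=\s*[\"']([^\"']+)[\"']", re.IGNORECASE)


def claimed_sender_domain(msg):
    """Domain the message claims in its visible From header (not SPF/DKIM)."""
    addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def extract_links(msg):
    """Collect link targets from every text part: plain URLs and HTML hrefs."""
    links = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_content()
        if part.get_content_subtype() == "html":
            links.update(HREF_RE.findall(body))
        links.update(URL_RE.findall(body))
    return sorted(links)


def classify(raw_message):
    """Mail claiming a no-link sender that carries any link is treated as a phish."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    links = extract_links(msg)
    if claimed_sender_domain(msg) in NO_LINK_SENDERS and links:
        return "phish", links
    return "ok", links


# Constructed samples, not real PayPal mail.
SPOOFED = ("From: PayPal <service@paypal.com>\nSubject: Account limited\n\n"
           "Please log in at http://login.paypal-verify.example/ to restore access\n")
LEGIT_WITH_LINK = ("From: PayPal <service@paypal.com>\nSubject: Receipt\n"
                   "Content-Type: text/html\n\n"
                   "<p>You sent $10.00. <a href=\"https://www.paypal.com/\">Log in</a></p>\n")
LEGIT_NO_LINK = ("From: PayPal <service@paypal.com>\nSubject: Receipt\n\n"
                 "You sent $10.00, transaction ID TX-000123. Open a new browser, type\n"
                 "the PayPal address yourself, log in and search for that ID.\n")
```

The rule flags the spoofed message and the genuine receipt with a login link alike, which is exactly the post's point: the simple behaviour "a link means a phish" only becomes teachable once the institution stops sending links, while a receipt that quotes a transaction ID and no link passes.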

Another comment “But, there were others that would be very problematic – sending someone a reference to a transaction, for example.  (“Log on, go to your transaction history page, scroll forward three pages, go to the transaction three quarters of the way down the page …”)” assumes that it must be this complicated. One solution is to give each transaction a unique identifier and allow a simple search. No, it is not as convenient as a link in an email, but removing those links is a much smarter security practice. I’m sure there are many other solutions that will minimize the inconvenience factor.

Mr Barrett states “We have indeed done a number of things around consumer education. Our first rule – which Mr. Abrams indeed followed – “forward uncertain PayPal e-mails to spoof@paypal.com” is generally a very good one.” The problem is that I did not follow the rule as it was not at all applicable to my situation. I forwarded a known legitimate email. There was nothing suspicious about it. At the end of the paragraph you see “if you’re unsure of the legitimacy of an e-mail, close the e-mail, open a new browser and go to the website concerned (https://www.paypal.com in our case) and just log on there.” The problem is that the victims of the phishing attacks were not uncertain. They were wrong, but not uncertain. The advice to open a new browser and go to the website concerned is right on. It should be adopted in all PayPal transaction confirmations, etc.

Incidentally, around consumer education, PayPal gets a score of 80% on their own test. The first true or false question at https://www.paypal.com/cgi-bin/webscr?cmd=xpt/Marketing/securitycenter/antiphishing/AntiPhishingQuiz-outside is “Phishing is a form of fraud designed specifically to steal your identity.” The correct answer is false. Some phishing is about identity theft, but a lot of phishing is simply about stealing your money, your email account or your virtual characters, weapons, and treasures. Many phishers don’t care about stealing your identity. I’ve asked PayPal to correct their quiz, but have not yet heard back. Simply using an accurate definition of phishing would help.

The Conclusion

On the whole PayPal is doing great things to combat phishing. PayPal is a valued partner in the fight against cybercrime. PayPal, as well as Chase Bank, American Express, and many other financial institutions can do a lot more to help fight phishing by simply discontinuing the practice of including links to log in to your account in their correspondence. Some financial institutions already have discontinued the practice to help protect their customers from phishing attacks. It is magnitudes easier to teach people that if the email from their financial institution contains a link it is a phish than it is to teach them to identify all phishes. Something to consider… The automated system that one or more really, really, smart people at PayPal created has far more knowledge of the composition of phish than most users do and it still got it wrong. Do you really think that teaching people how to look at headers and all the other components of a phish will be as effective as teaching them that if the email from PayPal has a link it is a phish?

There is no single solution that works in fighting phishing; what works most effectively is a combination of technologies, such as those built into the browser, security products, education, policies (no links to your account), phishing site take downs, and the types of things that PayPal is already doing.

Randy Abrams
Director of Technical Education