Friday, February 22, 2008

PayPal E-mail authentication

PayPal is one of the 2-3 most phished brands out there. That means they are targeted more often by phishing attacks than anyone else. If you use PayPal, then you need to be aware of the security capabilities they use to protect your account information. NetworkWorld had a recent interview discussing their security methods.
  1. Two-factor authentication - PayPal will issue you a token to more securely authenticate to your account. It costs $5 and you'll have to carry it around. I definitely adds more security to your account, but you have to carry the thing around. Did I mention you have to carry it around? I think using a strong password will provide enough security.

  2. Signed e-mail - PayPal also used a technology called DKIM (domain keys internet mail) to add a digital signature to any emails they send to you. Many of the major email client (yahoo and gmail for sure) will tell you the message is signed. This verifies that the message is actually from PayPal and not from an attacker. Below you can see what the signature looks like in Gmail. The "signed-by" and "mailed-by" fields show that has sent the message.

As usual, an ounce of awareness is worth a couple of pounds of protection. Your own knowledge is far and away your best defense.


Security Retentive said...


Also important from the article is the Iconix plugin. Its a pretty easy way for users to tell whether a mail was actually signed by PayPal. The visual clues it gives are pretty good for differentiating email.

Mike Rothman said...

That's good point and the Iconix stuff works OK. But it is something else that a user needs to load on their machine. I usually opt for the approach to teach people what they should be looking for. After the issue is understood, then I'm cool with the tool. But I don't like to use these tools as an excuse to not learn.