Joe Levi:
a cross-discipline, multi-dimensional problem solver who thinks outside the box – but within reality™

PayPal Asking E-Mail Services to Block Messages

According to a story being run by CIO.com, PayPal is trying to “persuade email providers to block messages that lack digital signatures, which are aimed at cutting down on phishing scams, a company attorney said Tuesday.”

Apparently PayPal is using many technologies to “digitally sign” its current emails. These technologies include DomainKeys, a technology developed by Yahoo!, which enables verification of the sender’s mail server and of the integrity of the message that’s sent.
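The receiver-side rule PayPal is asking for, as an added example (not code from the article, PayPal or any mail provider): mail claiming to come from a domain known to sign everything is blocked unless it carries a signature header naming that domain. The `ALWAYS_SIGNED` list, the function names and the sample messages are assumptions constructed here; `DKIM-Signature`, the successor to DomainKeys, is checked alongside `DomainKey-Signature`, and validating the signature against the key published in DNS is a separate step that is not shown.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: sender domains the receiver knows sign all outbound mail.
ALWAYS_SIGNED = {"paypal.com"}
SIG_HEADERS = ("DomainKey-Signature", "DKIM-Signature")

def signing_domains(msg):
    """Collect the d= (signing domain) tag from every signature header."""
    found = set()
    for name in SIG_HEADERS:
        for value in msg.get_all(name, []):
            for tag in value.split(";"):
                key, _, val = tag.partition("=")
                if key.strip().lower() == "d" and val.strip():
                    found.add(val.strip().lower())
    return found

def covers(parent, domain):
    """True if parent is the domain itself or one of its parent domains."""
    return domain == parent or domain.endswith("." + parent)

def verdict(raw):
    """Return 'accept', 'block' or 'verify' for one raw message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    policy = next((d for d in ALWAYS_SIGNED if covers(d, sender)), None)
    if policy is None:
        return "accept"   # sender domain is outside the signing policy
    # The signer must sit inside the policy domain and cover the From domain.
    if any(covers(policy, s) and covers(s, sender) for s in signing_domains(msg)):
        return "verify"   # next step: check the signature against the DNS key
    return "block"        # claims a signing domain, has no matching signature

# Constructed sample messages (signature values are placeholders).
SIGNED = ("DomainKey-Signature: a=rsa-sha1; s=sel1; d=paypal.com; q=dns; b=PLACEHOLDER\n"
          "From: PayPal <service@paypal.com>\nSubject: Receipt\n\nbody\n")
UNSIGNED = "From: PayPal <service@paypal.com>\nSubject: Confirm your account\n\nbody\n"
WRONG_SIGNER = ("DKIM-Signature: v=1; a=rsa-sha256; s=x; d=example.net; b=PLACEHOLDER\n"
                "From: service@paypal.com\nSubject: Confirm your account\n\nbody\n")
OTHER = "From: friend@example.org\nSubject: hi\n\nbody\n"

if __name__ == "__main__":
    for name in ("SIGNED", "UNSIGNED", "WRONG_SIGNER", "OTHER"):
        print(name, "->", verdict(globals()[name]))
```

A message signed by some unrelated domain is treated the same as an unsigned one, since that signature says nothing about the domain in the From address.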

I’m not all that keen on DomainKeys. As I understand it, DomainKeys only provides a compatible mail server with a means to confirm that a message really came from where it was sent (the originating, outgoing mail server). Yes, this does help, and I feel all mail servers should be doing this now, but the magic bullet is validating that a message really came from an individual. Not only that, but that you have emailed that individual in the past.

When I get an S/MIME encrypted email message (in addition to securing the email’s contents) I can rest assured that the message is from who they say they are, AND that I have emailed that person before (thus giving them my public encryption key). If I were to get a message without encryption I’d know to be very suspicious of the sender (and the contents of the message).

The root of the problem comes from a practice known as Phishing, wherein an individual will send an email indicating a problem with the recipient’s account, and that information (including login) will need to be confirmed or the account will be closed. Most often the return address of the sender is spoofed to make it look “legitimate.”

When the recipient clicks on a link in the email they’re directed to a page that looks legitimate but is actually a site hosted by the sender (most often just an IP address somewhere) that serves to collect usernames and passwords. The recipient is then thanked for their time and told their account is “safe.” The sender then can do all sorts of malicious things with their account.

PayPal is one of the largest online payment processors and their users are therefore some of the most often targeted for this type of scam.
