PayPal Urges Phishing Legislation

By Justin Lee, theWHIR.com

April 18, 2007 — (WEB HOST INDUSTRY REVIEW) — While Internet security firms are constantly upgrading their arsenals in the fight against fraud, phishing attacks continue to occur, threatening the profits of online businesses and the safety of their customers.

Some experts, including security software firm Symantec, argue that technology alone cannot eliminate phishing. Rather, Internet users must be educated in the basics of phishing prevention, and how to effectively communicate with one another in order to solve this significant problem.

Some partially blame Web hosting companies for doing an inadequate job in fighting phishers. Online payment service PayPal (paypal.com) recently pointed the finger at European Web hosts for not taking a more proactive stance against phishers and for not shutting down their Web sites more promptly.

PayPal says it takes phishing seriously, placing security at the top of its list of priorities. With the issue growing publicly along with online shopping, the company says it is striving to do as much as it can to eliminate phishing.

At last month’s 2007 e-crime congress, PayPal’s associate general counsel Joseph E. Sullivan voiced his disappointment in Web hosting companies. PayPal, he said, is pushing for European legislation comparable to the “good samaritan” laws in the US, which allow Web hosts to take action against phishers without making the Web hosts liable.

“We haven’t drafted anything specific,” says Michael Barrett, PayPal’s chief information security officer. “However, because we have found in practice that hosting services with this type of protection written into the laws of their jurisdiction are more willing to be proactive in their efforts, we have urged in a number of meetings with legislative authorities in Brussels and national capitals that such legislation be considered.”

Barrett says the fight against phishing attacks is ultimately the responsibility of everyone, but especially that of Web hosting providers. PayPal is hesitant to single out any company in particular, as it hopes to build partnerships with many of these companies to help improve their anti-phishing practices.

And while everyone who uses the Internet is in some way affected by phishing, PayPal pays a price in a most literal sense. The company reimburses its users for unauthorized transactions on their accounts, and it loses an indeterminable but incremental value every time a fraudulent email threatens its reputation as a trusted online money delivery service, says Barrett.

Smaller Web hosts sometimes argue that it is difficult to take down phishing sites promptly because phishers often put sites up on a Friday night when the Web host’s technical staff have already gone home for the weekend, or that they lack the manpower to respond to phishing discoveries as they occur. These, Barrett says, are mostly baseless excuses.

“All [Web hosting companies] need is a documented procedure by which their support representatives answer their phone or email, review the Web site concerned to see if it is obviously a fake site, and if it is, shut it down,” says Barrett. “Unless a Web hosting company gets dozens of calls about Web sites per day (in which case they have really poor customer vetting procedures), hiding behind the ‘limited manpower’ argument is simply a red herring.”

There are basic precautions that hosting services can take to ensure the security of their hosting clients, says Barrett. For instance, technical staff should promptly respond to requests for the removal of phishing sites, as well as proactively maintain ingress/egress control of traffic on their networks to prevent any of their servers being used as command/control servers for “botnets” of compromised PCs.

Administrators should also prevent Web sites from being hosted by just a TCP/IP address, since a large number of spoof sites are hosted on servers that don’t have domain names and are reachable only by IP address.

“While laws vary across jurisdictions, in general, those of us who don’t host content do not have legal responsibility for content generated by others,” says Barrett, “But they do have a clear responsibility to promptly remove Web sites that are hosting phishing sites, as soon as they are notified by a legitimate representative of the business being phished.”

The Web hosting issue, however, is just one component of PayPal’s anti-phishing program, which also includes working with ISPs to eliminate phish-mail from consumers’ inboxes, educating customers on what represents safe behavior online, educating customers on using safe Web browsers and offering stronger authentication options for users who want to use them.

“Fundamentally, though, every company that profits from the success and continued growth of the internet should out of self interest feel a responsibility for joining into the ongoing fight against phishing sites,” says Barrett. “Phishing undermines the integrity of the Internet as a trustworthy place to do business, and that erosion harms us all. If people stop trusting email and refuse to do business online, hosting services will suffer as much as anyone.”
