PayPal’s decision to introduce an optional two-factor authentication system highlights the increasing concern of banks and online payment organisations over phishing.
The amount of money lost to online banking fraud in the UK increased 55 per cent to £22.5m in the first half of 2006, according to figures from banking industry body Apacs – and all the signs indicate this amount will continue to rise.
Most phishing emails now target PayPal and eBay customers, largely because they are such a huge demographic – 123 million customers at the end of 2006 – but also because PayPal is designed to make it easy to move money around, predisposing it to being phished.
Surprisingly, however, phishing is not a large financial problem for PayPal or its customers.
Michael Barrett, chief information security officer at PayPal, says the problem with phishing has more to do with perception than reality.
‘Financially, phishing is not even in the top five of categories that we suffer from fraud–wise. But when you say you work for PayPal, people say: ‘Oh I get all these emails from you. What are you doing about that?’ People perceive that there is an issue, so there is an issue,’ he said.
Customers receiving phishing emails lose confidence, so PayPal’s two-factor efforts should help with some of these worries.
‘Security is, of course, about relatives and risk assessment, and not absolutes. What we are seeing at the moment is a period of experimentation where different companies are trying different solutions,’ said Barrett.
Recent research by security vendor RSA shows that 91 per cent of bank account holders are willing to use stronger authentication methods, while more than half (52 per cent) are ‘less likely’ to sign up for or use online banking than they were.
As well as introducing two-factor, PayPal is responding to this drop in public confidence by introducing a new green light system where users of Internet Explorer 7 will see the browser flash green if the site is safe.
‘One of the other things we are doing is heavily pushing digital signature and email signing technologies so that all PayPal and eBay outbound email is digitally signed,’ said Barrett.
‘It is incumbent on us to set an example and say these technologies will help once they reach a critical mass,’ he said.
Peter Cassidy, secretary general of the Anti-Phishing Working Group, says nothing is absolute.
‘None of these solutions will stop online payment systems being attacked; criminals will just up their game. But two-factor systems will also get attention because consumers are experiencing something novel,’ he said.
What do you think? Email us at feedback@computing.co.uk
Further Reading:
Fraudsters use phishing tactics
reader comments