Wednesday, April 23, 2008

PayPal's Approach to Fighting Fraud

Security UPDATE
A Penton Media Property
April 23, 2008


If you want to view this on the web go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-6279-803-202-62923-616189-0-0-0-1-2-207

----------------------------------------
ADVERTISEMENT
CA

Data Protection and Disaster Recovery Tips

Discover a wealth of information about how to protect and secure your
data in the event of a disaster. You may not be able to predict the
exact details of a disaster, but you can be prepared with a solid
response for when one strikes. Disaster can strike anywhere -- not just
where severe weather can hit -- so make sure you're ready when it does.

http://ct.email.windowsitpro.com/rd/cts?d=33-6279-803-202-62923-616190-0-0-0-1-2-207
----------------------------------------

IN FOCUS

--PayPal's Approach to Fighting Fraud
by Mark Joseph Edwards, News Editor
PayPal handles payment processing for somewhere in the neighborhood of
141 million users around the world. That equates to a huge amount of
responsibility, and it makes the company a huge target for criminals who
perpetrate phishing scams.

According to PayPal, in spring 2006, phishing scams against its
customers accounted for approximately 80 to 90 percent of all phishing
scam email in circulation. By spring 2007, the percentage had dropped to
just over 10 percent. And now, the percentage is hovering somewhere
around 5 percent. That's a dramatic reduction in attacks against PayPal
customers. The obvious question is why did that figure drop?

PayPal isn't completely sure, but during that timeframe, the company did
implement a detailed approach to preventing phishing scams from being
effective. It's knowledge about this approach that I think will be
valuable information for all security administrators who are responsible
for helping to secure Web sites that handle some sort of transaction
processing--particularly if the transactions involve money and people's
private information.

In a newly released white paper, PayPal Chief Information Security
Officer (CISO) Mike Barrett details the company's analysis of the
overall phishing problem and how PayPal strategized to defend against
it. The approach is both practical and logical.

The company first identified five aspects of the phishing problem: the
fraudsters' profit-driven motive, the actual phishing scam email
message, the financial loss and bad user experience of the victim when a
phishing attack is successful, and thus lower activity at PayPal
overall. In short, phishing was causing PayPal's business to decline as
consumer confidence waned.

PayPal then came up with five silver bullets, one for each aspect of the
overall problem. To address phishing email itself, the company came up
with a strategy to help ensure that such email never reached people's
inbox. Since the scams invariably involved spoofed PayPal Web pages, the
company realized that it had to help prevent those pages from being
displayed. In the event that a customer did fall prey, PayPal had to
ensure that their stolen credentials could not be used. As a heavy
disincentive to launch such scams in the first place, PayPal goes after
fraudsters with the full weight of the legal system. And, to help
protect its brand and its customers, the company educates consumers by
providing security-related information for the layperson on its Web site
and makes certain security decisions for customers if they fail to do so
themselves.

The last measure was probably the most difficult for PayPal to decide on
because it involves prohibiting users of certain browsers from
conducting business at PayPal's site. However, taking such action is for
consumers' own protection, and at the same time it provides an opportunity
to educate consumers and raise their awareness regarding online safety.

As you well know, older browsers are incredibly vulnerable to attack.
PayPal draws three lines in the sand depending on which browser versions
are in use, and this requires that the company stay on top of the latest
browser releases. If you visit PayPal with a current browser version,
you'll see no messages or warnings. If you're using the previous major
version, you'll see a warning message, but you'll still be allowed to
use the site. If you visit the site with a browser version more than one
major release old, you'll see a warning message and will be barred from
using the site.
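The three-tier browser policy described above, expressed as a server-side check. This is an added illustration, not PayPal's code or anything from the white paper: the table of "current" major versions, the User-Agent patterns, and the choice to treat an unrecognised browser as outdated are all constructed assumptions.

```python
"""Tiered browser-version gate: current major release -> no message;
one major release behind -> warn but allow; anything older -> warn and block.

Added example, not PayPal's implementation. CURRENT_MAJOR is a constructed
sample table; a real deployment would refresh it from current browser releases."""
import re
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"   # current major release: no message shown
    WARN = "warn"     # one major release behind: warning, still admitted
    BLOCK = "block"   # more than one release behind: warning and refused


# Constructed table (assumption): browser family -> current major version.
CURRENT_MAJOR = {"Firefox": 3, "MSIE": 7, "Safari": 3}

# Product tokens as they appear in User-Agent strings (constructed patterns).
_UA_PATTERNS = [
    ("Firefox", re.compile(r"Firefox/(\d+)")),
    ("MSIE", re.compile(r"MSIE (\d+)")),
    ("Safari", re.compile(r"Version/(\d+)[\d.]*.*Safari/")),
]


@dataclass(frozen=True)
class Browser:
    family: str
    major: int


def parse_user_agent(ua: str) -> Optional[Browser]:
    """Return the browser family and major version, or None if unrecognised."""
    for family, pattern in _UA_PATTERNS:
        match = pattern.search(ua)
        if match:
            return Browser(family, int(match.group(1)))
    return None


def gate(ua: str, current=CURRENT_MAJOR) -> Decision:
    """Map a User-Agent string onto the three lines in the sand."""
    browser = parse_user_agent(ua)
    if browser is None or browser.family not in current:
        # Assumption: a browser we cannot identify cannot be judged "current",
        # so it is treated like an outdated one rather than silently admitted.
        return Decision.BLOCK
    releases_behind = current[browser.family] - browser.major
    if releases_behind <= 0:
        return Decision.ALLOW
    if releases_behind == 1:
        return Decision.WARN
    return Decision.BLOCK


if __name__ == "__main__":
    for ua in (
        "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.9) Gecko/2008052906 Firefox/3.0",
        "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14",
        "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)",
    ):
        print(gate(ua).value, "<-", ua)
```

The gate keys on major version only, which is what lets the policy survive minor and security releases without a table update; the table itself is the piece that has to track the latest browser releases, as the article notes.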

The other prongs of PayPal's approach involve a considerable amount of
partnering with various industries. For example, to help stop
scam-related email from reaching inboxes, PayPal encourages ISPs to use
Sender Policy Framework (SPF) and DomainKeys. PayPal also encourages
people to use Iconix's email verification technology for email clients.
To help block phishing sites, the company has to collect potential scam
messages, extract embedded URLs, examine the Web pages, build
blacklists, and feed the blacklist information to more than 50 blacklist
providers. To pursue legal recourse against and create disincentives for
scammers, PayPal works with law enforcement as well as government
officials and policy makers.
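The collect-extract-examine-blacklist pipeline described above, reduced to the parts that run offline. This is an added example and not PayPal's or the white paper's code: the sample phishing message, the protected-domain list and the brand tokens are constructed, and the "examine the Web pages" step is replaced by static URL heuristics (brand name in the hostname, path or userinfo; bare IP-address hosts) so that nothing is fetched.

```python
"""Turn a reported scam message into blacklist candidates.

Added example, not PayPal's implementation. SAMPLE_MESSAGE, PROTECTED_DOMAINS
and BRAND_TOKENS are constructed; page fetching is intentionally omitted."""
import ipaddress
import re
from email import message_from_string
from email.message import Message
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed: the brand's genuine domains and the token a spoof borrows.
PROTECTED_DOMAINS = {"paypal.com"}
BRAND_TOKENS = ("paypal",)

# Constructed sample of a reported scam message (multipart: text + HTML).
SAMPLE_MESSAGE = """\
From: "PayPal" <service@paypal.com>
To: victim@example.net
Subject: Your account has been limited
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please confirm your details at http://www.paypal.com.secure-login.example/verify
Help: https://www.paypal.com/help

--b1
Content-Type: text/html; charset="us-ascii"

<html><body>
<a href="http://192.0.2.10/paypal/login">https://www.paypal.com/cgi-bin/webscr</a>
<a href="http://www.paypal.com@account-review.example/">Review</a>
</body></html>

--b1--
"""

_URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


class _LinkExtractor(HTMLParser):
    """Collect href targets; the visible link text often shows the genuine
    URL while the href points elsewhere, so both are examined."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_urls(msg: Message):
    """Every URL in the text parts: hrefs from HTML plus bare URLs anywhere."""
    urls = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        charset = part.get_content_charset() or "utf-8"
        body = part.get_payload(decode=True).decode(charset, "replace")
        if part.get_content_subtype() == "html":
            parser = _LinkExtractor()
            parser.feed(body)
            parser.close()
            urls.update(parser.hrefs)
        urls.update(_URL_RE.findall(body))
    return urls


def is_protected(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in PROTECTED_DOMAINS)


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def blacklist_candidates(raw_message: str):
    """Return {hostname: reasons} for URLs that are not on a protected domain
    but borrow the brand or hide behind a bare IP address."""
    found = {}
    for url in extract_urls(message_from_string(raw_message)):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if not host or is_protected(host):
            continue
        reasons = []
        if _is_ip_literal(host):
            reasons.append("ip-literal host")
        if any(t in host for t in BRAND_TOKENS):
            reasons.append("brand token in hostname")
        if parts.username and any(t in parts.username.lower() for t in BRAND_TOKENS):
            reasons.append("brand domain hidden in userinfo")
        if any(t in parts.path.lower() for t in BRAND_TOKENS):
            reasons.append("brand token in path")
        if reasons:
            found[host] = "; ".join(reasons)
    return found


if __name__ == "__main__":
    for host, why in sorted(blacklist_candidates(SAMPLE_MESSAGE).items()):
        print(f"{host}: {why}")
```

The protected-domain check is a suffix match on the registrable domain, so `www.paypal.com` passes while `www.paypal.com.secure-login.example` does not; the userinfo case matters because `urlsplit` correctly reports the host as what follows the `@`, which is exactly what a reader skimming the link would miss.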

While PayPal's approach is multifaceted and requires considerable
resources that might not be available to many smaller organizations, it
is nevertheless a very good outline of strategies that can be used
either as a whole or in part by many of you. Consider taking some time
to read the 11-page white paper. I think you'll find it very helpful in
giving you some ideas about how you can strengthen your overall defenses
and build goodwill with your online customers.
www.thepaypalblog.com/weblog/files/a_practical_approach_to_managing_phishing_april_2008.pdf
(http://ct.email.windowsitpro.com/rd/cts?d=33-6279-803-202-62923-616191-0-0-0-1-2-207)

--Security Horror Story Contest
Tell us about a security hole that you found, a virus that shut down
your network, an embarrassing or scary near-miss or direct hit. (Be sure
to describe how you solved the problem too.) We'll print the best tales
in a Windows IT Pro cover story (anonymously, if you like), and you'll
win a 1-year Windows IT Pro VIP subscription. Send your security horror
stories (no more than 500 words) to Lavon.Peters@windowsitpro.com
(mailto:Lavon.Peters@windowsitpro.com) by May 9.

----------------------------------------
ADVERTISEMENT
Macrovision

So You Think You're Compliant...

According to Gartner, 30 percent of enterprises will experience at least
one audit per year*. There's no way for you to be entirely sure that
your organization is in compliance with software regulations... Unless
you have Macrovision's License Planning and Management Solution!

Register for the webinar now and learn how you can gain the confidence
to avoid software audits!

* Gartner, December 2006.

http://ct.email.windowsitpro.com/rd/cts?d=33-6279-803-202-62923-616192-0-0-0-1-2-207
----------------------------------------


SECURITY NEWS AND FEATURES

--Microsoft Warns of Vulnerabilities with Windows, IIS, and SQL Server
Microsoft issued an advisory last Friday warning administrators that
intruders might be able to gain system-level privileges.
To view the full article go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-6279-803-202-62923-616193-0-0-0-1-2-207

--Microsoft Issues One-Year Vulnerability Report for Windows Vista
Microsoft issued a report analyzing the vulnerability disclosures and
security updates for Windows Vista's first year on the market, comparing
this information to similar first-year data for its predecessor, Windows
XP, and contemporary competition such as Red Hat Enterprise Linux,
Ubuntu Linux, and Apple Mac OS X.
To view the full article go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-6279-803-202-62923-616194-0-0-0-1-2-207

--Mystery IIS Hack Unveiled
Researchers at SANS have discovered how thousands of sites were
compromised earlier this year. As a result of the compromises, countless
users' computers were infected with malware.
To view the full article go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-6279-803-202-62923-616195-0-0-0-1-2-207

--Trading Passwords for Chocolate
A recent survey conducted in London showed that 21 percent of
respondents were willing to reveal their passwords for a chocolate bar.
To view the full article go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-6279-803-202-62923-616196-0-0-0-1-2-207

--Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts,
which inform you about recently discovered security vulnerabilities. You
can also find information about these discoveries at

www.windowsitpro.com/departments/departmentid/752/752.html
(http://ct.email.windowsitpro.com/rd/cts?d=33-6279-803-202-62923-616197-0-0-0-1-2-207)


GIVE AND TAKE

--SECURITY MATTERS BLOG: Targeting the Top Brass
by Mark Joseph Edwards
Phishing scams took a decidedly direct aim at CEOs this week by using a
scare tactic that would lead some to at least click a link in an email
message.
windowsitpro.com/blog/index.cfm?action=BlogIndex&DepartmentID=949
(http://ct.email.windowsitpro.com/rd/cts?d=33-6279-803-202-62923-616198-0-0-0-1-2-207)

--INDUSTRY BYTES BLOG: What I Learned at RSA 2008 (Part One)
by Jeff James
Several evolving trends were in evidence. Securing virtual machines was
a popular topic for attendees and vendors alike, as was hardening mobile
devices and providing complete protection for enterprises with sensitive
data. This is the first part of a three-part report that presents some
of the more interesting products and trends Jeff came across.
windowsitpro.com/article/articleid/98934
(http://ct.email.windowsitpro.com/rd/cts?d=33-6279-803-202-62923-616199-0-0-0-1-2-207)

--FAQ: Domain Password Policies
by John Savill
Q: Is there a maximum number of fine-grain password policies (FGPPs) in
a single domain?

Find the answer at
windowsitpro.com/article/articleid/98892
(http://ct.email.windowsitpro.com/rd/cts?d=33-6279-803-202-62923-616200-0-0-0-1-2-207)

--SHARE YOUR SECURITY TIPS AND GET $100
Share your security-related tips, comments, or problems and solutions in
Security Pro VIP's Reader to Reader column. Email your contributions to
r2r@securityprovip.com (mailto:r2r@securityprovip.com). If we print your
submission, you'll get $100. We edit submissions for style, grammar, and
length.


RESOURCES AND EVENTS

Five Essential Considerations for Exchange 2007 Implementations
For most organizations, taking full advantage of Exchange 2007's
features will require a substantial investment. Unlike previous
upgrades, Exchange 2007 requires the replacement of existing servers
with new 64-bit hardware and software. Read this white paper to
understand the considerations involved and get tips you can use to
leverage your Exchange 2007 upgrade.
windowsitpro.com/Whitepapers/Index.cfm?fuseaction=ShowWP&WPID=5da6e1d6-cae8-44fe-893a-700ea3e743e4&code=041608er
(http://ct.email.windowsitpro.com/rd/cts?d=33-6279-803-202-62923-616201-0-0-0-1-2-207)

Want to keep abreast of the latest SQL Server business intelligence (BI)
news, views, tips, and techniques? Subscribe to Essential BI UPDATE, a
new twice-monthly BI email newsletter from SQL Server Magazine. You'll
get how-to information, industry trends, commentary by experts, valuable
insight into BI Reporting Services, and more. Subscribe today--it's
free!

www.sqlmag.com/email/dsp_SubscribeConfirmation.cfm
(http://ct.email.windowsitpro.com/rd/cts?d=33-6279-803-202-62923-616202-0-0-0-1-2-207)

Data Protection and Disaster Recovery Tips
Regardless of the type of disaster that might befall your organization,
the response is usually similar. You can make a disaster-recovery plan
based on factors such as the expected duration of recovery and the
impact of the disaster on your facilities and the surrounding areas.
This eBook will help you prepare a disaster plan that works for your
organization.
www.windowsitpro.com/go/ebooks/ca/disaster/?code=041608e&r
(http://ct.email.windowsitpro.com/rd/cts?d=33-6279-803-202-62923-616203-0-0-0-1-2-207)


FEATURED WHITE PAPER

This white paper will discuss how Network Access Control (NAC) handles
rogue computers, how to fit NAC into any environment, the main
components to look for in a NAC solution, and the results you can expect
when you put a NAC solution into place. Download this white paper to
ensure that your company can combat today's threats while remaining
nimble enough to address tomorrow's.
www.windowsitpro.com/go/wp/sophos/nac/?code=041608e&r
(http://ct.email.windowsitpro.com/rd/cts?d=33-6279-803-202-62923-616204-0-0-0-1-2-207)


ANNOUNCEMENTS

SQL Server Magazine Master CD: Take the Experts with You!
Find the solutions you need within the thousands of searchable articles,
helpful bonus content, and loads of expert advice on the SQL Server
Magazine Master CD. A Master CD subscription buys you portable access to
the entire SQL Server Magazine article database plus exclusive access to
the new articles we publish on SQLMag.com every day. It's like having a
team of SQL Server consultants in your pocket! Get real-world solutions
fast--order the SQL Server Magazine Master CD today.
store.pentontech.com/index.cfm?s=9&promocode=EU2884SC&
(http://ct.email.windowsitpro.com/rd/cts?d=33-6279-803-202-62923-616205-0-0-0-1-2-207)

CONTACT US
Security UPDATE is brought to you by the Windows IT Pro Web site's
Security page (first URL below) and Security Pro VIP (second URL
below).

http://ct.email.windowsitpro.com/rd/cts?d=33-6279-803-202-62923-616206-0-0-0-1-2-207

http://ct.email.windowsitpro.com/rd/cts?d=33-6279-803-202-62923-616207-0-0-0-1-2-207

You are subscribed to this newsletter as boy.blogger@gmail.com

Manage your Security UPDATE subscription at
http://ct.email.windowsitpro.com/rd/cts?d=33-6279-803-202-62923-616208-0-0-0-1-2-207.

To unsubscribe:
http://ct.email.windowsitpro.com/rd/cts?d=33-6279-803-202-62923-616209-0-0-0-1-2-207&list_id=803&email=boy.blogger@gmail.com&message_id=6279

Be sure to add Security_UPDATE@email.windowsitpro.com
to your spam filter's list of allowed senders.

To contact us:
About Security UPDATE content -- mailto:letters@windowsitpro.com
About technical questions -- http://ct.email.windowsitpro.com/rd/cts?d=33-6279-803-202-62923-616210-0-0-0-1-2-207

About your product news -- mailto:products@windowsitpro.com
About your subscription -- mailto:windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- mailto:salesopps@windowsitpro.com

View the Windows IT Pro privacy policy at

http://ct.email.windowsitpro.com/rd/cts?d=33-6279-803-202-62923-616211-0-0-0-1-2-207

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2008, Penton Media, Inc. All rights reserved.
