eBay chief Meg Whitman said on Thursday that phishers pose one of the biggest threats to the customer trust that has sustained the auction giant.
Speaking at the Visa Security Summit here, Whitman said her company has been developing fraud models aimed at detecting unauthorized account access and hires experts around the globe to help law enforcement find criminals. But she said additional safeguards and educational campaigns are necessary to prevent consumers from falling prey to phony requests for their sensitive information--or simply getting annoyed and canceling their eBay accounts.
"We need to plug the holes in the system and make it next to impossible for fraudsters to reach our users," she said. "We need to make this so hard for the bad guys that ultimately they determine it's not worth their time to reach our customers anymore."
According to security researcher Michael Sutton, eBay and Paypal are the two most common brands targeted by phishers--together accounting for more than half of all phishing activity.
Whitman outlined three major steps that her company is taking to prevent users from succumbing to the phony e-mails and Web sites.
To start, eBay and its alternative payment subsidiary Paypal have worked with Microsoft to develop a blacklist of fake sites that look and feel like those companies' products but are actually used to glean personal information for illicit purposes. Microsoft's Internet Explorer 7 is capable of filtering out those and other phishing sites, Whitman said. She urged other browsers to follow suit.
eBay and Paypal are also currently signing all of their e-mails with "domain key signing," which Whitman described as "the equivalent of putting a signature in the form of encryption on each legitimate e-mail that leaves our system." She said the firms are urging major e-mail and Internet service providers to allow only those e-mails containing that unique signature to pass through their systems.
Finally, Whitman pointed to the recent availability of a Paypal key fob that generates a unique security code, to be used in combination with the user's password, every 30 seconds.