With 133 million consumers worldwide PayPal is arguably one of the most recognizable Internet brands -- and one of the most frequently phished as well. With that in mind, PayPal's chief information security officer, Michael Barrett, talked in an interview about the problem and his company's multipronged strategy for dealing with it. Excerpts from the interview follow:
How does it feel to be CISO of what is perhaps one of the most targeted companies on the Internet? I guess it's the old, 'You've got to be careful what you wish for' thing. Actually, it's been fun. I have enjoyed working here. It's a job you can really sink your teeth into. It's a great culture, it is very entrepreneurial, it's relatively easy to make decisions and get funded and to make an impact.
Why do you think PayPal is targeted so much by malicious attackers? That's an incredibly easy answer to give. Actually, there are two reasons. One is we have a very large customer base by the standards of most companies. We have 133 million customers on a global basis. We also have a business model that makes it easy by design to move money around between those 133 million individuals. By definition that's going to make both us and our customers targets. That's one of those things there isn't much to do about other than make it as difficult as possible for the bad guys to victimize them.
What's your biggest security challenge? Essentially, the most significant issue is phishing. It is not so much a financial issue because we make our customers whole. If a consumer ever does get victimized by phishing we 100 percent reimburse them. But clearly it causes a perception problem. Phishing definitely is something we hear [about] loud and clear from our customers. They want us to take that away and we are actually working very actively on addressing that. We don't believe it's a problem that there is a single silver bullet for. We also think it is an industry problem. In fact, quite a lot of what we are trying to do is link the industry in coming up with a solution. But we do want to make a significant dent. Of all of the things that we worry about, this is pretty much top of mind for the company.
So what is PayPal doing in this regard? Basically, what we are doing is taking a broad brush strategy. It has a number of elements. Essentially, it is incredibly simple and yet incredibly hard to argue against. If consumers don't receive phish mail in their e-mail inbox it's kind of tough to victimize them. Sometimes people say, and I don't subscribe to the belief, that spam is an uncontrollable problem. If you mean, can you catch every bit of spam and phish mail -- that is probably very difficult to achieve. But can you deal with it such that you see very little spam and very little phish mail? I would submit [that] technically we already know how to do that. I am actually a great poster child for that because I have had a personal e-mail address since 1996 but I see effectively no spam when I have my spam control filter turned on. But I see hundreds of spam mails a day when I turn my spam filters off. So I don't believe that we can't solve the problem; I just think by and large we haven't put the controls in front the consumers.
What sort of controls are these? A couple of years ago, there was a lot of discussion in the industry about digitally signing e-mails on their way out of corporations like ours. And then there was a standards war and essentially all the momentum got lost and by and large nobody did anything. We have decided that it is time again for somebody to take a leadership position. We are in fact completely agnostic about what drives standards. We would prefer to go with what we want but as it stands today there are two perfectly functional ones: SPS and Domainkeys. We are all ready 100 percent to start signing all outbound e-mail from [eBay and PayPal] using both SPS and Domainkeys. [Also] we are working with the major ISPs [such as] Yahoo, MSN, Hotmail, AOL and [the] Gmails of the world. Between the top six, they account for more than 50 percent of the consumers in our inbox. So what we are doing is simply working with those ISPs and giving them permission, if they see a piece of e-mail that claims to originate from us, but is not legitimately signed by us, to delete it. I think by the end of this year we actually would have done that with several ISPs. I can't give you any dates or any names or by when but that is absolutely something that we have in the works. The other thing we are doing is finding ways of working with the e-mail client vendors to make it much clearer when e-mail has been legitimately signed or not. So even in the e-mail inbox, a consumer can look at it and say of these six e-mails that purport to come from PayPal, five are not properly signed but one of them is and that must be the legitimate one.
What else is being done? The next step of our strategy is the education. It's something we have been associated with for a long time. We do a great deal of public outreach. But with 133 million customers it is fairly difficult to get to all of them and get the right message across to them. So that is the problem in that area. We do believe that part of the issue is the messages that have been delivered to consumers have not been specific enough. Essentially, we'd love to be able to say don't click on links in e-mails. But I don't think the industry's quite there yet. But we do think it is entirely valid to say be extremely careful about clicking a link in an e-mail and use judgment.
The next piece of our line of defense is the whole safe browser question. I seen some splash at RSA about Extended Verification SSL Certificates. Essentially, if you are using a modern browser such as IE7 or any other browser, if you come to paypal.com your address bar in the browser will glow green. Before you actually enter any data, make sure you are using a modern browser and do check to see if your URL bar is green. And if it is, it is now safe to do enter information.
What about the strong authentication initiative Paypal announced last year? This year we have actually launched it. As of now, we are enabling consumers to apply for a security key. It is simply a one-time password generator, a piece of hardware that allows a customer to associate with their PayPal account and have it as a sort of second factor of authentication. So they will still have their user ID and password, but now to log on they will enter that information and then they enter the one-time password. So if your credential got stolen, the bad guy would not be able to do anything with your account. It is just now running out in a public beta in the U.S., Australia and Germany. We want to see what or customers think about it. We are giving the tokens away for free to our [business accounts]. We are charging a nominal $5 fee for the others. We are not making any money on it, but we do need to cover our shipping and handling costs. We also believe it is important to show that these tokens have a value.
What percent of your resources and security efforts are focused on dealing with the phishing problem? There are two elements in my job. One of them is focused on ensuring that the company has all of the right internal controls so we can pass all the necessary audits. Then the other part of my job is to essentially help ensure that our customers are appropriately protected. It is essentially very hard to say exactly how much we are spending on this problem. I will say it is absolutely a top priority for the company and we are most certainly prioritizing it.
Besides tokens, what are some of the other measures for mitigating fraud? We already do quite a bit of fraud modeling -- some of which is behavioral and some of which is IP-based. We generally don't talk a lot about the details simply because it is proprietary and because the more we talk about it the more information we give to our adversaries. Suffice it to say we already have extensive security controls, as evidenced by the fact that our total fraud rate is significantly lower than the total fraud rate in the credit card industry. Our fraud rate is four-tenths of 1 percent. If you go look up average numbers in the credit card industry, it's a whole lot higher than that. That fact is a testimony to the effectiveness of our security controls.
The last thing we do is work very closely with law enforcement on a global basis in research cases, building a dossier on some particular criminal, building a case that law enforcement can then use to go arrest that guy. While we have a great deal of grudging respect for the intelligence and determination of our adversary, we ultimately want to see them in handcuffs and orange jumpsuits.
Ad Choices
Comments