
It’s been called the most ‘phished’ brand on the internet, and with 143 million registered account holders, PayPal has more at stake than most in the fight against online fraud. FST met with PayPal CISO Michael Barrett, who outlined how the company is approaching the fight against the bad guys.
“I wish we could say there will be some grand conference when we get together and make phishing history, but it doesn’t happen like that”
“Consumers often ask the question, ‘am I safe online?’,” says Michael Barrett, PayPal’s Chief Information Security Officer, as we sit down to discuss online security. “You hate to say no, but the fact is you’re not actually safe anywhere in your life; all you’re doing is appropriately minimising the risks you can manage.” It’s a point that anyone involved in financial security will instinctively agree with. And yet it’s a message that customers don’t want to hear. As Barrett sees it though, one of the key challenges PayPal faces in the fight against online fraud is educating customers about what risky behavior looks like, and how it can be reduced to an acceptable level. “Lugging a wallet of money around is dangerous because you could get mugged, but most of us do that on a daily basis,” he points out.
Since its beginnings in 1998, PayPal has been one of the success stories of the internet revolution. Building on the existing financial infrastructure, its model of person-to-person payments, backed by sophisticated back-end fraud prevention systems, has created a global real-time payment solution. In a sense PayPal’s success ran in parallel to the rise of eBay – its model being ideally suited to the payments between individuals that are the lifeblood of the auction site. Indeed it was no surprise when eBay acquired PayPal in 2002. On 2007 Q1 figures PayPal now has 143 million customers worldwide, and it has won a host of awards throughout its nine-year history.
The downside of this success is that, like its sister brand eBay, PayPal has become a focus for the efforts of the financial criminals who specialise in electronic crime: phishers. It has been said that PayPal is the most phished brand on the internet. Barrett points out that the data behind this claim is “spiky”, and that the most recent figures he has seen place it at number five on the list. However, he acknowledges that the threat to his customers from criminals is always top of mind for the company. “Half of what I do could be called information security 101,” he says. “The general risk, security and systems management that any company such as ours is involved in. The other half could be best described as protecting consumers from themselves.”
Customer responsibility
Following up on the issue of consumers protecting themselves, what are the key messages that companies such as PayPal need to communicate? “There are three major threat factors against consumers that we need to be aware of,” Barrett argues. The first is brute-force password guessing. “For a whole bunch of technical reasons it’s difficult to move the volume of this to zero, so just teaching people about how to construct a safe password, and how to manage that, is one key message.”
The second threat factor he outlines is phishing, and the answer to this from a consumer perspective is simple: “The message to consumers of don’t click on links, start up a new browser, and go directly to the site concerned is actually a really good one – if everyone did that, phishing as a crime wouldn’t exist.”
The final threat that Barrett is concerned about is malware, which he describes as moving away from just serving up obnoxious ads to something far “nastier”. For consumers there is safer and riskier behavior, but the key is to run your computer on an up-to-date OS such as Vista or Mac OS X, keep it patched, and keep your virus signatures current. “You’d be amazed by how many users are still using Windows 98 to do e-commerce,” he confides. “I personally view that as suicidally dangerous, because those older platforms have got vulnerabilities that will never be patched as they’re out of support. So we have to educate consumers on that set of behaviors, I think.”
Given that he’s speaking to an enthusiastic online shopper and web user, with countless log-ins to different online accounts, the room goes a bit quiet when Barrett talks about password security. Of course, everyone knows that you should have a random collection of letters and digits, but really, who’s got time to remember that? And a different password for each account? It’s far easier to pick a memorable name and stick to that. Given that this particular online shopper’s attitude to these issues is far from unusual, is it time for companies such as PayPal to start thinking about passing on some of the ‘hit’ of a data breach to customers who haven’t taken their own security as seriously as they should?
“This is not a conceptual step that PayPal has made so far, and to be honest I’m not sure it’s one that we would want to make,” he replies.
“I don’t think as a society that we’re ready for the implications of giving more responsibility to the consumer just yet. Using the analogy of road safety there’s a shared responsibility across an eco-system of players – driving is a privilege, and in order to exercise that privilege you have to have a driver’s license, so where is the same framework for internet access?” So, does this mean that he thinks people should need a license to connect to the internet? Not really. The point to be made is that PayPal, or the industry in general, can’t move faster than the prevailing culture will allow.
“I believe there is a personal responsibility on the part of individual internet users, the problem being that at the moment there is no framework for what that might be. The answer is that as a culture we’re not ready to push more of the responsibility for fraud onto the individual consumer, though I suspect that sooner or later we may actually stare that one in the face. And that’s really my point, any given commercial enterprise can’t get too far ahead of the culture they operate within, because we all have to act as one for that to work. So at this stage there’s no way we’d do something like that.”
E-mail blocking
It’s not an unreasonable position, so given that relying on consumers not to be dumb is obviously not a strategy for complete success, we move on to a discussion of what PayPal can do itself to reduce fraud. It’s clear that Barrett is a can-do kind of guy, and it’s no surprise that the PayPal strategy is multi-faceted. “There’s no magic bullet to any of this,” he says, “so PayPal has taken a shotgun approach.”
What this means in practice is that PayPal has eight different strands of activity (see box). “A lot of what we’re doing with our general anti-phishing strategy could be described as experimental,” Barrett suggests. “Experimental in the sense that we don’t know exactly what’s going to work, but we’re prepared to take some risks, and see what does.” The strategy, he explains, relies on the assumption that if you attack several different points in the phishing life-cycle you increase your chance of success and of disrupting the entire eco-system the criminals are operating within. “The problem is that the crime of phishing is too profitable at the moment. For the criminal it’s half a day’s work, and it doesn’t really cost a thing; there’s only really a return. So anything we can do to disrupt this has got to help.”
One of the interesting initiatives PayPal is involved in has been to work with some of the biggest ISPs to block unsigned e-mails that purport to be sent from PayPal. Barrett argues that a small number of ISPs such as AOL, MSN, Gmail and Yahoo! account for the vast majority of e-mail traffic. PayPal, he suggests, is set to announce an initiative with two of these ISPs later in the year. The idea is that these ISPs will block e-mails with an @paypal.com address unless they carry authentication signatures from PayPal itself.
PayPal has taken a pragmatic approach to the authentication standard it uses on its e-mail. “Of the two main signature standards [SPF and DKIM], there hasn’t been one that has been clearly adopted by the whole industry. We’re standard-neutral, so we’ll be using both,” he explains.
“We don’t know how successful e-mail blocking will be, as we’re just turning it on. Our untested hypothesis is that as we block e-mail in those ISPs, those ISPs become relatively safer for customers. What we may find is that the way to protect the entire population is not to get this strategy into 50 percent of the ISPs, but into all of them.”
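The blocking rule Barrett describes, as a receiving ISP would apply it, written out as an added example (not PayPal’s or any ISP’s code): mail whose From address is @paypal.com is delivered only if the ISP’s own SPF or DKIM check passed for paypal.com itself. It assumes the mail exchanger has already recorded its verdicts in a standard Authentication-Results header, and the sample messages, domains and host names are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Policy from the article: mail whose From address is @paypal.com is delivered
# only if it carries an authentication pass for PayPal's own domain; being
# "standard-neutral", a pass from either SPF or DKIM is enough.
PROTECTED_DOMAINS = {"paypal.com"}

def _domain_of(value):
    """Domain part of an address (or a bare domain), lower-cased."""
    return value.strip("<>").rsplit("@", 1)[-1].lower()

def parse_auth_results(header):
    """Parse an Authentication-Results header (RFC 5451) into {method: (result, props)}."""
    header = " ".join(header.split())            # unfold continuation lines
    results = {}
    for clause in header.split(";")[1:]:         # clause 0 is the authserv-id
        m = re.match(r"\s*(\w+)=(\w+)(.*)", clause)
        if m:                                    # parenthesised comments are ignored
            method, result, rest = m.groups()
            props = dict(re.findall(r"(\w+\.\w+)=(\S+)", rest))
            results[method.lower()] = (result.lower(), props)
    return results

def authenticated_for(results, domain):
    """True if SPF or DKIM passed for `domain` itself; a pass for another domain doesn't count."""
    spf = results.get("spf", ("none", {}))
    dkim = results.get("dkim", ("none", {}))
    return ((spf[0] == "pass" and _domain_of(spf[1].get("smtp.mailfrom", "")) == domain)
            or (dkim[0] == "pass" and _domain_of(dkim[1].get("header.d", "")) == domain))

def decide(raw_message):
    """Return 'deliver' or 'block' for one inbound message given as RFC 822 text."""
    msg = message_from_string(raw_message)
    from_domain = _domain_of(parseaddr(msg.get("From", ""))[1])
    if from_domain not in PROTECTED_DOMAINS:
        return "deliver"                         # the policy only covers the protected brand
    results = parse_auth_results(msg.get("Authentication-Results", ""))
    return "deliver" if authenticated_for(results, from_domain) else "block"

# Constructed sample messages (not real PayPal mail); the receiving ISP's MX has
# already added the Authentication-Results header that the policy reads.
SIGNED = ("From: service@paypal.com\nAuthentication-Results: mx.example.net;"
          " spf=pass smtp.mailfrom=service@paypal.com;"
          " dkim=pass (1024-bit key) header.d=paypal.com\n\nYour receipt.\n")
UNSIGNED = "From: service@paypal.com\n\nPlease verify your account.\n"
WRONG_SIGNER = ("From: service@paypal.com\nAuthentication-Results: mx.example.net; spf=fail"
                " smtp.mailfrom=bounce@bulk-mailer.example; dkim=pass header.d=bulk-mailer.example\n\nNotice.\n")
```

The third sample shows why the check is tied to the domain: a valid DKIM signature from some other domain says nothing about whether PayPal sent the message.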
Surely it would be problematic rolling out to the vast majority of ISPs, each of which serves a tiny segment (less than one percent) of the overall internet population? As Barrett sees it, if the approach works and could be adopted en masse, it has the potential to disrupt the eco-system that currently gives criminals such an incentive to go to work. “I think what we’re doing is taking the first tentative steps, but the long-term end-game is clearly a much bigger industry engagement,” he argues.
This is of course no easy task, but Barrett is optimistic. “That’s probably two years out realistically – we’ll know by the end of this year how successful it is for us, and then we’ll have to work with the rest of the industry.” What this might mean is building some kind of industry clearing house to help co-ordinate the infrastructure.
“Of course that doesn’t exist yet, so we’d have to create that, or work within the confines of an existing industry organization, and turn that into a clearing house,” Barrett acknowledges. “There’s an enormous amount of work still to be done on this, as we start to get through the experimental hypothesis verification stage, and start to talk about productisation.”
Security keys
Aside from this e-mail blocking initiative, PayPal is also trying to introduce stronger authentication methods. A great example of this has been its launch of security key tokens. These are based on VeriSign VIP technology: essentially a customer is provided with a token that generates a unique password for each sign-in. This technology isn’t new, but there are problems with user acceptance – the token has to be carried around, can get lost, and users have frankly found it a pain to use. These are issues that PayPal acknowledges, and Barrett is clear that the keys will be offered on a voluntary basis – indeed, if 10 percent of the customer base sign up then PayPal will be more than happy.
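To show what “a unique password for each sign-in” means on the server side, here is an added example (not PayPal’s or VeriSign’s code) that assumes the token behaves like an OATH event-based token (RFC 4226 HOTP): the server keeps the shared seed and the last counter it accepted, scans a short look-ahead window so a token that was pressed without logging in can resynchronise, and refuses any code at or below the last accepted counter so a captured code cannot be replayed. The seed is the RFC 4226 test-vector secret, used here as constructed sample data.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class TokenRecord:
    """Server-side state for one customer's token: the shared seed plus the last
    counter accepted, so the same code can never be accepted twice."""

    def __init__(self, secret: bytes, look_ahead: int = 10):
        self.secret = secret
        self.last_counter = -1          # nothing accepted yet
        self.look_ahead = look_ahead    # how far the token may have drifted ahead

    def verify(self, submitted: str) -> bool:
        """Accept `submitted` only if it matches a counter strictly after the last
        accepted one and within the look-ahead window; compare in constant time."""
        start = self.last_counter + 1
        for counter in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, counter), submitted):
                self.last_counter = counter   # advance: older counters are now dead
                return True
        return False

# Constructed sample data: the RFC 4226 Appendix D test secret, not a real token seed.
SAMPLE_SEED = b"12345678901234567890"
```

A customer who presses the button a few times between logins is still accepted (the scan advances past the skipped counters), but a code from an earlier counter, such as one an attacker captured earlier, is rejected.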
“The driver behind launching the security key is to give customers who are concerned about online safety and security issues a direct way of impacting and controlling that,” Barrett suggests. “The security key offers that, so we’re very keen they have that available.”
Obviously there is a balance between increased security and commercial demands. Would PayPal consider rolling out this kind of solution on a more mandatory basis? “It’s very difficult to make these solutions mandatory,” Barrett argues. “Simply because there is always a set of customers who do understand the risks, and choose to accept them, as well as a larger set of customers who don’t properly understand the risk but want the most frictionless solution you can give them.”
As he explains though, this token is not the be-all and end-all from the authentication perspective. “We do expect to have other forms of authentication over the next couple of years, this just happens to be the solution we’re rolling out first.” And even though this is not a mandatory scheme, rolling it out is still a massive undertaking.
“No one has attempted rolling out tokens to a customer base that is 143 million strong globally, so we’re doing something at a scale that is genuinely breaking new ground. There is no good industry data on how this will be received, so in those terms it is experimental. And while this isn’t considered a pilot, we’ll all look back in a couple of years and write the proverbial text-book on how this all went.”
Industry co-operation
Throughout our conversation it’s clear that Barrett has his sights set on a wider vision of internet security, one that transcends PayPal’s own specific operations and is based on industry-wide solutions. But how does the industry reach these solutions?
“That’s a really difficult question and there’s no single right answer,” he ponders. He then likens the present environment to the development of PCI. “You go through this series of stepwise improvements, and eventually you arrive at a standard such as PCI.”
For Barrett a similar iterative process will be needed to tackle issues such as e-mail blocking, better consumer education, and a general codification of appropriate online behavior. “I wish we could say there will be some grand conference when we get together and make phishing history, but it doesn’t happen like that. You can look at all these things and say they go through about those same series of steps, where individual things start to happen, and then we collectively get together and say we have to pursue these things together, and then we keep refining it, until you get it to some kind of industry level solution.”
It’s been a fascinating conversation, and as our time runs out, and Barrett is obviously eyeing his lunch, we end on his view of whether this industry-level solution is possible. “Generally I’m optimistic about the future. It’s a long process, but ultimately the industry, consumers, and government can all make a difference. We’ve just got to keep the pressure on the bad guys.”
BIG FIGURE: 143 million registered PayPal customers
BIG FIGURE: 0.31% PayPal’s fraud rate
PayPal’s 8-point anti-phishing plan