
It’s been called the most ‘phished’ brand on the internet, and with 143 million registered account holders, PayPal has more at stake than most in the fight against online fraud.
FST Editor Tim Young met with PayPal CISO Michael Barrett, who outlined how the company is approaching the fight against the bad guys.
“I believe there is a personal responsibility on the part of individual internet users, the problem being that at the moment there is no framework for what that might be”
“Consumers often ask the question, ‘am I safe online?’,” says Michael Barrett, PayPal’s Chief Information Security Officer, as we sit down to discuss online security. “You hate to say no, but the fact is you’re not actually safe anywhere in your life, all you’re doing is appropriately minimizing the risks you can manage.” It’s a point that anyone involved in financial security will instinctively agree with, and yet it’s perhaps not the one that your customers want to hear. As Barrett sees it though, one of the key challenges PayPal faces in the fight against online fraud is educating customers about what risky behavior looks like, and how it can be reduced to an acceptable level. “Lugging a wallet of money around is dangerous because you could get mugged, but most of us do that on a daily basis,” he points out.
Since its beginnings in 1998, PayPal has been one of the success stories of the internet revolution. Building on the existing financial infrastructure, its model of person-to-person payments, backed by its sophisticated back-end fraud prevention systems, has created a global real-time payment solution. In a sense PayPal’s success ran in parallel to the rise of eBay – its model being ideally suited to the payments between individuals that are the lifeblood of the auction site. Indeed it was no surprise when eBay acquired PayPal in 2002. On 2007 Q1 figures PayPal now has 143 million customers worldwide, and it has won a host of awards throughout its nine-year history.
The downside of this success is that, like its sister brand eBay, PayPal has become a focus for the efforts of the financial criminals who specialize in electronic crime: phishers. It has been said that PayPal is the most phished brand on the internet. Though Barrett points out that the data on this claim is “spiky”, and that the recent figures he has seen place it at five on the list, he acknowledges that the threat to his customers from criminals is always top-of-mind for the San Jose-based company. “Half of what I do could be called information security 101,” he says. “The general risk, security and systems management that any company such as ours is involved in. The other half though could be best described as protecting consumers from themselves.”
Customer education
Following up on the issue of consumers protecting themselves, what are the key messages that companies such as PayPal need to communicate? “There are three major threat factors against consumers that we need to be aware of,” Barrett argues. The first is brute force password guessing. “For a whole bunch of technical reasons it’s difficult to move the volume of this to zero, so just getting people [educated] about how to construct a safe password, and how to manage that, is one key message.”
The second threat factor he outlines is phishing, and the answers to this from a consumer perspective are simple: “The message to consumers of don’t click on links, start up a new browser, and go directly to the site concerned is actually a really good one – if everyone did that, phishing as a crime wouldn’t exist.”
The final threat that Barrett is concerned about is the threat of malware, which he describes as moving away from just serving up obnoxious ads, to something far “nastier”. For consumers there is safer and riskier behavior, but the key is to run your computer on an up-to-date OS such as Vista or Mac OS X, keep it patched, and keep its virus signatures up to date. “You’d be amazed by how many users are still using Windows 98 to do e-commerce,” he confides. “I personally view that as suicidally dangerous, because those older platforms have got vulnerabilities that will never be patched as they’re out of support. So we have to educate consumers on that set of behaviors I think.”
Consumer responsibility
Given that he’s speaking to an enthusiastic online shopper and web user, with countless log-ins to different online accounts, the room goes a bit quiet when Barrett talks about password security. Of course, everyone knows that you should have a random collection of letters and digits, but really, who’s got time to remember that? And a different password for each different account? It’s far easier to pick a memorable name, and stick to that. Given that this particular online shopper’s attitude to these issues is far from unusual, is it time for companies such as PayPal to start thinking about passing on some of the ‘hit’ of a data breach to customers who haven’t taken their own security as seriously as they should?
“This is not a conceptual step that PayPal has made so far, and to be honest I’m not sure it’s one that we would want to make,” he replies. For Barrett internet security has to be understood in the context of the larger effect internet adoption is having on our society. As an analogy he gives the example of the invention of the motorcar – in the early days there were no driving tests, and drivers were required to employ a man with a red flag to walk in front of them. For Barrett, the adoption of the internet at the moment can usefully be thought of in the same way as these early days of the motorcar. And the implication is that it will take time for our culture to normalize the internet and codify an appropriate set of behaviors.
“I don’t think as a society that we’re ready for the implications of giving more responsibility to the consumer just yet. Using the analogy of road safety there’s a shared responsibility across an eco-system of players – driving is a privilege, and in order to exercise that privilege you have to have a driver’s license, so where is the same framework for internet access?” So, does this mean that he thinks people should need a license to connect to the internet? Not really. The point to be made is that PayPal, or the industry in general, can’t move faster than the prevailing culture will allow.
“I believe there is a personal responsibility on the part of individual internet users, the problem being that at the moment there is no framework for what that might be. The answer is that as a culture we’re not ready to push more of the responsibility for fraud onto the individual consumer, though I suspect that sooner or later we may actually stare that one in the face. And that’s really my point, any given commercial enterprise can’t get too far ahead of the culture they operate within, because we all have to act as one for that to work. So at this stage there’s no way we’d do something like that.”
E-mail blocking
It’s not an unreasonable position, so given that relying on consumers not to be dumb is obviously not a strategy for complete success, we move onto a discussion of what PayPal can do itself to reduce fraud. It’s clear that Barrett is a can-do kind of guy, and it’s no surprise that the PayPal strategy is multi-faceted. “There’s no magic bullet to any of this,” he says, “so PayPal has taken a shotgun approach.”
What this means in practice is that PayPal has eight different strands of activity (see box). “A lot of what we’re doing with our general anti-phishing strategy could be described as experimental,” Barrett suggests. “Experimental in the sense that we don’t know exactly what’s going to work, but we’re prepared to take some risks, and see what does.” The strategy, he explains, relies on the assumption that if you attack several different points in the phishing life-cycle you increase your chance of success and of disrupting the entire eco-system the criminals are operating within. “The problem is that the crime of phishing is too profitable at the moment. For the criminal it’s half a day’s work, and it doesn’t really cost a thing, there’s only really a return. So anything we can do to disrupt this has got to help.”
One of the interesting initiatives PayPal is involved in has been to work with some of the biggest ISPs to block unsigned e-mails that purport to be sent from PayPal. Barrett argues that a small number of ISPs such as AOL, MSN, Gmail and Yahoo! account for the vast majority of e-mail traffic. PayPal, he suggests, is set to announce an initiative with two of these ISPs later in the year. The idea is that these ISPs will block e-mails with an @paypal.com address unless they come with authentication signatures from PayPal itself.
“We don’t know how successful email blocking will be, as we’re just working with a couple of ISPs to start turning it on, and at this point we don’t have any hard data. Our untested hypothesis is that as we block e-mail in those ISPs, those ISPs become relatively safer for customers. What we may find is the way to protect the entire population is to get this strategy not in 50 percent of the ISPs, but in all of them.”
On the technical details of this, we discuss what kind of signatures PayPal is using, given that different standards have developed in recent years. “Of the two main signature standards [SPF and DKIM], there hasn’t been one clearly adopted by the whole industry. We’re standard neutral, so we’ll be using both,” he explains.
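The receiving-side policy Barrett describes (deliver mail claiming a protected brand’s domain only if it authenticates via either mechanism) is sketched below as an added example; it is not PayPal’s or any ISP’s code. The SPF records, IP ranges and domain names are constructed for the example, and DKIM signature verification is assumed to have been done already by the receiving mail server, whose verdict is passed in as a flag.

```python
"""ISP-side policy from the interview: reject mail claiming to be from a
protected brand domain unless it authenticates via SPF or DKIM.
Added example, not PayPal's or any ISP's code. The DNS zone below is
constructed; it contains no real records or IP ranges of paypal.com."""
import ipaddress

# Constructed stand-in for DNS TXT lookups (no network access needed).
FAKE_DNS_TXT = {
    "example-brand.test": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.test -all",
    "_spf.mailer.test": "v=spf1 ip4:198.51.100.10 ~all",
}
# Brands that asked participating ISPs to block their unauthenticated mail.
PROTECTED_DOMAINS = {"example-brand.test"}


def spf_check(domain: str, client_ip: str, depth: int = 0) -> str:
    """Minimal SPF (RFC 7208) evaluator: ip4, include and all mechanisms only."""
    if depth > 10:
        return "permerror"  # include loops are a real-world failure mode
    record = FAKE_DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no policy published: nothing to enforce
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier, mech = "+", term
        if term[0] in "+-~?":
            qualifier, mech = term[0], term[1:]
        verdict = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
        if mech.startswith("ip4:"):
            if ip in ipaddress.ip_network(mech[4:], strict=False):
                return verdict
        elif mech.startswith("include:"):
            # An include matches only when the referenced record yields pass.
            if spf_check(mech[8:], client_ip, depth + 1) == "pass":
                return verdict
        elif mech == "all":
            return verdict
    return "neutral"  # record exhausted without an explicit all


def isp_policy(from_domain: str, client_ip: str, dkim_pass: bool) -> str:
    """Decide delivery of one message. dkim_pass is the mail server's DKIM
    verdict; signature verification itself is outside this example."""
    if from_domain not in PROTECTED_DOMAINS:
        return "deliver"  # ordinary mail: brand policy is not applied
    spf = spf_check(from_domain, client_ip)
    if spf == "pass" or dkim_pass:
        return "deliver"  # "standard neutral": either mechanism suffices
    return "reject"
```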
And if this is a success, how can it be rolled out to pick up all the ISPs – the vast majority of which each serve tiny segments (less than one percent) of the overall internet population? As Barrett sees it, if the approach works, and could be adopted en masse, it has the potential to disrupt the eco-system that currently gives criminals such an incentive to go to work. “I think what we’re doing is taking the first tentative steps, but the long-term end-game is clearly a much bigger industry engagement,” he argues.
This is of course no easy task, but Barrett is optimistic. “That’s probably two years out realistically – we’ll know by the end of this year how successful it is for us, and then we’ll have to work with the rest of the industry.” He is clear that getting everyone involved will require new structures to manage the infrastructure required. “Even if this might work for us, we’re just two brands and one company working with a small set of ISPs. If you say I’ve got ‘M’ companies who are sending out e-mails, and whose brands could be victimised, and I’ve got ‘N’ ISPs, then it becomes an M of N communication problem and it becomes rapidly unscalable.” So the answer, it seems, will be some kind of industry clearing house to help co-ordinate the infrastructure.
“Of course that doesn’t exist yet, so we’d have to create that, or work within the confines of an existing industry organization, and turn that into a clearing house,” Barrett acknowledges. “There’s an enormous amount of work still to be done on this, as we start to get through the experimental hypothesis verification stage, and start to talk about productization.”
Security keys
Aside from this e-mail blocking initiative, PayPal is also involved in trying to introduce stronger authentication methods. A great example of this has been its launch of security key tokens. These are based on VeriSign VIP technology, and essentially a customer is provided with a token that will provide a unique password each time that customer signs in. This technology isn’t new, but there are problems with user acceptance – the token has to be carried around, can get lost, and users have frankly found it a pain to use. These are issues that PayPal acknowledges, and Barrett is clear that the keys will be offered on a voluntary basis – indeed if 10 percent of the customer base sign up then PayPal will be more than happy.
“The driver behind launching the security key is to give customers who are concerned about online safety and security issues a direct way of impacting and controlling that,” Barrett suggests. “The security key offers that, so we’re very keen they have that available. Who knows, maybe our customers are more desiring of direct control of their own safety. But we’re very aware that position is not for all of our customers, probably not the majority of them.”
Obviously there is a balance between increased security, and commercial demands. Would PayPal consider rolling out this kind of solution on a more mandatory basis? “It’s very difficult to make these solutions mandatory,” Barrett argues. “Simply because there is always a set of customers who do understand the risks, and choose to accept them, as well as a larger set of customers who don’t properly understand the risk but want the most frictionless solution you can give them.”
This is the fundamental challenge for everything that PayPal is trying to achieve it seems: coming up with a technological solution that can authenticate customers with no additional friction. “You’re talking about an environment that has very wide diversity in terms of the platforms that people are using, so you’re forced to resort to things like a one time password token, which isn’t for everybody.”
As he explains though, this token is not the be-all and end-all from the authentication perspective. “We do expect to have other forms of authentication over the next couple of years, this is just one solution that happens to be the solution we’re rolling out first.” So it can be seen as a part of the experimental testing strategy that he has earlier described? Barrett accepts there is some aspect of a learning exercise, but points out it’s still a massive undertaking.
“No one has attempted rolling out tokens to a customer base that is 143 million strong globally, so we’re doing something at a scale that is genuinely breaking new ground. There is no good industry data on how this will be received, so in those terms it is experimental. And while this isn’t considered a pilot, we’ll all look back in a couple of years and write the proverbial text-book on how this all went.”
Of course, given the size of PayPal’s customer base, if 10 percent sign up, that’s around 14 million users with a token in their hand. Could this kind of adoption encourage other industry players to ‘piggy back’ on this and offer a similar service using the same token? Barrett thinks this is possible, and the potential informed PayPal’s own choice of technology.
“We deliberately went with the VeriSign VIP solution because we wanted to offer a token that could be used elsewhere.” The token can currently be used on both PayPal and eBay, and when the VIP feature is activated later this year it will be compatible with any institution on the VIP network. “That’s really important, because as a consumer you don’t want to have to lug around half a dozen tokens – one of them is bad enough,” he grins. “I do think that what we’re going to see is those type of networks are going to become fairly commonplace, and over time I’d predict they’ll get wired together. There are only a couple of them being developed. Of course there’s no pressure to make that occur until you get to the point there are enough people on the network that they’re beginning to demand interoperability.”
Industry co-operation
Throughout our conversation it’s clear that Barrett has his sights set on a wider vision of internet security, one that transcends PayPal’s own specific operations, and one based on industry-wide solutions. But how does the industry reach these solutions?
“That’s a really difficult question and there’s no single right answer,” he ponders. He then likens the present environment to the development of PCI. “You go through this series of stepwise improvements, and eventually you arrive at a standard such as PCI.”
For Barrett a similar iterative process will be needed to tackle issues such as e-mail blocking, better consumer education, and a general codification of appropriate online behavior. “I wish we could say there will be some grand conference when we get together and make phishing history, but it doesn’t happen like that. You can look at all these things and say they go through about those same series of steps, where individual things start to happen, and then we collectively get together and say we have to pursue these things together, and then we keep refining it, until you get it to some kind of industry level solution.”
It’s been a fascinating conversation. As our time draws to a close, and Barrett is obviously eyeing his lunch, we finish on his view of whether this industry-level solution is possible. “Generally I’m optimistic about the future. It’s a long process, but ultimately the industry, consumers, and government can all make a difference. We’ve just got to keep the pressure on the bad guys.”
Consumer behaviors = security headache
One of the big problems Barrett identifies is the segment of consumers who either understand the security risk but ignore it, or don’t really understand the risk at all. How do you tackle this?
“I guess that the only way to do that is to continue whining at our customers and try to persuade them that what they’re doing is risky. Take password security. The bad guys absolutely do do password guessing, so consumers need to get better educated about how to pick strong passwords that guessing programs won’t guess.
“There was a MySpace hack a few months ago, the net effect of it was that we really got hard data on what passwords users are using. If you use ‘Blink182’ as your password, there’s a very good chance that it will be guessed because lots of people use it, and the bad guys know that, as well as the ever favorite ‘password’. Just getting people [educated] about how to construct a safe password, and how to manage that, is one key message.
“The trade-off there is that you don’t want to badger customers so much that they’re actually put off transacting on the site, you don’t want to add a colossal amount of friction to the process, but on the other hand you want them to be aware that you know what they’re doing is potentially unsafe and keep reminding them.
“One of the things we’re doing, using very standard technology in the financial services world, is to say OK there are minimum standards for what browsers we’ll accept. If you’re coming to us from a Windows 98 machine, and you’re using IE4, we actually recommend that you don’t do that, and just nagging them enough that they start to upgrade.
“The final key message is very simple to avoid phishing. Don’t click on links, start up a new browser, go directly to the site concerned. We as a culture haven’t adapted yet, we need more education for people about how they do that, because these things aren’t intuitively obvious, that’s the difficulty.”
PayPal’s 8-point anti-phishing plan
Consumer education
FST. Could you give me a little bit about your background?
MB. I went to college doing Computer Science in the UK, and worked for AmEx in Brighton, and in 1998 I went over to the States. I joined PayPal early last year, but I’ve been doing information security for a long time. One of the things I did for a couple of years was President of the Liberty Alliance, which is an online identity federation standards organization.
FST. What is PayPal’s strategy going forward, and how do you see the payments infrastructure developing?
MB. This is one of those questions that I have some views on, but I’m not the right person to talk to about that question; there are other people within the company who are actually in the driving seat on those strategies. I’m the guy who protects the customers and the infrastructure. My job is to make sure that all that information and those transactions are as protected as we can make them, within a commercial reasonableness test. It’s not my job to drive the business products we go to; I merely enable that those products can be launched as quickly as we want to, so I’m just not the right person to answer that.