PayPal Makes Drying Up Phishing Holes a Priority
Security exec details steps payment company is taking to stop e-mail scams
By Jaikumar Vijayan
February 19, 2007 12:00 PM ET Comments(1)Recommended(221)DiggTwitterShare/Email
Computerworld - With 133 million users of its online payment service worldwide, PayPal is arguably one of the most recognizable Internet brands — and one of the most frequent targets of phishing attacks as well. Michael Barrett, chief information security officer at theeBay Inc. unit, spoke with Computerworld last week about the phishing problem and PayPal’s multipronged strategy for handling it. Excerpts follow:

Why do you think PayPal is targeted so much by attackers? Actually, there are two reasons. One is we have a very large customer base by the standards of most companies — 133 million customers on a global basis. We also have a business model that makes it easy by design to move money around between those 133 million individuals. By definition, that’s going to make both us and our customers targets.



Michael BarrettWhat’s your biggest security challenge right now? The most significant issue is phishing. Phishing definitely is something we hear [about] loud and clear from our customers. They want us to take that away, and we’re working very actively on addressing that. We don’t believe it’s a problem that there is a single silver bullet for. We also think it’s an industry problem. In fact, quite a lot of what we’re trying to do is link the industry in coming up with a solution.

So, what are you doing to fight the phishers? Basically, what we’re doing is taking a broad-brush strategy. Sometimes people say — and I don’t subscribe to this belief — that spam is an uncontrollable problem. If you mean, can you catch every bit of spam and phish mail, that is probably very difficult to achieve. But can you deal with it such that you see very little spam and very little phish mail? I would submit [that] technically, we already know how to do that. I just think that by and large, we haven’t put the controls in front of the consumers.

What sort of controls do you mean? A couple of years ago, there was a lot of discussion in the industry about digitally signing e-mails on their way out of corporations like ours. And then there was a standards war, and essentially all the momentum got lost. We’ve decided that it’s time again for somebody to take a leadership position. We are, in fact, completely agnostic about what drives standards. As it stands, there are two perfectly functional ones: SPF and DomainKeys. We’re ready 100% to start signing all outbound e-mail from [eBay and PayPal] using both SPF and DomainKeys.

We [also] are working with the major ISPs and giving them permission [to delete] a piece of e-mail that claims to originate from us but is not legitimately signed by us. I think that by the end of this year, we actually will have done that with several ISPs. The other thing we’re doing is finding ways of working with the e-mail client vendors to make it much clearer when e-mail has been legitimately signed or not.

What about the strong authentication initiative PayPal announced last year? It’s just now running out in a public beta in the U.S., Australia and Germany. We want to see what our customers think about it. We’re giving the [security] tokens away for free to our [business accounts]. We’re charging a nominal $5 fee for the others. We aren’t making any money on it, but we do need to cover our shipping and handling costs. We also believe it’s important to show that these tokens have a value.

Besides the tokens, what are some of the other security measures that you’re using to try to mitigate online fraud? We already do quite a bit of fraud modeling, some of which is behavioral and some of which is IP-based. We generally don’t talk a lot about the details simply because it’s proprietary and the more we talk about it, the more information we give to our adversaries. Suffice it to say that we already have extensive security controls. Our fraud rate is four-tenths of 1%. If you go look up average numbers in the credit card industry, [they’re] a whole lot higher than that.

The last thing we do is work very closely with law enforcement on a global basis. While we have a great deal of grudging respect for the intelligence and determination of our adversaries, we ultimately want to see them in handcuffs and orange jumpsuits.