PayPal's 133 million online customers are the biggest
ocean phishers have to plunder. CISO Michael Barrett wants to make
it safe to be in the water; and he's not going at it alone. Backed
by PayPal's sophisticated fraud models and help from ISPs and
browser makers, Barrett is succeeding in protecting the
most-spoofed brand on the Internet.
Can you quantify losses due to phishing for PayPal?
Michael Barrett: Forty-one basis points is the total fraud number
[on PayPal's fraud model], and we don't break out where phishing is
in that overall mix. I will say: it isn't very high on that list.
That's one of the issues here; there is a perception there is a
huge problem, whereas the financials don't indicate that. Part of
the issue is there's been a certain amount of hype about the
magnitude of the problem from a financial sense. I don't at all
discount the perception impact, but I don't think the financial
impact is what some elements are saying it is.
How does PayPal defend against phishing?
Barrett: One of the back-end defenses we have is a lot of fraud
modeling. It's very advanced, and it's resulted in extremely low
fraud rates compared to the rest of the financial services
industry. We've gotten very good at detecting fraud on the back end,
so what's [the phishers'] response? They generate more mail on the
front end.
How do you counter that?
Barrett:
There are technology solutions out there. For a couple of years the
industry has been talking about email signing, but not much has
happened. We had a standards bifurcation argument with one camp
going with Sender Policy Framework, the other camp going with
domain keys. Our view is that we're completely standards agnostic,
we simply want to do something that works. At the moment, we're
already 100 percent signing all PayPal outbound email with both SPF
and with domain keys. The difficulty is that for the average consumer,
it's hard to look at an email signature in a header and figure out if
it's legitimate.
You've engaged ISPs as well?
Barrett: If you look at ISP coverage of customers, there are about
a half-dozen ISPs that account for 50 percent of the world's email
(Yahoo, AOL, MSN, Gmail). We're working with them to say 'You have
our full permission, if a piece of email comes in your front door
and it purports to originate from us, but it isn't signed by us,
just drop it.' We don't want our customers seeing it.
Once we get that implemented, and it'll take some time, that covers
50 percent of our customers. The other 50 percent is more
difficult, because there are hundreds of ISPs and all of them are
below 1 percent of customer coverage. The strategy there is to work
with tool vendors of email clients to make it much more obvious
that, yes, this email is legitimate and signed, so that a consumer
can discriminate between legitimate email and phish mail.
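The receiving-side rule Barrett describes (mail that purports to come from PayPal but is not signed by PayPal gets dropped) is what a mail provider would implement as an authentication-plus-alignment check. The following is an added example written for this page, not PayPal's or any ISP's code: it parses an RFC 8601 `Authentication-Results` header, takes the domain from the message's `From:` header, and drops mail claiming a protected domain unless SPF or DKIM passed for a domain that aligns with it. The protected-domain list, the `decide`/`parse_auth_results` function names and the sample messages are all constructed assumptions. The last sample also shows the rule's limit: a look-alike domain is not covered by a brand's own signing policy, which is why Barrett separately mentions browser-side blacklists and heuristics.

```python
"""Added example (not from the interview): receiving-side policy that drops
mail claiming a protected brand domain unless it is authenticated as that
brand. Header format follows RFC 8601; protected domains, function names and
sample messages are constructed for illustration."""
import re
from email.utils import parseaddr

# Brands that have asked the receiver to drop unauthenticated mail in their
# name (constructed list; the interview names only PayPal).
PROTECTED_DOMAINS = {"paypal.com"}

# One authentication method result plus its trailing key=value properties.
_METHOD_RE = re.compile(r"\b(spf|dkim)=(\w+)((?:\s+[\w.]+=[^\s;]+)*)")


def parse_auth_results(header: str) -> list[tuple[str, str, str]]:
    """Return (method, result, domain) triples from an Authentication-Results header.

    SPF's domain comes from smtp.mailfrom=, DKIM's from header.d=. A result
    without the expected property gets an empty domain so it can never align.
    Parenthesised comments such as "(good signature)" are stripped first.
    """
    header = re.sub(r"\([^)]*\)", " ", header)
    triples = []
    for m in _METHOD_RE.finditer(header):
        method, result, props = m.group(1), m.group(2).lower(), m.group(3)
        wanted = "smtp.mailfrom" if method == "spf" else "header.d"
        dm = re.search(rf"{wanted}=(?:[^@\s;]+@)?([^\s;]+)", props)
        domain = dm.group(1).lower() if dm else ""
        triples.append((method, result, domain))
    return triples


def from_domain(from_header: str) -> str:
    """Domain of the RFC 5322 From address, ignoring any display name."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def protected_org_domain(domain: str):
    """The protected organizational domain this From domain belongs to, if any."""
    for org in PROTECTED_DOMAINS:
        if domain == org or domain.endswith("." + org):
            return org
    return None


def aligned(auth_domain: str, org: str) -> bool:
    """Relaxed alignment: the authenticated domain is org or a subdomain of it."""
    return auth_domain == org or auth_domain.endswith("." + org)


def decide(from_header: str, auth_results: str) -> str:
    """Return 'deliver' or 'drop' for one inbound message.

    Mail claiming a protected domain is delivered only if at least one of
    SPF or DKIM passed *and* the authenticated domain aligns with the From
    domain. Mail from unprotected domains is outside this policy.
    """
    org = protected_org_domain(from_domain(from_header))
    if org is None:
        return "deliver"
    for _method, result, domain in parse_auth_results(auth_results):
        if result == "pass" and aligned(domain, org):
            return "deliver"
    return "drop"


# Constructed sample messages: (From header, Authentication-Results header).
SAMPLE_MESSAGES = [
    # Genuine: SPF and DKIM both pass for paypal.com -> deliver
    ("PayPal <service@paypal.com>",
     "mx.example.net; spf=pass smtp.mailfrom=bounces@paypal.com; "
     "dkim=pass (good signature) header.d=paypal.com"),
    # Spoof: SPF passes only for the sending bulk mailer's own domain -> drop
    ("PayPal Security <service@paypal.com>",
     "mx.example.net; spf=pass smtp.mailfrom=bulk@mailer.example; dkim=none"),
    # Spoof: DKIM passes, but for an unrelated signing domain -> drop
    ("service@paypal.com",
     "mx.example.net; spf=fail smtp.mailfrom=service@paypal.com; "
     "dkim=pass header.d=mailer.example"),
    # Look-alike domain: not protected, so this policy does not apply -> deliver
    ("PayPal <service@paypa1.com>",
     "mx.example.net; spf=pass smtp.mailfrom=service@paypa1.com; dkim=none"),
]


def run_samples() -> list[str]:
    """Verdict for each constructed sample, in order."""
    return [decide(f, a) for f, a in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for (f, _a), verdict in zip(SAMPLE_MESSAGES, run_samples()):
        print(f"{verdict:8} {f}")
```

The alignment step is what turns "signed" into "signed by us": a phisher can pass SPF for a domain they control, so a pass only counts when the authenticated domain matches the domain the message claims in its `From:` header. Relaxed alignment lets legitimate subdomains (for example a dedicated bounce domain) pass; a stricter deployment would require an exact match.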
What impact will the new Extended Validation certificates
have on phishing?
Barrett: Those are just a form of SSL certificate, the difference
being you have to go through a very thorough inspection process
before the CA issues it. It took three weeks for PayPal to go
through that process, digging up articles of incorporation, getting
an officer of the company to sign the request and list out who is
authorised to issue certificates. It's a detailed process, and it's
pretty effective at ensuring that only legitimate companies that have
been in business for a period of time and have a strong paper trail
can do this. It's very hard for a fly-by-night operator to get one.
We've already enabled Paypal.com to support EV certificates;
users will be able to see the green glow in the address bar, see
our name oscillating between us and VeriSign. IE7 has a good
phishing detection system built in. It's good at catching
blacklisted phishing sites and has good heuristic tools to spot
likely-looking phishing
How much can you share about your fraud models?
Barrett: They're internally developed. We don't talk about what
they do, because honestly this is one of those areas where the more
you disclose about what the models are looking for, the more you're
telling the bad guy how to evade them.
They're broad-based, real-time front- and back-end inspection
models. They look at a number of variables around behavioral
patterns to determine whether a customer is who they say they are.
There's a lot of good stuff in there. But the proof of the pudding
is in the eating: our fraud rating is 41 basis points, or less than
a half of 1%. That is substantially lower than any credit card
company. That's what proves it; those models drive fraud numbers
down.
What levels of sophistication are you seeing with phishing
attempts?
Barrett: Eighteen months ago, you could spot most phishing
attempts: grammatical errors, sites with kludgy graphics. Clearly,
they've gotten more professional since. There are way fewer errors
being made that give away the fact that a piece of phishing
mail has arrived or that it's a phishing site you've arrived upon.
In terms of phishing attacks, not much is new. The basic model
is the same: they convey a sense of urgency. The crime is the same
as it was. We're seeing increasing levels of vertical
specialisation in the criminal community. One guy focuses on a
sliver of crime. That has increased.
How much responsibility should ISPs and carriers take for
filtering phishing in the Internet cloud?
Barrett: That's a difficult question. The difficulty is, how do you
incent someone who doesn't make more money if they address the
problem or help you with a strategic goal? It's a question of how
to link the problem to them so they get engaged. It is all about
industry cooperation and dragging people into that
communication.