
"With e-crime, there's no silver bullet,"
says Garreth Griffith, head of UK risk management at online payment
processor PayPal. "A specific initiative can have a huge impact,
but it also has to be married with other initiatives along a
spectrum. You can't just focus on educating users or working with
law enforcement - you've got to go for a multi-pronged approach as
you're constantly fighting a war against the fraud
guys."
The biggest problem for financial services organisations in this
context is the unauthorised use of customers' financial details and
the two main threats are
phishing e-mails and the theft of credit or debit cards -
although the latter problem has eased since the arrival of
chip and pin.
Griffith says it is "relatively easy" to "build walls around the
fortress to keep people out and all of the major financial services
organisations are good at that", but users remain the weakest
link.
"If you keep banging a hammer at the PayPal house and you can't
dent it, but you see people walk in the front door each day, the
easiest thing is to pretend to be them. So you get their bank
details, pretend to be them and walk straight in," he says.
And one of the easiest ways of doing this is
phishing - not least because it is easy and cheap to do,
particularly since the arrival of
botnets, which can be used to undertake mass but anonymous
e-mail distribution from third-party computers, making it more
difficult to track the perpetrators. The response rate from such
activity is only between 1.5% and 5%, but "if you're talking about
millions of e-mails, that's a good return", says Griffith.
Phishing target
As a result, PayPal, which has long held the unwanted title of
the web's most frequently spoofed phishing target, has in recent
years introduced a raft of schemes to combat this threat.
These range from end-user education programmes, including videos
on YouTube to help consumers spot common phishing e-mails, to a
deal between the company, online auction site parent eBay and Yahoo
to block any e-mail messages passing between their systems that do
not include special electronic signatures.
To combat the phishing and the card-theft threats, PayPal has
also introduced internally a machine learning-based system to
"cover our own base and ensure our fortress is intact, has thick
walls and is well guarded". The system automatically undertakes a
sophisticated form of real-time data mining to create a risk
profile of each customer and can "learn" from the past using
special algorithms.
"If a customer registers on our site, we capture some data and
can also tack some on from behind the scenes," says Griffith. "So
we have a profile of them that we can run through historical risk
models and see what that profile is, based on 10 years of
experience."
Risk profiles
Each profile can also be updated in real time should a given
scenario change, however. "The bad guys can learn risk profiles, so
if something unusual takes place, the information has to be fed
back into the system," says Griffith. "The technology itself takes
the criteria and reruns it in real time to update the risk model,
so it's very smart stuff."
From the score each customer is allotted based on this profile,
PayPal can then take various actions, including providing full
service access, limiting activity or requesting further
verification of identity.
The system, which took three years to build, is based on an NCR
Teradata 32-node 5400 data warehouse and holds about 50Tb of data.
According to Clay Stanley, PayPal's senior director of information
management and delivery, who spoke at Teradata's annual user
conference in Las Vegas last year, the warehouse holds all of
PayPal's payment and transaction data and generated a return on
investment purely from the money saved by risk-scoring card
transactions more accurately.
And it is into this risk-scoring area that PayPal's January
acquisition of Israeli company Fraud Sciences for $169 million
fits. Now working
exclusively for PayPal, Fraud Sciences has developed complementary
technology that helps provide a more in-depth view of potential
customers' "past behaviour on the internet and what they've been
doing in order to get a better idea of who these people are". This
information is then fed into the overall risk profile - again in
real time - to try to build up a broader picture of each
individual.
Sheer anonymity
This is necessary, says Griffith, because one of the problems
posed by the internet is its sheer anonymity. "It creates huge
challenges for people like me who have to try to get to know who
you are and if you really are who you say you are," he adds.
And the company spends "millions" on trying to deal with this.
Although only 0.25% of all transactions in the financial services
industry result in losses, the fact that billions of dollars are
being processed each year means "it makes a big difference to us,
not only in terms of losing money, but also in terms of losing
customers as a result of a bad experience", says Griffith. "So
there's the immediate financial loss of the situation to think
about, but there's also the longer-term one - and reputational loss
is the more insidious of the two."
The reason why PayPal bought Fraud Sciences rather than develop
its own technology concerns the Israeli firm's specialist
expertise. "In terms of making up a risk-profile score, we're
pretty good at that already and we've also got pretty good
detection people and technology in place," says Griffith. "But
Fraud Sciences do back-end behavioural detection work and that's a
very different area. So we looked around the market and decided
this was a good way to get better at it quickly."
The Teradata-based system, meanwhile, is also used to create a
risk profile of the more than 1,000 merchants around the world with
which PayPal works. These include high-profile brands such as
Harrods and Tom Baker, but mainly are small-to-medium enterprises
(SMEs) that cannot afford to build online payment engines
themselves.
Biggest customer
Such organisations now generate about the same level of revenue
for PayPal as eBay, which has traditionally been its biggest
customer, says Griffith, but the SME community is now viewed as the
company's "key engine for growth".
But there are risks in this approach, too, one of them being
merchant fraud, which includes customers paying for goods and never
receiving them. As a result, PayPal also creates a risk profile of
all its merchants before undertaking due diligence on them and
going through often manual verification processes - as well as
underwriting and vetting procedures for larger retailers.
"We call them on the phone and ask questions and also do things
like check statements behind the scenes," says Griffith. "Some
things we want to do manually, even though it slows the process
down, because there's definitely an element of intuition to it.
People can see something dodgy that a machine might miss and if
they phone someone, they can often detect something in their tone
of voice, or whatever, that a machine can't do yet."
After the detection and prevention phases comes the resolution
stage, which is where Griffith and his UK-based team of four
risk-management co-ordinators really come into play. Until October
last year, Griffith had worked as head of trust and safety at
PayPal's parent company, eBay, for five years. He moved to the UK
to localise a function that had previously been undertaken
primarily by "the mother ship" in San Jose, California. The UK is
the company's biggest market outside the US.
Big initiatives
The California-based risk-management team is about 200 strong
and, although they still devise most of "the big initiatives and
protections", the danger of having a one-size-fits-all approach is
that it "can make you become insular, which means you miss the
bigger picture", says Griffith.
So the goal now is to have more "local expertise and
understanding" in the team in order "to implement and execute
against those initiatives" and to take a "more front-foot
approach", he adds.
In practice, this means the role of the UK group is to forge
close working relationships with local customers, industry,
government (on policy) and law-enforcement bodies (on "finding the
bad guy and putting him away").
This last tactic serves a dual purpose. Not only is justice done
and fraudsters prevented from continuing their activities, but it
also "sends a strong message that this is not an easy way to make
money and there's significant risk involved", says Griffith.
To this end, the UK team can tap into global resources such as
fraud investigators, including lawyers, former Scotland Yard
officers, FBI agents and federal prosecutors. These investigators
travel regularly to e-crime hotspots such as Nigeria, Russia and
China to pick up intelligence, and support local police when making
raids.
Suspect behaviour
The police are trained in how to use and identify suspect
behaviour within PayPal's systems and work with the firm to
establish legal ways in which information can be provided in order
to help their investigations. Griffith himself meets senior police
personnel to discuss how to collaborate and influence the
government over such contentious issues as whether e-crime resource
allocation should change.
So what will the next big online threat be? Griffith suggests it
is the coming-together of social networking and user-generated and
controlled content with both malware and the botnets that
distribute it.
"It's too easy to go to a website, perhaps as a result of
clicking on a phishing e-mail attachment, and download a bad file
such as a Trojan that takes over your machine and gives the bad
guys access to your Facebook, YouTube and PayPal accounts," he
says.
The same applies to users uploading pictures to social
networking sites which may have been infected. But the situation
here is even more insidious, because when friends and family
download the images, their machines become infected, too, by what
is known as "drive-by malware".
"Our overall strategy to deal with this will remain the same,
but what we will change is the type of user education and messaging
and the kinds of partnership that we develop," says Griffith. "It's
about having a multi-protection approach and that's important
because we're already starting to see this incredibly powerful new
effect take place. It's growing fast - but it's very
dangerous."