PayPal launches multi-pronged attack on e-crime

"With e-crime, there's no silver bullet," says Garreth Griffith, head of UK risk management at online payment processor PayPal. "A specific initiative can have a huge impact, but it also has to be married with other initiatives along a spectrum. You can't just focus on educating users or working with law enforcement - you've got to go for a multi-pronged approach as you're constantly fighting a war against the fraud guys."

The biggest problem for financial services organisations in this context is the unauthorised use of customers' financial details and the two main threats are phishing e-mails and the theft of credit or debit cards - although the latter problem has eased since the arrival of chip and pin.

Griffith says it is "relatively easy" to "build walls around the fortress to keep people out and all of the major financial services organisations are good at that", but users remain the weakest link.

"If you keep banging a hammer at the PayPal house and you can't dent it, but you see people walk in the front door each day, the easiest thing is to pretend to be them. So you get their bank details, pretend to be them and walk straight in," he says.

And one of the easiest ways of doing this is phishing - not least because it is easy and cheap to do, particularly since the arrival of botnets, which can be used to undertake mass but anonymous e-mail distribution from third-party computers, making it more difficult to track the perpetrators. The response rate from such activity is only between 1.5% and 5%, but "if you're talking about millions of e-mails, that's a good return", says Griffith.

Phishing target

As a result, PayPal, which has long held the unwanted title of the web's most frequently spoofed phishing target, has in recent years introduced a raft of schemes to combat this threat.

These range from end-user education programmes, including videos on YouTube to help consumers spot common phishing e-mails, to a deal between the company, online auction site parent eBay and Yahoo to block any e-mail messages passing between their systems that do not include special electronic signatures.

To combat the phishing and the card-theft threats, PayPal has also introduced internally a machine learning-based system to "cover our own base and ensure our fortress is intact, has thick walls and is well guarded". The system automatically undertakes a sophisticated form of real-time data mining to create a risk profile of each customer and can "learn" from the past using special algorithms.

"If a customer registers on our site, we capture some data and can also tack some on from behind the scenes," says Griffith. "So we have a profile of them that we can run through historical risk models and see what that profile is, based on 10 years of experience."

Risk profiles

Each profile can also be updated in real time should a given scenario change, however. "The bad guys can learn risk profiles, so if something unusual takes place, the information has to be fed back into the system," says Griffith. "The technology itself takes the criteria and reruns it in real time to update the risk model, so it's very smart stuff."

From the score each customer is allotted based on this profile, PayPal can then take various actions, including providing full service access, limiting activity or requesting further verification of identity.

The system, which took three years to build, is based on an NCR Teradata 32-node 5400 data warehouse and holds about 50Tb of data. According to Clay Stanley, PayPal's senior director of information management and delivery, who spoke at Teradata's annual user conference in Las Vegas last year, the warehouse holds all of PayPal's payment and transaction data and generated a return on investment purely from the money saved by risk-scoring card transactions more accurately.

And it is into this risk-scoring area that PayPal's January acquisition of Israeli company Fraud Sciences for $169 million fits. Now working exclusively for PayPal, Fraud Sciences has developed complementary technology that helps provide a more in-depth view of potential customers' "past behaviour on the internet and what they've been doing in order to get a better idea of who these people are". This information is then fed into the overall risk profile - again in real time - to try to build up a broader picture of each individual.

Sheer anonymity

This is necessary, says Griffith, because one of the problems posed by the internet is its sheer anonymity. "It creates huge challenges for people like me who have to try to get to know who you are and if you really are who you say you are," he adds.

And the company spends "millions" on trying to deal with this. Although only 0.25% of all transactions in the financial services industry result in losses, the fact that billions of dollars are being processed each year means "it makes a big difference to us, not only in terms of losing money, but also in terms of losing customers as a result of a bad experience", says Griffith. "So there's the immediate financial loss of the situation to think about, but there's also the longer-term one - and reputational loss is the more insidious of the two."

The reason why PayPal bought Fraud Sciences rather than develop its own technology concerns the Israeli firm's specialist expertise. "In terms of making up a risk-profile score, we're pretty good at that already and we've also got pretty good detection people and technology in place," says Griffith. "But Fraud Sciences do back-end behavioural detection work and that's a very different area. So we looked around the market and decided this was a good way to get better at it quickly."

The Teradata-based system, meanwhile, is also used to create a risk profile of the more than 1,000 merchants around the world with which PayPal works. These include high-profile brands such as Harrods and Tom Baker, but are mainly small-to-medium enterprises (SMEs) that cannot afford to build online payment engines themselves.

Biggest customer

Such organisations now generate about the same level of revenue for PayPal as eBay, which has traditionally been its biggest customer, says Griffith, but the SME community is now viewed as the company's "key engine for growth".

But there are risks in this approach, too, one of them being merchant fraud, which includes customers paying for goods and never receiving them. As a result, PayPal also creates a risk profile of all its merchants before undertaking due diligence on them and going through often manual verification processes - as well as underwriting and vetting procedures for larger retailers.

"We call them on the phone and ask questions and also do things like check statements behind the scenes," says Griffith. "Some things we want to do manually, even though it slows the process down, because there's definitely an element of intuition to it. People can see something dodgy that a machine might miss and if they phone someone, they can often detect something in their tone of voice, or whatever, that a machine can't do yet."

After the detection and prevention phases comes the resolution stage, which is where Griffith and his UK-based team of four risk-management co-ordinators really come into play. Until October last year, Griffith had worked as head of trust and safety at PayPal's parent company, eBay, for five years. He moved to the UK to localise a function that had previously been undertaken primarily by "the mother ship" in San Jose, California. The UK is the company's biggest market outside the US.

Big initiatives

The California-based risk-management team is about 200 strong and, although they still devise most of "the big initiatives and protections", the danger of having a one-size-fits-all approach is that it "can make you become insular, which means you miss the bigger picture", says Griffith.

So the goal now is to have more "local expertise and understanding" in the team in order "to implement and execute against those initiatives" and to take a "more front-foot approach", he adds.

In practice, this means the role of the UK group is to forge close working relationships with local customers, industry, government (on policy) and law-enforcement bodies (on "finding the bad guy and putting him away").

This last tactic serves a dual purpose. Not only is justice done and fraudsters prevented from continuing their activities, but it also "sends a strong message that this is not an easy way to make money and there's significant risk involved", says Griffith.

To this end, the UK team can tap into global resources such as fraud investigators, including lawyers, former Scotland Yard officers, FBI agents and federal prosecutors. These investigators travel regularly to e-crime hotspots such as Nigeria, Russia and China to pick up intelligence, and support local police when making raids.

Suspect behaviour

The police are trained in how to use and identify suspect behaviour within PayPal's systems and work with the firm to establish legal ways in which information can be provided in order to help their investigations. Griffith himself meets senior police personnel to discuss how to collaborate and influence the government over such contentious issues as whether e-crime resource allocation should change.

So what will the next big online threat be? Griffith suggests it is the coming-together of social networking and user-generated and controlled content with both malware and the botnets that distribute it.

"It's too easy to go to a website, perhaps as a result of clicking on a phishing e-mail attachment, and download a bad file such as a Trojan that takes over your machine and gives the bad guys access to your Facebook, YouTube and PayPal accounts," he says.

The same applies to users uploading pictures to social networking sites which may have been infected. But the situation here is even more insidious, because when friends and family download the images, their machines become infected, too, by what is known as "drive-by malware".

"Our overall strategy to deal with this will remain the same, but what we will change is the type of user education and messaging and the kinds of partnership that we develop," says Griffith. "It's about having a multi-protection approach and that's important because we're already starting to see this incredibly powerful new effect take place. It's growing fast - but it's very dangerous."
