By Matt Hines  |  Posted 2007-02-09

PayPal Security Chief: User Education Remains Greatest Hurdle

SAN FRANCISCO—A sleek, silver, nearly weightless gizmo that fits in your hand represents the next generation of security for customers of eBay's PayPal division.

The diminutive machine is a wireless password-generation device that the company plans to begin distributing to its users on Feb. 12 to help its customers further validate the authenticity of the online payment system. It is a product of necessity, meant to help fight the litany of phishing attacks and fraud schemes that seek to rip off PayPal's more than 130 million registered members.

Depressing the single button on the oval handheld, which is roughly the size of a pack of gum, produces a one-time password that PayPal users will be able to enter into its Web pages to ensure they are not instead logging onto one of the legions of fake URLs created by fraudsters to steal the San Jose, Calif.-based company's customers' screen names, passwords and money.

Yet, despite the pending launch of the next generation of PayPal security, Michael Barrett, the company's chief information security officer, admits the online payment leader will still be troubled by phishing and other attacks.

Use of the password devices, manufactured by Mountain View, Calif.-based VeriSign, won't be mandatory, and Barrett has no expectation that all of PayPal's customers will want to employ the extra step for protecting their accounts. Beyond that, the CISO knows that no matter how hard the company works to arm its users with such tools and educate people about the dangers of online fraud, there will still be plenty of individuals who fall for the schemes.

The biggest challenge faced by the company in the realm of security remains the very process of teaching its customers what not to do when conducting business online, Barrett said, and he knows that among the massive user base there will likely always be those who don't get the picture.


"There are so many people that reaching everyone is very difficult, and that alone may always remain the hardest part of protecting the customer," said Barrett. "The trick is that there is no silver bullet for this process, and we will need to offer a range of solutions and programs to help get the word out; it's really less about firing one bullet into the air than filling it up with a lot of buckshot."

Despite his concession that there will likely always be new security challenges, especially as malware writers and online criminals continue to devise new methods for defrauding his customers, Barrett claims he is encouraged about the state of PayPal's defenses, even though there is much work he still wants to get done.

Beyond arming users with the password fobs, which will be offered for no charge to PayPal's business customers and at a price of $5 apiece to consumers, the security chief said that his company will seek out new ways to help stop the e-mail campaigns that phishers use to lure people to their sites. The effort will include partnering with major Webmail providers such as AOL, Google and Yahoo to help those companies filter out spam messages before they ever reach users' in-boxes.

Using anti-spam tools with features that specifically seek out fake eBay and PayPal messages could provide a significant improvement by choking off the primary marketing tool of its adversaries. By doing so, the executive said, his company can drastically reduce the number of unhappy customers calling to report that they've been duped into handing over their credentials.

All of PayPals legitimate e-mail is already identified with unique digital signatures.

"If customers never see the phishing e-mails in the first place, it's a lot harder for them to be victimized," Barrett said. "We're working with all the major e-mail vendors to help raise the status of the security problem. If they see anything with our name on it that doesn't have a signature, we're telling them to drop it."

PayPal is also pursuing a wide range of other security strategies in the name of creating a defense-in-depth approach for protecting its customers. These include the use of new EV SSL (Extended Validation Secure Sockets Layer) digital certificates, which will provide users with visual cues in browsers such as Microsoft's new Internet Explorer 7 to let them know when they're on a fake site.

To fight attacks such as cross-site scripting, which have been used against PayPal's legitimate URLs in the past, Barrett said the company is working hard to make sure that its software developers avoid introducing vulnerabilities when writing and reviewing the millions of lines of code that make up its site.

Behind the scenes, the company is deploying real-time fraud-monitoring tools that watch out for suspicious behavior on its pages and using data-matching techniques to help identify transactions that might indicate the use of hijacked accounts.

Outside the world of technology, PayPal is working more closely than ever before with law enforcement officials, particularly in the United States, although the process remains hard because local, state and federal authorities have so much work on their plates—and thieves have deduced they are less likely to be caught if they pull off larger numbers of smaller heists that make it harder for PayPal and the police to discover them and bring charges.

While he remains somewhat frustrated by the lack of government resources dedicated to fighting online fraud, Barrett said he's hopeful that politicians and regulators will ramp up their efforts, and PayPal is working actively to advocate stronger penalties for cyber-criminals.

"Working with law enforcement has improved, but it could be better, in particular in the sense that they look at relatively high fraud loss limits before taking interest in prosecution," he said. "But this isn't a problem that's just about the U.S.; it's hard to get very far into fighting things internationally before you find yourself getting into deep legal conversations over jurisdiction."

PayPal is also trying to exert pressure on legislators on Capitol Hill, where Barrett believes progress may be in the making, despite recent setbacks.

"We thought the laptop theft at the Department of Veterans Affairs might have helped more to that end, but then they got it back, and it's been sort of quiet," Barrett said. "One of the interesting things we're waiting to see is if the new Congress takes up ID theft legislation; we've been waiting for that for a long time."
