PayPal Security Chief: User Education Remains Greatest Hurdle

Even as the company prepares to launch a new two-factor authentication system for tech-savvy users, PayPal's chief information security officer concedes that inexperienced customers who fall for phishing schemes represent the company's most significant se

SAN FRANCISCO—A sleek, silver, nearly weightless gizmo that fits in your hand represents the next generation of security for customers of eBay's PayPal division.

The diminutive machine is a wireless password-generation device that the company plans to begin distributing to its users on Feb. 12 to help its customers further validate the authenticity of the online payment system—a product of necessity to help fight the litany of phishing attacks and fraud schemes that seek to rip off PayPal's more than 130 million registered members.

Depressing the single button on the oval handheld, which is roughly the size of a pack of gum, produces a one-time password that PayPal users will be able to enter into its Web pages to ensure they are not instead logging onto one of the legions of fake URLs created by fraudsters to steal the San Jose, Calif.-based company's customers' screen names, passwords and money.

Yet, despite the pending launch of the next generation of PayPal security, Michael Barrett, the company's chief information security officer, admits the online payment leader will still be troubled by phishing and other attacks.

Use of the password devices, manufactured by Mountain View, Calif.-based VeriSign, won't be mandatory, and Barrett has no expectation that all of PayPal's customers will want to employ the extra step for protecting their accounts. Beyond that, the CISO knows that no matter how hard the company works to arm its users with such tools and educate people about the dangers of online fraud, there will still be plenty of individuals who fall for the schemes.

The biggest challenge faced by the company in the realm of security remains the very process of teaching its customers what not to do when conducting business online, Barrett said, and he knows that among the massive user base there will likely always be those who don't get the picture.


"There are so many people that reaching everyone is very difficult, and that alone may always remain the hardest part of protecting the customer," said Barrett. "The trick is that there is no silver bullet for this process, and we will need to offer a range of solutions and programs to help get the word out; it's really less about firing one bullet into the air than filling it up with a lot of buckshot."


Despite his concession that there will likely always be new security challenges, especially as malware writers and online criminals continue to devise new methods for defrauding his customers, Barrett claims he is encouraged about the state of PayPal's defenses, even though there is much work he still wants to get done.

Beyond arming users with the password fobs, which will be offered for no charge to PayPal's business customers and at a price of $5 apiece to consumers, the security chief said that his company will seek out new ways to help stop the e-mail campaigns that phishers use to lure people to their sites. The effort will include partnering with major Webmail providers such as AOL, Google and Yahoo to help those companies filter out spam messages before they ever reach users' in-boxes.
