End of the line


PayPal CISO Michael Barrett explains how the online payments giant is shutting out fraudsters and why the war on phishing is winnable.

I joined PayPal about two and a half years ago. When I got here, I think it's fair to say that the company had a financial strategy that resulted in very low fraud rates online expressed as a percentage. But by fixating on the financial strategy, we created something of a rod for our own back. Essentially in making our fraud models as efficient as we had, we seriously impacted the criminal's ability to make money. If you are a criminal and you're not making as much money as you want to out of phishing, what do you do? The answer is you generate more phishmail. We realized that our strategy, while it was financially effective, was generating a negative user perception, particularly among low-transacting PayPal users. Their experience of our brand was essentially the one of having phishmail in their email inbox. It generated what most PayPal employees refer to as the "cocktail party problem," which is to say you go to a cocktail party or other social event, people ask, "Whom do you work for," and you say PayPal. They always ask a question along these lines of: "When are you going to stop sending me those fake emails?" So round about summer of 2006, we realized that this was a significant issue. At that point we re-strategized how to deal with phishing and came up with a very coherent and integrated plan that we now have got substantial evidence is working quite niftily.

The first thing to remember is that there is no silver bullet. There's no single solution to phishing that you can look at and exclaim, "Oh, my goodness. Why didn't we think of that three years ago?" As far as we can tell, no such thing exists. Rather, it's the standard information security approach of devising a series of defensive layers and putting the right investments into each layer. Any given layer may only have a certain amount of impact, but taken collectively, they have a big impact on the crime.

The first point is user education. At this stage we now have substantially north of one billion users on the Internet, and probably half of them have come on in the last five years. They've had no formal education about what represents safe behavior and what doesn't. Our view is that it isn't just us but also the rest of the industry that needs to be in this for the long haul, trying to educate and make sure users understand how to protect themselves online.

The next basic hypothesis is that if a phishmail doesn't arrive in a consumer's email inbox, it's rather difficult for the criminal to victimize that particular individual. We started thinking about strategies to prevent phishmails arriving in email inboxes, and we pretty rapidly arrived at the notion that there was some good technology that had been around for a long time but had got tied up in the inevitable industry standards war, in particular the whole concept of email signing. We're pretty pragmatic at PayPal, and so we decided that if the industry can't agree on a single protocol we'd just use what's out there. We'd rather use one, but we'll certainly handle or use two. Since around Christmas 2006, we've been digitally signing all of our outbound email using both SPF and DomainKeys initially, and we're now switching to DomainKeys Identified Mail (DKIM). The problem with digitally signing in its own right is that even the geeks rarely check digital certificates, and nobody else even knows what one is. While you can be happily signing emails, it doesn't do you any good if consumers don't actually know how to look at that information.

So rather than just using signing on its own, we saw that it really made sense when delivered in the context of blocking. We started working with ISPs because there's about half a dozen of them that make up about 50% of the world's email addresses. Those are the usual suspects: Yahoo, Gmail, AOL, MSN, Hotmail and so on. Because that's a fairly constrained set, we'd be able to essentially test this whole idea of email signing and blocking with them, and if it worked, we'd continue rolling it out. We announced blocking with Yahoo several months ago and we announced blocking with Gmail more recently. The results are actually pretty unequivocal. Since we've announced the partnership, we've blocked 85 million emails from consumers' inboxes. That's 85 million people who didn't get victimized through that channel.
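The "sign and block" arrangement described in the two paragraphs above, shown from the receiving mailbox provider's side as an added illustration (editor's example, not code from the interview or from PayPal or any ISP): the receiver verifies SPF and DKIM, records the outcome in an Authentication-Results header, and blocks mail whose From: claims a domain that has opted in when no aligned authentication passed. The opt-in list, the organizational-domain shortcut and the sample messages are assumptions constructed for the example.

```python
"""Receiver-side 'sign and block' policy: parse an Authentication-Results
header (RFC 8601, simplified) and decide whether mail whose From: claims a
protected domain should be delivered or blocked.
Constructed example; it does not reproduce any real ISP/PayPal configuration."""
import re
from email import message_from_string
from email.utils import parseaddr

# Domains that have asked receivers to block unauthenticated mail in their name.
# Assumed for the example.
BLOCK_UNAUTHENTICATED = {"paypal.com"}

# One result clause, e.g. "dkim=pass header.d=paypal.com header.i=@paypal.com"
_RESULT_RE = re.compile(r"(spf|dkim)=(\w+)((?:\s+[\w.]+=\S+)*)")


def parse_auth_results(header: str) -> list:
    """Return one dict per spf/dkim clause: method, result and its properties."""
    results = []
    # Clauses are ';'-separated; the first one is the authserv-id, not a result.
    for clause in header.split(";")[1:]:
        m = _RESULT_RE.search(clause.strip())
        if not m:
            continue
        entry = {"method": m.group(1), "result": m.group(2).lower()}
        for prop in m.group(3).split():
            key, _, value = prop.partition("=")
            entry[key] = value.lower()
        results.append(entry)
    return results


def org_domain(domain: str) -> str:
    """Crude organizational domain (last two labels). Real receivers use the
    Public Suffix List; this shortcut is an assumption of the example."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def decide(raw_message: str) -> str:
    """'deliver' or 'block' for one RFC 5322 message carrying the
    Authentication-Results header stamped by the receiving MX."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = org_domain(from_addr.rpartition("@")[2])
    if from_domain not in BLOCK_UNAUTHENTICATED:
        return "deliver"          # not opted in: ordinary spam filtering applies
    for r in parse_auth_results(msg.get("Authentication-Results", "")):
        if r["result"] != "pass":
            continue
        # A passing DKIM signature only counts if the signing domain (d=)
        # is the domain the user sees in From:.
        if r["method"] == "dkim" and org_domain(r.get("header.d", "")) == from_domain:
            return "deliver"
        # SPF only authenticates the envelope sender (MAIL FROM), so it too
        # must align with From: to say anything about the visible sender.
        if r["method"] == "spf" and org_domain(r.get("smtp.mailfrom", "")) == from_domain:
            return "deliver"
    return "block"                # protected domain and nothing aligned passed


# Constructed sample messages; the Authentication-Results line is what the
# receiving MX would have added after checking SPF and DKIM.
LEGIT = """From: PayPal <service@paypal.com>
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=paypal.com;
 dkim=pass header.d=paypal.com header.i=@paypal.com
Subject: Your receipt

Thanks for your payment.
"""

PHISH_UNSIGNED = """From: "PayPal Security" <service@paypal.com>
Authentication-Results: mx.example.net;
 spf=fail smtp.mailfrom=bulk.lure.example;
 dkim=none
Subject: Urgent: confirm your account

Click here within 24 hours.
"""

PHISH_SIGNED_ELSEWHERE = """From: service@paypal.com
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=lure.example;
 dkim=pass header.d=lure.example
Subject: Account limited

Please log in now.
"""

OTHER_SENDER = """From: newsletter@shop.example
Authentication-Results: mx.example.net; spf=none; dkim=none
Subject: Weekly deals

Unauthenticated, but not a protected domain.
"""

if __name__ == "__main__":
    for name, m in [("legit", LEGIT), ("unsigned phish", PHISH_UNSIGNED),
                    ("signed by lure domain", PHISH_SIGNED_ELSEWHERE),
                    ("unrelated sender", OTHER_SENDER)]:
        print(f"{name:22s} -> {decide(m)}")
```

The third sample is the case a naive "any DKIM pass" rule gets wrong: the lure domain signs its own mail perfectly well, so the check that matters is alignment between the signing domain and the From: domain the consumer reads, which is what the later DMARC standard formalized.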

The next layer in the strategy is one of stronger authentication. What we've done is implemented a PayPal security key. So far, it's been rolled out in the US, Germany and Australia, but we're in the process of rolling it out globally. At this point, the classic form factor is the sort of token where you press a button and it generates a six-digit code that is transformed every 30 seconds. You just attach the thing to your key ring and as long as you've got your keys with you, you can always access your PayPal account through it. The advantage is if you ever get your account phished and the credentials are stolen, it isn't as easy to log on without that security key, so the bad guy wouldn't be able to take your account over. In the year plus since we first deployed it, we've essentially discovered that fraud on security key protected accounts is pretty much zero. From a usability perspective, you can still get in if you don't have your security key with you, but you have to go through the secret question-and-answer process. We think that for those consumers who are really worried about security, it's an excellent tool because it gives them much more control.

We're also experimenting with different form factors. The next one out of the door is in fact not going to be a physical security key at all but rather will be a couple of different approaches. One is downloadable software that you can run on a smart phone. Alternatively if you don't have a smart phone, we'll simply SMS a message to your registered cell phone with a one-time code when you want to log on.

We're always working with policy makers globally on not just funding for law enforcement for cyber crime globally, but also to harmonize legislation so that there is a very similar framework on a global basis. Because culturally it hasn't been that long since we were a startup, we're prepared to take risks on things. We'll try stuff, and if it works, great. If it doesn't, we'll try something different. While we'd love everything we did to work, there are times when you place bets, and you don't always win. I think we have more tolerance for taking those kinds of risks, and I also think we have more tolerance for actively making ourselves heard. I've spent most of my career in financial services and one of the things I've noticed is that this company is a lot less shy about getting out there and lobbying, not just for its own good but on behalf of the industry overall. We're absolutely prepared to get out there and work with the rest of the industry. This strategy is proving itself very effective. It's taken us from being in the top ten most phished brands list on a regular basis in 2006 to a position where, most of the time, we're not there. What we believe we're seeing is that our brand is being phished less. Unfortunately we don't believe these bad guys are taking up legitimate jobs and are now gainfully employed rather than simply victimizing other brands. But we believe that our strategy is what made the difference and the corollary to that is everybody else needs to adopt essentially this same broad set of strategies. If they do that, we actually can start really choking down on the crime of phishing. People have a tendency to say, "Woe is me, phishing is insolvable." We think that's just way too defeatist and that actually the problem is surmountable.

Education, technology and industry partnership will be the answer to the phishing problem. By partnership I mean standardizing these things, using industry standards, the industry coming together and agreeing on approaches. Every company doesn't have to implement everything we've done, but if every company implements a few of them, then collectively it will make a significant difference. Additionally, collaboration with law enforcement and government will have a huge impact. It's going to require a blended strategy.

21st century education

One of the things we've discovered is just boring old text on web pages isn't necessarily the best way to educate consumers. For instance, we've tried quizzes, and they work fairly well. There's also some academic research that says cartoons work really well. We haven't deployed a cartoon on our website yet, but we might. We've also tried video, and video actually works very well for certain kinds of problems. A good example: phishing relies on the fact that consumers don't understand how to parse a URL and don't know what a domain name is. In the tech industry, we find that problem remarkably easy, but the average consumer doesn't. It's really difficult to describe that in text but remarkably easy to show somebody on a screen. We slung together a video of that and stuck it on YouTube, and it's actually quite popular. If you're going to do consumer education, you have to think outside of the 'text on web pages' paradigm.
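The URL-parsing lesson above, done in code as an added illustration (editor's example, not material from the interview or from PayPal's video): it extracts the host the browser will actually connect to and names the tricks that make a lure look like the brand's address, which is exactly what the consumer is being taught to spot by eye. The sample URLs are constructed, the `.example` domains are reserved names, and reducing a host to its last two labels stands in for a proper Public Suffix List lookup.

```python
"""Where does this link actually go? Extract the connecting host from a URL and
flag the lure patterns phishers use to make it look like the brand's site.
Editor's illustration; sample URLs are constructed."""
import ipaddress
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Last two labels. Real code uses the Public Suffix List so that, say,
    'example.co.uk' is not reduced to 'co.uk' (shortcut assumed here)."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def explain_url(url: str, brand_domain: str = "paypal.com") -> dict:
    """Return the connecting host, its registrable domain, whether that is the
    brand's own domain, and the list of lure patterns found."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".")  # lower-cased; port and userinfo removed
    lures = []
    if parts.username is not None:
        lures.append("text before '@' is a username, not the site")
    try:
        ipaddress.ip_address(host)
        is_ip = True
        lures.append("raw IP address instead of a domain name")
    except ValueError:
        is_ip = False
    if any(label.startswith("xn--") for label in host.split(".")):
        lures.append("punycode label (possible look-alike characters)")
    if parts.scheme != "https":
        lures.append("not https")
    reg = host if is_ip else registrable_domain(host)
    on_brand = reg == brand_domain
    brand = brand_domain.split(".")[0]
    if not on_brand and brand in url.lower():
        lures.append(f"'{brand}' appears in the URL but {reg or 'another host'} controls the page")
    return {"host": host, "registrable": reg, "lands_on_brand": on_brand, "lures": lures}


# Constructed samples: one genuine link and the lure shapes consumers are shown.
SAMPLES = [
    "https://www.paypal.com/signin",
    "http://www.paypal.com.account-verify.example/login",   # brand as a subdomain
    "http://www.paypal.com@198.51.100.7/",                  # brand as userinfo
    "http://lure.example/www.paypal.com/webscr",            # brand in the path
    "https://xn--pypal-4ve.com/",                           # look-alike characters
]

if __name__ == "__main__":
    for u in SAMPLES:
        r = explain_url(u)
        verdict = "brand site" if r["lands_on_brand"] else "NOT the brand"
        print(f"{u}\n  -> {r['host']}  [{verdict}]  {'; '.join(r['lures'])}")
```

The rule the code encodes is the one worth teaching: only the registrable domain immediately before the first single slash decides who controls the page; everything to its left (subdomains, a fake username before `@`) and everything to its right (the path) can say anything the attacker likes.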

Urgent problems

It might sound surprising that business process reengineering would have an impact on the fight against phishing, but it really does. We reengineered our blacklist handling processes to make sure that we got those blacklists out to the rest of the industry as quickly as we could. The bad guys were all trying to convey a sense of urgency. Going back to consumer education, that's one of the things I always highlight. If you ever see an email and it's trying to convey a sense of urgency or you yourself feel as though you need to take action right now, then it's probably a phishing email. One of the things the bad guys are trying to do is persuade you subliminally that this is urgent and you have to act now because they know that guys like me are out there trying to get those phishing sites taken down as quickly as possible. They want to get victims as quickly as they can, so this whole sense of urgency is actually one of the primary litmus tests.
