Information Security Magazine

Ping
by Michael S. Mimoso
Issue: May 2007

PayPal's 133 million online customers are the biggest ocean for phishers to plunder. CISO Michael Barrett wants to make it safe to be in the water, and he's not going at it alone. Backed by PayPal's sophisticated fraud models and help from ISPs, Barrett is succeeding in protecting the most-spoofed brand on the Internet.


How does PayPal defend against phishing?

One of the back-end defenses we have is a lot of fraud modeling. It's very advanced, and it's resulted in extremely low fraud rates compared to the rest of the financial services industry. We've gotten very good at detecting fraud on the back end, so what's [the phishers'] response? They generate more mail on the front end.

Can you quantify losses due to phishing for PayPal?

Forty-one basis points is the total fraud number [on PayPal's fraud model], and we don't break out where phishing is in that overall mix. I will say, it isn't very high on that list. That's one of the issues here--there is a perception there is a huge problem, whereas the financials don't indicate that.

How much can you share about your fraud models?

They're internally developed. We don't talk about what they do, because this is an area where the more you disclose about what the models are looking for, the more you're telling the bad guy how to evade them. I can say, they're broad-based, real-time front- and back-end inspection models. They look at a number of variables around behavioral patterns to determine whether a customer is who they say they are. But the proof of the pudding is in the eating: Our fraud rating is 41 basis points, or less than a half of one percent. That is substantially lower than any credit card company.

What levels of sophistication are you seeing with phishing attempts?

Eighteen months ago, you could spot most phishing attempts--grammatical errors, sites with kludgy graphics. Clearly, they've gotten more professional since. There's way fewer errors being made that are giving away the fact that a piece of phishing mail has arrived or it's a phishing site you've arrived upon. In terms of phishing attacks, we're seeing increasing levels of vertical specialization in the criminal community. One guy focuses on a sliver of crime. That has increased.

How much responsibility should ISPs and carriers take for filtering phishing in the Internet cloud?

That's a difficult question. The difficulty is, how do you incent someone who doesn't make more money if they address the problem or help you with a strategic goal? It's a question of how to link the problem to them so they get engaged. It is all about industry cooperation and dragging people into that communication.


Download the full interview with Michael Barrett at searchsecurity.com/ismag.




