
Interview: PayPal CISO Michael Barrett

PayPal's 133 million online customers are the biggest ocean for phishers to plunder. CISO Michael Barrett wants to make it safe to be in the water, and he's not going at it alone. Backed by PayPal's sophisticated fraud models and help from ISPs, Barrett is succeeding in protecting the most-spoofed brand on the Internet.

This article can also be found in the Premium Editorial Download: Information Security magazine: Nine tips to guarding your intellectual property

How does PayPal defend against phishing? One of the back-end defenses we have is a lot of fraud modeling. It's very advanced, and it's resulted in extremely low fraud rates compared to the rest of the financial services industry. We've gotten very good at detecting fraud on the back end, so what's [the phishers'] response? They generate more mail on the front end.

Can you quantify losses due to phishing for PayPal? Forty-one basis points is the total fraud number [on PayPal's fraud model], and we don't break out where phishing is in that overall mix. I will say, it isn't very high on that list. That's one of the issues here--there is a perception there is a huge problem, whereas the financials don't indicate that.

How much can you share about your fraud models? They're internally developed. We don't talk about what they do, because this is an area where the more you disclose about what the models are looking for, the more you're telling the bad guy how to evade them. I can say, they're broad-based, real-time front- and back-end inspection models. They look at a number of variables around behavioral patterns to determine whether a customer is who they say they are. But the proof of the pudding is in the eating: Our fraud rating is 41 basis points, or less than a half of one percent. That is substantially lower than any credit card company.

What levels of sophistication are you seeing with phishing attempts? Eighteen months ago, you could spot most phishing attempts--grammatical errors, sites with kludgy graphics. Clearly, they've gotten more professional since. There are way fewer errors being made that give away the fact that a piece of phishing mail has arrived or that it's a phishing site you've arrived upon. In terms of phishing attacks, we're seeing increasing levels of vertical specialization in the criminal community. One guy focuses on a sliver of crime. That has increased.

How much responsibility should ISPs and carriers take for filtering phishing in the Internet cloud? That's a difficult question. The difficulty is, how do you incent someone who doesn't make more money if they address the problem or help you with a strategic goal? It's a question of how to link the problem to them so they get engaged. It is all about industry cooperation and dragging people into that communication.

Download the full interview with Michael Barrett at searchsecurity.com/ismag.


This was last published in May 2007
