Paypal account security: CISO on ways to prevent phishing

Paypal has become known as one of the top organizations when it comes to fighting phishing, mostly because it's been a target of so many phishing scams.

In this interview, Paypal CISO Michael Barrett discusses Paypal account security and how his organization approaches the phishing problem with technologies, training and fraud modeling.

Read the full transcript from this video below:

Rob Westervelt: Hi, I'm Rob Westervelt, the News Editor of Today, we're going to be talking about the threat landscape with Michael Barrett. Michael Barrett is Chief Information Security Officer of PayPal. Michael, thanks for joining us.

Michael Barrett: Hi. It's good to be here.

Rob Westervelt: So Michael, how has the threat landscape changed since you first started working for PayPal four years ago?

Michael Barrett: Well, clearly things have been degrading which I don't think is any surprise to anybody. We've continued to ratchet up our own controls and, at least, as far as we can see, we've fought the bad guys to something of a draw. But unfortunately, what that tends to do is push them off onto other brands, and they still victimize the Internet ecosystem at large.

My bigger mission apart from protecting PayPal's customers is trying to help the industry to get the entire ecosystem safer than it is. In terms of your specific question, one of the difficulties in this space is actually ascertaining, well how much are customers being abused by phishing, how much are they being abused by malware, how much are they choosing poor passwords and having them guessed or having them attacked in some relatively weak site and then used everywhere else. So there's still, while you can get instrumentation on some of those aspects, it's difficult to get a comprehensive view of what the bad guys are up to in aggregate because obviously they don't tell us.

Rob Westervelt: How has PayPal adapted to those changes? Has it been difficult to stay ahead of attackers?

Michael Barrett: We need to think ahead, and the way I describe this is it's like a game of chess. You don't just move your bishop and then sit back and read a novel and wait for the other guy to make a move. You think about, OK, I'm moving this piece, what is my opponent going to do in response and what should I do in response to that? So, if you start to think about it in those terms, it then gives you a much clearer way of thinking how you make your moves in terms of blocking something that you're seeing and reacting to what the bad guys are going to do in return.

And that discipline of thinking through the move tree is actually really important and it's something that's stood us in fairly good stead because when we've made certain changes, we've been able to predict with some degree of precision what we think the criminals are going to do in response. Not necessarily when they're going to do it but what they're going to do. And by and large, those sort of internal predictions that we've made have tended to come true.

So, we do think that's a useful discipline. We think it's something that honestly everybody in the business should be doing and not just changing stuff and then waiting to see what the bad guys do because if you do that, you're always reacting and you're not being proactive.

Rob Westervelt: Establishing trust must be really important for PayPal. Can you give an example of how phishing erodes trust?

Michael Barrett: Something that I think pretty much every PayPal employee is familiar with, which is to say, we go to a cocktail party and somebody says, oh, who do you work for and we say, PayPal. And then that person says, well, when are you going to stop sending me those fake emails then, which kind of describes the problem in a nutshell. People know that they're fake but they regard the fact that they receive them as being somehow our fault. Which obviously it isn't because the Internet is an open platform.

It's very difficult for us to stop phishing emails getting into their email inbox, but actually, that is precisely one of the most successful tactics we've used in our general fight against phishing. And I've spoken about this a number of times, but suffice it to say, we have a fairly broad-based approach to fighting phishing. One of the tactics that's been most successful is we have been, for several years now, since the end of 2006, signing basically 100% of our outbound emails. And then, we've been working with ISPs like Yahoo and Google to block those emails if it purports to come from but is not properly signed.

That program has been extremely successful. At its peak we've been seeing those guys blocking something in the order of tens of millions of emails a month. So, that's pretty successful because that's tens of millions of emails that are not getting into consumers' email inboxes, and even the junk folder is, by the way, dangerous because people will often go check in there.

So, what we're now trying to do is, because DKIM, the signing standard, has completely been ratified by the IETF, and then ADSP, which is the equivalent ISP blocking standard, has now been ratified, we're now out there evangelizing to the rest of the industry and saying, hey, this worked for us. But it's not scalable if you have N senders and N receivers to kind of, for each of those, go off and make pair-wise relationships.

That's why we think industry standards of an email sender being able to publish our policy and then have mailbox providers say, OK, you said you wanted it blocked if it's not signed, and it's not signed so I'm blocking it. And so, I think over time, our belief is that if that approach is used at scale in the Internet ecosystem, it will make the whole thing a lot safer. And it's a good example of what I was talking about earlier of we have to make the entire ecosystem safe, not just our little piece of it.

Rob Westervelt: Has the program helped? Can you quantify the losses due to phishing for PayPal?

Michael Barrett: That's a tricky question. So, PayPal does publish its loss numbers on a quarterly basis, and last quarter they were about a fifth of one percent. And they've been on a slow downward trajectory, but what's important to note is that that doesn't necessarily represent that the ecosystem is getting safer or our customers are being attacked less. What it represents is that PayPal is getting better at detecting and managing fraud.

And so, in some ways, as I said earlier, we're slowly fighting the bad guys to something of a draw. But the difficulty with this is simply it's actually quite difficult to ascertain how any particular customer got attacked. So, did this particular customer get phished? Do they have malware on their machine? Have they used poor passwords? And so on.

So, we have been doing quite a bit of research around this, in particular around the correlation between customers using older browsers and PCs to newer browsers and PCs. So, we all knew, for example, on an a priori basis that if you're using a Windows 98 PC and running IE4, you were probably a lot more vulnerable than if you were using a Windows 7 PC using IE8. We now actually have some numerical data to support that. That suggests actually that you are dozens of times more vulnerable if you're using that old PC.

Nonetheless, even within that rather small type of comparison, it's still difficult to work out anything other than the general trends of there is more malware, there is nastier malware and the trends we're seeing are very much the same trends that the rest of the industry is using. So, it's really difficult to zoom in from the very broad statistics that we're seeing at the industry level into, well, what does that mean for an individual customer and how did they get attacked?

Rob Westervelt: Michael, when you first started at PayPal, I know you were involved in establishing fraud models. Can you talk a little bit about fraud models?

Michael Barrett: Managing fraud isn't as simple as just saying, OK, this transaction looks dodgy, I'm going to decline it. Because if you do that, what you do is you'll throw out a lot of transactions that are, in fact, from legitimate customers who simply happen to be transacting in slightly unusual cases. And so, the difficulty here is you have to balance the bad customer experience of rejecting, in fact, an entirely legitimate transaction with the need to discriminate against the truly criminal ones. And that's where all the subtlety lies. Anybody can manage fraud by just cranking down the number of transactions they accept. The trick is to accept as many transactions as possible and still manage fraud down.

Rob Westervelt: Thanks, Michael.

Michael Barrett: It's a pleasure.

Rob Westervelt: Thank you for joining us for this video. For more information on this subject, you can go to