In association with heise online

MB: No, it's not for everybody. What we want to do is provide a range of options for consumers; they can decide how much risk they are comfortable with. The other thing I should say is that we believe there should not be a trade-off between security and convenience: you should be able to have a very secure system that is also very convenient. If we compare what we have done with what a lot of UK banks have done, their systems have been designed by paranoids like me, but with no thought at all about what the user experience is and how easy it is to get into their accounts. Depending on the bank, some of them are fairly obnoxious to get into.

hS: My own bank does use two-factor authentication, in that you have a second password from which they select three characters at random and you enter those through mouse clicks.

MB: Well, I hate to tell you that PC-driven keyboard replacements add nothing in terms of security. It would potentially stop the bad guy from being able to phish you, but it doesn't prevent attacks via malware; there has been malware that can capture mouse-click entries for several years now. It depends what you are trying to protect against, but those kinds of things don't add much security.

Anyway, in general, we tried to design our solution so that it is both convenient and secure, as well as giving you the level of control you want. Not only is there the fob form factor that we currently offer, but we have also rolled it out in a few more countries recently, and in the process of doing so we also rolled out the SMS service. Most people will always have their mobile with them and will look after it. What you do is register your mobile phone on your PayPal account, and once you have done that, it's a very similar experience to using the token. You enter your user name and password at the PayPal login page, you press enter, and it takes you to another page that requests you enter the six-digit number that is on your phone; it usually takes five to ten seconds to appear as an SMS. You enter that code on the web page and hit enter. Once you have typed it in, it's automatically expired; if you don't type it in, it expires after ten minutes. For various reasons we think that kind of solution is a really good one. We expect that in Europe in particular, which is much more cell-phone obsessed than the States and much more SMS obsessed, people will use that more, whereas in the States they tend to use the fob (Security Key device) more.

hS: Right, so I assume that the mobile phone SMS solution doesn't cost anything (apart from the normal mobile service providers' charges).

MB: That's correct.

Another thing worth mentioning that PayPal does is, and again I think we may be slightly different from other banks in this regard, that many of the banks use commercial anti-fraud detection technology. There's nothing wrong with any of that; it's actually good stuff and we use a lot of it ourselves, but we got clued in several years ago that being really good at detecting fraud was of strategic advantage to us, as well as a strategic differentiator, so we invested a lot of money in our own proprietary anti-fraud controls. That is why, if you look at the rates for credit card fraud online and then you look at our fraud rates, we are substantially lower than the credit card rates. That's largely because the credit card companies are using off-the-shelf stuff and we have built a bunch of proprietary technology. Part of this is that the average PayPal user can, and should, expect that in the vast majority of cases, if a criminal tries to use their account, we will detect it and go, 'oh, someone's got into this account', or, 'they are trying to guess the password on that account', so we will shut that account down. The person's going to have to get their account recovered, and there is a fairly set process they can go through to get their account back. In general the idea is that it's like the call from the credit card company saying, we noticed that there was a charge on your card in Turkey yesterday, but you seem to have also bought a round of coffees in London yesterday; were you really in Turkey, or in London? Those kinds of systems actually work very well in protecting consumers, so that's why we believe the average consumer should feel relatively safe and secure in using PayPal, even if they don't sign up for any of the security key form factors, just because there is all that work going on behind the scenes on their behalf.

hS: Can you tell me, out of the total transactions, how many of those are flagged as possible frauds?

MB: It varies of course from quarter to quarter and we publish it on our website.

RS: It's usually around 0.3 per cent.

MB: We measure in basis points, so it bumps around 30 basis points, so something of the order of 0.3 per cent, which, if you compare it with credit cards, where it's typically 2 or 3 per cent, is a big difference.

hS: Can you reveal how much money you have actually paid out in the last year to those who have been defrauded?

MB: Well, I know what our total fraud losses are, and you can actually work that out because we publish our percentage fraud and our total revenue, so multiply one by the other and you have your answer. I don't have a breakdown of those figures, and much of that money will be where we detected fraud, but the money had already exited the system and we simply put the money back into people's accounts, or customers charged it back on their credit card, or they complained to us and queried a transaction. In terms of any breakdowns I have no idea, and even if I did, I'm sure I couldn't tell you.

(Revenues in Q3 2008 were $597 million with fraud payments running at 0.29 per cent = $1.7313 million)

