In association with heise online

hS: Well, no, I realise that, but I wanted to get your view on it, since it's an issue that a lot of people, or rather a very vocal minority, are concerned with.

So let's focus more on the security side of things. At the moment you have introduced some new security features alongside the old method of password authentication. The problem I can see you have as a commercial organisation is that you want to make it easy for the customer, and that doesn't fit well with the idea of making transactions as secure as possible. The trouble with passwords is that it's now a general problem: with so many services requiring a password, people don't know how to manage them. They either have separate passwords for everything or ......

MB: Now you have actually touched on something that is very close to my heart, which is very clear. I have two or three responsibilities. Part of what I do is cat herding internally, to make sure that everybody is appropriately managing customer data, people have only got access to what they need and we can demonstrate compliance to our various regulators, so that's bread-and-butter CISO stuff and my job there isn't any different from any other CISO in a financial space.

The other job I have is helping to protect PayPal's customers, and as soon as you go into that, you fairly rapidly discover that ... and this makes a lot of sense, so think about this. The internet basically came into being about fifteen years ago; we're fairly close now to the fifteenth anniversary of the Netscape Navigator, so that was really when most people outside of academia started using the internet, and we have gone from a few tens of thousands at most, probably under ten thousand people in the early 90s, to substantially north of a billion people using the internet at this point. Most of those people are consumers, most of them are not technically oriented, most of them have never had any education about how to protect themselves. So I spend quite a bit of my time in direct consumer outreach, trying to help people understand what they can do to protect themselves because, you can get into debates about how good our customer protection policies are and so on, but the fact is, in most cases, if a customer experiences harm because they lost control of their PayPal credentials we will reimburse them. Now the problem is – a) they will tend to blame us for their problems, even if it was their fault because they did something stupid, so they had a bad experience of PayPal despite the fact that they made the error, and b) we lose the money, and so that winds up being a million here and a million there and soon you're talking really serious money.

So for various reasons we are strongly motivated to help as many consumers as we can to protect themselves. Because if they use the same password everywhere and they go to some obscure website that is hardly used and is not run by anyone professional, it gets hacked and then a bad guy's got a bunch of user IDs and passwords. The first thing they go do is, oh, I wonder if these people have got a PayPal account, and if they do, guess what, I've just got a good live PayPal account to drain.

So, as I say, we are spending quite a bit of effort on consumer education around the world: how can they help protect their password, how can they protect themselves against phishing and how can they protect themselves against malware. All of those things consumers can do, very simple things that help substantially reduce their risk. As I said earlier, nothing in life is completely risk-free, but we can make the internet, relatively speaking, acceptably safe, and you can just get on with your life if you take those steps.

hS: Yes, I have to say that even as a security professional, I struggle to come to terms with all this, and once you become professionally involved in security you do tend to become very paranoid, although as the saying goes – if they really are out to get you, you aren't paranoid. Thinking about it, the responsibility for their own safety does lie with the customer, and the problem for you is getting them to acknowledge that without getting upset at PayPal.

MB: Well, that's why we spend so much time focussing on consumer education. Personally my experience has been that, generally, when you talk to people, the messages are fairly straightforward. Essentially for us, part of the problem was, the more we looked at it the more we discovered that words on web pages weren't necessarily the best way to help educate consumers, as well as that we really needed to think strongly about the messages, because we had, for a long time, the standard top ten tips, and it's not that any of them were bad, it's just that people's attention span is about four items; after that their eyes glaze over and you've lost them. That's really why we try to bucket these things into those three buckets (password protection, phishing protection and malware protection). Plus some common sense things like – if it sounds too good to be true, it probably is. You know my favourite example: in the real world, if someone knocked on your front door and in a foreign accent said “I want to give you $5 million, but you need to give me your bank account details”, you'd slam the door in their face. I tend to believe that the same applies very well in cyberspace.


Permalink: http://h-online.com/-746227