In association with heise online

hS: What's the penetration of the security token at the moment?

MB: It's fairly low. We always expected it to be very low, and this is precisely because, in most cases, consumers want to be secure and they want to be taken care of, but they don't want any more inconvenience. What people say and what they do are different, so if you talk to the average man on the street you will discover that, yes, they are better than average drivers and that, yes, of course they are on a diet and of course they exercise five times a week. What they actually do is a completely different thing. Most people will tell you, of course they are prepared to do something extra for improved on-line security, but the practicality of it is that probably 99 per cent of them actually are not, in practice. Unless you make them, which comes back to this philosophical question of, well, should we make them or not, and our general view is that it actually should be a choice.

We will do our damnedest to make our system very secure at the base level of security, and as a customer you should be able to feel quite comfortable using our system at that base level. You shouldn't have to upgrade to some level of additional security unless you actually want it because you want more direct control. The folks who tend to are the folks who often are in the security business, frankly, so they are technically aware. From a psychographic, demographic perspective they are often the digital literati, the early adopters of various bits of technology, and they like to play with the stuff. It's a relatively small percentage, it's under 1 per cent, and we always knew it would be, because all of the industry data before we launched the security key was highly suggestive that it would be in that range. But you need to offer it for those people, precisely because that segment is very influential, they care about the level of control they have, they want that control, and we would be remiss if we didn't offer it.

RS: Also it's only just been launched, so it's very early days and we are still working out our plans on how we will be contacting customers and making them aware of what we are doing, and saying, look, this is your choice, these are the options available.

hS: How about you get your major vendors to indicate that you have these options available?

RS: No, we wouldn't expect our sellers to do that. I don't think it's really their responsibility to explain how, as a PayPal customer, you can be more secure; frankly, that's our job really. Of course in the UK we have direct access to 20 million customers, so we will be explaining to them exactly what they can do.

MB: Well, we're certainly not going to shove it down their throats. This is a question of information and education, not mandating anything.

hS: Yes, after all you offer your service as a contract, and it is the responsibility of the customer to have read your conditions and to realise that, whatever they say, that's what they are signing up for. Of course a lot of people don't do this, and when they have a problem they don't refer to those conditions and think, wait a minute, I did agree to do this, it's at least partly my responsibility.

Presumably your automatic fraud detection takes into account whether or not a security key and its token have been used or not?

MB: There are limits to what I can tell you about how our fraud models work.

hS: I understand that PayPal in general uses a great deal of open source software.

MB: Yes, we do. We use a mixture, whatever is the best fit for the job at hand. Our web servers, for example, which you could find out very easily by looking at our websites, all run Apache on Linux; we have a very large web farm. On the other hand, our critical database servers are all running on very large IBM P series boxes, running AIX, running Oracle. This is simply because commercial database engines like Oracle can scale way higher than any of the current open source databases. That's today; in five years that might change, and at that point we'll re-evaluate that decision. We are always looking at technology in terms of what's best for the job and what's best value for the money. Sometimes we'll pick what's best and sometimes we'll pick what's best value for money, depending on what the application is. You know, web servers we can just go on racking and stacking, so the cheapest technology is the best for that purpose. Apache has got some very nice security features, many of which we have turned on.

hS: The VeriSign solution is a proprietary solution?

MB: It actually isn't. The token I showed you is based on an open standard called OATH, so it's an open-standard-based solution. Now, they have taken that standard and built the VeriSign VIP network around it.

Next: The future

Permalink: http://h-online.com/-746227