Q&A: PayPal fights back against phishing
CISO Michael Barrett says his company is a top target
Computerworld - With 133 million consumers worldwide, PayPal is arguably one of the most recognizable Internet brands -- and one of the most frequently phished as well. With that in mind, PayPal's chief information security officer, Michael Barrett, talked about the problem and his company's multipronged strategy for handling it. Excerpts from the interview follow:
How does it feel to be CISO of what is perhaps one of the most targeted companies on the Internet? I guess it's the old, 'You've got to be careful what you wish for' thing. Actually, it's been fun. I have enjoyed working here. It's a job you can really sink your teeth into. It's a great culture, it is very entrepreneurial, it's relatively easy to make decisions and get funded and to make an impact.
PayPal's chief information security officer, Michael Barrett
What's your biggest security challenge? Essentially, the most significant issue is phishing. It is not so much a financial issue because we make our customers whole. If a consumer ever does get victimized by phishing, we 100% reimburse them. But clearly it causes a perception problem. Phishing definitely is something we hear [about] loud and clear from our customers. They want us to take that away, and we are actually working very actively on addressing that. We don't believe it's a problem that there is a single silver bullet for. We also think it is an industry problem. In fact, quite a lot of what we are trying to do is link the industry in coming up with a solution. But we do want to make a significant dent. Of all of the things that we worry about, this is pretty much top of mind for the company.
So what is PayPal doing in this regard? Basically, what we are doing is taking a broad brush strategy. It has a number of elements. Essentially, it is incredibly simple and yet incredibly hard to argue against. If consumers don't receive phish mail in their e-mail inbox, it's kind of tough to victimize them. Sometimes people say, and I don't subscribe to the belief, that spam is an uncontrollable problem. If you mean can you catch every bit of spam and phish mail -- that is probably very difficult to achieve. But can you deal with it such that you see very little spam and very little phish mail? I would submit [that] technically we already know how to do that. I am actually a great poster child for that because I have had a personal e-mail address since 1996 but I see effectively no spam when I have my spam control filter turned on. But I see hundreds of spam mails a day when I turn my spam filters off. So I don't believe that we can't solve the problem; I just think by and large we haven't put the controls in front of the consumers.
- EndPoint Interactive eGuide In this eGuide, Network World, Computerworld, and CIO examine two endpoint trends - BYOD and collaboration - and offer tips and advice on...
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- Cybersecurity Imperatives: Reinvent your Network Security The Rise of CyberSecurity
- Surescripts Case Study- Securing Keys and Certificates Surescripts implemented Venafi's Trust Protection Platform™ to secure digital keys and certificates, ensure the privacy and confidentiality of electronic clinical information for its...
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities.
- Deep Dive into Advanced Networking and Security with Hybrid Cloud Security and networking are among the top concerns when moving workloads to the cloud. VMware vCloud® Hybrid Service™ enables you to extend your... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!