
PayPal security chief on Epsilon breach and more (Q&A)

CIO Michael Barrett talks with CNET about the need to choose data outsourcers wisely in light of the Epsilon breach, why PayPal isn't re-issuing SecurIDs after the RSA breach, and other matters.

Elinor Mills, Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Michael Barrett, chief information security officer at PayPal

CNET got a few minutes on the phone today with Michael Barrett, chief information security officer at online payment processor PayPal, and asked him his opinion on some current events in the world of security. Here are edited excerpts of the interview with the man responsible for making sure the personal and financial data of millions of PayPal customers and thousands of employees is secure.

Q: Advanced Persistent Threats (APTs) targeted at a specific organization and typically seeking to steal data have been in the news a lot lately. Has PayPal been hit by any such attacks?
Barrett: I do not believe we have been targeted by APT attacks. We've certainly found malware on our network though.

Is PayPal impacted by the breach at RSA that affected its SecurID authentication tokens?

Barrett: We don't use them for our customers, but we do use them internally and at this point, because we have a multilayer defense, we are not in fact reissuing those, at least not precipitously. We may do a targeted reissuance for select employees. RSA themselves have been very forthcoming about the nature of the attack but because of the law enforcement investigation, their hands are tied as to what they can divulge.

What are your thoughts on the fake digital certificates that were issued in the Comodo-related breach?
Barrett: In many ways we think it is symptomatic of weak practices on behalf of the Certificate Authority business. It wasn't Comodo themselves breached. It was an RA (registration authority) who resold (Comodo's) certificates. But there are a number of poor practices in the CA business model and what you're seeing is one of them. There is considerable evidence that the CA business has focused on revenue at the expense, in some situations, of security. The CA business has some cleaning up to do and this kind of incident is a very good example of that.

The Epsilon data breach has dominated the headlines this week. Does that indicate a problem with the outsourcing of e-mail services?
Barrett: There have been some other breaches in that industry in recent months. I don't take that as any kind of collective indictment of the industry. Rather it seems to me that all businesses have to be aware that their data has value to potential attackers. People say "it can't happen to me." But criminals are going after pretty much everybody these days. All companies that process data need to treat controls around that data with the appropriate level of seriousness. We're seeing a shift in the consciousness in companies.

We do use external vendors, but I'm not sure if I can name them. We don't use Epsilon, by the way. I will say that. One of the things we do is due diligence on those vendors, to the best extent we can, to assure ourselves that those vendors are safe. Before giving any e-mail vendor the first name, last name, and e-mail address you have to make sure they are following industry best practices. And some companies are better than others.

The mobile space is pretty hot right now. What trends do you see there?
Barrett: From a security perspective, mobile platforms are charming because they have fewer attacks going on. On the other hand there are all sorts of possibilities for attacks that haven't yet materialized. So it's a very interesting space. For example, there aren't many attacks on un-jailbroken iPhones so they tend to be fairly secure. Android is probably a slightly less secure platform and there have been more attacks against it. It's simply more open and Google doesn't control the apps that are available in the same kind of manner that Apple does. That particular sword has two edges. Google has taken a more open approach and I think that's a philosophical question. I'm not criticizing Google and praising Apple. One approach leads to a more open ecosystem but potentially one where there is more risk. You can't look at just the security characteristics; you have to look at the overall health of the ecosystem, like what apps are available and other things. Personally, I like the BlackBerry because I can punch-type with my thumbs.

If people are doing e-commerce on their smartphones they actually need to put a PIN in to lock it and you would be amazed at how many people don't do that. You need to lock it and back it up. Whenever new updates to apps come out we always strongly recommend to consumers that they download and install those new versions.

How does PayPal deal with subpoenas and government requests for access to data?
Barrett: Our position with law enforcement has been very straightforward. We're a company that respects the law and we work pretty vigorously with law enforcement. When they come to us with appropriate requests we cooperate. If we believed they were fishing and just wanted customer data we wouldn't (cooperate).

Is phishing still the bane of PayPal and its customers?
Barrett: I joined PayPal almost exactly five years ago and it's fair to say the company had not realized at that point the true significance of phishing. But since that time we've put in place a number of defenses against it. It probably will never go away completely as a problem, but it can be substantially minimized. We're at No. 8 on a list of most phished sites, which is better than being No. 1. I'm not satisfied with being No. 8 and I'd really like to obliterate the crime completely, but I realize that will take another five years to get to that state. A few years ago we started digitally signing all our outbound e-mail and we worked with Yahoo and Google so if they saw e-mail that purported to come from us but wasn't signed they would block it. That has been stunningly successful. Now we're trying to get the whole industry to take up that type of approach. But it will take several more years of pushing to get the rest of the industry to do that.

Any other topics you would like to discuss?
Barrett: Yes. Regulation. We believe we're now entering a period where more regulation of the Internet is likely inevitable and the question is what should that safety framework look like to make the Internet a safer place than it is today? It's likely the U.S. government will do something this year. I would like to see an increase in funding for cyber law enforcement which is surprisingly inadequate.