At PayPal, fending off phishers--and Google

CTO Scott Thompson talks about ways to shoo e-mail scams and to keep tabs on the Checkout competition.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
If you have an e-mail account, chances are you're used to seeing messages that purport to come from PayPal but which are actually spam from attackers trying to get you to click on a link to a malicious Web site and give up your password or other sensitive information.

Phishing attacks are commonplace. PayPal advises people not to click on suspicious-looking links, but given the scope of the problem, more needs to be done to protect people.

PayPal Chief Technology Officer Scott Thompson talked to CNET News.com about new security measures in browsers and at Internet service providers' e-mail gateways that should help people differentiate legitimate PayPal e-mail from spam. He also discussed how eBay's PayPal business unit is going mainstream and global and how executives are not worried about competition from Google and its Checkout online payment service.

Q: PayPal and eBay continue to be popular targets for phishers. What are you doing to protect customers, and how can this problem be solved?
Thompson: Most other online relationships are with your bank or with a brokerage firm or very rarely do you start with your e-mail address as your account identifier. We start with an e-mail address because that is the quickest way online to identify somebody, and that is also the quickest way to allow people to send money to each other. But it's very easy if you are a phisher or fraudster to guess your e-mail address and to send you something that might look like it's from PayPal or eBay. By the way, if (spammers) were to send you something, they are likely to be successful because we have over 133 million account holders today.

PayPal sends out about 6 billion e-mails a year. Earlier this year, we took the effort to put a digital signature that authenticates PayPal as the sender of all these e-mails, so when it goes out to ISPs, we have digitally authenticated that e-mail as being us. With Internet Explorer 7 one of the really neat things that is going to happen is the digital signature that we provide to Microsoft in that browser will actually turn the top line of the URL green. If it is not signed by us, if somebody is trying to imitate us, it will turn red. We also are working with ISPs around the world today, starting with all the big ones. If a PayPal e-mail doesn't have our digital signature on it, (the system) prevents it from ever arriving in your in-box. This will change the game rather dramatically in the whole spoof-phishing area.

When will we start seeing the benefits from that?
Thompson: If you have IE 7 today, you will see the URL line turn green. The same thing is true with Firefox. The other thing that is coming is we are working with ISPs and browser providers to determine all the bad sites around the world where this activity is coming from.

Can you tell me about the password-generating key fob? How is that rollout going?
Thompson: The uptake on that has been surprising. You never know when you launch something like that what the average customer might do. We have exceeded our estimates of what the uptake was going to be. Almost immediately after receiving the fobs, more than 50 percent of all the people who received the security device activated it immediately.

How many does that represent?
Thompson: Well, I don't know that I can give you the number, but we are (offering) them today in Australia, Germany and the United States. But we are not aggressively advertising it yet to all of the people who visit our payment site. And my sense is, when we do aggressively advertise it and market it to that same customer base, we are going to have an even further uptake.

So, would you say security is PayPal's biggest challenge, and if not, what is?
Thompson: I think this company even long before I arrived was grounded in security and was absolutely grounded in privacy. The standard that we have for ourselves far exceeds anything I have ever seen in any organization I have been in. Here's a good example. Every piece of customer information that we store on your behalf for any of the 133 million customers is completely and fully encrypted inside of our network and in all the computers we have here at PayPal. That is an investment that I would argue I have never heard of a bank making, never heard of a payment system company making it. People don't do that because it is extremely expensive. So, I think in the DNA of PayPal there has always been this extremely high consciousness for security and for privacy, and that continues even today, seven years after the company was founded. That is one of those great strategic advantages that we have over all the other competition that plays in the payment space.

Can you comment on the competition you might be seeing from Google Checkout? Have you seen any loss of market share or revenue?
Thompson: Sure. The first thing I would say is payments are really hard to deal with. It's a business that is built around precision. There is no margin for error in anything associated with payments, and that's the relationship we have with both buyers and sellers on the eBay site and our customers and merchants on eBay. Beyond that I fully expect that because payments is such a big business, that all the competitors that we know of today are going to be there tomorrow, and there is probably going to be a whole lot more that people are dreaming of right now in start-ups in Silicon Valley and elsewhere.

So there is always going to be competition, and I actually love good competition. It raises your game to a higher level when you have good competition. So as it relates to Google Checkout, where as you would expect we are very aware of what they are doing, we don't think they are in a payment system business. We think they are specifically in a check-out business, and there is quite a bit of difference between checkouts and payments. I would argue that we have such a lead in the business of global payments that if somebody wants to chase after us a little bit, I think they are going to realize it's hard to do, and I think they will fully appreciate and understand the head start we have. Nobody here is overly confident, but I think what we need to do is have a strategy and focus on that and not on any competition.

How big do you see the market for micropayments? It seems like you would have the infrastructure to do that more broadly. Are you seeing content owners like music or print publishers going in that direction?
Thompson: Micropayments is a remarkably big opportunity. I said doing payments is hard. Well, micropayments is extremely hard, and that is why nobody has cracked the code on it yet. It's just very, very tough to do. You probably recall 10 to 12 years ago the phone companies thought micropayments (would be a way to) extend their billing reach further into their customer set. But every phone company that tried that has realized that this is a whole lot harder than they thought, and they all backed off those initiatives. So, I think somebody at some point will come up with a real cute idea on this, and it will be one that changes the game. I think that's one where you stay tuned. It probably plays out two or three years from today.

Is PayPal planning to move into online banking services?
Thompson: If you are PayPal, you can never say never. But I can tell you, we don't do online banking today. In the near term, we don't intend to do online banking. We have a great payments business. We have tremendous future growth opportunities in the payment business that we are in. We are completely focused on that online payments business, and we view something like online banking as an adjacency that may be of interest some number of years from today. But now we are solely focused on online payments, and we don't want to be distracted.

How is adoption of PayPal among mainstream users going? Some people have complained that the initial sign-up process can be a little bit difficult.
Thompson: One of the things that we are focused on genuinely is the complete end-to-end user experience that you might have with PayPal, and we are pouring a lot of investment dollars into making absolutely certain you know what we stand for, you know what this brand is, and you have the sense of why you would use it. And then every element of interacting with us after that, we want to make it as easy and as convenient to you in your life as possible.

In every survey I have ever read, the answer for why people don't shop online is that they are worried about giving their financial information and personal information to somebody they don't know. That has been the same answer for the last 10 years. Our challenge is to make certain that all of our current customers and all future ones we attract completely understand our value proposition, and that is that when you use PayPal we don't share your personal or financial information. We will never give elements of your credit card to a merchant. We could do a better job explaining it and marketing it. But at the end of the day, if you are in that two-thirds majority who say, "I am worried about (security)," you will eventually find your way to PayPal, because you will understand the benefits our operating model has.

PayPal has a strong record of alumni going off to start successful companies or at least fund them, like YouTube, Yelp and LinkedIn. Why do you think that is?
Thompson: We don't look for a lot of fanfare on this subject, but the entrance criteria to work in engineering and to work in product development in PayPal, that bar is set extremely high. In order to get a job offer from us you have to be a very talented engineer and you have to prove it to us through a number of hurdles that are in the interview process. We do testing; we do problem solving; we do lots of things to make certain that you are in the top 5 percent of engineers around the world, and we have done this for years now. This becomes a very self-reinforcing culture that we have. So it is very easy to understand why when they leave so many of these people become successes yet again--because these are truly the best and brightest people in this industry.

Is there anything else that you would like to discuss?
Thompson: I think we are literally in the very, very early stages of this business and very early stages of the growth of this business. That might be hard for people to believe because we are already very big. We operate in 103 countries, and we are approaching $40 billion of payment volume. One thing I am 110 percent certain of is that five years from today we are going to be a much, much bigger company than we are today, and the reason for that is that our product, our operating model of value proposition is very special. It is unique, and it plays everywhere. It plays in Spain; it plays in Italy; it plays in Korea, it will play in Japan, we just launched the localized site in Japan; and it plays in the United States.

Every place there is electronic payment our business model is perfectly suited for. We are a 7-year-old start-up with 6,000 people, and the best is yet to come from PayPal.