A few years ago, an American living in Indiana opened an account with PayPal, the U.S. company for making payments and money transfers online. A few months later, funds were drawn from the account — from Iraq, and the delivery address for the goods ordered was in Germany.
- Microsoft, Amazon eyeing Israeli cyber-security firms as potential R&D centers
- Israeli who helped catapult Twitter to fame and glory plans next move
- Startup of the week / Moving briskly through the virtual checkout
- The Israelis are coming to eBay
- Startup of the week / Pretty plastic wheelchairs for the developing world
So was the account hacked? Or maybe it was simply an American soldier scheduled for transfer to Germany. This fictional case illustrates real issues that PayPal has to sift through. The company’s battle against fraud is led by a team of 100 Israelis, mostly veterans of the Israel Defense Forces’ intelligence corps who work at the firm’s Tel Aviv development center.
“Fraud is a significant threat; there are countries in which PayPal handles more than 20% of online commerce,” says Tomer Barel, who five months ago was appointed director of risk management for PayPal worldwide. He previously headed the Tel Aviv development center since 2009.
“As a result, PayPal is a major target for fraud," Barel says. "We have almost 150 million users, so theoretically this involves a huge number of people who could become theft victims. Every day, 10 million transactions are conducted on PayPal, and the company’s loss rate is 0.2% of sales, most of which stems from fraud.”
Barel and the Israeli development center have the fascinating job of making Internet purchases simple and secure without invading users’ privacy. The increasing use of the Internet on mobile phones, the development of virtual currencies such as Bitcoin and the growing online criminality are just some of the challenges.
Kingpins recruit hackers
Organized crime has changed drastically over the past decade, Barel says. In the past, criminals would go from restaurant to restaurant demanding protection money, not to mention the occasional beating or shooting. Now organized crime can recruit people around the world; all the recruit needs is skill, an Internet connection and the ability to convince himself that what he’s doing is acceptable.
“We get into the hackers’ [online] forums and see a lot of rationalization there. The hackers view people who use violence as criminals,” Barel says.
“Organized crime recruits a lot of smart and talented people who tell themselves they’re not really stealing from individuals because [consumers] are protected and get their stolen money back. And everything is done without violence; there’s no contact. The victim is faceless, so there’s no compassion.”
It’s a model involving a minimum of friction between the criminal and the victim, Barel notes.
“Someone’s sitting in China, Britain or Moldova and tells himself: ‘I’m stealing from multinational corporations, those rich bad people. I’m a kind of Robin Hood,’” he says.
“But that money flows to organized-crime groups and funds their other activities, some of which are violent. The ability of a group to be scattered all over the world and not directly confront its victims contributes to its success.”
The Israeli team has the expertise to take data from a transaction and make an immediate decision, Barel says. The idea is to prevent fraud while limiting the inconvenience to good customers whose transactions might be a bit out of the ordinary.
A fraction of a second
Most of the time, the process is carried out automatically. The job of PayPal’s Israel center is to flag use of a PayPal account by someone other than the account holder. There are standard tools to do this, such as a user’s IP address — the number assigned to a particular computer — but there are less obvious ways.
“Activity on a computer produces a number of electronic signatures; the trick is to identify them and make links among them,” Barel says.
Whether the task is an art or a science, there isn’t much time to do it.
“We need to identify attempted fraud in real time, and that’s a matter of a fraction of a second,” Barel says. “I need to identify that a stranger is using your account. You’re not going to wait in front of your computer or mobile device for five minutes for the system to approve the transaction.”
The Israeli team also has to analyze sophisticated cases that a computer can’t recognize as fraudulent. This involves research and intelligence gathering; graduates of the Israel Defense Forces’ technology units are natural candidates.
“It’s a cat-and-mouse game. Fraudsters adapt to the model that you put in place, so we came to the conclusion that the human dimension is critical,” Barel says.
“In our research groups in Israel, there’s a large team of analysts who look at huge volumes of data, identify patterns and help the algorithm make a decision. People are still more powerful than machines in trying to foresee and identify human behavior.”
Second biggest after San Jose
Regarding that theoretical case of the American soldier in Iraq a few years ago, Barel notes that similar situations occur.
“I’m a soldier and want to send a package home to my wife. You can build an algorithm, but the question is how the computer encounters this story and understands the complex reality,” Barel says. “It’s very easy to say that if we see an American soldier accessing an account from Iraq, we won’t approve the transaction, but the aim of PayPal is to allow purchases.”
PayPal’s Israeli development center was built around its $168 million acquisition in 2008 of startup Fraud Science. It’s the company’s second largest development center after the one at corporate headquarters in San Jose, California. It was just PayPal’s second acquisition.
“From a technological point of view, it’s the largest center. In a quiet way, we’re doing the most complicated and complex things at the highest level of expertise in the world,” Barel says, adding that PayPal’s competitors in the 1990s went bankrupt due to fraud.
And when it comes to Israeli customer traffic, PayPal, is very successful.
“The service’s penetration rate is relatively high by international standards, and the Israel mobile service penetration is among the highest in the world, but we still haven’t gotten to the situation in the United States. The infrastructure here is still not strong enough; for example, when it comes to deliveries and customs,” Barel says.
“These are barriers that need to be overcome. On the other hand, Israeli consumers are by no means conservative. They are open and want to adopt new things. It’s not by chance that we’re a high-tech powerhouse. We have a curiosity that pushes people to try things.”
Turning back to PayPal’s Israeli development center, Barel notes how some of the world’s best minds seek to commit fraud. So he needs other great minds at PayPal. The worldview of the Israeli intelligence corps is very suited to the task, and Israel has a comparative advantage in the field, he notes.
PayPal has 120 employees in Israel, including the 100 who fight fraud. The other 20 comprise the business unit that strives to retain clients in Africa. When the PayPal center was established in 2009, it had a workforce of 35.
Barel says he expects the Israeli center to keep growing, and that very promising things are happening in information security and fraud prevention in Israel.
“As an Israeli, I’m very pleased that an ecosystem has been created here,” he says. “As an employer, this ecosystem provides a challenge, as well as competition for personnel. From the standpoint of the industry in Israel, it’s outstanding. Don’t forget that in 2009 we almost had a monopoly in this country.”