• At PayPal, we regard fighting cybercrime as a strategic business priority and we invest heavily in trying to keep our sites and services as safe and secure as possible.  PayPal's philosophy on cybersecurity has a heavy focus on customer data protection.  Everything we do around security is about living up to our commitment as the "secure way to pay and be paid." It is important to approach security across the industry, ensuring that providers keep their systems secure by analyzing data in real time to understand behavior alongside static data to help verify identity and protect consumers who sometimes aren't equipped to protect themselves.
  • PayPal has been a pioneer of tokenization technology, which helps protect customers' data during transactions. Tokenization substitutes a person's sensitive financial information with a series of non-sensitive numbers that confirm to the merchant a payment is authentic, helping to minimize the impact of data breaches.
  • A customer's data can be exposed in numerous ways, which is why we look at security broadly.  Passwords are an area where customers are most vulnerable. PayPal is exploring new methods of authentication that use techniques like biometrics and data analytics.
  • As a global company, PayPal believes in international standards for security, detection and prevention as well as greater information sharing between companies and with governments.  These procedures are crucial in catching bad actors, securing systems, and maintaining the trust of consumers.
  • Policymakers should establish coordinated frameworks of international information sharing, combatting cybercrime by securing systems, educating companies on new technology/techniques and strengthening behavioral analysis to stop bad actors.  Policymakers should also encourage innovation in new forms of authentication, replacing passwords in favor of more reliable biometrics and data analytics.
  • In 2016, PayPal partnered with the White House and the National Cyber Security Alliance as part of President Obama's Cybersecurity National Action Plan (CNAP).  The partnership aims to promote greater public understanding of multi-factor authentication and of how people can practice safe and secure habits online. [link]
    • PayPal sponsored the Lock Down Your Login campaign (a pillar of the CNAP), to increase consumer awareness of their role in cybersecurity and particularly authentication. [link]
  • PayPal is a founding member of the Fast IDentity Online (FIDO) Alliance whose mission is to find new methods of authentication that move away from passwords, towards biometrics (fingerprint, etc.).  OneTouch payments is leading better data-driven authentication through device recognition.
  • PayPal established a bug bounty program in 2012 to encourage the security community to report vulnerabilities, partner to patch them and in turn receive a reward.  The program now boasts 1,500 members with $2 million in payments made [link].
  • In 2014, the Domain-based Message Authentication, Reporting & Conformance (DMARC) technology that PayPal pioneered blocked more than 180 million malicious emails from being delivered to customers and shared 115,000 phishing URLs with other companies [link].
  • The Facebook Threat Exchange helps to further improve the speed and effectiveness of cross-organization collaboration. PayPal joined in July 2015 and has reported hundreds of IP addresses to the program.
  • PayPal engages and partners with law enforcement, proactively and reactively, both to help stop cybercrime and to catch the bad actors that have committed crimes and are under investigation.
    • PayPal created a Law Enforcement portal that allows members of organizations around the world to submit case requests, subject to the legal process.
      • We have proactively reached out to law enforcement to make them aware of this system and encourage them to reach out to us with any questions or concerns.
    • On the proactive side, PayPal establishes regular training with law enforcement organizations and educates agents on PayPal's systems and the types of crimes that we encounter, while also learning from them about the broader ecosystem and the latest trends and movements in global cybercrime.
  • From an internal standpoint, we collaborate with various teams across the company (compliance, legal, risk, infosec, etc.) to better identify potential bad actors and make recommendations to agencies.
  • According to Symantec, more than 429 million identities were exposed in 2015.  Breach Level Index reported 1,540 data breaches in 2014 (a nearly 50% increase from 2013).
  • PricewaterhouseCoopers reports that detected incidents of cybercrime increased by 38% from 2014 to 2015 [link].
  • The 2016 National FinTech Cyber Security Summit cited the need for more information to use and share as well as the need to look back at past attacks for greater insight on prevention.
  • In 2007, Microsoft Research concluded that average users access 25 sites with around 7 passwords in total that were reused across three sites on average.  A CSID survey in 2012 found that 61% of users reuse passwords across multiple sites.