PayPal employees in Tel Aviv, mostly veterans of the army intelligence corps, team up with algorithms to decide whether your transaction should go through.
A few years ago, an American living in Indiana opened an account with PayPal, the U.S. Company for making payments and money transfers online. A few months later, funds were drawn from the account — from Iraq, and the delivery address for the goods ordered was in Germany.
So was the account hacked? Or maybe it was simply an American soldier scheduled for transfer to Germany. This fictional case illustrates real issues that PayPal has to sift through. The company’s battle against fraud is led by a team of 100 Israelis, mostly veterans of the Israel Defense Forces’ intelligence corps who work at the firm’s Tel Aviv development center.
“Fraud is a significant threat; there are countries in which PayPal handles more than 20% of online commerce,” says Tomer Barel, who five months ago was appointed director of risk management for PayPal worldwide. He previously headed the Tel Aviv development center since 2009.
“As a result, PayPal is a major target for fraud," Barel says. "We have almost 150 million users, so theoretically this involves a huge number of people who could become theft victims. Every day, 10 million transactions are conducted on PayPal, and the company’s loss rate is 0.2% of sales, most of which stems from fraud.”
Barel and the Israeli development center have the fascinating job of making Internet purchases simple and secure without invading users’ privacy. The increasing use of the Internet on mobile phones, the development of virtual currencies such as Bit coin and the growing online criminality are just some of the challenges.
Kingpins recruit hackers
Organized crime has changed drastically over the past decade, Barel says. In the past, criminals would go from restaurant to restaurant demanding protection money, not to mention the occasional beating or shooting. Now organized crime can recruit people around the world; all the recruit needs is skill, an Internet connection and the ability to convince him that what he’s doing is acceptable.
“We get into the hackers’ [online] forums and see a lot of rationalization there. The hackers view people who use violence as criminals,” Barel says.
“Organized crime recruits a lot of smart and talented people who tell themselves they’re not really stealing from individuals because [consumers] are protected and get their stolen money back. And everything is done without violence; there’s no contact. The victim is faceless, so there’s no compassion.”
It’s a model involving a minimum of friction between the criminal and the victim, Barel notes.
“Someone’s sitting in China, Britain or Moldova and tells himself: ‘I’m stealing from multinational corporations, those rich bad people. I’m a kind of Robin Hood,’” he says.
“But that money flows to organized-crime groups and funds their other activities, some of which are violent. The ability of a group to be scattered all over the world and not directly confront its victims contributes to its success.”
The Israeli team has the expertise to take data from a transaction and make an immediate decision, Barel says. The idea is to prevent fraud while limiting the inconvenience to good customers whose transactions might be a bit out of the ordinary.
A fraction of a second
Most of the time, the process is carried out automatically. The job of PayPal’s Israel center is to flag use of a PayPal account by someone other than the account holder. There are standard tools to do this, such as a user’s IP address — the number assigned to a particular computer — but there are less obvious ways.
“Activity on a computer produces a number of electronic signatures; the trick is to identify them and make links among them,” Barel says.
Whether the task is an art or a science, there isn’t much time to do it.
“We need to identify attempted fraud in real time, and that’s a matter of a fraction of a second,” Barel says. “I need to identify that a stranger is using your account. You’re not going to wait in front of your computer or mobile device for five minutes for the system to approve the transaction.”
The Israeli team also has to analyze sophisticated cases that a computer can’t recognize as fraudulent. This involves research and intelligence gathering; graduates of the Israel Defense Forces’ technology units are natural candidates.
“It’s a cat-and-mouse game. Fraudsters adapt to the model that you put in place, so we came to the conclusion that the human dimension is critical,” Barel says.
“In our research groups in Israel, there’s a large team of analysts who look at huge volumes of data, identify patterns and help the algorithm make a decision. People are still more powerful than machines in trying to foresee and identify human behavior.”