PayPal ropes in the Bounty Hunter

By Soumik Ghosh Oct 27th 2015

PayPal lures the masses to locate chinks in its armor after a recent cross-site scripting bug exposed a critical vulnerability in its website.  

Security is the be-all and end-all for a payment processor the size of PayPal, and it’s imperative for the company to stay on top of its game.

The recent cross-site scripting (XSS) error in PayPal’s website revealed a potential payment pilfering risk that could jeopardize its customers’ payment details. The glitch was discovered by Egyptian researcher, Ebrahim Hegazy. PayPal patched the problem, of course, and eliminated the risk.

“The XSS vulnerability is a thing of the past, and it has now been fixed and live in the site,” said Sri Shivananda, Vice President, Global Platform and Infrastructure, PayPal.

Processing 12 million transactions per day, a number that can spike to 15 million on peak days, PayPal has now adopted a novel approach to spotting bugs and vulnerabilities in its website. In addition to a dedicated team of 2,000 anti-fraud specialists maintaining perimeter security, the company monitors every account and transaction 24/7 to prevent fraud, email phishing and identity theft.

The payment processor has also ensured that all communication between servers is over SSL. Anything short of this would rightly raise red flags for users.

PayPal has now roped in bounty hunters: security researchers who get paid for detecting bugs and vulnerabilities in its website. “There are a lot of security researchers, there are a lot of other people out there who are experts on security. We have a very successful bug bounty program, where researchers will find vulnerability on our sites that we’ve missed,” explains Shivananda.

So, what’s in it for me?

Bug spotters are rewarded with the chance to be hailed as a hero and featured on the ‘Wall of Fame’. For the practical sort, there’s money, and quite a lot of it.

PayPal pays $10,000 (about Rs 6.5 lakh) for spotting a remote code execution vulnerability. An authentication bypass vulnerability could earn $3,000, while a cross-site scripting error would fetch $750.

Involving the community to enhance security is an approach that has been adopted by many companies around the globe, including Facebook and eBay.

The way the bug bounty program works is that a security researcher submits a security bug on the PayPal portal. Once that is done, the company’s internal security professionals test that vulnerability, determine whether it is really an issue, start working on the fixes, and communicate with the researcher: “Yes, what you’ve submitted is a genuine issue. Thank you for that. We’re processing it, and as we process it, we’ll come back to you,” said Shivananda. On successful closure, PayPal pays the security researcher.

The only findings PayPal deems out of scope are vulnerabilities that depend on social engineering techniques or brute forcing.

Keeping losses down to a third of one percent: here’s how

To serve customers in 200 markets and in more than 100 currencies, innovation is the name of the game for the payment processing behemoth. At the same time, much of that innovation sits at the heart of what PayPal is about: its fraud-prevention ecosystem.

The company does a lot of work studying each transaction and the account behind it, making sure that the transactions that happen on PayPal are not fraudulent. In fact, it has achieved one of the lowest loss rates in the industry: one-third of one percent.

This has been achieved through a lot of work in machine learning and data science, taking data from all across the world and applying it to these models, topped off with some irreplaceable human judgment.

The combination of these techniques, applied to that vast amount of data, helps PayPal get to a place where it can pretty much guarantee that all transactions are safe.

“A loss rate of one-third of one percent is something we can brag about in the industry,” beams Shivananda. And why not.
