
Dave Cullinane, CISO at the online auction giant, reveals how the company is rolling with the fraudsters’ punches and launching security counterattacks of its own. By Leslie Knudson
‘I found it on eBay’ goes the refrain. Today you can find anything and everything on the site – from prison keys to an imaginary friend to the famed flaming orange 1969 Dodge Charger ‘General Lee’ made famous in the Dukes of Hazzard TV show. And, as the global e-commerce powerhouse keeps moving into higher-value auctions (it’s estimated that a car is sold every minute on eBay), the dollar sign keeps moving up. eBay garnered more than $52 billion in gross merchandise volume in 2006, and in late April posted positive earnings with a 52 percent rise in profits and total revenue up 27 percent – thanks to user experience improvements, its robust subsidiary PayPal, and new partnerships, including a deal with Yahoo! to sell advertising on its site.
Indeed, with eBay commanding a comfortable 94 percent of the online auction market, the biggest threat to further profitability is not competition but rather the phishers and scammers trying to get a piece of the action. In the case of the Dukes of Hazzard Dodge Charger, for instance, the winning bid of $9.9 million – which would have made it the most expensive item ever sold on eBay – was recently revealed to be fraudulent, with the ‘winner’ claiming his account had been hacked and the bid placed in his name without his knowledge. With trust being a key component of the basic eBay model, security is always at the forefront, and earlier this year CEO Meg Whitman hailed it as the top priority for 2007.
eBay started off the fight against phishing in 2007 with a fresh CISO at the helm of eBay Marketplaces: Dave Cullinane, former CISO of Washington Mutual. The company brought Cullinane on board to help move its security efforts into more of a predictive pattern. “There are about 2000 people here involved in security, so there’s a lot of work going on,” Cullinane explains. “We’re very good at dealing with what’s happening to us, but we’re trying to get further out in front to figure out what’s going to happen next and put protections in place before it happens.”
Cullinane’s goal to move eBay into a predictive mode in order to get in front of fraud trends before they happen has become increasingly necessary. Between counterfeit goods, hijacked accounts and even a rumored Romanian phisher named ‘Vladuz’ who has taken a liking to hacking eBay, security threats at eBay are constant and go across the board. Into its 12th year, eBay has blossomed into a thriving online population of 233 million registered users globally, a figure that would make it the world’s fifth largest country. It’s an obvious target for fraud.
Security threats at eBay
Fraudsters go wherever the money is, whether it be banks or the largest e-commerce environment, and with more than $1839 worth of goods being traded on the site every second, eBay gets its fair share of hits. Cullinane estimates the online auction site sees more than four million attacks of various types per year, yet the number of attacks isn’t what’s worrying the folks at eBay. “Probably the biggest threat today is the growing sophistication of these attacks,” he says.
The most alarming part is the rate of change at which new sophisticated methods of attack are being employed. One example was the emergence of man-in-the-middle attacks. “We knew a year or so ago that man-in-the-middle attacks were going to become a problem – attacks that would basically replay your credentials and login – but we were expecting to see them actually being used in late 2007 or early 2008,” Cullinane admits. Instead, the first of the man-in-the-middle attacks occurred way ahead of schedule: in August of 2006 against Citi Financial. Part of the reason for its early arrival is that fraud developments have been accelerated by external resources. “It’s getting to the point now where there are actually kits you can download off the internet to do that type of attack,” Cullinane states. “It looks like there’s funding being provided by organized crime to help develop these types of technologies to steal money.”
Along with man-in-the-middle attacks, eBay is also keeping denial-of-service attacks on its radar – attacks that can impede site performance or take sites down altogether. While Cullinane notes that eBay sees over a million of those attacks a year, only one has gotten through in the past two and a half years, causing only minor degradation of homepage performance.
Another hot security issue is the dirty desktop – when computers have been breached by crimeware – and Cullinane estimates that the amount of crimeware generated each month is in the thousands. “Most of the anti-virus vendors aren’t able to keep up with it simply because of the sheer volume, so we’re having to operate on the assumption that most of the computers that we’re talking to have potentially been compromised. We’re putting protections in place so that regardless of whether there might be a piece of crimeware on your PC, we can ensure that your communications and your transactions with us will be secure.”
While the threats continue to evolve, the need to be ahead of the game is clear, and eBay is already making headway in its predictive model efforts: a solution for man-in-the-middle attacks is in place, and a technology solution that will address 90+ percent of dirty desktop issues has already been identified. Even so, there’s no room for complacency. “Fraud has been going on for decades, but the fraudsters have moved to the internet environment now and started to try to figure out ways to perpetrate their frauds electronically,” Cullinane says. “Their level of sophistication is improving and ours needs to catch up.”
The best fraud weapon
Collaboration has proven to be one of the greatest weapons in the fight against fraud. eBay led the way early on as it served as a model for the banking industry in its response to phishing, and has since been highly involved in collaboration with other industry groups. “We are one of the major contributors to the Anti-Phishing Work Group (APWG),” Cullinane notes. “APWG is a forum that was created under strict nondisclosure to allow the banks and everyone to come together and talk about what is happening, what are the most effective security controls, and what are the things we need to put into place.”
eBay still remains one of the leaders of the APWG, and is also an active participant in the FS-ISAC on the PayPal side and the IT-ISAC on the eBay side – both of which were created for critical infrastructure protection under federal requirements. On top of that, eBay is involved with I4, the International Information Integrity Institute, a group of Global 200 CISOs that meets regularly to discuss issues, best practices and related matters. Participation in groups like iDefense has also helped eBay obtain information about what’s happening in the underground environment.
Besides its affiliation with information and security-related organizations, eBay is also currently involved in technology development work with vendors and universities. “We’re partnering very closely with major vendors in the security industry to identify things that we can work on together that will help address our problems and be extensible to other organizations that are growing to be electronic commerce environments,” Cullinane says. “We’re also working with R&D organizations like Stanford, MIT and Carnegie Mellon to look for new things that we can be doing in terms of more innovative and effective ways to deal with some of the issues.”
Exploring new technology offered by vendors is a critical component in eBay’s pursuit to reach a predictive mode of operating. “We’re really looking at some of the new technologies out there – we call them SEEDS – things that are emerging as technologies that we can use to build a solution for us and potentially be a more robust solution down the road for others to use as well,” Cullinane states.
Through its technology-seeking endeavors, eBay has invested in key partnerships with leading technology and media companies like Microsoft and Yahoo!. It has already collaborated with Microsoft on a new version of Internet Explorer that will have more features and capabilities designed specifically to help protect those doing business on eBay. A digital signature provided to Microsoft will turn the browser’s address bar green, so eBay users will know they are on a legitimate eBay site.
The new partnership with Yahoo! has also proven fruitful for both sides. “Our relationship with Yahoo! has been extremely helpful in preventing and stopping phishing and fraudsters,” Cullinane says. “We work closely with Yahoo! to share information so that they can authenticate legitimate e-mails from us to prevent phishing e-mails from ever reaching their intended targets through Yahoo! mail.”
eBay site improvements
Aside from its collaborative efforts, eBay is also heavily involved in its own work to combat fraud and is developing tools on its own in addition to leveraging vendor technologies. “I’d say our anti-virus technology is industry-leading and beyond the capability of what most of our vendors are offering today, so we’re doing some very sophisticated things on our own,” Cullinane says.
The company is already doing more extensive distribution of the PayPal security key to protect eBay users as well, and on the eBay Marketplaces side, it is developing a number of other security features on top of its eBay toolbar that can be downloaded to help detect a fraudulent site.
Much of the technology efforts are aimed specifically to protect eBay users from phishers. Besides standard authentication and software, a number of techniques are being employed to help improve customer discretion. “We built a security center on PayPal and we’re redoing the one on the eBay Marketplaces site to provide a much more robust educational experience for our customers,” Cullinane says. “We’re also looking at providing some of the solutions available today from security vendors to help the user community better secure their personal computers. We’ll be doing some fairly major renovations and upgrades to the eBay site similar to what PayPal just put out.”
Another current strategy is ramping up the ratings feedback to provide a better indication of how secure it is to do business with a particular individual user. “We’re evaluating adding a security component to the Feedback score that’s already on our website to indicate what security measures a seller may have in place,” Cullinane says.
eBay will also be leveraging its collaboration with PayPal and Skype to enable even more secure transactions in the near future. eBay will be incorporating Skype technology to help validate transactions and combat the sales of counterfeit goods by implementing video capability that lets eBay users link to video within auction descriptions that they’ve uploaded on YouTube or other video sites available from Google, MySpace, Microsoft or AOL. “We’re looking at taking advantage of the Skype technology to allow more personalized interactions,” Cullinane explains. “If you’re trying to buy something from someone who’s offering to sell you a Ming vase, you could actually use the Skype Desktop to be able to do a video session with the person you’re buying from to show you that it actually is a Ming vase with the appropriate markings on the bottom.”
On top of all these developments, Cullinane hints at some more promising changes that will be incorporated into the site this year. “We’re always innovating and doing new things, and you’re going to see some pretty interesting stuff this year. We’re adding other things that improve not only the customer experience and the ability to buy and sell but the ability to do it securely.”
While eBay is definitely diligent in its security efforts, Cullinane is amongst the first to acknowledge that it comes with the territory of serving as the world’s online marketplace. For now it’s a Catch-22 as the more popular the site becomes, the more it becomes a favorite fraud target – making it an ongoing battle to beat fraudsters at their own game. “The threat model is changing all the time, so we need to be changing, too, and that’s why we’re working so aggressively to stay out in front of the problem,” Cullinane says.
eBay’s hot seat
Dave Cullinane is the Chief Information Security Officer (CISO) for eBay Marketplaces, including 21 additional eBay properties such as Shopping.com. Dave is also responsible for the security of the overall corporate infrastructure, which includes Skype and PayPal. Prior to joining eBay, Dave was the CISO for Washington Mutual, one of the largest banks in the United States. Prior to Washington Mutual, Dave was a Senior Consultant for nCipher, Inc. and also served as the Director of Information Security for Sun Life Canada’s US operations, helping to create Digital Equipment Corporation’s Security Consulting Practice. He has more than 30 years of security experience and is Board Certified in Security Management by ASIS International as a Certified Protection Professional (CPP). He is also a Certified Information Systems Security Professional (CISSP) and a former Certified Business Continuity Professional (CBCP).
Fast facts
233 million – Number of users registered on eBay worldwide
$1839 – Value of goods being traded on eBay every second