July 16, 2001

Busting the Web Bandits

Online fraud was threatening to drive an Internet start-up out of business. Then PayPal decided to stay and fight back.

By Brad Stone

According to an indictment handed down last month by a federal grand jury, Alexey Ivanov, 20, and Vassili Gorchkov, 25, are two extremely audacious hackers. Operating out of Chelyabinski, Russia, the pair allegedly broke into the computer systems of U.S. banks and e-commerce sites in 10 states, stole tens of thousands of credit-card numbers and then told those same firms they wouldn't stop their reign of cyberterror unless they were hired as security consultants. FBI agents, posing as execs of a phony company, pretended to take the Russians up on their offer, brought them to the States for job interviews, then slapped on the handcuffs.

When the case goes to trial this September in federal court in Seattle (the duo have pleaded not guilty), prosecutors will get help from computer logs and testimony provided by the antifraud team at PayPal. The 21-month-old Palo Alto, Calif. -based Internet start-up is an online payment site--it lets users send money from a credit card or bank account over e-mail to other Net users, such as sellers on auction sites like eBay. Unfortunately, fraudsters take to this kind of system just as they favor remote islands with unregulated banks. Instead of the typical practice of using the stolen cards to buy and sell expensive equipment like computers, they can open up accounts linked to the swiped cards, send themselves or accomplices money and withdraw it as cash (PayPal told prosecutors the two Russians got $100,000 using this method before the bust).

Last year other payment sites like BankOne's eMoney Mail, PayMe and PayPlace were vastly curtailed or closed al-together in the face of widespread abuse. PayPal has opted to stay and fight. Its 75-member antifraud team now regularly works with law enforcement, and has designed an internal software program that sniffs the 180,000 transactions made every day, looking for abuse. "We came to realize that we would either defeat fraud or fraud would defeat us," says chief technology officer Max Levchin.

PayPal reached this conclusion early last year. While the company amassed an impressive 6 million users within 14 months, more than 1 percent of all transactions were getting rejected from credit-card companies (in offline stores, only .07 percent of trans-actions are fraudulent). Levchin and CEO Peter Thiel made several quick fixes. They reduced the maximum payment users could make from $500 to $250. For users who asked to wire funds to and from their bank accounts, PayPal designed a verification test: it deposits several cents into a user's bank account, and won't activate his membership unless he can report back the exact amount. Meanwhile, PayPal began placing holds on all accounts that looked suspicious and investigating them one by one. That quickly resulted in a giant backlog of cases, a flood of customer complaints and, ultimately, a reprimand from the Silicon Valley Better Business Bureau.

Enter John Kothanek, a 36-year-old, 250-pound former Marine Corps investigator who heard about PayPal's antifraud efforts from a friend at eBay. Sniffing through PayPal's transactions to find crooked activity sounded like becoming "the first sheriff to go after Jesse James," he says. After joining Pay-Pal's growing antifraud team, Kothanek began making suggestions for a program that would look for suspicious transactions and distinguish them from legitimate ones. They named the resulting software "Igor," after a Russian mobster who plagued the system last year. Igor sifts through the PayPal database looking for certain patterns, such as payments to an account that are consistently close to the maximum limit, or for ZIP codes that don't match the area code on an account. There are other red flags, but the Igor team guards them zealously, lest the bad guys learn how to elude them. "They are analyzing us as much as we're analyzing them. It's just that we're better," says Kothanek.

Today PayPal reports that fraud rates are down to half of 1 percent. The team also works regularly with the FBI, postal inspectors and local police nationwide; execs say they've helped bust organized-crime rings in Chicago, Houston and Nigeria. In one case last Christmas, an account receiving an unusually high number of $350 payments triggered Igor's alarm bells. Kothanek and crew traced the account to the owner of an Orange County, Calif.-based Web site called Gametek that was offering PlayStation 2s--right in the midst of the PS2 shortage. PayPal put a hold on the account and is now working with local and federal authorities to build a case against the suspect, who allegedly sold 3,000 units and delivered none. Perhaps PayPal isn't such a great site to victimize after all.

Copyright © 2001 Newsweek, Inc. All Rights Reserved.