Bitcoin Is The New PayPal
Gregory Alan Bolcer stashed this in Digital Content
Every exchange is going to have to do its own risk management and fraud detection:
The early days of PayPal (which Eric witnessed as the company’s first senior director of marketing and later chronicled in his book The PayPal Wars) certainly suggest that fraud is going to remain a significant issue for Bitcoin. We think the PayPal experience may also provide some guidance on the types of fraud that could be in store for the Bitcoin ecosystem.
When PayPal launched in late 1999, the site was branded around “beaming money” to friends and even briefly employed Star Trek’s “Scotty” as a spokesman before pivoting to focus on e-commerce payments. The shift led to rapid growth as eBay users flocked to the service. As the site grew to 1 million users in just six months, the floodgates were also opened to a host of fraudulent activities.
Credit card chargebacks soared as buyers disputed transactions that went bad for a host of reasons, such as failure to ship or items showing up not as described. Even though third-party marketplaces like eBay were ostensibly facilitating the transactions, PayPal was left holding the bag if it couldn’t recover the funds from the seller.
Foreign organized crime rings began to leverage PayPal to cash in on stolen credit numbers obtained from the black market. They set up automated scripts that used the stolen cards to fund PayPal payments to accounts that they controlled, and then transferred the funds out of PayPal to a bank account.
Account theft surged in the early 2000s as sophisticated “phishing” attacks caught users unaware. In one early case, fraudsters registered the domain “PayPai.com” and sent around links asking PayPal users to submit their confidential information in order to resolve an account problem.
The ramifications for PayPal were severe. As the fraud rate on payment volume soared above 100 basis points, the credit card associations threatened restrictions and loss of access. PayPal’s first business model was built around the recirculation of payments within the system, meaning that initially it wasn’t equipped to deal with this kind of fraud. By the fall of 2000, the company’s monthly burn rate hit $10 million.
Salvation didn’t come overnight, and it didn’t come in the form of a silver bullet. Peter Thiel, Max Levchin, and the rest of the executive team took a multifaceted approach to tackle the problem using a mix of technological, financial and operational initiatives.
For example, Levchin and engineer David Gausebeck built one of the first commercial applications of CAPTCHA technology (dubbed the Gausebeck-Levchin test) to block automated account creation. The engineering and fraud teams built a complex analytics system named IGOR to help dedicated employees identify fraudulent behavior patterns. The product team tied withdrawal limits to account verification levels so only users “known” to us could make large withdrawals.
Cumulatively the efforts worked. Over the following year, PayPal’s fraud rates tumbled down into the 20-30 basis-point range. This improved the company’s financial performance, playing a large role in its IPO in February 2002 and acquisition by eBay later that year. As PayPal “hardened the target,” it drove fraud away to other competing payment services. By the end of 2002, Citibank, Bank One, and Yahoo had all either closed their payment services or were on their way to doing so.
We think PayPal’s experience contains several important lessons for Mt.Gox and the other Bitcoin exchanges.
Fraud can emerge on many fronts. Just as there were multiple types of “fraud” targeting PayPal, expect criminals to emerge with a variety of schemes aimed at Bitcoin services and their users.
Bitcoin services should look for multifaceted solutions, not silver bullets. Combatting fraud requires a company to leverage its technology, processes, and personnel across multiple fronts rather than just looking for a quick coding fix.
Fraudsters go after the weakest link. Regardless of the fate of Mt.Gox, don’t be surprised if other exchanges and Bitcoin services are targeted in the future. The ones that neglect security will be highly vulnerable.