Rick Orloff, eBay’s Chief Information Security Officer, Talks Shop

By: Sebastian Rupley and Adam Kohler

Rick Orloff, eBay’s Chief Information Security Officer, has an extensive — and unusual — background in security. He spent years working as a private investigator. He can pick a lock in under a minute. And he helped Apple Computer advance its security initiatives before making his move to eBay.

On June 16, The Associated Press ran a Q&A with Orloff, in which he discussed the state of information security.

Orloff also sat down for an in-depth interview at eBay on trends in security, in which he discusses his guiding principles for protecting the eBay platform and the company’s customers. Here are his thoughts.

How have security practices in ecommerce changed over the last one to three years?

At one point, businesses looked at ecommerce as a nice item to check off on their to-do lists. Today, I believe businesses look at ecommerce as essential for staying competitive. Today it’s difficult to find a brick-and-mortar business that doesn’t have an ecommerce presence.

What do you see on the horizon for security related to ecommerce in the near future?

The big security trend right now is about securing customer data. It used to be that customers in ecommerce transactions were most interested in services, and prices for items they were interested in. Today, I believe customers are much more savvy, and they want to make sure that their transactions are secure. Not just a great price, but also a secure transaction from search, to checkout, to delivery.

What are your three main priorities for your team at eBay, and what do most people probably not realize about the challenge of securing an ecommerce platform?

Our main priorities are securing infrastructure, securing services and securing customer data. These are the three most important things that we do.

What many folks probably don’t realize is that ecommerce platforms are vigilant in terms of responding to new threat vectors and risks. You’ve got to be able to identify risks and mitigate them as quickly as you possibly can.

How have you seen consumer behavior change when it comes to security and trust related to shopping online?

It used to be that nobody wanted to enter credit card information online. Now, the pendulum has swung the other way, and people often prefer to have online transactions. However, in the last year or so, consumers have been placing much more emphasis on making sure that their transactions happen securely.

Today, if an ecommerce site asks for a name, address, or date of birth, there are a lot more eyebrows being raised. Having name recognition like eBay means a lot, and customers trust that we are protecting their information. Consumers are much more sensitive to security.

Are people’s own mistakes still a big problem in maintaining security?

I believe it is a huge mistake to blame the victim. Behaviors are important, sure. You can spend $1,000 on a lock for your front door, but if you don’t lock the door when you leave, you wasted your money.

But it is still incumbent on platform and service providers to do the best they can to secure customer data.

What are some tips you would give to consumers who are looking to have safe shopping experience online?

Most consumers are not sufficiently aware that the passwords for their email accounts are as important as the passwords for their bank accounts. If hackers have access to your email account, they can go to your bank and request a password reset. While in your email, they can intercept the password-reset message from the bank and take control of the bank account. If they are inside your email account, they can use the same technique to access information of many types, whether it’s credentials for your Facebook account or a bank account.

My advice is to make passwords for email accounts and financial accounts unique and do not reuse them. And never sign in to your email or bank account from a borrowed computer or cyber café.

Also, consumers should treat their smartphones just like they treat wallets. There is a lot of information in a smartphone, including passwords and credentials. Consumers who lose their phones should have a plan for how to lock the phones remotely. The lost phone should be treated like a lost wallet.

How would you characterize the evolution of eBay’s security efforts over the past two years?

eBay has focused over the past couple of years on having a secure environment and focusing on the customer experience. We are increasing our security focus on our entire services stack, ranging from infrastructure, to software services to applications. We are really focused on making sure that every part of the stack is secure from the design stage and beyond.

All corporations are being attacked thousands of times an hour, and sometimes thousands of times a minute. Many attacks against corporations in the past 12 months have been widely publicized and the public is well aware.

What is different now is that hackers aren’t just going after low hanging fruit. They are targeting large amounts of data, and that calls for vigilant efforts to keep data secure.