
Interview with Ex-PayPal Exec and Gem COO Ken Miller

Having worked on the anti-fraud team and various other security related projects at PayPal, Ken Miller has a unique insight, and a few fun stories to tell from behind PayPal's curtain.

When it comes to the world of digital payments, security has universally been a top priority. At the forefront of the digital payment revolution for the last decade has been PayPal, a global payments platform with 165 million active customer accounts and processing almost 12.5 million payments per day. Using banking-industry-standard technology such as SSL to keep customers' information safe, PayPal is an industry leader in state-of-the-art fraud prevention systems and is always developing new anti-fraud technologies.

While the idea of Bitcoin having the potential to be more secure than PayPal won’t shock many of our readers, there are key differences between bitcoin security and PayPal. In our quest to discover how much more secure bitcoin is and in what ways, we turned to Ken Miller, a former senior executive staffer at PayPal and the current COO of bitcoin security company, Gem.

Miller was one of the first PayPal employees; number 22, to be precise. He spent his first couple of years there helping build PayPal’s anti-fraud systems from scratch. Back in those days, there was seemingly always a new type of scam or fraudulent attack that Miller’s team had to solve quickly in order for PayPal to stay in business.

“We were seeing a constant barrage of diverse attacks from stolen credit card and bank account theft to merchant-side fraud and phishing attacks.”
– Miller

Not only were the attacks frequent, but there were other risks which are not present today. At that time, e-commerce was a fairly new concept. Website certificates were new and not yet widely trusted. Tools such as peer-to-peer transactions and higher levels of website cryptography, that we enjoy today, did not even exist. In order to fight these regular attacks, Miller and his team had to build entire systems themselves.

“We also had to deal with traditional credit-like issues such as merchants who were not business savvy and the risk that comes with that (it’s more of a bankruptcy risk than fraud).”
– Miller

Many innovative security systems that play important roles in today’s e-commerce were built by Miller and his team, “a few years into my time there we built some other cool things such as instant-ACH payments and the PayPal/eBay Buyer Protection Program, which was a huge and innovative effort that provided consumer protections to all PayPal transactions.”

As he progressed at PayPal, eventually winding up on the senior executive staff, Miller saw all kinds of scams. The most common scam he saw over the years targeted parents buying hot Christmas gifts for their children. These scammers would identify seasonal items, especially those already sold out at regular retail stores. “One year it was an Elmo doll, another year it was the Playstation 2”, shared Miller.

“These bad guys would set up fake websites claiming they had an abundance of this toy available and coerce unsuspecting parents into buying them. The bad guy would then make off with thousands of dollars and the parent, who thought they were going to be a hero, now had no toy and were out money.”
– Miller

Holidays aside, it was also common to see people trying to scam others year round. “We also used to have people try and game the system and then plead ignorant or try to get off on a technicality,” Miller explained. “One such time an eBay seller had posted an auction with a picture of the front of a Playstation box and listed the auction price for something slightly lower than what the prevailing value was of a Playstation (e.g. I think they were going for around $300 at the time, so the seller listed it for $275).”

“The auction closed and the buyer sent their money. And the seller sent an empty Playstation box, and then tried to claim that was legitimate because that was all the picture showed. All hell broke loose from there.”
– Miller

Miller's accomplishments in the area of anti-fraud put him in the limelight, and on occasion put his life in danger as well. A magazine article that featured Miller, about PayPal’s success and innovation in stopping fraudulent activity, brought some undue attention.

“Not too long after I received a broken English emailed death threat from an organized crime group in Russia letting me know they did not appreciate what we were doing, knew who I was and where I lived, and that I should back off targeting their activities or there would be some retribution and that they could ‘take you out if we wanted to’.”
– Miller

Law enforcement got involved and measures were taken. Still, the experience left Miller on edge for some time, “needless to say it was a lot of fun starting my car for a couple weeks after that.”

The threat did not stop Miller from working in security and he later laughed it off, calling it an “interesting experience.” He stayed at PayPal for years after the incident, until he finally got involved with Bitcoin.

Transitioning from PayPal to bitcoin, equipped with all of the anti-fraud knowledge he brought with him, Miller has a unique understanding of the challenges solved with Bitcoin, and those that are yet to be solved.

“bitcoin the payment system is built on Bitcoin the technical protocol which is a technology unlike any we’ve ever seen before. It’s fast, cheap, instant, and publicly verifiable. Historical payment systems are built on top of decades old legacy platforms that are held together with twigs and duct tape, have security vulnerabilities, and are expensive to use.”
– Miller

This understanding was instrumental in developing his new company's bitcoin wallet. Miller explained, “the bitcoin protocol allows for multi-signature transactions which is a stand-out security capability if done right. The ability to securely sign transactions using private keys and then have that half-signed transaction co-signed by a trusted, secure 3rd party is really powerful. And the beauty of bitcoin is it can be embedded now into transactions where it’s just expected (much the way https is) rather than trying to inject it later and organizations having to undo years of architecture they have built up.”

However, Bitcoin exists wholly as software, and it is each company’s responsibility to provide the underlying hardware to run their products on. Choosing the right hardware for the task is especially important in the realm of security, and once again Miller brought with him knowledge of industrial standards.

Miller identified that the bitcoin world could benefit from incorporating hardware security practices adopted elsewhere, “a great example of this is Hardware Security Modules (HSMs). HSMs are hardware devices used for the generation and storage of private keys in other industries (financial services, aerospace, government), and if done right can present a strong defense to hacking attempts.”

“At Gem we are actually using these to generate and store all of Gem’s cosigning keys using FIPS-140-2-Level 3 certified machines, which means they are so secure that even if you had a rogue employee on-site where the device is who tried to break it open and steal the cards from inside, the device is designed to self-destruct.”
– Miller

The outcome of this hybrid system is a wallet with a level of security that neither the bitcoin world, nor the legacy financial system could achieve on their own. “Adding something like HSMs to the added benefits of multi-sig and the blockchain technology itself, presents a really compelling opportunity to do security different than anything that exists in traditional financial services.”

As Miller shared his stories, it was easy to see how proud he was of his accomplishments, building everything from the ground up, doing his best to stay on top of the game, while constantly working on new ideas and systems. PayPal introduced many innovative systems that are still in use today.

“At PayPal we built things that are better for the time being, but it doesn’t have to stay that way. We were really innovative in that we were really the first entity to use both the captcha and the random small deposits into a bank account for purposes of bank account verification.”
– Miller

Both of these tools are common across the legacy banking world and even some Bitcoin companies today, including Coinbase. Miller exclaimed, “It’s crazy to think that not that long ago something as basic as a captcha was not even used yet.”

One key thing that Bitcoin doesn’t have that PayPal enjoys is ample manpower. Miller believes that there are certain things that people can do better than protocols. To illustrate this point, Miller gave us extensive detail of how he and his team of statisticians and coders at PayPal worked together to create sophisticated modeling for their fraud prevention efforts.

His team incorporated variables such as relative transaction size, time taken to complete the sign-up process, frequency of log in, and IP address location discrepancies into their detailed models, which gave them a huge advantage against fraudsters. They were even able to infiltrate the black market with this data. “We would do some pretty creative things like monitor underground IRC channels where stolen PayPal accounts were being traded and sold and we would occasionally purchase some to direct them and try to reverse-engineer how our systems had not caught the compromise.”

The reverse engineering efforts paid off, but hinted at the underlying fact that it’s a never-ending escalation to do fraud prevention in this way, “It was a sobering yet fruitful experience.”

“We would get excited when we would see the price of stolen PayPal accounts escalating because it suggested that they were getting harder to come by and therefore worth more on the black market.”
– Miller

Having worked extensively in security for PayPal and Bitcoin, Miller believes that the average Joe will feel that Bitcoin is truly safe, safer than a legacy bank account, when two things occur in equal measure.

Firstly, Miller believes that Bitcoin financial products need to be much more secure – to the point that monthly hacks and security breaches are the things of the past.

“To date, roughly 1 out of every 10 bitcoin has been lost or stolen and that’s alarming. But much like the early days of PayPal, that can be driven down to an acceptable, manageable level in short order, and those issues and stories would largely go away.”
– Miller

Secondly, Miller feels confident that people will simply have to get used to seeing bitcoin used over time. There is a psychological effect of added familiarity with each usage.

“There’s also comfort that just comes along with time and perception. If a customer uses their bitcoin wallet 20 times over the course of 6 months the uneasiness they may have had at the outset will start to dissipate as they get used to the product and the security within that product.”
– Miller

To demonstrate this point, Miller gave an analogy: “When I first got my license I’m pretty sure my Mom thought I was an awful driver that would kill myself or multiple other people within days. 6 months later her perception and comfort had changed primarily because of time and the lack of incidents. A new payment system where individuals’ money is involved will work the same way. Make it as safe or safer than their existing options, and then get them used to it using it without incident and it starts to take a small amount of their thought space.”

While both bitcoin and PayPal strive for maximum security, there are differences and Miller believes that bitcoin can become the most secure payment system of all given more time and development.

“Eventually bitcoin has the potential to be much more secure than any existing financial services system including PayPal.”
– Miller

But apparently, some successes are being seen already, especially with wallets like his own Gem wallet. When asked point blank, between a PayPal account and a Gem Wallet, which he would personally rather keep $1000 worth of savings in today, Miller replied: “Easy. Gem.”

