EP 206 – Phoram Mehta – Senior Director, APAC Chief Information Security Officer at PayPal – Security Has to Be a Part of the Entire Experience

by | Jun 8, 2022

The Asia Tech Podcast had a fascinating conversation with Phoram Mehta, Senior Director, APAC Chief Information Security Officer at PayPal.
 
Some of the topics Phoram discussed:
  • Studying engineering and going to the United States for graduate school
  • Loving puzzles and solving complex problems
  • The nature of online security and the adversary on the other side
  • The power of a community when working in cybersecurity
  • An Asian perspective
  • Mobile phones and devices bringing a lot of first-time users onto the internet
  • The growth of gaming in Asia and the impact on cybersecurity
  • Why partnerships are so important
Other titles we considered for this episode:
  1. Programming Was My Nature
  2. It’s a Real-life Competition Going On
  3. The Competition Is Always Improving
  4. Striking the Right Balance
  5. Preserving the Trust
This episode was produced by Isabelle Goh.

Read the best-effort transcript below (This technology is still not as good as they say it is…):

Michael Waitze 0:21
Hi, this is Michael Waitze. And welcome back to the Asia Tech Podcast. Today we are joined by Phoram Mehta, the Chief Information Security Officer for Asia Pacific for PayPal, I think I nailed that. Phoram. Thank you so much for coming on the show. How are you doing?

Phoram Mehta 0:37
You did Michael. Good morning to you. Thanks for having me here.

Michael Waitze 0:40
It is my pleasure to have this discussion. It’s really my pleasure. Before we get into the main part of the conversation, let’s give our listeners a little bit of your background or maybe a lot of your background actually, for context.

Phoram Mehta 0:52
Sure. As you mentioned, my name is Phoram Mehta. I look after information security for PayPal for our Asia Pacific region. I’m originally from India, I did Computer Science Engineering, went to the United States for grad school, a story that may sound very familiar, then stuck around for 14 years, joined PayPal in the Bay Area after doing a bunch of different gigs. One of the things that you mentioned, you know, why security, so in 2000, right after the dot-com bust, when I was still in grad school, I’ve always been involved in puzzles, which is why I, you know, did computer science, and programming was my major. And I came across a course in cryptography. For the first time it looked like, on one hand, there was, you know, the puzzle of trying to hide something from people in all kinds of ciphers from Caesar, you know, how do you just use steganography and hide things in pictures and all that, that’s incredibly fun for, you know, kids. What I really got fascinated by, the aspect of security, especially in cryptography, was the cryptanalysis, which is, as opposed to a normal puzzle, in security there is always an adversary, there is a competitor on the other side that is equally, you know, trying hard, equally, to beat you, right. So it’s a real-life competition going on, rather than a simple puzzle that you have to solve. From my perspective, like, from an engineering field perspective, it’s a little bit different than a lot of other engineering, where, you know, the most that any other engineering has to deal with is, how does one chemical react with another, but it always does the same way, or how different types of, you know, while climate change is real, and there is a lot of different aspects to it, but you kind of understand stress and tension and wind and all of that and take that into consideration when you’re building bridges and others. 
In cyber, though, the adversary is always getting smarter, they have the same technology advancements at their disposal that you do, and there is always, you know, this game of, kind of, cat and mouse is on, where who gets one up. And you know, the war never ends, right? Because one side wins one battle, and then the other person takes some more time to try and go back and update some of their arsenal or the kit that they have, to come back and look at, hey, can I now win the next battle, and so on and so forth. So that’s what fascinated me. And I’m happy to say that 22 years later, I’m kind of still doing it.

Michael Waitze 4:00
Well, it doesn’t get boring. It doesn’t. I mean, this is what’s so interesting, right, and it’s a great way to put this into context, is that if I’m an engineer, and I want to build a bridge, or I want to build a building, I can actually solve that problem. Exactly. Right. And once the building is built, and even in Japan, right, you can say, well, it’s a little bit more complex, because they sit on a massive fault line, right. So now you have to solve for what happens with movement too. And again, you know, I was on the 48th floor of Roppongi Hills during very large earthquakes. And we never worried about the building falling down because we felt like that was solved.

Phoram Mehta 4:38
Right? Yeah, absolutely. And I don’t want your listeners to kind of get an impression that cyber somehow is harder or all different, if you want it, right, exactly.

Michael Waitze 4:50
You also use this word, I believe, incentive, and there’s no incentive for the building itself or the bridge itself to make things any more complex than it already is. But on the other side, the adversary is always incentivized to say, I can make money or cause havoc or do something bad or do something good for me, if I can change my tactics and my strategy. Is that fair?

Phoram Mehta 5:15
Yeah, as you could expect, right? When a bridge is going on, there isn’t somebody who’s saying, I don’t care whether that bridge stands there, I just don’t want anybody to use that bridge. Right. So in cyber, you have these types of attacks, where all they want to do is denial of service. Yep. I just don’t want anybody to use this. So you know, it’s a different type of an attack. But we’ll talk about that. Incredibly fortunate, privileged, honored to be in this profession, working in lots of different ways, and looking at how digitization has happened over the last couple of decades. And it’s happening right now in this part of the world. It’s super exciting to be part of the industry.

Michael Waitze 6:00
So you spent 14 years in the United States? Can I ask you where you went to grad school again, just out of my own curiosity? Sure.

Phoram Mehta 6:07
I went to University of Missouri at Kansas City, that is

Michael Waitze 6:10
super cool. There’s nothing like coming from India and going to Kansas City. That is,

Phoram Mehta 6:16
Yeah, great, in a lot of ways. Actually, I think it was better that I was in the Midwest and introduced to a culture that is so much more, I think, hospitable and nice and accommodating. I took a couple of trips during grad school to New York and DC for a couple of conferences. And in a lot of ways, it’s like Bombay, which is where I’m originally from, Mumbai now, but it was so hard. And so you know, it’s not for everybody. So if I had started in these types of cities that are very, very transactional, business focused, I wouldn’t have had time to kind of get to know the culture, get to play softball games, and be part of some communities and other things. Because that’s another thing that, again, security has taught me, is no one company, no one individual, no one country is able to deal with these adversaries just on their own. You have to have a community and ecosystem that you can trust, that you can share notes with. That’s also incredibly helpful when I moved from the US to Singapore, how I already had this community that I could rely on because of the connections and contributions and the kind of challenges and opportunities I had to participate in while I was in the US. Yeah, and

Michael Waitze 7:37
I want to make this point too, that if you move from Mumbai to New York, or move from Mumbai to San Francisco, or to Los Angeles or to Chicago, every city is different, has its own personality, but you’re just getting another big city experience, right. And if you move to Kansas City, it’s got city in the name, but let’s say, like, it’s a bit of a misnomer, right. And if you’re in Missouri, you’re in Kansas, and people don’t know this, but Kansas City is actually split between two states, right? So it’s kind of a neat place anyway. But you get a really different experience. Right? And you can still learn killer computer science and computer programming, but get all the benefits of having that community around you. Anyway. You mentioned this idea that the community matters, and that in no one specific place can it be solved. Is it different now that you’re in Singapore, now that you’re in Asia? Right? Do we look at this differently in Asia, and are there different things going on in Asia that drive the type of issues and problems that you have to solve in cybersecurity? That makes sense?

Phoram Mehta 8:44
It does. I mean, I think it is different in the sense that Asia, especially Southeast Asia, I think, has leapfrogged a lot of, you know, the incremental innovations that were happening in the West. If you only look at gaming, okay, you know, before, people were primarily using consoles. And as internet and smartphones became prevalent in this region, I think gaming has been, or Southeast Asians have taken to gaming like nothing else. I mean, just during the pandemic especially, the amount of growth there, you’ve seen more than 200% growth for just people 60 years or older. Just incredible, isn’t it? Like people really thought that gaming was a place where they could do that. And Southeast Asia, again, with their mobile phones, with internet connectivity, looked at it as an escape, as a way to connect with the community, as a way to, you know, kind of stay engaged and pick up some stuff or leverage this new tool that they got their hands on. So in that sense, I think from a cybersecurity perspective, it’s incredibly important now that we have so much innovation happening, so many new first-timers coming online and leveraging or using applications like gaming, making transactions on it, to protect them, to maintain that trust, so that their experience, whether they engage in a normal e-commerce transaction, an in-app purchase in a game, or pay fees or other things, is always done in a way that, you know, preserves the trust that they would have in the overall internet ecosystem, as we kind of talk about it.

Michael Waitze 10:33
Yeah. And I want to make a point here too, right. So my father, and my mom, actually, but my dad will be 83 years old this year. Wow. Yeah. But his first, you don’t know how old I am, I’m almost 90 myself. But his first interaction with, you know, technology and computers was with an IBM, and I remember, back when I was in college, I think it was, my dad was trying to install OS/2. So this really dates his experience. But that means that his first experience with the internet as well was probably AOL. In other words, sitting in front of a 24-inch monitor with an IBM keyboard and trying to figure out how to interact on the internet. And I think the world takes it for granted that that’s everybody’s first introduction to being online. Now, we know that in Asia as a whole, whether it’s in China, or in India, or in Southeast Asia, Singapore included, that most people, particularly in their 80s, or even above their 60s, their first interaction is on a mobile phone. Which means that it’s always with them. But it also means that everything they do, from, as you mentioned, e-commerce to gaming to everything that they do, and every transaction that you do, is probably online. Is that fair?

Phoram Mehta 11:45
It is, and on mobile. Mobile definitely, in this part of the world, has been that tool that brought so many first-timers online, allowed them to connect with the rest of the world, provided so many opportunities in every facet. Like if you look at, you know, game manufacturing, development, and other professions that are coming out of games, like, you know, besides developing the games themselves, now there are these markets where people are creating what they call digital goods, or virtual goods like skins and cosmetics. And, you know, we were reading some report, it’s incredible that women more than men are making these purchases for in-app purchases inside games, or microtransactions, because they get these personalized experiences of, you know, buying different kinds of color of hair for their characters, different costumes, different things. So, where mobile helps is that experience. As you mentioned, it’s always handy. I mean, India, for example, right? On average, they spend more than four hours on gaming, especially eSports, but still four hours of gaming on average in the demographic of 18 to 25. But that’s an incredible opportunity for the gaming industry to look at Asia, you know, as the fastest growing market, and then see how, as they improve the quality of the games, as they work on the experience that these new customers are getting on the games, can they preserve their trust, by making sure that any transactions that happen, any information that is revealed or shared so that the experience can be improved, is protected all the time, is done in a more secure manner?

Michael Waitze 13:45
Right. So let’s make another analogy. Because the one thing I think, and again, tell me where I’m wrong here, but the one thing that differentiates your mobile phone and your mobile experience is that not only is it always with you, but it’s always on. When you’re done doing a transaction on your phone, you don’t turn it off. When you go to bed at night, you don’t turn it off, it’s always on. Right. And it’s complex. So a lot of people don’t even understand all the functionality with it. Whereas, let’s get back to the desktop computer, a lot of people just turn them off when they go to bed. So it’s not even a target. Sorry, go ahead.

Phoram Mehta 14:22
No, they do. So it is true, right, mobile is always on, there is always something going on whether you are, you know, actively, explicitly part of it or not. But PCs and laptops are also incredibly important, because of the mobile form factor. Yeah, still today, I mean, so mobile is clearly, in this part of the world, the number one form factor in which gaming happens, but a close second is laptops and PCs, before even consoles. I mean consoles, as you can imagine, right, because they are single purpose, the access in the developing world is limited to the affluent, who really want to buy a PS5, and then the Switch and others, and they’re buying it only for gaming, as opposed to a laptop or PC, which is used for education, for a lot of other things, everything, communication, collaboration, other things. And mobile, as you mentioned, it’s for everything, right, the lives of people are based on the phone. So consoles are a very, very controlled environment, they’re, again, single purpose, there isn’t a lot of data from a consumer perspective of the games where, you know, you have a lot of attacks going on. But when you think of PC-based games, like, it’s again fascinating what cloud has done. It has allowed people to just create something, give a login, start, you know, customers subscribe to something. And if it’s a good game, people come to it. And that’s why the attacks, like we spoke about the distributed denial of service, or credential stuffing, and others, are attackers going after them, because a lot of new customers are coming, a lot of new transactions are happening. And these are all open on the internet. And so you know, you can come in and try to attack these sites for different types of reasons, whether it is for IP, or for data, or for money, and then exploit these first-time kind of gamers or users of the internet.

Michael Waitze 16:20
But when the surface changes to something that’s as ubiquitous as a mobile device, whether, you’re right, it’s a laptop that’s connected to the internet over Wi-Fi, or a tablet or a phone, and particularly if it’s a gaming experience, or someplace where a payment is taking place, all of this IP, data, and other information is out there. And if you leave it on and just put it down and go back to drinking your coffee or chatting with your friend, it’s just there and open. How does that change? I mean, it’s such a big question. But from your perspective, right, in this security, cybersecurity business, how does that change the complexity for the types of things that you need to deal with? But also, how does it change the customer experience? Right? Because when I’m gaming or doing anything, frankly, on the internet, I don’t want the security part of it to get in my way. That makes sense.

Phoram Mehta 17:09
Absolutely. Yeah, I mean, for a gamer, what they are not looking for as part of their gaming experience is too much friction, right. And that’s why payments, registration, all of them have to be extremely, extremely simple, as implicit as possible, without causing fraud. One aspect, and I’ll get back to it, but one incredible aspect about gaming is this: you know, as personal as that experience is, gamers love community, they love to talk about their experience, which is a thing, right? I mean, exactly right. And you have Discord and all kinds of gaming groups, whether it is to discuss, you know, tricks and tips and cheat sheets and other things, or it is to complain about the bad experience that they’re having. Again, you know, for anything that happens. And that’s why it’s incredibly important for companies like ours to partner with game manufacturers, game hosting providers, and ensure that their payment experience, their expectations of trust with their data, constantly stay there. I’ll give you one simple example of why gaming is, like, you know, the complexity of attacks that you mentioned. I mean, we’ve been, again, you know, not a single day goes by that we don’t hear about a different type of malware attack, ransomware attack, breach, but something very, very unique to gaming is this. There are these two types of attacks: BIN attacks and card testing. Now, I’ll start with card testing, because it’s so unique to gaming, because they have these microtransactions, right, in-app purchases which are 20 cent transactions, 50 cent transactions for something that you want to do, or a hint that you want to be revealed, or a door that you want to be opened, something like that. What attackers do is they steal from, you know, there is this dark web where you can go and buy credentials, you can buy credit card numbers, you can buy access to a lot of different things. 
Now for credit cards specifically, you don’t know whether the card number is valid or not unless you perform a transaction. And if I were to pay $1 per stolen card number, I absolutely can’t spend $1 to perform a transaction and then find out whether the card is valid or not. Right. So games offer the perfect channel for these attackers to come in and perform these in-app, actual legit transactions at five cents, 10 cents, and find out which cards are still valid, which ones are still working, unbeknownst to the card owners, and then they go and resell them at a higher value, because now these numbers are super good quality, and they can guarantee that these all work. Just imagine, from a card company, the shock of their life. On one hand, they’ve been exploited by these attackers to perform the transaction. So they all say, oh, amazing, our numbers are increasing, revenues increasing. But then as soon as the consumers realize, they’re going to file for refunds and chargebacks, because they did not perform those transactions. Worse, these cards now get used somewhere else. And everybody thinks it’s this gaming company, or the manufacturer, who has actually been exploited or has compromised their card details, and then the gamers go away from them. And that’s why it’s companies like ours that come in and, you know, are allowed to be the intermediary, the proxy, if you don’t trust somebody, if you haven’t had that relationship, for manufacturers and the companies as well, to take away the burden of payment transactions, to take away the burden of accepting card numbers to perform those transactions. Because those fraud services, the risk analytics that go in, in analyzing whether there is a pattern here, like the card testing pattern, or BIN attacks, another one, where the first six digits of the card number only reveal the type of issuer, and the rest can be guessed, and you keep on guessing and see if you can create a card number that’s actually valid. 
So that’s where, you know, you can come in and offer something of value to both the consumers, from a purely protection-of-their-assets perspective, but also to the game developers and manufacturers and hosting providers, where they don’t have to worry about this real threat that they’re facing day in and day out.

Michael Waitze 21:47
Yeah, it’s so interesting, right? There’s so much information in there that you kind of take for granted. Or like you just said, a BIN attack, where the first digits of the card let you know what it is. I bet if you told people, if you gave them the first four numbers of a card, four and seven, five, they wouldn’t know it was Visa. Right? Yeah, the normal person doesn’t know that. Right? Because they’re not paying attention to that. But when you get deep into the morass on this, particularly with this card testing, they know this for sure, right. But the other thing that’s super interesting to me is that this idea of doing microtransactions as a way to create fraud, and to steal things, this has been going on for centuries. But if I steal two cents from you, just every single day, at some point it turns into millions of dollars. But I also want to mention this too, right. We talked about removing the friction and where companies that do payments play a role here. Imagine if, you know, I think about everything in sports as an analogy to the real world, right? So pick baseball, pick cricket, if you want, it doesn’t matter to me, because, right, they both have a guy who starts with the ball. In one game he’s bowling and in another game he’s pitching, but the same thing, but you want to protect against that person doctoring the ball or putting stuff on the ball, to make it harder to either hit the wicket or have the bat hit it, right. But imagine if between every single pitch or bowl, a referee had to walk out and, like, check the ball and test it. Nobody would watch the game. Nobody would play. Is that fair?

Phoram Mehta 23:13
Yeah, no, great, very, very apt. You have to make sure that the ecosystem is both fair, clean, and allows for the experience to go through, you know, without having any suspicion that eats at the trust that has been created, the fun. Yeah, the fun part,

Michael Waitze 23:30
right. I mean, that’s why people game, of course. They game to win and to be better and to get higher on a leaderboard. But part of it is, you know, the dopamine and the fun that gets created. And again, if someone’s always interrupting it, it’s not fun at all. Now, can I ask you this? What is it like from a security standpoint for you and for your team, when you go to the manufacturer, right? Because in a way it’s on them to protect their own players. I don’t know all the right terminology. Because the point of pain is the point of payment. No, yeah. Right? Because that’s where all the, you can steal IP, but that has nothing to do with the player. You can steal some data, but again, that doesn’t interrupt me playing my game. But my stuff gets stolen when I start to pay for stuff.

Phoram Mehta 24:15
Yeah, absolutely. So you know, from a manufacturer, there are primarily a few things that they want to protect. Go ahead. Obviously the number one thing that they want to protect is the IP, that the game itself, the experience of the game, like you were talking about, you know, the cricket and baseball analogy, stays true to what the manufacturer wants it to be, so that people can’t just come in and cheat, people can’t alter the experience in a different way, people can’t steal that game and create a fake game and start taking away customers from them by selling it either at a cheaper rate or doing something else. So there, you know, our advice is you have to follow basic security hygiene, to ensure that the right type of, whether it is encryption, the right type of secure development lifecycle, has been followed. The reason to talk about this with the game manufacturer is security needs to be embedded as part of the entire experience. It can’t come in just for payments, it can’t come in just for data, or just for login. Now, once the game manufacturers understand that, then, as you mentioned, some of the most critical parts of that experience, besides the play itself, right after the play, are payments, are login, are the data that they accept, to ensure that, you know, if it’s an adult game, to ensure that only the right type of people can come in, if it requires some kind of verification, that those verifications happen, if it requires, like, certain levels, that the timing needs to be monitored, and all of that. Now, all of these are extremely important parts of the experience that the consumers get. For that, the discussion is around how can we integrate the experience of payments, either upfront or during, so that, you know, for instance, again, if you get into a subscription type of service, when you say any transaction below $10, don’t ask me for a password again, just do it. 
Now for a manufacturer of a game to build that complex logic, to always have the risk algorithms, the fraud detection mechanisms going, is an incredibly steep ask. And that is not their forte. That is where companies like ours can come in and help them.

Michael Waitze 26:43
I’m so glad you said that. Because I was going to ask you about this, right? I think lay people have this idea that if you can build a complex multiplayer game, you must have the skills to build other complex software, and security software is the same thing. And you saw me taking notes, because I was trying to figure out a way, like, how do I explain another place where something similar happens. And I think I found one. You know, again, just to get back to this idea of building a building, it’s just another, it’s a massive engineering problem. And frankly, when I was building my house, we used a wrap. I don’t know if you know who they are. They do structural engineering testing. So they want to make sure that even if you’re going to build something that looks great, they’re going to do a test before it gets built to make sure that actually the structure itself will be good enough to stand. But you know, your architect is not designing the locks on your front door. And neither is the guy who’s building your house. They outsource that to somebody else. Because even though they know how to build stuff at scale, and non-trivially, they don’t want to be in the lock business. And it’s got to be kind of the same thing. A lock is not necessarily as complex. But again, to be fair, we put fingerprint identification on the front door of our house. So it wasn’t just like a key. Right? So it’s more complex. But this is the same thing with the gaming manufacturers, like, yeah, we got the games, we know how to build the assets, we build digital assets, we can do all this other stuff. But how do we protect us? Can we please find somebody to help us, kind of thing? No. Isn’t it the same thing?

Phoram Mehta 28:10
Yeah, no, it is. That is, again, a part of that education and awareness, is finding the right type of partnerships. I mean, we’ve seen, again, supply chain is incredibly critical. And there are lots of parallels to how a bad supply chain, basically logistics, with one weak player in that entire chain, can completely destroy, whether it is, you know, the chip manufacturing because of, again, wars and pandemics and other things, or something as simple as a payment mechanism where they just chose the wrong partner, because now, you know, they are not able to defend against a new type of attack that is going on. So, you know, striking the right partnerships that provide that balance between innovation, experience, and trust is extremely important. Now there are, again, a lot of compliance requirements. If you are accepting credit cards, for example, there are lots of other expectations depending on which market that you live in, data storage, data sovereignty requirements, again, in this part of the world more than a lot of others, where you have to treat the data in a certain way, where you have to handle all kinds of sensitive information in a certain way, and then demonstrate that on an ongoing basis. And that’s where, again, having the right partners by your side allows you to focus on creating the best gaming experience that you can.

Michael Waitze 29:36
Look, this has been a really interesting conversation. You’ve got to promise me you’re going to come back and do more of this, because this was great. And I learned a ton. Phoram Mehta, the Chief Information Security Officer for Asia Pacific from PayPal. That was awesome. Thank you.

Phoram Mehta 29:50
Thanks. Thanks a lot, Michael, for having me. I also enjoyed the conversation. Good luck.


Follow Michael Waitze and the Asia Tech Podcast here:

Facebook – Michael Waitze

Facebook – Asia Tech Podcast

LinkedIn – Michael Waitze

Twitter – Michael Waitze
