Moats vs Policemen

The Economist has a nice article on Google Checkout vs PayPal. One comment on the article noted

You missed a crucial strategic element in Google's development of its Checkout service. Currently, Google's income comes from a "pay per click" advertising model that is exposed to click-frauders. Linking advertising all the way through to a payment service could, in future, provide a compelling alternative that eliminates the risk of click-fraud and the wasted half of the advertising budget. Rates would, of course, rise to compensate but we should all welcome improved efficiency as well-focused advertising can be as interesting as the news.

Fraud is a key element not just to AdWords and Google Checkout, but to online payment in general.

A buddy of mine, who is expert at fraud, told me there are two basic approaches to minimizing it. The first, popular with banks, is the "moat" method where you make it really really hard to get in, but once you are in you can do what you like. The second, pioneered by PayPal, is the "policeman" method where you eliminate virtually all of the barriers to entry, but then you carefully watch what people actually do and spot the bad guys that way.

My buddy argued that the "moat" method as a loser because, when people have options (as they do online), high barriers to entry deter honest users more than they deter thieves. Thieves know that there is a money pot on the other side of the moat and will do whatever it takes to get over it. Honest users just want to pay their bill, so will quickly switch to other channels. This is why PayPal was able to dominate online payment, and banks still suck at it.

Banks seem to suck in general. Here is an example of a bank sucking.