
PayPal Unveils Mobile Payment System

Soulskill posted more than 2 years ago | from the for-sniping-that-cup-of-coffee-at-the-last-second dept.

Businesses 99

angry tapir writes "PayPal is targeting small businesses, service providers, and casual sellers on the move with its new PayPal Here service, which allows vendors to process a variety of payments including checks and cards using their mobile phones. The new service includes a free app and encrypted thumb-sized card reader, which allows merchants with an iPhone, and later Android smartphones, to process payments."


Why hasn't PayPal been innovated out of existence? (1)

Anonymous Coward | more than 2 years ago | (#39375965)

Given PayPal's well-documented history of abusing customers, arbitrarily freezing/keeping hundreds of thousands of dollars in customer money and being difficult to deal with, why hasn't anyone come up with a better way of doing things? Alternatively, why hasn't the US legal system, which seems to enjoy regulating everything to death, come down hard on PayPal and forced them to be more accountable? If they're going to act like a bank, they need to be held accountable like a bank.

Re:Why hasn't PayPal been innovated out of existen (5, Informative)

CaptSlaq (1491233) | more than 2 years ago | (#39376101)

Since you probably don't work in this space, I'll drop you a hint: https://squareup.com/ [squareup.com]

Re:Why hasn't PayPal been innovated out of existen (0)

poetmatt (793785) | more than 2 years ago | (#39377541)

Square is both a: a million times better and b: not paypal.

Those two reasons alone should be sufficient for anyone who has ethics and doesn't want to support paypal's censorship.

Re:Why hasn't PayPal been innovated out of existen (0)

Anonymous Coward | more than 2 years ago | (#39399909)

Square is both a: a million times better and b: not paypal.

c: not available outside USA.

While millions of ppl outside USA may spiritually unite with your paypal-bashing, they have way fewer options for accepting payments.

Re:Why hasn't PayPal been innovated out of existen (2)

Ihmhi (1206036) | more than 2 years ago | (#39380577)

Great! Now all we need is for the vast majority of the Internet to support it like Paypal does.

The only thing Paypal has going for it right now is the convenience. If you shop anywhere, you can probably use Paypal. Squareup - if it's really as good as you say - needs to get its foot in the door in a couple of big places and word will spread from there.

Re:Why hasn't PayPal been innovated out of existen (2)

hobarrera (2008506) | more than 2 years ago | (#39376751)

Because it's the only thing that works in most countries. Hell, it's one of the few that even exists outside the US.

Re:Why hasn't PayPal been innovated out of existen (4, Insightful)

Goaway (82658) | more than 2 years ago | (#39376825)

Because they don't abuse customers in general. They abuse sellers. The regular users who are paying are left alone, and thus the service is popular. Sellers don't really have a choice, and just have to put up with whatever bullshit PayPal comes up with.

Re:Why hasn't PayPal been innovated out of existen (0)

Anonymous Coward | more than 2 years ago | (#39379183)

This is exactly what I think. Most users are buyers that have no idea about the bullshit done by paypal to sellers.

The thing with paypal is that while you will most likely have bad experience with paypal during your life, not every one will have a VERY bad experience. When things go bad with paypal, they go real bad real fast. They'll start by blocking your account. Then proceed to pump money from your bank account or your credit card to "cover refund fees" or other bullshit.

Unless you are a popular blogger, you can suck it up and accept you've just lost thousands of dollars. All that because the US accepts that paypal is a money laundering service and not a "bank".

Not that banks are more ethical, but at least you have recourse against them when shit hits the fan.

Re:Why hasn't PayPal been innovated out of existen (4, Informative)

MickLinux (579158) | more than 2 years ago | (#39382807)

Nonsense. Don't you remember the fiasco about them claiming to insure against fraud? Then it turned out that they were "self insuring", and never paid once.

I was one of those who lost something like $350 on it [the normal used price for that particular Quark Xpress]. I proved fraud 5 different ways: two of them were that the seller claimed to be selling a licensed copy of Quark Xpress, and actually delivered a Windows 95 user manual; and the seller claimed to be from the Antilles [not a Russian mafia hotbed] and shipped from Tbilisi Georgia, which would have caused me not to buy, right there.

Anyhow, Paypal said that since he shipped *something*, they considered that a 'quality dispute', which they didn't cover.

I never got my money back, and Paypal has never paid on the claim, and as far as I am concerned, *Paypal's fraud* worked hand in hand with the sellers' fraud.

No, it is NOT TRUE that Paypal doesn't abuse customers in general. There is a class action lawsuit that demonstrated that. I just never signed on to it, because plaintiffs in class action lawsuits typically never collect. But if Paypal ever wants me to consider doing business with them in any way, shape, or form, they'll first pay me back the money I lost, plus interest.

And yes, I am aware that Paypal is in the middle of a media blitz right now, which means that they probably are paying for "online reputation protection" as advertised on National Public Radio, and therefore I am probably going to be modded with a combination of "Troll" and "overrated" to make my post vanish. I've noticed that that has been the pattern these days.

So be it. I'm still going to post the truth.

Saying "they don't abuse customers" is false. I'll assume you said it in ignorance.

Re:Why hasn't PayPal been innovated out of existen (1)

morgauxo (974071) | more than 2 years ago | (#39381251)

Because the vast majority don't give the slightest care to ethical issues like those surrounding Paypal AND once they learn to do things one way with one company's product they have zero interest in learning to use another's product, even if the interface is better or basically the same. Strangely this does not apply to learning a new version of the original product. They will go right along with those changes.

Meanwhile the rest of us pretty much are locked in because there is no use changing money with yourself. That's the problem with online auctions anyway. In person, so long as you can swipe a card it's all good. IE go with Square. Of course... the things those companies have done that provide the card you are swiping... I can't help you there.

Basically, people suck.

Just don't lose your phone. (1)

Nyder (754090) | more than 2 years ago | (#39375967)

Wonder what sort of damage losing your phone could do to your business with this?

Re:Just don't lose your phone. (2)

American Patent Guy (653432) | more than 2 years ago | (#39376105)

I wonder what sort of damage losing your THUMBS could do to your business... I'm rather fond of mine!

Re:Just don't lose your phone. (1)

neokushan (932374) | more than 2 years ago | (#39376873)

The same kind of damage loosing your card reader would do to any other. You have a backup, you always have a backup.

Re:"loose" vs "lose" (0)

Anonymous Coward | more than 2 years ago | (#39387155)

Damn it, "loosing" != "losing". I'm so tired of seeing this.

Re:Just don't lose your phone. (0)

Anonymous Coward | more than 2 years ago | (#39377135)

Oh I don't know, same as losing your wallet?

At least you can lock your phone and remotely wipe it if it gets lost.

paypal sucks (0, Funny)

Anonymous Coward | more than 2 years ago | (#39375971)

Just use bitcoins instead. Paypal sucks

WTH? (3, Insightful)

ledow (319597) | more than 2 years ago | (#39375975)

First question:

Would you stick your card into that device and/or type your PIN into a random Android mobile?

I think that should tell you everything you need to know about how much that will get used.

Re:WTH? (2)

plaukas pyragely (1630517) | more than 2 years ago | (#39376043)

I don't know how they did this but it *can* be safe. If encryption of card data happens on the device itself (not android application) then it should be fine.

Re:WTH? (0)

Anonymous Coward | more than 2 years ago | (#39376393)

How do you know that the random phone that's just been handed to you by a waitress has encrypted the data that it's just read off your card and sent it securely? How do you even know it's the PAYPAL software / hardware running and not a cheap knock-up that I coded in an afternoon to look and act the same while actually just skimming your card?

It's Chip-and-PIN again but this time with entirely untrusted (and untrustable) devices.

Really? You want me to put my card, chip and PIN into a (potentially rooted) Android phone that you bought from the shop last week and installed a PayPal app on? Honestly? Are you insane?

Re:WTH? (5, Insightful)

Overzeetop (214511) | more than 2 years ago | (#39376465)

So you won't let the waitress swipe your card, but you'll let her take it into another room for several minutes?

Re:WTH? (3, Informative)

krinderlin (1212738) | more than 2 years ago | (#39377193)

Universe, I'm wishing desperately for mod points for the parent. People are so blind to just how horribly insecure the system is already. A rooted phone is the least of your worries. They just busted a skimming ring here in Atlanta restaurants a few months ago. This is no less insecure than what's already in place but far more convenient.

As for the GP: Also, realize that most of this is US based and we don't use "chip & pin". Period. Also, most people run debit cards as credit cards. Companies actively encourage you to sign for purchases and not key in your pin with various rewards. Some banks even charge the customer a fee per pin-based transaction. These are magnetic stripe machines that always run the card via the Credit Card processing company (MasterCard and Visa), not via the bank. The rules are different for those, and you most certainly won't be using your craptastic PIN.

I won't go into the level of security a 4 digit PIN does not provide given enough money you can get via fraud for a particular card.

Re:WTH? (4, Insightful)

Anonymous Coward | more than 2 years ago | (#39377883)

Mod this parent up. Posting as AC on purpose. I'll add that in a dispute over a debit charge, the problem as the cardholder is that you are fighting with your bank (debit card issuer) to get your money back.

When disputing a credit charge, you are helping the bank (credit card issuer) that "loaned" you the money get *their* money back. With debit, the bank is not overly encouraged to spend a lot of resources on helping you get your money back as it isn't their money that was defrauded since there is no profit in it and the risk is that you (one customer) will leave for another bank, and there are barriers (hassle) to you if you do this.

With a credit card, the risk is they will lose you as a customer (you will use some other form of payment) and lose their profit (interest and transaction interchange and data mining value - spend patterns, market analysis, marketing other products and services, etc.).

The bottom line is that the security focus of the industry isn't to protect the cardholder from fraud, but the banks in protecting their revenue streams.

Re:WTH? (0)

Anonymous Coward | more than 2 years ago | (#39379713)

Companies actively encourage you to sign for purchases and not key in your pin with various rewards. Some banks even charge the customer a fee per pin-based transaction.

I'm charged .50 per pin based debit transaction and my reward for using it as credit is "fraud protection".

Re:WTH? (1)

houghi (78078) | more than 2 years ago | (#39380665)

No, I won't. In Belgium they will come to the table with a mobile terminal. I enter the card with the chip in the terminal (so no swiping) and enter my pin code. The waiter waits for the OK signal and gives me my receipt and the transaction is done.

He does not even touch the card, so he can't remember the details to abuse it. I have seen terminals without the strip reading ability.

Images of some terminals [banksys.be]

Re:WTH? (1)

Goaway (82658) | more than 2 years ago | (#39376847)

Why do you think any other device you might be handed is any safer than a phone?

Re:WTH? (0)

Anonymous Coward | more than 2 years ago | (#39389675)

Firstly, because a dedicated terminal is less likely to be infected with malware...it isn't used to read anyone's e-mail, read web pages, and may have only a very indirect and limited connection to the Internet. And secondly because a system that works properly ought to ensure that the card authenticates the reader as well as the other way round. The reader can, of course, be hacked if you try hard enough. But it's a lot harder, and a lot less likely to happen without the merchant's knowledge.

Re:WTH? (0)

Anonymous Coward | more than 2 years ago | (#39376713)

But how do you know that's a "real" device, and not something looking just like one, but handing the data over to the phone unencrypted? Steps that the merchant can take to keep things safe for you don't do you much good against GP's argument against letting random things read your card.

Of course, GP only makes sense for debit cards, where if someone steals your card and PIN, you lose. With credit cards, the merchant involved in any fraudulent transactions gets soaked for the charge plus a fine, so it doesn't really matter if someone records your card number. (Note that recording your card number is also as simple as taking a photo of the front (for PAN) and back (CSC), or with good lighting, you can get both from the back -- so this is not an appreciable difference vs. merchants requiring you to hand them your card to swipe it behind the counter.)

Re:WTH? (1)

Goaway (82658) | more than 2 years ago | (#39376857)

How do you know that any terminal you stick a card into is real?

Re:WTH? (0)

Anonymous Coward | more than 2 years ago | (#39376049)

(Posting AC because I'm at work)

Um, why would that make any difference compared to something like Square's almost identical payment system which gets used quite a bit?

Re:WTH? (4, Insightful)

Lumpy (12016) | more than 2 years ago | (#39376069)

Yes, a lot of people do this all the time. I have been using SQUARE on my iphone for a year now to do this for my small business.

What??? (1)

Oh Gawwd Peak Oil (1000227) | more than 2 years ago | (#39376565)

Wait a second. That's a fact you posted. This is Slashdot. The GP post is insightful, dammit! Insightful!

Re:WTH? (0)

Anonymous Coward | more than 2 years ago | (#39376089)

It's been done for over a year already by Square. Who cares about the device... it comes down to you only giving your credit card to someone you trust. For example, you would not give your credit card to some random craigslist guy, but you might give it to the cash only vendor that's been selling foodstuffs or the like on the street outside your office.

Re:WTH? (1)

GIL_Dude (850471) | more than 2 years ago | (#39376275)

It's all well and good to trust the individual. But do you also trust that the individual is a phone security expert? Do you trust that he hasn't inadvertently installed something on that phone that included malware? How many untrusted people are you also giving your card data to by letting it get into that phone?

How about this instead - the seller can trust ME. He can enter his account information (perhaps an account that is set up in such a way that it only accepts deposits and cannot have remote debits) on MY phone and I will transfer the payment into it. He won't trust me with that? Then why would I trust his phone with my card data?

Re:WTH? (1)

krinderlin (1212738) | more than 2 years ago | (#39377269)

As was said before, yet you trust the waitress to wander off into another room for several minutes with your card? Do you even know what a skimmer is? Do you realize you've likely given your card AND pin to several of them already at your local ATM [krebsonsecurity.com] ? This is no less secure and far more convenient and cheaper for the merchants. Electronic banking is fundamentally broken, this isn't making it worse.

Re:WTH? (1)

Inda (580031) | more than 2 years ago | (#39377401)

You don't have portable readers in your country?

The card never leaves your sight.

Failing that, get up off your arse, walk to the bar/till/reception and pay there.

I've never met anyone whose card's been skimmed.

Re:WTH? (2)

krinderlin (1212738) | more than 2 years ago | (#39377585)

My partner's card got skimmed by a rig on a Bank of America ATM. I've been to ATMs before and noticed skimmers. I've seen handheld skimmers and attachments for portable terminals when I interned with fraud investigations at a major card processor. It happens more than you think, since the information is easily used to commit fraud with card not present transactions.

In my entire life, I've been in exactly one restaurant with portable readers. They are extremely rare in the United States. This is mostly because every time the regulators try to up the security enforcement, the processors complain about the cost and turn around and tell merchants that everyone must buy new terminals. The merchants pitch such a hissy fit, nothing ever gets done.

Unfortunately, the "terminal replacement" problem is so widespread, it's impossible to vote with your wallet. Fortunately, big players like Visa and MasterCard have gotten fed up with the merchants and have simply said, "Buy a new EMV contact and contactless (NFC, mobile wallets, etc.) terminal between 2013 and 2015. As of 2015, if a fraudulent transaction occurs that could've been prevented by EMV, then you are liable for it."

The net effect will be similar to the UK where suddenly everyone has chipped cards and/or NFC wallets and merchants won't accept anything else. It's very sad that it's taken this long and the advent of NFC to get anything done.

Also, for reference: Here's a local news report [11alive.com] of the bust here in Atlanta.

Re:WTH? (0)

Anonymous Coward | more than 2 years ago | (#39378213)

Here in Canada most retailers are now EMV enabled and very few cards don't have chips. Most restaurants also have portable card machines. Not that those can't be hacked but I do feel a bit safer when they type in the amount then hand the machine to you to put in your card. Yes you can put in the card upside down and get a chip read error that then falls back to swipe but if the card holder files a charge back the merchant loses every time.

The chip also protects the merchant. If the transaction was with chip/pin then we get our money no matter who typed in the PIN number. If your kid borrows your card and knows the PIN then you're SOL. Our business has gotten so if you don't know your PIN then you don't get to make the purchase.

Re:WTH? (-1)

Anonymous Coward | more than 2 years ago | (#39376145)

Never trust Android or its users.

Re:WTH? (-1)

Anonymous Coward | more than 2 years ago | (#39376235)

Aside from the fact that Paypal is about as trustworthy as a rabid animal, you'd stick your card into a device that you trust. It's essentially zero difference if that device is portable and routes data through the business's cellular data connection or if they have an installed device routing data over the business's landlines. You either trust the vendor or you don't. It's hardly like you're being exposed to extra danger. You trust that the nice gas station pumps aren't harvesting your card data for nefarious purposes. Although they certainly could. For all you know, there's a bloody smartphone in the pump with the card reader as its peripheral. Unlikely, but it isn't like any business is going to open one up so you can check.

Re:WTH? (1)

Goaway (82658) | more than 2 years ago | (#39376889)

And realistically, it doesn't matter how much you open up a device, you still can't tell if it is malicious or not.

Until the card itself is smart enough to handle the transaction without trusting the terminal, this is going to be insecure no matter what.

It's actually quite safe.....as long as you don't (4, Informative)

neokushan (932374) | more than 2 years ago | (#39376993)

Full Disclosure: I work in the credit/debit card industry. Specifically, I work in the part of that industry that involves testing the shizzle out of them.

Your old magstripe only card isn't safe, the magstripe can be easily copied in a variety of ways. Readers are cheap and skimmers that are so small, they can fit inside ATM card slots, are easy to buy online (and don't cost much). Lesson? Don't use the magstripe for anything, ever.

So what are you meant to do? Well, like a lot of the rest of the world, the US is switching over to EMV. In the UK, it's known as chip and PIN, but the basics are as follows:

Instead of a magstripe, your card has a "chip" inside it. That chip is where the communications happen. Readers contact the chip and exchange a bunch of cryptographic data, but the key thing is that the chip isn't simply "read", but it performs calculations itself, using its own private keyset that cannot be read by the chip reader. I can't stress that point enough. There's no way to read the contents of the chips, all you can do is communicate with it.

Each transaction is "Unique" and the card itself will sometimes request to speak directly to a Host (i.e. somewhere at your Bank's HQ), in what's called an "online" transaction. If the card chip isn't sure of a terminal, it will demand to go online before processing a transaction. Hell, sometimes it'll demand to go online just because it hasn't recently. The two then communicate in such a way that the terminal (the middle man) can't intercept in any meaningful fashion. Each message is cryptographically generated so that the host knows the card sent it and not some MITM.

The bottom line? Come 2013, when the US is mandated to support EMV, card skimming will be a thing of the past. Stick your card wherever you like, nobody can do anything with your bank account*.

*there is, of course, a small caveat to this. As I said, each transaction is unique, so theoretically someone could skim a single offline transaction from you, but if they try to replay that transaction, there's every chance the transaction will then go online (the terminal AND the chip can demand to go online at any point), in which case the host will void it immediately. There's also plenty of upper and lower transaction limits, so for example if a transaction amount is above say $50 or $100, it HAS to go online or will fail outright.
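The per-transaction behaviour described in the post above (a key that stays on the chip, a unique cryptogram per transaction, and a host that voids replays), as an added example that is not part of the original thread. It is a simplified model: HMAC-SHA256 stands in for the real EMV cryptogram algorithm, and the class names, field names and card number are constructed for illustration.

```python
import hashlib
import hmac
import os


def _message(pan, atc, amount_cents, un):
    # All fields are digits or hex, so "|" is an unambiguous separator.
    return "|".join([pan, str(atc), str(amount_cents), un.hex()]).encode()


def _mac(key, pan, atc, amount_cents, un):
    # Assumption: HMAC-SHA256 truncated to 8 bytes stands in for the EMV
    # application cryptogram; real cards use issuer-derived session keys.
    msg = _message(pan, atc, amount_cents, un)
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class ChipCard:
    """Card side: the key is used inside the chip and never handed out."""

    def __init__(self, pan, card_key):
        self.pan = pan
        self.__key = card_key
        self.atc = 0  # application transaction counter, bumped per transaction

    def sign_transaction(self, amount_cents, un):
        self.atc += 1
        return {
            "pan": self.pan,
            "atc": self.atc,
            "amount_cents": amount_cents,
            "un": un,  # the terminal's unpredictable number
            "cryptogram": _mac(self.__key, self.pan, self.atc, amount_cents, un),
        }


class IssuerHost:
    """Host side: shares the card key and remembers the highest counter seen."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def enroll(self, pan, card_key):
        self._keys[pan] = card_key
        self._last_atc[pan] = 0

    def verify(self, req):
        key = self._keys.get(req["pan"])
        if key is None:
            return "DECLINED_UNKNOWN_CARD"
        expected = _mac(key, req["pan"], req["atc"], req["amount_cents"], req["un"])
        if not hmac.compare_digest(expected, req["cryptogram"]):
            return "DECLINED_BAD_CRYPTOGRAM"
        if req["atc"] <= self._last_atc[req["pan"]]:
            return "DECLINED_REPLAY"  # same counter seen before: a replayed message
        self._last_atc[req["pan"]] = req["atc"]
        return "APPROVED"


def demo():
    pan = "4111111111111111"  # constructed test number, not a real card
    key = os.urandom(16)
    host = IssuerHost()
    host.enroll(pan, key)
    card = ChipCard(pan, key)

    first = card.sign_transaction(2500, os.urandom(4))
    results = {"genuine": host.verify(first)}
    # A terminal that recorded the whole exchange sends it a second time.
    results["replayed"] = host.verify(dict(first))
    # The same recording with the amount changed no longer matches its MAC.
    results["tampered"] = host.verify(dict(first, amount_cents=250000))
    # Static card data without the chip's key cannot produce a valid cryptogram.
    clone = ChipCard(pan, os.urandom(16))
    results["forged_without_key"] = host.verify(clone.sign_transaction(2500, os.urandom(4)))
    results["next_genuine"] = host.verify(card.sign_transaction(1000, os.urandom(4)))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20s} {outcome}")
```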

Re:It's actually quite safe.....as long as you don (1)

krinderlin (1212738) | more than 2 years ago | (#39377419)

I just looked into this. I did not know about the liability shift in EMV preventable fraud come 2015. I almost cried tears of joy. You have given me a glimmer of hope for the world. (Though it might be a bit cruel to the merchants, I have little sympathy. The U.S. has been way behind the curve on this simply because the merchants would pitch a hissy fit about buying new terminals every time.)

Re:It's actually quite safe.....as long as you don (2)

neokushan (932374) | more than 2 years ago | (#39377633)

Just to clarify your point, 2015 is for New Zealand and Australia, for the US/Asia it's 2013:

(Not sure where you're based)

http://www.atmmarketplace.com/blog/6355/EMV-deadline-for-U-S-ATMs-the-race-is-on [atmmarketplace.com]

However, considering the short time frame of this, I can't see how it's going to go smoothly. As you say, the merchants are all going to be very upset at this but tough to them - Europe has had EMV for years now, it's about time everyone upgrades.

Re:It's actually quite safe.....as long as you don (1)

bill_mcgonigle (4333) | more than 2 years ago | (#39379039)

Come 2013, when the US is mandated to support EMV, card skimming will be a thing of the past. Stick your card wherever you like, nobody can do anything with your bank account

These folks [bbc.co.uk] at Cambridge say the system needs an 'entire rewrite' to be secure. Is there data to refute them?

Re:It's actually quite safe.....as long as you don (1)

neokushan (932374) | more than 2 years ago | (#39379463)

What that flaw does is allow you to not require the PIN when performing a transaction. You can't clone the card, so you still need the card itself, plus you need to intercept communications between the card reader and the card (most shops aren't going to let you slide something between the card and terminal). You only use the PIN in terminal transactions, you don't use them for distance (Internet/Phone, etc.) transactions (different security is in place). A flaw for sure, but not exactly a deal breaker.

The PIN is sent in the clear anyway, you can "skim" the PIN relatively easily, but you still need the card itself.

Re:It's actually quite safe.....as long as you don (1)

Bitsy Boffin (110334) | more than 2 years ago | (#39382515)

Watch the video.

http://www.youtube.com/watch?v=PWnH_yblgTc [youtube.com]

You do need the card (for this particular attack), but it is trivial to hide the fact that you are doing anything funny, all you have to do is have the wire from the fake card hidden literally up your sleeve.

Re:It's actually quite safe.....as long as you don (1)

neokushan (932374) | more than 2 years ago | (#39382749)

Even without the PIN, a stolen card can be used for all sorts of nefarious things. They have your credit card number, dates of expiration, even the CVN (3-digit security number on the back), enough to order from many online stores. Many places will still accept cards without the PIN by using a signature as well, so really the issue is with the card being stolen. However, the GP was about people "skimming" cards via a hacked terminal and, to my knowledge this has yet to happen*.

*It's possible to make a magstripe card from data intercepted via an EMV transaction, however.

Re:It's actually quite safe.....as long as you don (1)

profplump (309017) | more than 2 years ago | (#39384431)

The system needs to be adjusted if merchants want to ensure they're processing a PIN-verified transaction, as opposed to an unauthenticated transaction. It doesn't make the card inherently insecure -- you can't generate a PIN-verified transaction using this method -- but it does open up the merchant for chargebacks because they didn't require a PIN. And if your card allows non-PIN transactions it could be stolen and used without the PIN.

There are a variety of solutions. The technical one is to have the payment processor send back terminal-verifiable data about the type of transaction, so the card can't lie to the terminal. But an easy workaround for merchants and cardholders would be to have their payment processor refuse any non-PIN transactions; if only PIN-authenticated transactions are allowed this flaw becomes meaningless.

Re:It's actually quite safe.....as long as you don (1)

swillden (191260) | more than 2 years ago | (#39379717)

Each transaction is "Unique" and the card itself will sometimes request to speak directly to a Host (i.e. somewhere at your Bank's HQ), in what's called an "online" transaction. If the card chip isn't sure of a terminal, it will demand to go online before processing a transaction. Hell, sometimes it'll demand to go online just because it hasn't recently. The two then communicate in such a way that the terminal (the middle man) can't intercept in any meaningful fashion. Each message is cryptographically generated so that the host knows the card sent it and not some MITM.

I think it's likely that all transactions will be on-line for the US implementation. MasterCard PayPass, Visa PayWave and Discover Zip all go on-line all the time, I believe. These are all EMV-derived protocols, but I don't think any of them are perfectly-compliant with any of the EMV usage modes. Also, I think they're all SDA plus a per-transaction dynamic CVV.

Re:It's actually quite safe.....as long as you don (1)

neokushan (932374) | more than 2 years ago | (#39379873)

You're right, none of them are completely EMV, they all use a different variant of the standard. In fact, nobody actually does proper EMV, often for political reasons. Still, I'd be surprised if ALL transactions were online only, there's plenty of legitimate reasons for needing offline transactions (ticket inspectors on trains are common here). Then again, it's not entirely unthinkable.

Re:It's actually quite safe.....as long as you don (1)

swillden (191260) | more than 2 years ago | (#39395347)

In the US effectively all transactions are already on-line, so the off-line use cases don't really exist. Other approaches have been found. Given the capability, it's possible that off-line might be used... but at the same time the proliferation of Internet access is making it often just as easy to do it on-line. Even on a train.

Re:It's actually quite safe.....as long as you don (0)

Anonymous Coward | more than 2 years ago | (#39380363)

Chip & Pin isn't perfect. http://www.youtube.com/watch?v=PWnH_yblgTc

Re:It's actually quite safe.....as long as you don (1)

neokushan (932374) | more than 2 years ago | (#39382783)

Once again, I never said it was perfect, I said it prevents skimming (Which it does). All this does is let you get away without the PIN.

Re:It's actually quite safe.....as long as you don (2)

houghi (78078) | more than 2 years ago | (#39380767)

It makes me sad that this needs to be explained on a site like /.

Re:It's actually quite safe.....as long as you don (1)

Em Adespoton (792954) | more than 2 years ago | (#39382965)

The bottom line? Come 2013, when the US is mandated to support EMV, card skimming will be a thing of the past. Stick your card wherever you like, nobody can do anything with your bank account*.

*there is, of course, a small caveat to this. As I said, each transaction is unique, so theoretically someone could skim a single offline transaction from you, but if they try to replay that transaction, there's every chance the transaction will then go online (the terminal AND the chip can demand to go online at any point), in which case the host will void it immediately. There's also plenty of upper and lower transaction limits, so for example if a transaction amount is above say $50 or $100, it HAS to go online or will fail outright.

Speaking as someone who was involved in the early NA EMV specs, there is one HUGE caveat to this:

All the devices that support EMV have a fallback sequence in case something goes wrong. This comes out of the department of redundancy department, as Visa moved a lot of its processes from back in the dialup authentication days forward into EMV.

End result? It's possible to block the chip slot such that when you insert a card, it reports an error and prompts you to use the magnetic stripe instead... which can be skimmed.

Until they mandate NOT using fallback to track1/track2 data, this avenue will still be possible.

There are also more advanced methods of extracting the customer keys from EMV cards (a German group pulled this off years ago) -- this doesn't give the transport or merchant key, which limits the amount of damage that can be done, but it still means the "private" data can be pulled off an EMV card and then encoded onto T2 on a card with a "damaged" chip.
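One way a processor could act on the fallback problem raised in the post above, as an added example that is not part of the original thread: decline stripe reads of chip-capable cards at chip-capable terminals, and flag terminals where such fallbacks cluster. The record fields, terminal IDs, thresholds and decline policy are assumptions, and the track data is constructed; the only real-world fact used is that a Track 2 service code starting with 2 or 6 marks a card that carries a chip.

```python
import re
from collections import Counter

# Track 2 layout: ;PAN=YYMM, 3-digit service code, discretionary data, then ?
TRACK2_RE = re.compile(r"^;?(\d{12,19})=(\d{4})(\d{3})\d*\??$")

# Constructed sample track data (test PAN, not a real card).
CHIP_CARD = ";4111111111111111=30122010000000000?"    # service code 201
STRIPE_CARD = ";4111111111111111=30121010000000000?"  # service code 101


def parse_track2(track2):
    m = TRACK2_RE.match(track2.strip())
    if not m:
        raise ValueError("not valid Track 2 data")
    pan, expiry, service_code = m.groups()
    # Keep only what the rule needs; never carry the full PAN around.
    return {"pan_last4": pan[-4:], "expiry_yymm": expiry, "service_code": service_code}


def card_has_chip(service_code):
    # First digit 2 (international) or 6 (national) means "use the chip where feasible".
    return service_code[0] in ("2", "6")


def classify(txn):
    """Label one transaction record (hypothetical fields: entry, chip_terminal, track2)."""
    if txn["entry"] == "chip":
        return "chip"
    if not card_has_chip(parse_track2(txn["track2"])["service_code"]):
        return "stripe_only_card"
    if not txn["chip_terminal"]:
        return "legacy_terminal"
    return "fallback"  # chip card swiped at a terminal that could have read the chip


def decide(txn):
    # Assumed policy: the "no fallback" mandate the post says is missing.
    return "decline" if classify(txn) == "fallback" else "approve"


def suspect_terminals(txns, min_fallbacks=3, min_rate=0.5):
    """Terminals where chip cards keep falling back to the stripe (possible blocked slot)."""
    chip_card_txns, fallbacks = Counter(), Counter()
    for t in txns:
        kind = classify(t)
        if kind in ("chip", "fallback"):
            chip_card_txns[t["terminal"]] += 1
        if kind == "fallback":
            fallbacks[t["terminal"]] += 1
    return sorted(
        term for term, n in fallbacks.items()
        if n >= min_fallbacks and n / chip_card_txns[term] >= min_rate
    )


def _txn(terminal, entry, chip_terminal, track2):
    return {"terminal": terminal, "entry": entry,
            "chip_terminal": chip_terminal, "track2": track2}


# Constructed transaction log.
TXNS = [
    _txn("T-01", "chip", True, CHIP_CARD),
    _txn("T-01", "swipe", True, STRIPE_CARD),
    _txn("T-01", "chip", True, CHIP_CARD),
    _txn("T-17", "swipe", True, CHIP_CARD),
    _txn("T-17", "swipe", True, CHIP_CARD),
    _txn("T-17", "chip", True, CHIP_CARD),
    _txn("T-17", "swipe", True, CHIP_CARD),
    _txn("T-30", "swipe", False, CHIP_CARD),
]

if __name__ == "__main__":
    for t in TXNS:
        print(t["terminal"], classify(t), decide(t))
    print("terminals to inspect:", suspect_terminals(TXNS))
```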

Re:It's actually quite safe.....as long as you don (1)

wrystarr (2604191) | more than 2 years ago | (#39481885)

PayPal says they plan to go Global with this but for now it's just the US. If you're in a European country (especially the UK) you can watch out for the release of mPowa. They will be first available in the UK and in some parts of Europe but they will be open to the North American market and other parts of the world after that. It may interest you that with mPowa you have an option to use a chip and PIN device. And also, process a payment manually. Of course, you can still use the card reader if you want. Their card reader device is sleek, less bulky than typical POS devices, there's no hardware to rent, it's free for all time. All you pay is a small fee for each credit card or debit card transaction (.25%). There are no fees for making cash and check transactions, too. You can check their site http://www.mpowa.com/ [mpowa.com] so you can check them out yourself.

Re:WTH? (1)

Inda (580031) | more than 2 years ago | (#39377133)

Why would I type my PIN into a machine that doesn't have Chip and PIN [wikipedia.org]?

Best regards,

The British Isles

Re:WTH? (1)

s0nicfreak (615390) | more than 2 years ago | (#39378465)

Because you're not at a store nor a computer, you don't carry cash, and you want to buy something.

I could see this being very useful at conventions, small-business events (where people are all over the store and outside and etc. and they only have one "real" card reader), and for freelancers. The card readers at walmart, at the gas station, at any random ATM, etc. and this are all equally potentially unsafe.

Paypal? (0)

Anonymous Coward | more than 2 years ago | (#39375997)

This is great news! Now what we'd like is, exactly like that, but not related to Paypal in any way

everyone who posts below this is a gaywad (-1)

Anonymous Coward | more than 2 years ago | (#39376027)

gaywads!

Re:everyone who posts below this is a gaywad (-1)

Anonymous Coward | more than 2 years ago | (#39376251)

I AM A GAYWAD

Re:everyone who posts below this is a gaywad (-1, Troll)

19thNervousBreakdown (768619) | more than 2 years ago | (#39376263)

Go gaywads!

How do they expect.... (4, Insightful)

Lumpy (12016) | more than 2 years ago | (#39376055)

To compete with Square? They are already established and don't have a reputation for taking everything that someone has in their account on a whim.

The internet is full of "paypal stole all my money" stories.

Re:How do they expect.... (0)

Anonymous Coward | more than 2 years ago | (#39376131)

Looking at the reader, it appears it's an unsecured dongle thingy like Square's reader. A neat platform for creating skimmers.
Anticipate "PayPal stole my credit card" stories to add to the pile.

Re:How do they expect.... (3, Informative)

EvilIdler (21087) | more than 2 years ago | (#39376561)

It wouldn't be very usable in my country for long, because magnetic strip readers are being taken off the market (due to a large number of East-European criminals skimming cards). Smart cards have started to become a requirement, with legacy devices losing the functionality to read the strip. PayPal's solution is a bit too late to be that usable in Europe.

Re:How do they expect.... (0)

Anonymous Coward | more than 2 years ago | (#39377991)

This is also the case in Canada.

Re:How do they expect.... (1)

houghi (78078) | more than 2 years ago | (#39380509)

The only country that still uses the magnetic strip almost by default is the USofA. Even in underdeveloped countries the chip is used. I have already seen cards that have no magnetic strip at all in Belgium and not even an embossed number, so the even older system of the sliding machine can't be used.

Re:How do they expect.... (0)

Anonymous Coward | more than 2 years ago | (#39382565)

This device can't be used as a skimmer. The swipe is encrypted before hitting the phone.

Source: I work for Paypal.

Re:How do they expect.... (1)

Lumpy (12016) | more than 2 years ago | (#39382787)

In the USA banks profit from credit card theft. So they refuse to switch to smartcards that eliminate card skimming.

Re:How do they expect.... (1)

wrystarr (2604191) | more than 2 years ago | (#39481921)

True that. You may want to check out mPowa's nifty POS system which is first launching in the UK and other parts of Europe. You can learn about this here: http://www.mpowa.com/ [mpowa.com] . mPowa is backed by Powa (www.powa.com). All you pay is a small fee for each credit card or debit card transaction (.25%). And there are no fees for making cash and check transactions.

Re:How do they expect.... (2)

tlhIngan (30335) | more than 2 years ago | (#39379415)

To compete with Square? They are already established and don't have a reputation for taking everything that someone has in their account on a whim.

The internet is full of "paypal stole all my money" stories.

Depends. First, they're doing the easy way of taking 1.7% instead of 1.75%, and second, well, Paypal is the only company out there if you want to accept random credit card payments.

Square basically is a merchant account with all the merchant account stuff. If you're just a small time seller off Craigslist and eBay, you probably cannot use Square without incorporating yourself as a business. With Paypal, you can.

And that's always the funny thing - it's the one thing Paypal has over everyone else (Amazon Checkout, Google Wallet/Checkout/whatever they're calling it, Square, etc). I've never understood why it's only Paypal that can offer the "allow random Joe to accept a credit card payment" option. If you're not a company/non-profit org or something, accepting credit cards is extraordinarily difficult - your option really is Paypal.

Visa's supposed to have something similar, but that only works for Visa.

As for all the paypal stole my money stuff - it's true. Except that merchants deal with this far more often, and often the agreement will state you cannot discuss this in public. At least if you wish to keep your account.

Accepting credit cards in general sucks and I'm sure businesses would love to get rid of it, except they're convenient, and if you're big enough, cheaper than cash (handling cash costs money - extra staff training, safes, money dropoffs/armored car costs, etc).

Though, I have also seen businesses push you towards Paypal because they charge less than their merchant account does. And I've also chosen Paypal over native credit card handling - one business really ticked me off by asking for a scanned image of my credit card "for my protection" (note - when a business asks you to do it - it's not for preventing fraud off your card, it's for protecting them. After all, if you used someone else's card, you're not protected (that someone else is)). I probably should've reported them because if their email gets hacked, boom your credit card is all over the 'net with CVV and signature, too.

Re:How do they expect.... (1)

Lumpy (12016) | more than 2 years ago | (#39382857)

" Paypal is the only company out there if you want to accept random credit card payments."

  Square has already been doing this. I can accept random credit card payments on my phone, swipe the card, or key in number. I am not a company I am a person.
  Yes I have to be offering a "service" but paypal requires that as well. Try to send a gift payment to someone and use a credit card.

Srsly? (1)

DroolTwist (1357725) | more than 2 years ago | (#39376073)

As if there isn't enough identity theft already, and now they seriously want me to enter in cc information into my phone?

Fortunately, these phones are totally secure and cannot be hacked. Not only that, the app is 100% secure.

Re:Srsly? (1)

ricosalomar (630386) | more than 2 years ago | (#39376157)

Perhaps I'm missing something, but why would I care about entering my CC info into a phone? I'm not liable for any unauthorized charges. In the country where I live, it's the vendor who's liable, not me, and certainly not the bank, may their names be praised.

Re:Srsly? (1)

ledow (319597) | more than 2 years ago | (#39376513)

Because your credit charges, card fees and interest rates will end up directly reflecting the amount of fraud that occurs.

It's already started with companies charging X% for different cards because they have been forced to absorb the fraud (since the Chip-and-PIN introduction in the EU, for example, which pushed liability to the retailer), every charge you get made against you ends up costing everyone involved - retailer, bank, card company, intermediate suppliers and, eventually, you.

You think that free money that's obtained by the people who commit fraud materialises out of nowhere once your credit card refunds you?

Don't do business with merchants who use this (1, Informative)

frovingslosh (582462) | more than 2 years ago | (#39376195)

It is nice to see what the thumb-size card reader looks like, and I assure you that if I ever see one I'll refuse to let that seller scan my card. Paypal is one of the most absurd abuses to ever come out of the Electronic Bay of thieves, and I'll never do business with them. This even concerns me that some retailer might try processing your info through Paypal without your knowledge or consent.

Re:Don't do business with merchants who use this (0)

Anonymous Coward | more than 2 years ago | (#39378291)

I love PayPal. Been using it for years - never had a problem.

These little things are all over the place. (1)

Anon-Admin (443764) | more than 2 years ago | (#39376265)

Paypal is to to the arena, I have seen these little smart phone CC readers in a lot of places. The most common place is at Gun shows.

Then, how will Paypal handle that? They don't allow you to use their service to sell guns, ammo, explosives, etc. but with these readers there is no way to check what you are selling.

Will they start locking accounts randomly until the seller submits what they are selling?

Will they contact the customer for a "Survey" to see what was bought?

I wonder if the local dealers will start taking CC's for a dime bag?

Ahh well, Paypal sucks and I would never use them because of their draconian methodologies and rules.

please don't use paypal (0)

Anonymous Coward | more than 2 years ago | (#39376311)

If you have any respect for your money, do not use paypal. They are more predatory than credit card companies.

Will never leave Square (1)

hsmith (818216) | more than 2 years ago | (#39376463)

Sorry PayPal, I hate your business. Square built this model and has done a great job at delivering.

Between Square for face to face transactions and Stripe for Web Commerce, there have been quite a few "revolutions" with payments from these smaller companies and they are quite welcome.

This is cool, but... (2)

Overzeetop (214511) | more than 2 years ago | (#39376617)

Paypal is the refuge of last resort for processing things because they capture your money. Google and Square both sweep money into your account directly. And 1% back on debit card purchases from your Paypal account? Why not just use a real CC and get 1%-5% cash back, plus have your money in a real bank, and not have your account balance exposed to fraud.

Re:This is cool, but... (0)

Anonymous Coward | more than 2 years ago | (#39382667)

Merchants can sweep to their primary holding in Paypal.

Dunder Mifflin'ish (2)

bubblegoose (473320) | more than 2 years ago | (#39376699)

Does this remind anyone of the episode of "The Office" where Dunder Mifflin introduces a triangle shaped phone?

Re:Dunder Mifflin'ish (1)

patniemeyer (444913) | more than 2 years ago | (#39377159)

I actually thought it was a joke when I first saw the headline. This has to be the most unfortunate timing of a product release ever. Long live the Sabre (er, Paypale) Pyramid!

So paypal is like a bank... (0)

Anonymous Coward | more than 2 years ago | (#39376759)

But unlike a bank, they don't guarantee your deposits as they are not FDIC insured...

It seems like paypal is very much like a bank these days...

Why isn't PayPal regulated already? (1)

HerculesMO (693085) | more than 2 years ago | (#39376801)

It's a bank, for crying out loud. It just wants to avoid all the liabilities that being called a "bank" means. It's a freaking bank.

Re:Why isn't PayPal regulated already? (1)

icebraining (1313345) | more than 2 years ago | (#39379483)

It is in the EU. I'm not sure if it really helps, though.

Screw that (0)

Anonymous Coward | more than 2 years ago | (#39376869)

What's that "Le Ryan.mov" file on the desktop? What moron posts a screenshot of his/her whole desktop?

Let's count the number of Phone CC systems (2)

BetaDays (2355424) | more than 2 years ago | (#39377015)

Paypal finally comes in

Square up http://www.squareup.com/ [squareup.com]

Intuit Go Payment http://intuit-gopayment.com/ [intuit-gopayment.com]

Any others anyone knows about? There are those that don't have a Cc swiper on it but looking for a list of ones that give free swipers.

Re:Let's count the number of Phone CC systems (1)

witherstaff (713820) | more than 2 years ago | (#39382251)

I have used intuit for a few years for many sales. Being able to hand someone a paper receipt with the bluetooth swiper/printer is nice. Some people don't care for a receipt, the older crowd seem to demand it to feel comfortable.

home depot has a button on their checkout (1)

mapkinase (958129) | more than 2 years ago | (#39377191)

home depot has a button on their checkout. I am not sure if useable or not.

And if you're stupid enough to do this... (1)

gestalt_n_pepper (991155) | more than 2 years ago | (#39378593)

You deserve whatever you get. I predict wide adoption.

Looks great, except... (0)

Kamiza Ikioi (893310) | more than 2 years ago | (#39378721)

There's only one downside: It uses PayPal.

Certainly not a coincidence... (1)

alleycat0 (232486) | more than 2 years ago | (#39379613)

...that an ad for Squareup (served by ad.doubleclick.net) appears at the top of my browser window when viewing this article...

Didn't Apple patent this? (1)

walterbyrd (182728) | more than 2 years ago | (#39380215)

I thought there was a recent article on slashdot about Apple having already patented this.

But then, Apple seems to think they "invented" everything.

Check out Beanstream mobile (0)

Anonymous Coward | more than 2 years ago | (#39380255)

Full disclosure: I work in their IT department.

http://mobile.beanstream.com

Free app, 150 currencies, all major credit cards, PCI compliant.

The trouble with Paypal... (2)

bornagainpenguin (1209106) | more than 2 years ago | (#39380405)

...is that they are effectively a form of electronic currency for the internet. In itself that wouldn't represent a problem, but when Paypal's currency ceases to be neutral, such as it was in the whole Smashwords debacle [techdirt.com] it loses its value to most people because unlike the physical form it is not legal tender in all circumstances. Money needs to be neutral for it to work properly. Paypal has shown time and time again their willingness to muck about with what is considered legal tender with their currency so it is not a good option for people.

Worse yet, considering it is highly apparent that Paypal was lying about the Credit Card companies pressuring it (given how they were so easily able to flipflop on the issue [techdirt.com] ) this means their currency is not an honest one and cannot be relied on to retain value. While personally I have used Paypal in the past and never had any trouble, I have also been careful to limit my interactions with them and actively sought alternatives wherever possible. As time goes on and the kinds of incidents like the Smashwords one continue to add up it only increases my resistance to using Paypal wherever I can avoid it.

I imagine others feel the same...

right back where they started (0)

Anonymous Coward | more than 2 years ago | (#39385323)

Paypal used to have an app that would run on PalmOS devices that would allow you to pay other people with paypal accounts. It seems the mobile payment stuff got dropped once they jumped in with ebay.
