
PayPal Security Holes Expose Customer Card Data, Personal Details

Soulskill posted about a year and a half ago | from the time-to-do-a-chargeback-on-their-security-contractors dept.

Security

mask.of.sanity writes "Dangerous website flaws have been discovered in PayPal that grant attackers access to customer credit card data, account balances and purchase histories. The holes still exist. One was publicly disclosed after a failed effort in July to responsibly disclose them under PayPal's bug bounty program. PayPal is working to close the holes."


87 comments


PayPal is not a bank (5, Insightful)

DaTrueDave (992134) | about a year and a half ago | (#41853549)

And it's unfortunate that people sometimes consider it as safe as one. It's more like giving money to a trusted acquaintance to pay somebody for you. And about as reliable.

Re:PayPal is not a bank (5, Insightful)

HerculesMO (693085) | about a year and a half ago | (#41853599)

But the problem is that they operate like one. And as such, should be regulated as one.

Right now there is no recourse if people want to get their money out/back/etc, and if they were a normal bank they'd have to provide a method to extract money and some regulations around their "review" process.

Re:PayPal is not a bank (4, Insightful)

Kenja (541830) | about a year and a half ago | (#41853675)

They only operate like one when the users treat them like one, the same can be said for the corner store that offers a credit tab. I use PayPal, but never keep money in them, or do direct bank transfers to them, or accept their offers of credit.

Re:PayPal is not a bank (4, Insightful)

fredprado (2569351) | about a year and a half ago | (#41853777)

But the fact that people can do that means they provide all the services of a bank, even if you choose not to use them, and therefore should be regulated as one.

Re:PayPal is not a bank (1)

phorm (591458) | about a year and a half ago | (#41856439)

None of that will help you much if your credit-card # has been lifted from Paypal, which is unfortunate as credit-card was the safest way to deal with them (the horror stories of those with direct-linked bank accounts are numerous)

Re:PayPal is not a bank (4, Insightful)

firex726 (1188453) | about a year and a half ago | (#41853679)

Yep, they want all the functionality of a bank, but none of the regulation.

Re:PayPal is not a bank (5, Funny)

Kenja (541830) | about a year and a half ago | (#41853689)

Yep, they want all the functionality of a bank, but none of the regulation.

So they want to be a bank! <zing!>

Re:PayPal is not a bank (4, Insightful)

theendlessnow (516149) | about a year and a half ago | (#41855069)

If paypal were regulated like a bank, I'd get charged $10 a month for NOT using it.

Re:PayPal is not a bank (4, Insightful)

udachny (2454394) | about a year and a half ago | (#41853949)

Why would you want to break something that works for its purpose?

Let me rephrase the question: if you think your money is safer in a 'regulated bank', why would you put it into PayPal?

Again: if you think PayPal is not a safe 'bank' (and it's not a bank, it's a transfer mechanism, they don't give out business loans), then why would you have any significant amount of money sitting in it?

I use PayPal for what I find it convenient for - transfer of small payments. Sometimes I buy something online and pay through PayPal, that's what it is for AFAIC, I don't use it for anything else.

You want to take that and apply all the banking rules to it, do you know what it would do to the transaction cost? I mean in the USA alone there are over 100,000 financial regulations, rules, laws that banks and other financial institutions must comply with. Here you have something slightly different, you can use it for what it is, nobody is forcing you to use it as a bank.

Eventually people like you start crying: oh, it is similar to a bank, we must regulate it, otherwise it will ..... do what? Hand out Federally 'insured' loans to home buyers that can't afford the purchase?

Wait a second, isn't that what happened with the 'normal', regulated banks? (*and they are highly regulated by the state, just Patriot Act alone turned the banks into a spying application for CIA, DHS and FBI*)

So you want to destroy PayPal's ability to operate, because you want to enforce the existing banking rules upon them, whose side are you on? Clearly you are not on the side of people who use PayPal on daily basis for tiny transactions and find the service extremely useful.

You and the government of Argentina [slashdot.org] have something in common.

Re:PayPal is not a bank (0)

Anonymous Coward | about a year and a half ago | (#41854499)

roman_mir sockpuppet drivel. I want to apply the banking rules to the fucking BANKS. "Highly regulated" - what a fucking joke. You're the guy that "those who ignore the lessons of history are doomed to repeat them" was written ABOUT. Don't bother responding, I'm not interested in your opinion.

Re:PayPal is not a bank (1)

tlhIngan (30335) | about a year and a half ago | (#41854521)

I suppose the "Paypal is not a bank" loophole is to allow anyone to actually receive money from credit card payments without a merchant account.

Otherwise two random people needing to pay each other will have to do so via cash, money order, cheque or other transfer mechanism. Most of those ways involve the postal service in some form - which while I'm sure USPS would be happy, it goes against the whole "internet shopping" thing where you can buy stuff without having to trudge down to the store.

And I'm fairly certain that you cannot substitute a Google Checkout or Amazon Payments account for a Paypal account unless you happen to be a business (required for merchant accounts).

And trust me, merchants accounts screw you over just as badly as Paypal does.

Re:PayPal is not a bank (1)

udachny (2454394) | about a year and a half ago | (#41854621)

OK, why is it a 'loophole'?

A bank is a place you would bring your money to for storage, maybe you open a savings account, which means you want your money to be invested (of-course given the fake FDIC insurance, the banks don't even care to hold your money before you can withdraw from your so called 'savings' account, so you know the money is really fake because it doesn't really make any difference to the bank that supposedly it's being loaned out, so you can get a portion of the interest that the bank collects).

PayPal doesn't take your cash and give it out as loans, so at most it is a storage and transaction mechanism. Of-course if you go by the very original idea of what a bank is, then maybe, I suppose the very first banks were just holding deposits and not loaning the money out, but maybe even that is not true.

The point is that for PayPal to be a bank today, it would have to give out loans, that would mean that PayPal doesn't have 100% of the money that it claims it has on hands at any point in time. Is PayPal giving out loans with your deposit there?

Besides, who the hell even HOLDS 'deposits' in PayPal accounts except for merchants? When I buy something via PayPal I just charge it to my credit card, that's all the service is for AFAIC.

If people object that PayPal's 'deposits' are not federally insured - most people in the world hold their money in banks that have no such thing, no federal insurance of any kind, and those banks actually give out loans and hold fractions of the reserves.

PayPal is like online Western Union, a way to move some money from person A to person B, this does not make them a bank.

Re:PayPal is not a bank (5, Insightful)

tibit (1762298) | about a year and a half ago | (#41854637)

Are you a shill or are you serious?! The transaction cost on PayPal is ridiculously high as it is. I'm sure it can cover compliance with banking rules, with plenty left to spare. Go read ebay's financial reports, they own PayPal. PayPal's profit margins make regular banks look silly, and it's not due to lack of regulation. Nobody would bank in a bank that has fee structure of PayPal. But then there are no alternatives to PayPal, so if they were regulated like a bank it wouldn't change a thing for the worse for anyone, except that people's lives wouldn't be ruined if some outsourced guy in their "customer support", who has no clue about U.S. culture and customs, gets suspicious about a transaction that got flagged.

The whole "don't keep money in PayPal" spiel is stupid, you obviously don't have a fucking clue what you talk about. If PayPal decides you owe them, or they want to hold on to some of your money, they'll do it no matter what your account balance is. You just end up with negative balance that's due and payable now, and if you happen to have a linked checking account (like you need to not to face silly transaction limits), they'll gladly take the money out from there whether you like it or not. If your checking happens to be dry (anyone sane has a separate account for use with paypal), you'll be slammed with NSF fees from both ends, and you'll still owe PayPal, and it will show up on your credit report very quickly. Basically PayPal can screw you, and unless you have plenty of money for lawyers, there is absolutely no recourse. Even if you have money for lawyers, you'll only recover your costs if you manage to extract punitive damages. Otherwise you'll pay $50k for lawyers to recover what, 10% or less of it? Banking on being awarded attorney costs just because you were the one who was wronged is naive as well.

Re:PayPal is not a bank (0)

Anonymous Coward | about a year and a half ago | (#41854717)

Are you a shill or are you serious?!

He's serious about /. alright... serious enough to create a sockpuppet account to avoid his terrible karma.

It's all openly stated in his signature link.

Re:PayPal is not a bank (1)

udachny (2454394) | about a year and a half ago | (#41854869)

Are you a shill for the political elite, who, I am sure, want to regulate every single thing and creature under the Sun, so they can impose their own costs and controls over everybody?

I don't see transaction costs of PayPal being 'ridiculously high' at all, I like their service. In fact there [wmtransfer.com] ARE [ukash.com] alternatives [bitcoin.org] (and more [wikipedia.org] ), and I do not like them.

If you do not like their transaction costs, why are you using them? Nobody is FORCING you to use them, right? It's not like somebody is standing with a gun to your head, saying: here, use this PayPal, it's 'good for you', or is there?

PayPal's profit margins are their business, saying that banks would blush if they had those profit margins is disingenuous, banks get 'FDIC insurance', banks get fake credit from the Fed, banks post 'record earnings' based on the spread they make from the Fed's 0% interest rates to Treasury's 2-3% bond purchases.

I don't put debit card into PayPal I use my credit card, if PayPal wants problems it can get them and not from me, from the credit card company. So if your mode of operation: give anybody my banking information and never expect any problems, well, no amount of FDIC and 'consumer protection' will help you.

Re:PayPal is not a bank (0)

Anonymous Coward | about a year and a half ago | (#41855693)

Everyone: If it looks like a bank, and acts like a bank, it's a bank.

Libertarians: Fuck it.

Re:PayPal is not a bank (1)

tibit (1762298) | about a year and a half ago | (#41859661)

Sweetheart, I don't know where you live, but if you're on eBay, you either accept paypal or you don't do business. That's all there's to it. Sure nobody is forcing me to use them, just as nobody is forcing me to go to work, or to do business on eBay. But then you'd be bitching I'm living off gov't handouts, right? So, you see, the reality is that if you want access to the unique marketplace that eBay is (there's nothing else that remotely compares to it), you have to use paypal. That's the end of this story.

Re:PayPal is not a bank (2)

udachny (2454394) | about a year and a half ago | (#41860635)

Honey, nobody gives a hoot about your business model. You are so quick to jump on PayPal, you want it to be a bank? So which bank exactly do you want PayPal to be, Bank of America? Citi? HSBC? They are ready to take over that business and handle it with such care, that you'll be out of business in no time.

Maybe you want the same rules and regulations and taxes and laws to apply to your eBay store as there are IRL rules and taxes and laws and regulations that apply to Brick and Mortar stores? How quickly would you fold if you had to comply with everything that they have to comply with? It wouldn't take too long, besides, you'd be outsold by their online presence if PayPal is turned into a 'real' bank in the first place.

You think PayPal is bad for business? Nobody prevents you from charging VISA or taking a check for your eBay transactions.

You don't like living off of gov't handouts? So why do you want to turn another company into a bank, so that they could get government handouts? FDIC is a handout. So is Federal Reserve discount window.

Here is eBay's policy on payments with the list of the options [ebay.com]

For the lazy:

Allowed:

PayPal

ProPay

Skrill

Paymate

Credit card or debit card processed through the seller's Internet merchant account

Payment upon pickup

Bill Me Later

--

Restricted but still allowed for certain listing categories:

Bank-to-bank transfers (also known as bank wire transfers and bank cash transfers)

Checks

Money orders

Online payment services: Allpay.net, CertaPay, hyperwallet.com, Fiserv, Nochex.com, XOOM

Re:PayPal is not a bank (1)

bitingduck (810730) | about a year and a half ago | (#41854899)

Are you a shill or are you serious?! The transaction cost on PayPal is ridiculously high as it is. I'm sure it can cover compliance with banking rules, with plenty left to spare.

They're one of the few places you can get different rates for micropayments (less than $10) on cc processing, which does make them less expensive for some types of transaction. Most of mine are less than $5, so I need that. But for regular cc processing they're comparable to regular banks/merchant accounts. Other than that, you're probably pretty accurate.

Re:PayPal is not a bank (1)

phorm (591458) | about a year and a half ago | (#41856467)

But then there are no alternatives to PayPal

Actually, there are. Google Wallet is one example.
Unfortunately, paypal is the de-facto (often only, and required) payment provider for eBay. How they've avoided anti-trust on this I'm not sure (or a class-action for that matter, considering that ebay's shown exchange-rate differs greatly from what paypal actually ends up with).

Re:PayPal is not a bank (1)

tgd (2822) | about a year and a half ago | (#41856599)

I use PayPal for what I find it convenient for - transfer of small payments. Sometimes I buy something online and pay through PayPal, that's what it is for AFAIC, I don't use it for anything else.

On top of that, it makes a very handy point of abstraction between my credit cards, and shifty or untrustworthy sellers. Unlike my credit card information, PayPal payments leave the transaction details in PayPal's systems, not some fly by night's systems. And (most importantly, in my experience) PayPal makes it trivial to stop and permanently block recurring payments. Normal credit cards can't do that -- once a recurring payment is set up, even if your expiration date or security code changes, they can still keep right on billing. The only way to block it if you have a company (*cough*XMRadio) that keeps billing you no matter how often you cancel is to change your credit card account number. If you're lucky enough that a shady company like that, which makes it almost impossible to cancel an account, takes PayPal (*cough*angieslist), it's a couple clicks to stop and block the recurring payment permanently.

That alone is worth using PayPal for.

Re:PayPal is not a bank (1)

udachny (2454394) | about a year and a half ago | (#41856687)

Precisely, I wouldn't buy almost anything online if I always had to give my CC number to every merchant, this way PayPal knows my credit card, and I know it knows it, but the other people will have to deal with PayPal not with my credit card. In fact I very rarely buy anything online unless I can proxy the payment through PayPal (and in some cases WebMoney, but that's for a slightly different purpose).

Re:PayPal is not a bank (0)

Anonymous Coward | about a year and a half ago | (#41861963)

I use PayPal and you are totally full of shit.

People use PayPal because there is no alternative. It's a shitty service. I use it frequently, but I can't say I enjoy it and I certainly worry about encountering the frequent issues other people have with their accounts getting frozen.

PayPal is incredibly poorly run. I hope regulators do tighten things up and make PayPal honest. I'd feel a lot better about using it then.

Re:PayPal is not a bank (3, Insightful)

dkleinsc (563838) | about a year and a half ago | (#41854749)

That's why I'm of the view that we need to introduce "duck-typing" (if it walks like a duck, etc) to regulatory systems:

Instead of saying "If you are a bank, you must protect depositors by doing XYZ", say "If you have any kind of customer deposit account, you must protect depositors by doing XYZ". It's about regulation based on behavior rather than regulation based on classification, preventing the old "We're not a bank, we're a money transfer system / mortgage brokerage / ..."

Re:PayPal is not a bank (0)

Anonymous Coward | about a year and a half ago | (#41855911)

But one good thing about Paypal is that they don't issue money. Banks issue 97% of the money in existence, in the form of debt. i.e. 97% of the money that exists was created out of nothing, by banks, when people asked for loans from them.

Banks also don't actually hold most of the money which their customers BELIEVE is in their accounts.

www.positivemoney.org.uk

Re:PayPal is not a bank (1)

defaria (741527) | about a year and a half ago | (#41856211)

Regulation is not the solution - Wall Street has lots of regulations - they also have Bernie Madoff.

And what the hell are you talking about that people have "no recourse if people want to get their money out/back/etc"!?!? There are already plenty of laws about property and ownership of all kinds of things as well as plain ole money. There's also laws about fraud, etc. People have as much recourse with getting their money back from Paypal as from any other business or store for that matter. People have no recourse?!? BULLSHIT!

Re:PayPal is not a bank (0)

Anonymous Coward | about a year and a half ago | (#41857219)

Regulation is not the solution - Wall Street has lots of regulations - they also have Bernie Madoff.

And what the hell are you talking about that people have "no recourse if people want to get their money out/back/etc"!?!? There are already plenty of laws about property and ownership of all kinds of things as well as plain ole money. There's also laws about fraud, etc. People have as much recourse with getting their money back from Paypal as from any other business or store for that matter. People have no recourse?!? BULLSHIT!

Where's that '-1 ignorant moron' mod when you need it?

Re:PayPal is not a bank (1)

AdamWill (604569) | about a year and a half ago | (#41862135)

Wall Street *had* lots of regulations.

Then Bush got elected (okay, to be fair, Clinton was hardly a big regulator either), and cut all the regulations, because they were just unnecessary government interference and red tape, needlessly restricting the efficient movement of capital.

Witness: the result.

Re:PayPal is not a bank (1)

AdamWill (604569) | about a year and a half ago | (#41862109)

(channels a slashdot libertarian)

Not to worry, the free market will take care of that for you. Competing payment sites will emerge, offer better security and customer protection, and eat PayPal's lunch. Everything will be fine!

(stops channelling slashdot libertarian)

Notice how that hasn't happened.

Re:PayPal is not a bank - it is in Europe! (4, Interesting)

stiggle (649614) | about a year and a half ago | (#41853751)

Paypal Europe is a Luxembourg based Bank and regulated in the EU as such.

Re:PayPal is not a bank - it is in Europe! (2)

ccguy (1116865) | about a year and a half ago | (#41853951)

Paypal Europe is a Luxembourg based Bank and regulated in the EU as such.

I keep hearing this. Maybe they should be regulated like one, but they definitely don't behave any different over here than they do over the US. I have an account in both places (I'm Spanish but used to live in the US) so I know quite well.

Paypal STILL abuses all they want. Just the other day, I applied for a *debit* card in my US account. It was denied instantly (possibly because I did it via a Spanish IP address). My account is now under supervision, and they want proof of SSN (which I had already sent years ago), picture ID, and more. If not, well, funds on hold, account useless and so on.

In general, using your perfectly fine account from overseas will cause problems. Serious ones. It's not like they call you to check things. They just put everything on hold and ask for documentation you may not have with you, and even if you did you may not want to share with them.

Re:PayPal is not a bank - it is in Europe! (0)

Anonymous Coward | about a year and a half ago | (#41854281)

Are you sure that your problems aren't caused by regulation? I can quite easily see a regulatory requirement that they avoid international transfers between fake accounts. By opening accounts in two countries, you could easily be falling prey to such a regulation. Banks tend to be more picky about such things, not less. I once tried to cash a check while my driver's license was suspended. No go; no way. This was while I was in college, so I had student ID. Unfortunately, they wouldn't accept it.

Re:PayPal is not a bank - it is in Europe! (1)

niado (1650369) | about a year and a half ago | (#41854293)

This behavior is primarily to protect against ID theft. They work under the assumption that if someone performs account actions in a country foreign from their home address, it's reasonably likely they are not actually there and someone has stolen their account information.

Actual banks perform similar activities to prevent ID theft, which is currently rampant. Several times I have had my debit card (through a bank) frozen due to sudden account activity in another US state, not even overseas. Usually this is just a source of frustration, but one time I was very glad that it happened, since the account activity really was fraudulent.

Re:PayPal is not a bank - it is in Europe! (1)

ccguy (1116865) | about a year and a half ago | (#41854491)

This behavior is primarily to protect against ID theft. They work under the assumption that if someone performs account actions in a country foreign from their home address, it's reasonably likely they are not actually there and someone has stolen their account information.

How the fuck is asking me to send someone I don't know at all a scanned copy of a picture ID *help* protect my ID? You really have it backwards.

Re:PayPal is not a bank - it is in Europe! (1)

niado (1650369) | about a year and a half ago | (#41856179)

This behavior is primarily to protect against ID theft. They work under the assumption that if someone performs account actions in a country foreign from their home address, it's reasonably likely they are not actually there and someone has stolen their account information.

How the fuck is asking me to send someone I don't know at all a scanned copy of a picture ID *help* protect my ID? You really have it backwards.

Picture ID is generally used as a cursory method of proving your identity. If you let someone take care of your money but aren't comfortable with them having your picture ID, then you will need to find someone besides paypal, as they aren't in the business of money laundering.

Though I do agree that it would be better if they called you to check on a suspicious transaction. Banks do this, and usually don't require as many hoops to jump through as paypal does, oddly enough.

Which doesn't actually help much (1)

Anonymous Brave Guy (457657) | about a year and a half ago | (#41856275)

Unfortunately, given the standard of regulation of banks in the relevant jurisdiction, that doesn't mean very much at all. In practice, you would probably still have to take legal action against them in another country if they screwed you in one of their notorious surprise moves, such as freezing your account because you irritated some automated potential fraud algorithm with an imperfect heuristic.

Unless they locked up an account belonging to a business with serious transaction volumes (and by that point they reportedly pay more attention to customer service anyway) it seems unlikely that most people would find it cost effective to go after them in court. So being regulated as a bank in Luxembourg isn't really worth much at all, except for apparently being quite effective in convincing people like the parent poster that PayPal in Europe is a safer bet than their infamous US operation.

(I am neither a lawyer nor an accountant, but I have investigated this issue from a business point of view relatively recently. At that time the legal/regulatory situation appeared to be quite clear and obviously in PayPal's favour.)

Re:PayPal is not a bank (0)

Anonymous Coward | about a year and a half ago | (#41853767)

Actually in europe they are a bank.

Re:PayPal is not a bank (0)

Anonymous Coward | about a year and a half ago | (#41854613)

The real problem with PayPal is that if you buy ANYTHING on eBay you are almost always REQUIRED to use PayPal to pay for it. I used to be able to send Western Union money orders to pay for items, but that is no longer the case, and if you have any problems with PayPal (and if you use them a lot, you will), they are quite less than helpful. They mostly auto-scan your email, and auto-reply with something from their FAQ that does not resolve or even help with the problem.

Re:PayPal is not a bank (1)

mynamestolen (2566945) | about a year and a half ago | (#41856297)

Mod parent up! I stopped using paypal anyway when they cut off Julian Assange donations. Scum.

Re:PayPal is not a bank (1)

aztracker1 (702135) | about a year and a half ago | (#41856059)

Given that my actual bank password cannot be anything other than US letters and numbers, no special characters (at two banking institutions)... An incident where I had over a million dollars in my account (magically) for a couple days, another where a bank error cost me a few hundred, and another still when a merger lost a friend over 10K with no tracking ability... I don't trust banks all that much either.

Re:PayPal is not a bank (1)

Pax681 (1002592) | about a year and a half ago | (#41857669)

In Europe it is regulated as a bank, see below for a quote from the wiki page ;) [wikipedia.org]

As of July 2007, across Europe, PayPal also operates as a Luxembourg-based bank.

Regulatory link for Europe here [wikipedia.org].
However, they do take the piss as it happens. Even though they are based in an EU country, they seem to get away with some odd procedures I don't think other banks do get away with.

Re:PayPal is not a bank (1)

slick7 (1703596) | about a year and a half ago | (#41857935)

And about as reliable.

The only thing reliable is the banksters death grip on debt slavery. The safest place for money is your pocket, in a land of avarice.

Re:PayPal is not a bank (1)

helix2301 (1105613) | about a year and a half ago | (#41858035)

People need paypal to run their business, imagine how they feel about this. Paypal needs to step up their security team ASAP.

Re:PayPal is not a bank (1)

sjames (1099) | about a year and a half ago | (#41859403)

I wouldn't go that far, I don't know PayPal well enough to call them an acquaintance, much less a trusted one.

More like giving the money to a stranger who looks like he might not be homeless and jonesing and hoping for the best.

Re:PayPal is not a bank (0)

Anonymous Coward | about a year and a half ago | (#41860021)

They are one when it suits them.

Irresponsible disclosure (3, Insightful)

Hatta (162192) | about a year and a half ago | (#41853755)

If this bug has been known since July your failure to publicly announce it has left thousands of people vulnerable for months. That is irresponsible disclosure. Responsible disclosure is immediate disclosure. Period.

Re:Irresponsible disclosure (4, Insightful)

X0563511 (793323) | about a year and a half ago | (#41853809)

Give them maybe a week to at least respond. Then go full public. Give them a chance (months is not just a "chance" so, you're still right on that count)

Re:Irresponsible disclosure (2, Funny)

Anonymous Coward | about a year and a half ago | (#41854235)

Don't go public - sell the vulnerability on eBay to the highest bidder. It makes the public aware of the issue - without disclosing the details - and allows PayPal to keep the details a secret if they want to.

Re:Irresponsible disclosure (1)

AmiMoJo (196126) | about a year and a half ago | (#41860573)

Give them an hour. That is long enough to confirm the problem and take their site offline until they can fix it. Otherwise people could be being robbed while PayPal ignore your email for a week. Reading this guy's description of how easy it was to find the flaw you would have to assume that others already knew about it.

In PayPal's case it is particularly important to act quickly because they are incredibly slow to react and have been hacked before. PayPal doesn't look after its customers, and won't act on your report promptly anyway.

Re:Irresponsible disclosure (0)

Anonymous Coward | about a year and a half ago | (#41854259)

You're an idiot. Period.

Re:Irresponsible disclosure (3, Insightful)

wbr1 (2538558) | about a year and a half ago | (#41854937)

They had to wait to disclose till they changed their TOS to stop class action suits. Simple.

eCommerce, !Paypal (-1, Offtopic)

corychristison (951993) | about a year and a half ago | (#41853825)

I've been converting my website clients to Stripe [stripe.com] , now that they are available in Canada.

These are clients I set up when they were just starting up and had no other means of accepting credit cards. Most now have merchant accounts, but some have transaction fees through the roof, Stripe has better rates in most cases and no monthly fees.

That exact same information (3, Insightful)

s0nicfreak (615390) | about a year and a half ago | (#41853975)

could be gotten by opening up my bank statement. Address, account number, past purchases, account balance (though likely a couple of days out of date). Heck, anyone walking down the street can get my address, can see previous purchases if I have my curtains open, and could use my address to find my phone number. I'd be much more worried about someone walking up to my mailbox and opening my bank statement, but only because then they're right at my door (and could come in and attack me), rather than who-knows-where viewing it on the internet. But why fear that information getting out at all? My bank account has protections against use by unauthorized people, and if I had a real credit card it would as well (personally I use prepaid credit cards which don't have such protections, but I only put on what I'm going to use). I have at least half a brain and don't leave money in paypal. So I'm not sure exactly what the fear is here. Paypal can't even be used for adult services, so it's not like someone is going to print out your fleshlight purchases and send it to your boss/wife/etc..

If Paypal were regulated like a bank, all similar services would be as well, and that would just raise the bar of entry and ensure no competitor ever puts up a fight against paypal. It would also eventually ensure that people that can't get a bank account or credit card for whatever reason can't do online transactions. (I'm sorry but I am willing to take people's money even if they overdrew their account when they were a broke college student and ended up in Chexsystems.) Paypal sucks, but personally I NEED what it does, as do MANY other people - so either it needs to keep doing it or someone else has to start doing it better. If someone could start a service doing what it does but with all the regulations of a bank, they'd be doing it.

Re:That exact same information (4, Insightful)

sunderland56 (621843) | about a year and a half ago | (#41854299)

Walking down your street and stealing your mail gets *one* account. Hacking PayPal gets millions.

Walking down your street also entails a physical presence in the USA, and makes you subject to federal laws (stealing mail is a federal crime). Hacking PayPal can be done from anywhere, with no need to ever be on American soil, or even in any country with an extradition treaty.

Re:That exact same information (2)

s0nicfreak (615390) | about a year and a half ago | (#41854453)

So you are saying the point is not the protection of your account, but the punishment of the person stealing your account? How is it "dangerous" for the person stealing your information to not be punished?

Re:That exact same information (1)

dkleinsc (563838) | about a year and a half ago | (#41854875)

The point is: The risks are higher, the payoff is less, and like any other law the incentive not to violate it is the risk of being punished.

Re:That exact same information (1)

s0nicfreak (615390) | about a year and a half ago | (#41855733)

But you're just explaining to me why someone would be more willing to steal this information online; I'm asking what the danger is in this information being taken by someone, online or off.

Re:That exact same information (1)

s0nicfreak (615390) | about a year and a half ago | (#41856005)

(I apologize for the typos, I swear my keyboard is malfunctioning.)

Re:That exact same information (2)

tibit (1762298) | about a year and a half ago | (#41854701)

Wait, people still get their bank statements in the mail?! What for, may I ask? Every bank out there offers paperless communications. It's silly not to use it.

Re:That exact same information (1)

s0nicfreak (615390) | about a year and a half ago | (#41854833)

Personally, two reasons. 1. We have savings accounts for our kids, and with the younger ones don't want to require them to view the statements online just yet. 2. I run a home business, and when I'm figuring out financial things, doing my taxes etc. I just find it easier to deal with paper.

My inlaws get paper statements because they refuse to do any online banking, which is a good thing as they occasionally get viruses that would grab their banking info if they did...

Re:That exact same information (1)

tibit (1762298) | about a year and a half ago | (#41859727)

What about just printing out the statements every month? It's surely more resource-conscious than having to ship two sheets of paper in an envelope every month, for every account? Heck, you can easily automate it, so that when the statements are available they'll just "magically" print out. That's how I do it.

Re:That exact same information (1)

s0nicfreak (615390) | about a year and a half ago | (#41885141)

Then I would have to pay for more printer ink. A small amount yes, but it adds up over time. As the mailman is already bringing me other mail and the bank is already printing out other statements, it takes no extra resources to print nor bring me mine.

I'd also have to ensure my printer is plugged in at print time if I automated it. I keep my printer unplugged until I'm using it. So printing it out would be extra work for me; a small amount, but still enough for me to prefer the convenience of the bank printing it for me. Since I am not afraid of someone having the info (because still no one has told me why I should fear it), I am not afraid of it being in my mailbox, and therefore I have no reason to give up that convenience. Not that I'm putting down anyone for whom not getting a paper statement is more convenient, or takes less resources, etc.; but for my lifestyle, right now, I want paper statements.

Re:That exact same information (1)

tibit (1762298) | about a year and a half ago | (#41896015)

I guess if you don't automate the "IT stuff" in your home, then it's surely less hassle to get paper stuff mailed in. At home I use a USB controlled powerstrip [pwrusb.com] and have tweaked my iMac's cups to turn the laser printer on and wait a bit before trying to use it, and then to turn it off if unused for 2 minutes. I have a little laserjet P1006 that has phenomenal start-up time and throughput for such a cheap, low-end device (usable in 15 seconds from cold start). I similarly turn off the time capsule when there are no more connections to it at night for at least 15 minutes. It gets turned back on in the morning. I also heavily automate various online tasks such as downloading account statements. Banks do faux-security and wouldn't email the damn statements, even if the recipient's email server supports smtps. For the TV and other devices that I want to centrally control, I use a little ethernet-attached industrial I/O system with relay outputs (Beckhoff's BK9000), and talk to it via Modbus. I'm sure there are cheaper things than Beckhoff's out there, but I got them very cheaply on eBay together with I/O modules.

Re:That exact same information (0)

Anonymous Coward | about a year and a half ago | (#41854349)

Well, the key here is any *one* can get your info by following you around, stealing your mail, going through your garbage, etc. Any *number* can effectively do that if your financial info is openly available on the 'net. That is a big difference. Oh, and you need a credit card to use paypal so you don't really need paypal, you just need a more useful credit card.

Re:That exact same information (1)

s0nicfreak (615390) | about a year and a half ago | (#41854441)

Anyone going through my mail could then post that info on the internet. You don't need a credit card to use paypal. You need paypal to ACCEPT paypal transactions, transactions from the many people in the world that can't/won't get a credit card, that can't get a bank account with a debit card that works as a credit card, or don't trust other online credit card processors. The amount of money it would take to use a processor with bank regulations would mean I would be making no profit.

Not the same if using temp credit card number ... (1)

perpenso (1613749) | about a year and a half ago | (#41854623)

could be gotten by opening up my bank statement. Address, account number, past purchases, account balance (though likely a couple of days out of date)

It's not the same info if you give paypal a temporary credit card number, the sort your bank gives you through their webpage. These numbers are aliases for your real number but you get to pick the max amount to be charged and the month the card expires in. Some of these numbers even lock to the first vendor to post a charge. So if "stolen" and there is money left on the alias a 3rd party can't post a charge.
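To make the controls the comment above describes concrete (a spending cap, an expiry month, and an alias that locks itself to the first merchant that charges it), here is an added example in Python. It is a model written for this page, not any bank's or PayPal's actual implementation; the class, field and merchant names and the sample charges are all constructed for illustration.

```python
"""Model of a single-use / merchant-locked card alias (added example, not vendor code).

The alias stands in for the real card number. Each charge request is checked against
three controls the issuer let the cardholder pick: an expiry month, a maximum total
amount, and (optionally) a lock to whichever merchant posts the first approved charge.
A charge is committed only if every check passes, so a declined first charge does not
lock the alias to the declining merchant.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import List, Optional, Tuple


@dataclass
class CardAlias:
    alias_pan: str                 # the alias number handed to the merchant (constructed, not a real PAN)
    max_amount: Decimal            # cap on the sum of all approved charges
    expires_yyyymm: str            # last month the alias is valid, e.g. "2012-12"
    lock_to_first_merchant: bool = True
    locked_merchant: Optional[str] = None   # set by the first approved charge when locking is on
    spent: Decimal = Decimal("0")           # running total of approved charges

    def authorize(self, merchant_id: str, amount: Decimal, yyyymm: str) -> Tuple[bool, str]:
        """Return (approved, reason). State is updated only on approval."""
        if amount <= 0:
            return False, "invalid amount"
        # "YYYY-MM" strings compare correctly as plain strings.
        if yyyymm > self.expires_yyyymm:
            return False, "alias expired"
        if self.lock_to_first_merchant and self.locked_merchant is not None \
                and merchant_id != self.locked_merchant:
            return False, "merchant mismatch (alias locked to %s)" % self.locked_merchant
        if self.spent + amount > self.max_amount:
            return False, "over cap (remaining %s)" % (self.max_amount - self.spent)
        # All checks passed: commit the charge and, on the first approval, lock the merchant.
        self.spent += amount
        if self.lock_to_first_merchant and self.locked_merchant is None:
            self.locked_merchant = merchant_id
        return True, "approved"

    def remaining(self) -> Decimal:
        return self.max_amount - self.spent


def run_scenario() -> List[Tuple[str, bool, str]]:
    """Constructed sequence: the alias is given to one merchant, then the alias
    leaks and a third party tries to charge the unspent balance."""
    alias = CardAlias(alias_pan="4111 0000 0000 0000", max_amount=Decimal("50.00"),
                      expires_yyyymm="2012-12")
    charges = [
        ("merchant-a", Decimal("20.00"), "2012-11"),   # legitimate first charge -> locks alias
        ("mallory",    Decimal("10.00"), "2012-11"),   # leaked alias used elsewhere -> declined
        ("merchant-a", Decimal("35.00"), "2012-11"),   # over the remaining 30.00 -> declined
        ("merchant-a", Decimal("30.00"), "2012-11"),   # exactly the remainder -> approved
        ("merchant-a", Decimal("1.00"),  "2013-01"),   # past expiry month -> declined
    ]
    results = []
    for merchant, amount, month in charges:
        ok, reason = alias.authorize(merchant, amount, month)
        results.append((merchant, ok, reason))
    return results


if __name__ == "__main__":
    for merchant, ok, reason in run_scenario():
        print("%-10s %-8s %s" % (merchant, "APPROVED" if ok else "DECLINED", reason))
```

The point of committing state only after all checks pass is the failure mode the comment hints at: if a thief gets the alias before the legitimate merchant has charged it, the lock has not engaged yet, so the cap and expiry are the only protection. Picking a cap close to the intended purchase and a short expiry keeps that window small.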

Re:Not the same if using temp credit card number . (1)

s0nicfreak (615390) | about a year and a half ago | (#41854693)

Good point. If you use paypal like that, it would give out little more info than anyone walking down your street - or anyone looking at Google maps, for those of you yelling that it's different online for some reason - can already see.

If you're victimized by this (4, Insightful)

NoNonAlphaCharsHere (2201864) | about a year and a half ago | (#41854015)

You can always file a class action lawsuit. Oh. Wait.

Re:If you're victimized by this (2, Interesting)

Anonymous Coward | about a year and a half ago | (#41854989)

You can always file a class action lawsuit. Oh. Wait.

IANAL, but couldn't we organize as many affected people as possible to simultaneously file individual Small Claims for their maximum value (now $10,000 here in California for individuals, $5,000 for business) all over the country? How many representatives do you think PayPal can (or is willing to) send to each and every court case? The majority of people will probably win on default.

PayPal can either pay a few million up front on a class action, or up to $10,000 per person individually. Personally, I'd rather go for the small claims. More money for you (it's expensive to get your identity back if stolen) and potentially higher penalty for PayPal if you can get everyone to file claims. It is unlikely they'll file for bankruptcy and skimp out on the collection, and their "wages" should be adequate enough to see a lump sum.

xxxterm (-1)

Anonymous Coward | about a year and a half ago | (#41854025)

I don't know for sure if this will protect you, but it seems like something worth checking out. https://opensource.conformal.com/wiki/xxxterm [conformal.com]

Serious Concern over Partnership with Discover? (1)

fallen1 (230220) | about a year and a half ago | (#41854119)

Should this not cause everyone who has a PayPal account serious concern since Discover will be issuing cards to each person with a PayPal account? Will this card number be linked to your PayPal account AND visible in your PayPal account information?

While I don't think they have started issuing cards yet, this is still a current and future problem. IF they had started issuing cards and even if you had no money in your PayPal account, they could still attempt to use the Discover number, if known, and see what they can get. If I was Discover, I'd be blowing up PayPal's phones with calls to the CEO discussing this situation - and our very reasonable consideration to kill the deal.

PayPal should be a BankLite (1)

RobertLTux (260313) | about a year and a half ago | (#41854223)

as long as they can Hold Funds (and basically say Not Going to Tell You Why So FOAD) they should either

1 be required to release funds by Court Order

or

2 be prosecuted under RICO laws (and any other banking fraud regs)

I wouldn't require them to hold to the entire stack of regs that a full Bank would, but holding Millions of Dollars in funds for %random_reason% needs to stop NOW.

Template Message To EBay Sellers (-1)

Anonymous Coward | about a year and a half ago | (#41854225)

Given the ongoing security problem with PayPal ( http://it.slashdot.org/story/12/11/02/1444250/ [slashdot.org] ), do you accept any other payment method?

Ebay & Paypal pissed off a lot of people (2)

npetrov (1170273) | about a year and a half ago | (#41854397)

Many years ago I disclosed a vulnerability to Ebay to get any user's email.

It took 2-3 hours to talk to their tech support and convince them that this is a serious problem. I had to show multiple examples of telling them emails of users randomly picked by tech support. Eventually they closed the hole. Within 12 hours actually, which was not too bad.

Several years later, when I had some issues with Ebay, they did not want to take that help into account.

Ebay & Paypal had so many changes over the past 5 years and pissed off a lot of people as a result. No wonder someone went public with the issues. I used to have multiple power seller accounts, and after all these changes I stopped selling there.

If I saw a vulnerability now with either ebay or paypal, I'd not bother telling them. I'd actually just wait for a story like that and laugh at them from a perspective of what goes around - comes around.

Re:Ebay & Paypal pissed off a lot of people (1)

Lumpy (12016) | about a year and a half ago | (#41855039)

It's why I dont use ebay any more. Their fees are insane and overall it's a bad deal for everyone involved.

Re:Ebay & Paypal pissed off a lot of people (1)

npetrov (1170273) | about a year and a half ago | (#41862587)

What is rather odd is that I did not buy or sell anything for several years after that incident. However, recently I have been buying a lot of stuff that costs $2-3 including shipping. It really beats me how this sales model makes sense to anyone.

PCI, anyone? (3, Interesting)

dkleinsc (563838) | about a year and a half ago | (#41854533)

If Visa, Mastercard, Amex etc are treating everyone fairly, it seems like PayPal would now be due for a major smackdown courtesy of the big-name credit card networks. I'm talking about a $10^9 order of magnitude smackdown. If I recall correctly, proper compliance means certifying a bunch of stuff under penalty of perjury, which means that PayPal is not only organizationally breaking the rules but may have individuals breaking the rules as well.

Of course, equally likely, these companies will be too worried about hurting their relationship with a big payment processor to actually do anything about it.

Re:PCI, anyone? (1)

evilviper (135110) | about a year and a half ago | (#41889457)

Payment card companies can only push around the little guys. If PayPal is anything but incompetent, they have lawyers OBSESSING over those PCI-DSS requirements, and ensuring they meet them TO THE LETTER, with the minimum of effort. "Compensating controls" appear in the regs an awful lot, so you have a blank check to make up your own pretend security methods. I know I worked for companies who did the same.

So those emails are right! (0)

Anonymous Coward | about a year and a half ago | (#41855807)

All those I get saying there's a problem with PayPal I've been discarding as spam, now I know they must be true.

Grounds for a class action? (2)

macraig (621737) | about a year and a half ago | (#41855819)

And this is precisely the sort of scenario that motivated me to take PayPal up on its unusual offer to "opt out" of its recent adjustment to its service agreement that attempts to force customers to only use singular arbitration and prohibit class actions altogether. These new clauses are all the rage in service industries; all the corporate kids are dying to get one. Valve has one, AT&T has one, and now PayPal. I'm sure there are hundreds more I don't know about or mindlessly clicked-thru. Why PayPal chose to give customers the ability to reject that clause I can't figure, but I exercised it and this incident is demonstrative why. The rest of you have until December 31st IIRC to consider the same; you aren't likely to get this choice often.

As to why these clauses are a big fucking deal, the New York Times [nytimes.com] and TechDirt [techdirt.com] both published good analyses of the Supreme Court decision last year that inspired it and the inevitable effects. It's the same Court that gave us the Citizens United ruling and others that are almost slavishly favorable to business at the expense of the common good.

I wish I didn't need Paypal (1)

mfh (56) | about a year and a half ago | (#41856731)

I use Paypal all the time on websites because of the "devil you know" philosophy. I know them. They are pretty evil, but at least I know to what extent they are evil. I'd like to sell stuff through them but well they are just too tough to deal with to make it worthwhile.

They have interfered with commerce on almost every level. Their API is pretty antiquated and full of obfuscated settings. By now I should be able to sign up to a website, give them my info, upload a virtual product, and collect money from whoever buys it.

I should NOT have to pay if someone tries to fuck them over. That's their problem. But Paypal totally ruins businesses that get targeted by chargeback scammers, to the extent that they SHOULD BE INVESTIGATED FOR FRAUD... because it's pretty likely that at least some employees in Paypal are fraudsters. This recent leak could have been an inside job.

If you ever need to dispute something with them just toss a coin. You'll never know if you'll win unless you have an agreement with them that is tested and works. But even then... who knows?

Don't try to do anything nice for anyone like collect charitable funds because you'll have a bad time.

Re:I wish I didn't need Paypal (0)

Anonymous Coward | about a year and a half ago | (#41861587)

I can certainly understand the "devil you know" philosophy but to be so dependent on one very abusive payment provider is far from ideal. By all means continue to use PayPal for important purchases but why not consider experimenting with other options for less important items. At least then you will eventually know 2 devils and can phase the worst one out and begin experimenting with a third.

I don't have a PayPal account. All the "I hate PayPal but I use it all the time" comments make me think I'd be much better off by joining PayPal.

Is it fake data? (0)

Anonymous Coward | about a year and a half ago | (#41857765)

I used to work at PayPal. The article is unclear if any of the exposed data is real or fake. Generally all the QA stages have fake data. In fact I am almost sure that they all have fake data.

Focus the discussion? (1)

Anonymous Coward | about a year and a half ago | (#41867699)

Every time there's a thread on PayPal people inevitably diverge into demanding "PayPal be regulated like a bank" or "PayPal is making profit on my money sitting in my account balance" or "PayPal should do this and that"... So much noise from people who know so little about what things actually are and are just looking for a scapegoat to blame.

- PayPal *is* regulated like a bank in some parts of the world
- PayPal is *not* a bank in US so it does not (and can not!!!) make money on the balances - WellsFargo (PayPal's bank) is the one doing it
- If you know what and how PayPal should do things better you have two options - join PayPal and teach them (or help them fix things) or start your own alternative and "do things right". Oh, would I love to see you do that!!! A few attempts over the last years come to mind, notably Yahoo and Google. I'm sure *you* know how to do it right, right?

But I'm diverging as well... Coming back to the original post. Read it again, please. PLEASE! Did you not notice the "stageXmbXXX" in the text preceding the screenshots? Gawd, people... Enough with the hysteria, already. Though I agree it's "some" security risk to allow access to its internal staging environment (not production, testing!) I fail to see how that translates into "real" customer data and you feeling vulnerable. Someone saw a drawing of a prototype of your house and you immediately assume they have keys to it.

As much fun as it is to yell at "big targets" and feel all so powerful doing so it helps so much more to think for yourself and actually get to know the subject you are expressing an adamant opinion about.

It's hard to take a "bounty program" seriously (1)

pterry (100705) | about a year and a half ago | (#41868911)

that doesn't disclose how much it pays. All it says [paypal.com] is

PayPal security team will determine the bounty amount and all decisions are final.

Would you trust Paypal to reward you fairly?

They also generously offer (1)

pterry (100705) | about a year and a half ago | (#41868963)

not to sue / prosecute you - if they conclude that your disclosure respects and meets all their guidelines. Oh and the program is "subject to change or to cancellation at any point without notice".

Shill Bidding Fraud on eBay (1)

PhilipCohen (1319503) | about a year and a half ago | (#41876075)

And, regrettably, the ugly reality for consumers dealing with the eBafia/PreyPal complex ... “Shill Bidding Fraud on eBay: Case Study #5” ... http://bit.ly/N1nTlc [bit.ly]