Slashdot Mirror


PayPal Security Holes Expose Customer Card Data, Personal Details

mask.of.sanity writes "Dangerous website flaws have been discovered in PayPal that grant attackers access to customer credit card data, account balances and purchase histories. The holes still exist. One was publicly disclosed after a failed effort in July to responsibly disclose them under PayPal's bug bounty program. PayPal is working to close the holes."

26 of 87 comments

  1. PayPal is not a bank by DaTrueDave · · Score: 5, Insightful

    And it's unfortunate that people sometimes consider it as safe as one. It's more like giving money to a trusted acquaintance to pay somebody for you. And about as reliable.

    1. Re:PayPal is not a bank by HerculesMO · · Score: 5, Insightful

      But the problem is that they operate like one. And as such, should be regulated as one.

      Right now there is no recourse if people want to get their money out/back/etc, and if they were a normal bank they'd have to provide a method to extract money and some regulations around their "review" process.

      --
      The price is always right if someone else is paying.
    2. Re:PayPal is not a bank by Kenja · · Score: 4, Insightful

      They only operate like one when the users treat them like one; the same can be said for the corner store that offers a credit tab. I use PayPal, but never keep money in it, or do direct bank transfers to it, or accept its offers of credit.

      --

      "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    3. Re:PayPal is not a bank by firex726 · · Score: 4, Insightful

      Yep, they want all the functionality of a bank, but none of the regulation.

    4. Re:PayPal is not a bank by Kenja · · Score: 5, Funny

      Yep, they want all the functionality of a bank, but none of the regulation.

      So they want to be a bank! <zing!>

      --

      "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    5. Re:PayPal is not a bank by fredprado · · Score: 4, Insightful

      But the fact that people can do that means they provide all the services of a bank, even if you choose not to use them, and therefore should be regulated as one.

    6. Re:PayPal is not a bank by udachny · · Score: 4, Insightful

      Why would you want to break something that works for its purpose?

      Let me rephrase the question: if you think your money is safer in a 'regulated bank', why would you put it into PayPal?

      Again: if you think PayPal is not a safe 'bank' (and it's not a bank, it's a transfer mechanism, they don't give out business loans), then why would you have any significant amount of money sitting in it?

      I use PayPal for what I find it convenient for - transfer of small payments. Sometimes I buy something online and pay through PayPal, that's what it is for AFAIC, I don't use it for anything else.

      You want to take that and apply all the banking rules to it; do you know what it would do to the transaction cost? I mean, in the USA alone there are over 100,000 financial regulations, rules, and laws that banks and other financial institutions must comply with. Here you have something slightly different; you can use it for what it is, nobody is forcing you to use it as a bank.

      Eventually people like you start crying: oh, it is similar to a bank, we must regulate it, otherwise it will ..... do what? Hand out Federally 'insured' loans to home buyers that can't afford the purchase?

      Wait a second, isn't that what happened with the 'normal', regulated banks? (*and they are highly regulated by the state; the Patriot Act alone turned the banks into a spying application for the CIA, DHS and FBI*)

      So you want to destroy PayPal's ability to operate, because you want to enforce the existing banking rules upon them? Whose side are you on? Clearly you are not on the side of people who use PayPal on a daily basis for tiny transactions and find the service extremely useful.

      You and the government of Argentina have something in common.

    7. Re:PayPal is not a bank by tibit · · Score: 5, Insightful

      Are you a shill or are you serious?! The transaction cost on PayPal is ridiculously high as it is. I'm sure it can cover compliance with banking rules, with plenty left to spare. Go read eBay's financial reports; they own PayPal. PayPal's profit margins make regular banks look silly, and it's not due to lack of regulation. Nobody would bank in a bank that has the fee structure of PayPal. But then there are no alternatives to PayPal, so if they were regulated like a bank it wouldn't change a thing for the worse for anyone, except that people's lives wouldn't be ruined if some outsourced guy in their "customer support", who has no clue about U.S. culture and customs, gets suspicious about a transaction that got flagged.

      The whole "don't keep money in PayPal" spiel is stupid; you obviously don't have a fucking clue what you talk about. If PayPal decides you owe them, or they want to hold on to some of your money, they'll do it no matter what your account balance is. You just end up with a negative balance that's due and payable now, and if you happen to have a linked checking account (which you need in order not to face silly transaction limits), they'll gladly take the money out from there whether you like it or not. If your checking happens to be dry (anyone sane has a separate account for use with PayPal), you'll be slammed with NSF fees from both ends, and you'll still owe PayPal, and it will show up on your credit report very quickly. Basically PayPal can screw you, and unless you have plenty of money for lawyers, there is absolutely no recourse. Even if you have money for lawyers, you'll only recover your costs if you manage to extract punitive damages. Otherwise you'll pay $50k for lawyers to recover what, 10% or less of it? Banking on being awarded attorney costs just because you were the one who was wronged is naive as well.

      --
      A successful API design takes a mixture of software design and pedagogy.
    8. Re:PayPal is not a bank by dkleinsc · · Score: 3, Insightful

      That's why I'm of the view that we need to introduce "duck-typing" (if it walks like a duck, etc) to regulatory systems:

      Instead of saying "If you are a bank, you must protect depositors by doing XYZ", say "If you have any kind of customer deposit account, you must protect depositors by doing XYZ". It's about regulation based on behavior rather than regulation based on classification, preventing the old "We're not a bank, we're a money transfer system / mortgage brokerage / ..."

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
    9. Re:PayPal is not a bank by theendlessnow · · Score: 4, Insightful

      If PayPal were regulated like a bank, I'd get charged $10 a month for NOT using it.

    10. Re:PayPal is not a bank by udachny · · Score: 2

      Honey, nobody gives a hoot about your business model. You are so quick to jump on PayPal; you want it to be a bank? So which bank exactly do you want PayPal to be, Bank of America? Citi? HSBC? They are ready to take over that business and handle it with such care that you'll be out of business in no time.

      Maybe you want the same rules and regulations and taxes and laws to apply to your eBay store as there are IRL rules and taxes and laws and regulations that apply to brick-and-mortar stores? How quickly would you fold if you had to comply with everything that they have to comply with? It wouldn't take too long; besides, you'd be outsold by their online presence if PayPal is turned into a 'real' bank in the first place.

      You think PayPal is bad for business? Nobody prevents you from charging VISA or taking a check for your eBay transactions.

      You don't like living off of gov't handouts? So why do you want to turn another company into a bank, so that they could get government handouts? FDIC is a handout. So is Federal Reserve discount window.

      Here is eBay's policy on payments with the list of the options.

      For the lazy:

      Allowed:
      PayPal
      ProPay
      Skrill
      Paymate
      Credit card or debit card processed through the seller's Internet merchant account
      Payment upon pickup
      Bill Me Later

      Restricted but still allowed for certain listing categories:
      Bank-to-bank transfers (also known as bank wire transfers and bank cash transfers)
      Checks
      Money orders
      Online payment services: Allpay.net, CertaPay, hyperwallet.com, Fiserv, Nochex.com, XOOM

  2. Re:PayPal is not a bank - it is in Europe! by stiggle · · Score: 4, Interesting

    Paypal Europe is a Luxembourg based Bank and regulated in the EU as such.

  3. Irresponsible disclosure by Hatta · · Score: 3, Insightful

    If this bug has been known since July, your failure to publicly announce it has left thousands of people vulnerable for months. That is irresponsible disclosure. Responsible disclosure is immediate disclosure. Period.

    --
    Give me Classic Slashdot or give me death!
    1. Re:Irresponsible disclosure by X0563511 · · Score: 4, Insightful

      Give them maybe a week to at least respond. Then go full public. Give them a chance (months is not just a "chance", so you're still right on that count).

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    2. Re:Irresponsible disclosure by Anonymous Coward · · Score: 2, Funny

      Don't go public - sell the vulnerability on eBay to the highest bidder. It makes the public aware of the issue - without disclosing the details - and allows PayPal to keep the details a secret if they want to.

    3. Re:Irresponsible disclosure by wbr1 · · Score: 3, Insightful

      They had to wait to disclose till they changed their TOS to stop class action suits. Simple.

      --
      Silence is a state of mime.
  4. Re:PayPal is not a bank - it is in Europe! by ccguy · · Score: 2

    Paypal Europe is a Luxembourg based Bank and regulated in the EU as such.

    I keep hearing this. Maybe they should be regulated like one, but they definitely don't behave any differently over here than they do in the US. I have an account in both places (I'm Spanish but used to live in the US), so I know quite well.

    Paypal STILL abuses all they want. Just the other day, I applied for a *debit* card in my US account. It was denied instantly (possibly because I did it via a Spanish IP address). My account is now under supervision, and they want proof of SSN (which I had already sent years ago), picture ID, and more. If not, well, funds on hold, account useless and so on.

    In general, using your perfectly fine account from overseas will cause problems. Serious ones. It's not like they call you to check things. They just put everything on hold and ask for documentation you may not have with you, and even if you did you may not want to share with them.

  5. That exact same information by s0nicfreak · · Score: 3, Insightful

    could be gotten by opening up my bank statement. Address, account number, past purchases, account balance (though likely a couple of days out of date). Heck, anyone walking down the street can get my address, can see previous purchases if I have my curtains open, and could use my address to find my phone number. I'd be much more worried about someone walking up to my mailbox and opening my bank statement, but only because then they're right at my door (and could come in and attack me), rather than who-knows-where viewing it on the internet. But why fear that information getting out at all? My bank account has protections against use by unauthorized people, and if I had a real credit card it would as well (personally I use prepaid credit cards which don't have such protections, but I only put on what I'm going to use). I have at least half a brain and don't leave money in PayPal. So I'm not sure exactly what the fear is here. PayPal can't even be used for adult services, so it's not like someone is going to print out your fleshlight purchases and send it to your boss/wife/etc.

    If Paypal were regulated like a bank, all similar services would be as well, and that would just raise the bar of entry and ensure no competitor ever puts up a fight against paypal. It would also eventually ensure that people that can't get a bank account or credit card for whatever reason, can't do online transactions. (I'm sorry but I am willing to take peoples' money even if they overdrew their account when they were a broke college student and ended up in Chexsystems.) Paypal sucks, but personally I NEED what it does, as do MANY other people - so either it needs to keep doing it or someone else has to start doing it better. If someone could start a service doing what it does but with all the regulations of a bank, they'd be doing it.

    1. Re:That exact same information by sunderland56 · · Score: 4, Insightful

      Walking down your street and stealing your mail gets *one* account. Hacking PayPal gets millions.

      Walking down your street also entails a physical presence in the USA, and makes you subject to federal laws (stealing mail is a federal crime). Hacking PayPal can be done from anywhere, with no need to ever be on American soil, or even in any country with an extradition treaty.

    2. Re:That exact same information by s0nicfreak · · Score: 2

      So you are saying the point is not the protection of your account, but the punishment of the person stealing your account? How is it "dangerous" for the person stealing your information to not be punished?

    3. Re:That exact same information by tibit · · Score: 2

      Wait, people still get their bank statements in the mail?! What for, may I ask? Every bank out there offers paperless communications. It's silly not to use it.

      --
      A successful API design takes a mixture of software design and pedagogy.
  6. If you're victimized by this by NoNonAlphaCharsHere · · Score: 4, Insightful

    You can always file a class action lawsuit. Oh. Wait.

    1. Re:If you're victimized by this by Anonymous Coward · · Score: 2, Interesting

      You can always file a class action lawsuit. Oh. Wait.

      IANAL, but couldn't we organize as many affected people as possible to simultaneously file individual Small Claims for their maximum value (now $10,000 here in California for individuals, $5,000 for business) all over the country? How many representatives do you think PayPal can (or is willing to) send to each and every court case? The majority of people will probably win on default.

      PayPal can either pay a few million up front on a class action, or up to $10,000 per person individually. Personally, I'd rather go for the small claims. More money for you (it's expensive to get your identity back if stolen) and potentially a higher penalty for PayPal if you can get everyone to file claims. It is unlikely they'll file for bankruptcy and skimp out on the collection, and their "wages" should be adequate enough to see a lump sum.

  7. Ebay & Paypal pissed off a lot of people by npetrov · · Score: 2

    Many years ago I disclosed a vulnerability to Ebay to get any user's email.

    It took 2-3 hours to talk to their tech support and convince them that this is a serious problem. I had to show multiple examples of telling them emails of users randomly picked by tech support. Eventually they closed the hole. Within 12 hours actually, which was not too bad.

    Several years later, when I had some issues with Ebay, they did not want to take that help into account.

    Ebay & Paypal had so many changes over the past 5 years and pissed off a lot of people as a result. No wonder someone went public with the issues. I used to have multiple power seller accounts, and after all these changes I stopped selling there.

    If I saw a vulnerability now with either ebay or paypal, I'd not bother telling them. I'd actually just wait for a story like that and laugh at them from a perspective of what goes around - comes around.

  8. PCI, anyone? by dkleinsc · · Score: 3, Interesting

    If Visa, Mastercard, Amex etc are treating everyone fairly, it seems like PayPal would now be due for a major smackdown courtesy of the big-name credit card networks. I'm talking about a $10^9 order of magnitude smackdown. If I recall correctly, proper compliance means certifying a bunch of stuff under penalty of perjury, which means that PayPal is not only organizationally breaking the rules but may have individuals breaking the rules as well.

    Of course, equally likely, these companies will be too worried about hurting their relationship with a big payment processor to actually do anything about it.

    --
    I am officially gone from /. Long live http://www.soylentnews.com/
  9. Grounds for a class action? by macraig · · Score: 2

    And this is precisely the sort of scenario that motivated me to take PayPal up on its unusual offer to "opt out" of its new recent adjustment to its service agreement that attempts to force customers to only use singular arbitration and prohibit class actions altogether. These new clauses are all the rage in service industries; all the corporate kids are dying to get one. Valve has one, AT&T has one, and now PayPal. I'm sure there are hundreds more I don't know about or mindlessly clicked thru. Why PayPal chose to give customers the ability to reject that clause I can't figure, but I exercised it, and this incident is demonstrative of why. The rest of you have until December 31st IIRC to consider the same; you aren't likely to get this choice often.

    As to why these clauses are a big fucking deal, the New York Times and TechDirt both published good analyses of the Supreme Court decision last year that inspired it and the inevitable effects. It's the same Court that gave us the Citizens United ruling and others that are almost slavishly favorable to business at the expense of the common good.