Slashdot Mirror


PayPal Security Holes Expose Customer Card Data, Personal Details

mask.of.sanity writes "Dangerous website flaws have been discovered in PayPal that grant attackers access to customer credit card data, account balances and purchase histories. The holes still exist. One was publicly disclosed after a failed effort in July to responsibly disclose them under PayPal's bug bounty program. PayPal is working to close the holes."

13 of 87 comments

  1. PayPal is not a bank by DaTrueDave · · Score: 5, Insightful

    And it's unfortunate that people sometimes consider it as safe as one. It's more like giving money to a trusted acquaintance to pay somebody for you. And about as reliable.

    1. Re:PayPal is not a bank by HerculesMO · · Score: 5, Insightful

      But the problem is that they operate like one. And as such, should be regulated as one.

      Right now there is no recourse if people want to get their money out/back/etc, and if they were a normal bank they'd have to provide a method to extract money and some regulations around their "review" process.

      --
      The price is always right if someone else is paying.
    2. Re:PayPal is not a bank by Kenja · · Score: 4, Insightful

      They only operate like one when the users treat them like one; the same can be said for the corner store that offers a credit tab. I use PayPal, but never keep money in them, or do direct bank transfers to them, or accept their offers of credit.

      --

      "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    3. Re:PayPal is not a bank by firex726 · · Score: 4, Insightful

      Yep, they want all the functionality of a bank, but none of the regulation.

    4. Re:PayPal is not a bank by Kenja · · Score: 5, Funny

      Yep, they want all the functionality of a bank, but none of the regulation.

      So they want to be a bank! <zing!>

      --

      "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    5. Re:PayPal is not a bank by fredprado · · Score: 4, Insightful

      But the fact that people can do that means they provide all the services of a bank, even if you choose not to use them, and therefore should be regulated as one.

    6. Re:PayPal is not a bank by udachny · · Score: 4, Insightful

      Why would you want to break something that works for its purpose?

      Let me rephrase the question: if you think your money is safer in a 'regulated bank', why would you put it into PayPal?

      Again: if you think PayPal is not a safe 'bank' (and it's not a bank, it's a transfer mechanism, they don't give out business loans), then why would you have any significant amount of money sitting in it?

      I use PayPal for what I find it convenient for - transfer of small payments. Sometimes I buy something online and pay through PayPal, that's what it is for AFAIC, I don't use it for anything else.

      You want to take that and apply all the banking rules to it, do you know what it would do to the transaction cost? I mean in the USA alone there are over 100,000 financial regulations, rules, laws that banks and other financial institutions must comply with. Here you have something slightly different, you can use it for what it is, nobody is forcing you to use it as a bank.

      Eventually people like you start crying: oh, it is similar to a bank, we must regulate it, otherwise it will ..... do what? Hand out Federally 'insured' loans to home buyers that can't afford the purchase?

      Wait a second, isn't that what happened with the 'normal', regulated banks? (*and they are highly regulated by the state, just Patriot Act alone turned the banks into a spying application for CIA, DHS and FBI*)

      So you want to destroy PayPal's ability to operate, because you want to enforce the existing banking rules upon them, whose side are you on? Clearly you are not on the side of people who use PayPal on a daily basis for tiny transactions and find the service extremely useful.

      You and the government of Argentina have something in common.

    7. Re:PayPal is not a bank by tibit · · Score: 5, Insightful

      Are you a shill or are you serious?! The transaction cost on PayPal is ridiculously high as it is. I'm sure it can cover compliance with banking rules, with plenty left to spare. Go read eBay's financial reports, they own PayPal. PayPal's profit margins make regular banks look silly, and it's not due to lack of regulation. Nobody would bank in a bank that has the fee structure of PayPal. But then there are no alternatives to PayPal, so if they were regulated like a bank it wouldn't change a thing for the worse for anyone, except that people's lives wouldn't be ruined if some outsourced guy in their "customer support", who has no clue about U.S. culture and customs, gets suspicious about a transaction that got flagged.

      The whole "don't keep money in PayPal" spiel is stupid, you obviously don't have a fucking clue what you talk about. If PayPal decides you owe them, or they want to hold on to some of your money, they'll do it no matter what your account balance is. You just end up with negative balance that's due and payable now, and if you happen to have a linked checking account (like you need to not to face silly transaction limits), they'll gladly take the money out from there whether you like it or not. If your checking happens to be dry (anyone sane has a separate account for use with paypal), you'll be slammed with NSF fees from both ends, and you'll still owe PayPal, and it will show up on your credit report very quickly. Basically PayPal can screw you, and unless you have plenty of money for lawyers, there is absolutely no recourse. Even if you have money for lawyers, you'll only recover your costs if you manage to extract punitive damages. Otherwise you'll pay $50k for lawyers to recover what, 10% or less of it? Banking on being awarded attorney costs just because you were the one who was wronged is naive as well.

      --
      A successful API design takes a mixture of software design and pedagogy.
    8. Re:PayPal is not a bank by theendlessnow · · Score: 4, Insightful

      If PayPal were regulated like a bank, I'd get charged $10 a month for NOT using it.

  2. Re:PayPal is not a bank - it is in Europe! by stiggle · · Score: 4, Interesting

    PayPal Europe is a Luxembourg-based bank and regulated in the EU as such.

  3. Re:Irresponsible disclosure by X0563511 · · Score: 4, Insightful

    Give them maybe a week to at least respond. Then go full public. Give them a chance (months is not just a "chance", so you're still right on that count).

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  4. If you're victimized by this by NoNonAlphaCharsHere · · Score: 4, Insightful

    You can always file a class action lawsuit. Oh. Wait.

  5. Re:That exact same information by sunderland56 · · Score: 4, Insightful

    Walking down your street and stealing your mail gets *one* account. Hacking PayPal gets millions.

    Walking down your street also entails a physical presence in the USA, and makes you subject to federal laws (stealing mail is a federal crime). Hacking PayPal can be done from anywhere, with no need to ever be on American soil, or even in any country with an extradition treaty.