Paypal in Trouble?

A few days ago I posted on the security hole I discovered in Paypal where payments to my email were flowing to someone else's account.  After denying the problem for quite a while, Paypal finally admitted it.

In the last two days, I have had two other problems with Paypal.  The first was that an account hold was slapped by Paypal on my account.  Apparently I accessed the account from an IP address (maybe a hotel on the road?) they had never seen me at before and so they froze my account until this morning when I had to spend an hour convincing them in various ways I really did control the account.

The second issue was when Paypal put a hold on a payment I received.  At first, I was ticked off at the buyer, thinking that person had received the item and then was trying to keep his money.  But it turned out the buyer had nothing to do with it.  Again, the Paypal computers saw the buyer account had been relatively inactive and held the payment until the buyer called in and convinced them the payment was legitimate.

Now, at some level, one can say that Paypal is trying to protect my money.  But if fraud is so prevelent in Paypal that these kind of onerous fraud checks and constant account and payment freezes are becoming the norm, then it may well be that their business model is in trouble.  Like strip searches at the airport, it may increase security but it may also kill the business.

If you had asked me five years ago, I would have said it likely that by 2009, we would have an online payments system that involved some type of digital certificates on individual computers tied to either a payment system or one's credit card number.  My corporate cash management account works this way, but the retail world does not.  Part of the problem is that there is only limited consumer incentive to demand such a system.  Currently, most fraud costs are pushed by card companies unto retailers rather than consumers (who can fairly easily void a fraudulent payment) reducing the percieved cost of low security.

Postscript:  It is always interesting to listen to the tone of customer service agents.  I talked to four different Paypal agents this morning, and the fairly clear undertone of their responses to my rants about these problems was "it's as bad around here as you think it is."

  • morganovich

    we looked into this back in the early 2000's. one of the key impediments to a distributed certificate program (or a program like amex blue, one of the great marketing failures of all time) is this:

    credit card companies charge merchants more for a card not present transaction. the assumption (likely accurate) is that if you a re physically there with the card, it is less likely to be fraud. so, they charge a higher % of the transaction in fees if the card is not present.

    the key piece of information is that the rate difference for CNP exceeds the increased instance of fraud. therefore, the credit card companies actually have an incentive to PREVENT physical verification. also, they have the online merchant over a barrel. it's not as if a large online store can stop accepting credit cards.

    the card holder never sees the fees, so they have no incentive to do much of anything other than transact as they please.

    it would be easy and inexpensive to distribute readers for a PC that would allow a card swipe (and likely add PIN), but until it pays the CC companies to do so, they won't.

    it has always seemed to me that an individual bank (say chase or citi) could launch such a program themselves and offer a free reader with a new account and a 1.5% rebate on all swiped and PIN verified online purchases. this would seem like an interesting way to compete for business.
    the fact that it has not happened makes me suspect there is some stipulation in the MC/Visa agreements that prohibits it. (though i have no actual information to that effect)

  • Doug

    Warren, your missive reminds me a lot of a government official having one bad experience with, say, a healthcare bill, who then wants to condemn, if not outright punish, the entire system (usually with his flawless, free, and magic "universal healthcare" system).

    For most of us, Paypal works just fine. This is not to say that I won't get bit in the future. But you have to admit that Paypal is an enormously popular and successful enterprise.

    If you're true to your principles, you'll opt out of Paypal and go with something more to your liking. If you can do better, and you think your way is a superior solution, why not get out of this lousy camping business and start up a company of your own rather than bitch about it?

    But why should I pay a penalty for your frustrations?

  • DKH

    morganovich, I have a question regarding the system you discussed:

    "it would be easy and inexpensive to distribute readers for a PC that would allow a card swipe (and likely add PIN)..."

    It strikes me that this system would be susceptible to hacking, such that software could be written to simulate the card reader signal, and thus the card would not have to be present for swiping. Was this issue considered or is it not an issue? Maybe the hardware would encrypt the signal?

    These may be naive questions since I'm just a chemical engineer with some knowledge of programming, rather than a computer or electrical engineer or programmer who actually knows something. Just trying to understand how this really prevents fraud.

  • ArtD0dger

    Paypal is indeed a disgrace. When I was defrauded on eBay last year, they had me ship the faulty merchandise back to the seller at my expense, apparently without even attempting to recover my original payment from him (and their "insurance" did not cover my costs). When I complained that a policy of giving the crook both the money AND the merchandise was absolutely insane, I detected the same weary, resigned tone that you describe in the customer service drone.

    It doesn't take much googling to discover that problems with Paypal are widespread.

  • ErikTheRed

    I've run a small Internet retail business, and based on stories like this we didn't even bother with PayPal. It's simply not that big a deal to set up credit card processing for Visa / MC / AmEx / Discover.

  • morganovich

    DKH-

    there are a large number of existing PKI (public key infrastructure) encryption/certification technologies available. they are not terribly computationally intensive to use (particularly elliptical curve algorithms) but are very, very difficult to break in even moderate strength. to break a 1024 bit ECC PKI in a relevant timeframe, you need to be the NSA.

    wiki has a decent primer on PKI:

    http://en.wikipedia.org/wiki/Public_key_infrastructure

    and since when are people "just chemical engineers"?

    i'm "just a fund manager/venture capitalist", so hardly a hacker/EE. i just run into stuff like this a great deal and have a vested interest in trying to figure out how the pieces fit together.

  • DaveK

    Over here in Belgium, my bank issues me a little gizmo that I use for online credit card payments and for online banking. When I conduct a transaction, I have to put the card into my gizmo, enter a "challenge" string of numbers that from the bank (a different challenge for each transaction), then my PIN. The gizmo provides a "response" to the challenge, I enter that as an electronic signature for the transaction. It works pretty slick, though a little tedious. And difficult to hack... you need to have the gizmo, the card, an account number (not the same as the bank account number), the card number, and the PIN. My guess is that the gizmo costs a couple of bucks, but adds lots more than that to the security of online transactions.

  • morganovich

    in response to your question:

    there are a large number of existing PKI (public key infrastructure) encryption/certification technologies available. they are not terribly computationally intensive to use (particularly elliptical curve algorithms) but are very, very difficult to break in even moderate strength. to break a 1024 bit ECC PKI in a relevant timeframe, you need to be the NSA.

    wiki has a decent primer on PKI:

    http://en.wikipedia.org/wiki/Public_key_infrastructure

    and since when are people "just chemical engineers"?

    i'm "just a fund manager/venture capitalist", so hardly a hacker/EE. i just run into stuff like this a great deal and have a vested interest in trying to figure out how the pieces fit together.

  • DKH

    Yea, I get how encryption works; my question relates to whether it is possible to defeat the requirement that a card be present, for example by simulating the hardware through software. How can a bank guarantee that any hardware it issues is present and actually used during the transaction, thus allowing the bank to apply a lower fraud risk premium to the transaction?

  • Jim Collins

    From what I've seen lately there is no security benefit in having the physical credit card at the point of purchase. It used to be that the cashier physically handled the card, now at most places I just swipe the card through the reader and the cashier never sees the card. I can buy blank cards and a reader/writer for just a few hundred dollars. All that's needed is access to the original card. There was just an arrest for this at a gas station in my area. We still have a full service gas station and the attendant was taking people's cards and running them through the reader when he took them into the station to run them through to pay for the gas.

  • http://thelibertypapers.org/ Brad Warbiany

    Doug,

    "But why should I pay a penalty for your frustrations?"

    I don't recall Warren suggesting, anywhere in this post, that anyone should be penalized.

  • A Stoner

    Exact same thing happened to me. I logged onto paypal from work and they locked my account, but only for about a half hour. But they also delayed payment to several of the people I bought things from. I had to call in to let them know that all the activity was legitmate. Took about an hour.

  • morganovich

    dkh-

    but the exact same thing is true of any point of sale terminal that takes credit cards.

    there is no perfectly secure system.

    it's just more secure than simply requiring someone to have you card number. with simple data entry, you waiter could easily use your card after copying down the numbers.

    with a physical authentication system, he would also need to be a very sophisticated computer user.