Mac Musings

PayPal Insecurity

Dan Knight - 2002.08.08

I've used PayPal for years, and I'm convinced that they fill a very real need on the Internet. If anything, they need to do a better job of supporting users outside the US and making their services available to the worldwide audience on the World Wide Web.

They also need to beef up security.

As I discovered on Tuesday, someone using the email address lilbb@spils.com (a free email service) managed to hack my password and add his/her email address at about 3:40 p.m. Central Time on Sunday. This individual then removed my email addresses, blocking me from access to my business account.

Fortunately, I usually have less than $100 in my PayPal account. I try to keep enough there to cover some hosting and access fees that I pay with my PayPal debit card.

Unfortunately, that PayPal account is also linked to my business checking account. On the up side, this means I can send funds via PayPal even if I don't have enough in my PayPal account. PayPal will simply do an electronic funds transfer from my Fifth Third bank account, and then forward the funds to the recipient.

So all it takes for someone to clear out my business account is guessing my password, adding their email address, and then removing my access to the account before I have a chance to respond. And that's exactly what happened.

lilbb then proceeded to clean me out with a $418 and a $1,026 transaction. Another $1,844.70 was attempted, but those funds didn't clear due to insufficient funds.

We've sent out a warning to others, suggesting anyone who uses PayPal reconsider their current password. We thought ours was good, since it wasn't a dictionary word, but that wasn't enough. We recommend using upper case and lower case letters along with numbers and punctuation - all allowed by PayPal - to create a more secure password.

We've also sent email to spils.com about the hack, but we have no idea how helpful they may be. We're also enlisting the assistance of Web-savvy users, asking them to check their site logs - if their logs track user IDs, they may be able to help us track down lilbb.

We sure hope so, and also that the money can be recovered. We've just lost the funds needed to pay our bills.

Where Next?

We're going to think long and hard about using PayPal in the future. The system simply isn't secure enough if all it takes is hacking a password to rob someone blind.

If we do decide to continue using PayPal, we will be smart about it and set up a completely separate checking account linked to our PayPal account. That way if someone should hack our account again, our potential loss could be greatly reduced by keeping that account balance very, very low.

We strongly urge the folks at PayPal to beef up security. It's very convenient to be able to add more email addresses to an account with nothing but the password, but it also means the password is the only thing standing between an attacker and full control of the account, including the linked bank account.

PayPal needs to provide more security, such as requiring a confirmation code sent to an address already on the account before any newly added address becomes usable. That simple step would have stopped this attack at the point where lilbb tried to add a new address, because the code would have gone to me, not to the intruder.
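The confirm-before-activate flow described above, as an added example that is not PayPal's code and not part of the original article. It assumes an in-memory account record, a stand-in send_mail() that just records what would have been sent, and a 15-minute expiry on the code. It also goes one step beyond the article: removing an address sends the code to the address being removed, so the owner is warned before being locked out, and the last address on an account can never be removed.

```python
"""Confirm-before-activate flow for the e-mail addresses on an account.

Added example, not PayPal's code. The Account record, send_mail() stub and
the 15-minute expiry are assumptions made for this demonstration.
"""
import hmac
import secrets
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 15 * 60   # assumption: a pending change expires after 15 minutes


@dataclass
class Account:
    emails: set                                   # confirmed, usable addresses
    pending: dict = field(default_factory=dict)   # (action, address) -> (code, expires_at)


outbox = []   # stand-in for the mail transport; holds (recipient, message) pairs


def send_mail(recipient, message):
    outbox.append((recipient, message))


def _issue(acct, key, recipients, text, now):
    """Create a one-time code for the pending change and mail it to `recipients`."""
    code = secrets.token_urlsafe(24)
    acct.pending[key] = (code, now + TOKEN_TTL_SECONDS)
    for recipient in recipients:
        send_mail(recipient, f"{text} Confirmation code: {code}")
    return code   # returned so the caller (or a test) can play the user who reads the mail


def request_add_email(acct, new_email, now):
    """Ask to add new_email. The code goes only to addresses already on the
    account, so knowing the password alone does not make a new address usable."""
    if new_email in acct.emails:
        return None
    return _issue(acct, ("add", new_email), sorted(acct.emails),
                  f"A request was made to add {new_email} to your account.", now)


def request_remove_email(acct, email, now):
    """Ask to remove an address. The code goes to the address being removed,
    so its owner is warned before losing access. Never strips the last address."""
    if email not in acct.emails or len(acct.emails) == 1:
        return None
    return _issue(acct, ("remove", email), [email],
                  f"A request was made to remove {email} from your account.", now)


def confirm(acct, key, presented, now):
    """Apply the pending change only if the code matches and has not expired."""
    entry = acct.pending.get(key)
    if entry is None:
        return False
    code, expires_at = entry
    if now > expires_at:
        del acct.pending[key]          # stale request: drop it, the user must start over
        return False
    if not hmac.compare_digest(code.encode(), presented.encode()):
        return False                   # wrong guess: keep the entry, the clock keeps running
    del acct.pending[key]
    action, address = key
    if action == "add":
        acct.emails.add(address)
    else:
        acct.emails.discard(address)
    return True


if __name__ == "__main__":
    acct = Account(emails={"owner@example.com"})
    code = request_add_email(acct, "newaddress@example.com", now=0)
    print("mail went to:", [to for to, _ in outbox])          # only the owner's address
    print("active before confirm:", acct.emails)
    print("confirmed:", confirm(acct, ("add", "newaddress@example.com"), code, now=60))
    print("active after confirm:", acct.emails)
```

The point of the design is that the new address is inert until someone who can already read the account's mail types the code in; an attacker holding only the password gets a pending entry and nothing else.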

PayPal should also flag suspicious behavior, such as a lightly used account suddenly being used for several large transactions totaling roughly $3,300, and hold them for review instead of pulling the money from the linked bank account. Credit card companies do that kind of thing; PayPal should too.
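A velocity check of the kind just described, as an added example that is not PayPal's fraud logic and not part of the original article. The ledger is constructed for the demonstration: a few months of small hosting fees followed by three withdrawals of the sizes the article reports. The 90-day window, the minimum history, the 5x ratio and the $1,000 absolute limit are all assumed thresholds, chosen only to show the mechanism.

```python
"""Velocity check over a payment ledger, evaluated one payment at a time.

Added example, not PayPal's code. The ledger is constructed and every
threshold below is an assumption made for the demonstration.
"""
from collections import defaultdict, namedtuple
from datetime import date, timedelta

# Constructed sample ledger: (date, amount in dollars). Small recurring fees,
# then three withdrawals on one day of the sizes reported in the article.
LEDGER = [
    (date(2002, 5, 3), 24.95), (date(2002, 5, 17), 9.95), (date(2002, 6, 3), 24.95),
    (date(2002, 6, 20), 39.00), (date(2002, 7, 3), 24.95), (date(2002, 7, 22), 15.00),
    (date(2002, 8, 4), 418.00), (date(2002, 8, 4), 1026.00), (date(2002, 8, 4), 1844.70),
]

LOOKBACK_DAYS = 90     # assumption: baseline is built from the previous 90 days
MIN_HISTORY = 3        # assumption: fewer prior payments than this means no usable baseline
RATIO = 5.0            # assumption: flag when spend is more than 5x the account's prior peak
ABSOLUTE = 1000.00     # assumption: a day over this is always held, baseline or not

Decision = namedtuple("Decision", "day amount flagged reason")


def daily_totals(payments):
    totals = defaultdict(float)
    for day, amount in payments:
        totals[day] += amount
    return totals


def screen(ledger):
    """Walk the ledger in date order and decide each payment using only what
    came before it, the way a live system would see the stream."""
    decisions = []
    history = []   # payments already accepted into the record, oldest first
    for day, amount in sorted(ledger, key=lambda t: t[0]):
        window_start = day - timedelta(days=LOOKBACK_DAYS)
        prior = [(d, a) for d, a in history if window_start <= d < day]
        day_total = sum(a for d, a in history if d == day) + amount  # running total incl. this one
        flagged, reason = False, ""
        if day_total > ABSOLUTE:
            flagged = True
            reason = f"day total ${day_total:,.2f} exceeds ${ABSOLUTE:,.2f}"
        elif len(prior) >= MIN_HISTORY:
            peak_day = max(daily_totals(prior).values())
            peak_tx = max(a for _, a in prior)
            if day_total > RATIO * peak_day:
                flagged = True
                reason = f"day total ${day_total:,.2f} is over {RATIO:g}x prior daily peak ${peak_day:,.2f}"
            elif amount > RATIO * peak_tx:
                flagged = True
                reason = f"amount ${amount:,.2f} is over {RATIO:g}x prior largest payment ${peak_tx:,.2f}"
        decisions.append(Decision(day, amount, flagged, reason))
        history.append((day, amount))
    return decisions


def review_queue(ledger):
    """Payments that should be held for a human rather than paid out."""
    return [d for d in screen(ledger) if d.flagged]


if __name__ == "__main__":
    for d in screen(LEDGER):
        mark = "HOLD" if d.flagged else "ok  "
        print(f"{mark} {d.day} ${d.amount:>9,.2f}  {d.reason}")
```

Against the sample ledger the first $418 withdrawal is already held, because it is more than five times anything the account had done in the prior ninety days; the two that follow trip the absolute limit as well. The small recurring fees pass, including the first few that arrive before any baseline exists.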

That said, PayPal has been very helpful in locking the account. I've already filed affidavits electronically about this mess. The only disappointment is that PayPal's investigators have yet to call me back. It's been two days, I'm out $1,500 or so, and they need to do better on callbacks.

Do I recommend against using PayPal? No, or at least not yet. The service is very convenient. Users need to be much more aware of the pitfalls. Make sure your password is obscure, and don't keep much money in the bank account linked to your PayPal account.

Dan Knight has been using Macs since 1986, sold Macs for several years, supported them for many more years, and has been publishing Low End Mac since April 1997. If you find Dan's articles helpful, please consider making a donation to his tip jar.
