The Practical Mac

Gone in 60 Nanoseconds

- 2002.08.13 - Tip Jar

Over the last week or so, you have undoubtedly read of the frightening incident wherein the publisher of this site, Dan Knight, had his business PayPal account hijacked and cleaned out - and his bank account along with it. For those of us who regularly transact business on the Internet, this is a chilling story. Perhaps even more troubling is the fact that Dan took all the precautions and did everything right, but Low End Mac still got robbed.

PayPal is essentially a bank in every aspect except the one that matters: legally. It is an electronic clearinghouse, used primarily by buyers and sellers exchanging funds in online auctions. Buyers can use a credit card at PayPal to pay for their purchases, and PayPal sends the money on to the seller, less a small service charge.

This enables sellers to accept credit card payments without going through the hassle of setting up a merchant account with a bank. It is especially helpful to the low-volume, occasional auction seller.

Since it is not officially classified as a bank, PayPal is not subject to most banking regulations. These non-applicable regulations would otherwise offer consumers a measure of protection from fraudulent transactions. While PayPal is very convenient and fills a very important niche in the online community, it is not without its hazards.

Logging in to a PayPal account requires two items: the email address registered to the account and the password. Once logged in, the user has free rein to change the account information in any way, including changing the email address. In Dan's case, the thief correctly guessed the account's email address [it's posted on the site to facilitate donations - dk] and password. Once in, he changed the email address to his own and started transferring money to himself. When the PayPal account ran out of funds, PayPal automatically debited Cobweb Publishing's linked bank account until it, too, was emptied.

In order to be "verified" with PayPal, you have to provide a valid bank account. This account is linked to your PayPal account, enabling money to be transferred between the bank and PayPal. Although it is not strictly required, failing to provide this information severely restricts your use of PayPal.

With none of the government-mandated safeguards of a bank or credit card in place, Cobweb Publishing, the publisher of Low End Mac, is out somewhere in the neighborhood of $1,500. Unlike a credit card, where questionable transactions are usually reversed until everything is sorted out, Cobweb Publishing has lost use of their own money until they can prove fraud. Conceivably, the money could be gone for good. Guilty until proven innocent.

Here are some precautions that all PayPal users should take:

  1. Set up an email account that is used only for PayPal. Although this is far from foolproof, it will at least give a potential thief another hoop to jump through.
  2. Choose a password that contains letters, numbers, and symbols (!,#%&, etc.). Don't use words found in the dictionary. Password-cracking programs will figure those out in minutes. The harder the password is to guess, the better. As Dan's case illustrates, however, this is still no guarantee.
  3. Don't link your bank account with PayPal unless it is absolutely necessary. If you have to, open a separate account for just this purpose, and never leave more than a minimum balance in the account. To transfer funds, move money into the account and then immediately out through PayPal. When you receive funds, withdraw them immediately upon receipt. After reading of Dan's unfortunate adventure, I went to PayPal and removed my bank account. Until I can open a new account devoted solely to PayPal, I will remain an "unverified" member of the PayPal community.

This incident gives us an opportunity to remind you of other precautions that should be taken in online commerce in general:

1. Always pay with a credit card. You receive your greatest degree of fraud protection when using a credit card. Many banks offer Visa or MasterCard debit cards. These cards function as regular, run-of-the-mill credit cards - with one important exception. When you make a charge, the money is automatically drafted from your bank account. You receive no monthly bill other than your bank statement. These cards, when used with your (hopefully) secret PIN, also function as ATM cards. As with PayPal, these cards are oh so convenient. Also like PayPal, they carry their own hidden pitfalls.

It is important to know that, even when used as a credit card, these debit cards do not carry the same level of consumer protection. If your Visa or MasterCard debit card is used fraudulently, you will likely be in the same boat as Dan Knight and Cobweb Publishing. Until and unless you can prove fraud to the bank's satisfaction, you lose the money in question.

I recently had occasion to experience this personally. Kay and I received our bank statement and noticed two different charges from the same store, totaling almost $300. Satisfied that neither of us had made the charges, we contacted the store at which the charges were made. We learned that the merchandise had been mail-ordered by and shipped to someone in our small town. I theorized that the customer was someone who also used our small bank. Credit cards issued by smaller banks usually come from a block of numbers. It is not unusual to have all of the credit cards from these banks have the same numbers except for the last four or five. My thought was that two numbers had been transposed on the order, making the credit card number correspond to our own. After further investigation with both the merchant and our bank, my theory was confirmed. After almost two weeks, we got our $300 returned.

It was alarming that this merchant had done no credit card verification. If he had, he would have immediately known there was a problem, since the name and address of the customer did not match those registered to the credit card. Fortunately we were in a position where losing $300 for two weeks did not put us in a bind. Many people are not. Caveat emptor.

2. If you must use a debit card, use it as a credit card (as opposed to an ATM card) whenever possible. Many stores and point-of-sale devices, after swiping a debit card, will ask whether you want to use the card as "credit," "debit" or "EBT." Always choose credit.

Again, I want to emphasize that treating your debit card like a credit card does not necessarily confer upon you the same protection as if you had whipped out the American Express, but there are several reasons for using it as such. It is just common sense not to expose your PIN to prying eyes any more than is absolutely necessary. Your debit card + your PIN = unfettered access to your bank account(s) by a criminal, who will be able to collect his spoils in cash without having to go through any third parties.

The other reasons relate to the different way the transaction is handled from the point of sale until it reaches your bank account. I will not publicly discuss those reasons here so that I don't accidentally educate any aspiring criminals, but trust me on this. Don't use your debit card if you don't have to; if you have to, use it as a credit card whenever possible.

3. Don't pay by check, money order, or cash. If something goes wrong, you will have little or no recourse. A deal is a deal is a deal, and in this case it is also final.

4. Don't enter your credit card information on an unsecure Web page or send it via email. All browsers have some sort of lock and key icon, usually in the lower left or right-hand corners, which will show you if the Web page you are on is secure or not. On Internet Explorer for Mac, a small gold closed lock will appear in the lower left-hand corner of the frame of the browser, immediately to the left of the globe icon, whenever you enter a secure page. As for email, the only form of communication less secure is walking down the street with a megaphone.

The vast majority of Web pages are not secure. Don't panic, however. Unless you are entering sensitive information into the page, there is no reason for it to be secure. On most websites, the only secure page is the one where you place your order.

5. Don't give your credit card or bank information to solicitors who call on you. If you did not originate the call for the purpose of placing an order, don't volunteer any financial information.

6. Every reputable website has a general disclaimer that no one from their company will ever contact you and ask for your password, and they mean it.

There is an old joke about a man who comes into a computer shop and tells the technician that he is worried about hackers, viruses, and spies. He directs the shop to make his computer "absolutely secure." The technician removes the floppy drive, CD-ROM, modem, network card, keyboard, and mouse, and then hands the computer back.

Making something absolutely secure will usually have the unintended side effect of rendering it useless. This is certainly the case with online commerce. While it cannot be completely secure and without risk, by taking a few precautions you greatly reduce this risk.

Steve Watkins is the Vice President for Information Technology for a mid-sized bank, an attorney, and an Army Reserve JAG on extended active duty. He has been a Mac user for about 12 years. He has owned some PCs along the way - but always came back to the Mac. If you find his articles helpful, please consider making a donation to his tip jar.
