PayPal Security Holes Expose Customer Card Data, Personal Details

mask.of.sanity writes "Dangerous website flaws have been discovered in PayPal that grant attackers access to customer credit card data, account balances and purchase histories. The holes still exist. One was publicly disclosed after a failed effort in July to responsibly disclose them under PayPal's bug bounty program. PayPal is working to close the holes."

  • by DaTrueDave ( 992134 ) * on Friday November 02, 2012 @11:33AM (#41853549)

    And it's unfortunate that people sometimes consider it as safe as one. It's more like giving money to a trusted acquaintance to pay somebody for you. And about as reliable.

  • by HerculesMO ( 693085 ) on Friday November 02, 2012 @11:36AM (#41853599)

    But the problem is that they operate like one. And as such, should be regulated as one.

    Right now there is no recourse if people want to get their money out/back/etc, and if they were a normal bank they'd have to provide a method to extract money and some regulations around their "review" process.

  • by Kenja ( 541830 ) on Friday November 02, 2012 @11:43AM (#41853675)
    They only operate like one when the users treat them like one, the same can be said for the corner store that offers a credit tab. I use Pay Pal, but never keep money in them, or do direct bank transfers to them, or accept their offers of credit.
  • by firex726 ( 1188453 ) on Friday November 02, 2012 @11:43AM (#41853679)

    Yep, they want all the functionality of a bank, but none of the regulation.

  • by Hatta ( 162192 ) on Friday November 02, 2012 @11:50AM (#41853755) Journal

    If this bug has been known since July your failure to publicly announce it has left thousands of people vulnerable for months. That is irresponsible disclosure. Responsible disclosure is immediate disclosure. Period.

  • by fredprado ( 2569351 ) on Friday November 02, 2012 @11:52AM (#41853777)
    But the fact that people can do that means they provide all the services of a bank, even if you choose not to use them, and therefore should be regulated as one.
  • by X0563511 ( 793323 ) on Friday November 02, 2012 @11:55AM (#41853809) Homepage Journal

    Give them maybe a week to at least respond. Then go full public. Give them a chance (months is not just a "chance" so, you're still right on that count)

  • by udachny ( 2454394 ) on Friday November 02, 2012 @12:07PM (#41853949) Journal

    Why would you want to break something that works for its purpose?

    Let me rephrase the question: if you think your money is safer in a 'regulated bank', why would you put it into PayPal?

    Again: if you think PayPal is not a safe 'bank' (and it's not a bank, it's a transfer mechanism, they don't give out business loans), then why would you have any significant amount of money sitting in it?

    I use PayPal for what I find it convenient for - transfer of small payments. Sometimes I buy something online and pay through PayPal, that's what it is for AFAIC, I don't use it for anything else.

    You want to take that and apply all the banking rules to it, do you know what it would do to the transaction cost? I mean in USA alone there are over 100,000 financial regulations, rules, laws that banks and other financial institutions must comply with. Here you have something slightly different, you can use it for what it is, nobody is forcing you to use it as a bank.

    Eventually people like you start crying: oh, it is similar to a bank, we must regulate it, otherwise it will ..... do what? Hand out Federally 'insured' loans to home buyers that can't afford the purchase?

    Wait a second, isn't that what happened with the 'normal', regulated banks? (*and they are highly regulated by the state, just Patriot Act alone turned the banks into a spying application for CIA, DHS and FBI*)

    So you want to destroy PayPal's ability to operate, because you want to enforce the existing banking rules upon them, whose side are you on? Clearly you are not on the side of people who use PayPal on daily basis for tiny transactions and find the service extremely useful.

    You and government of Argentina [slashdot.org] have something in common.

  • by s0nicfreak ( 615390 ) on Friday November 02, 2012 @12:10PM (#41853975) Journal
    could be gotten by opening up my bank statement. Address, account number, past purchases, account balance (though likely a couple of days out of date). Heck, anyone walking down the street can get my address, can see previous purchases if I have my curtains open, and could use my address to find my phone number. I'd be much more worried about someone walking up to my mailbox and opening my bank statement, but only because then they're right at my door (and could come in and attack me), rather than who-knows-where viewing it on the internet. But why fear that information getting out at all? My bank account has protections against use by unauthorized people, and if I had a real credit card it would as well (personally I use prepaid credit cards which don't have such protections, but I only put on what I'm going to use). I have at least half a brain and don't leave money in paypal. So I'm not sure exactly the fear here. Paypal can't even be used for adult services, so it's not like someone is going to print out your fleshlight purchases and send it to your boss/wife/etc..

    If Paypal were regulated like a bank, all similar services would be as well, and that would just raise the bar of entry and ensure no competitor ever puts up a fight against paypal. It would also eventually ensure that people that can't get a bank account or credit card for whatever reason, can't do online transactions. (I'm sorry but I am willing to take peoples' money even if they overdrew their account when they were a broke college student and ended up in Chexsystems.) Paypal sucks, but personally I NEED what it does, as do MANY other people - so either it needs to keep doing it or someone else has to start doing it better. If someone could start a service doing what it does but with all the regulations of a bank, they'd be doing it.
  • by NoNonAlphaCharsHere ( 2201864 ) on Friday November 02, 2012 @12:13PM (#41854015)
    You can always file a class action lawsuit. Oh. Wait.
  • by sunderland56 ( 621843 ) on Friday November 02, 2012 @12:36PM (#41854299)

    Walking down your street and stealing your mail gets *one* account. Hacking PayPal gets millions.

    Walking down your street also entails a physical presence in the USA, and makes you subject to federal laws (stealing mail is a federal crime). Hacking PayPal can be done from anywhere, with no need to ever be on American soil, or even in any country with an extradition treaty.

  • by tibit ( 1762298 ) on Friday November 02, 2012 @01:03PM (#41854637)

    Are you a shill or are you serious?! The transaction cost on PayPal is ridiculously high as it is. I'm sure it can cover compliance with banking rules, with plenty left to spare. Go read ebay's financial reports, they own PayPal. PayPal's profit margins make regular banks look silly, and it's not due to lack of regulation. Nobody would bank in a bank that has fee structure of PayPal. But then there are no alternatives to PayPal, so if they were regulated like a bank it wouldn't change a thing for the worse for anyone, except that people's lives wouldn't be ruined if some outsourced guy in their "customer support", who has no clue about U.S. culture and customs, gets suspicious about a transaction that got flagged.

    The whole "don't keep money in PayPal" spiel is stupid, you obviously don't have a fucking clue what you talk about. If PayPal decides you owe them, or they want to hold on to some of your money, they'll do it no matter what your account balance is. You just end up with negative balance that's due and payable now, and if you happen to have a linked checking account (like you need to not to face silly transaction limits), they'll gladly take the money out from there whether you like it or not. If your checking happens to be dry (anyone sane has a separate account for use with paypal), you'll be slammed with NSF fees from both ends, and you'll still owe PayPal, and it will show up on your credit report very quickly. Basically PayPal can screw you, and unless you have plenty of money for lawyers, there is absolutely no recourse. Even if you have money for lawyers, you'll only recover your costs if you manage to extract punitive damages. Otherwise you'll pay $50k for lawyers to recover what, 10% or less of it? Banking on being awarded attorney costs just because you were the one who was wronged is naive as well.

  • by dkleinsc ( 563838 ) on Friday November 02, 2012 @01:10PM (#41854749) Homepage

    That's why I'm of the view that we need to introduce "duck-typing" (if it walks like a duck, etc) to regulatory systems:

    Instead of saying "If you are a bank, you must protect depositors by doing XYZ", say "If you have any kind of customer deposit account, you must protect depositors by doing XYZ". It's about regulation based on behavior rather than regulation based on classification, preventing the old "We're not a bank, we're a money transfer system / mortgage brokerage / ..."

  • by wbr1 ( 2538558 ) on Friday November 02, 2012 @01:26PM (#41854937)
    They had to wait to disclose till they changed their TOS to stop class action suits. Simple.
  • by theendlessnow ( 516149 ) * on Friday November 02, 2012 @01:36PM (#41855069)

    If paypal were regulated like a bank, I'd get charged $10 a month for NOT using it.
