PayPal Security Holes Expose Customer Card Data, Personal Details
mask.of.sanity writes "Dangerous website flaws have been discovered in PayPal that grant attackers access to customer credit card data, account balances and purchase histories. The holes still exist. One was publicly disclosed after a failed effort in July to responsibly disclose them under PayPal's bug bounty program. PayPal is working to close the holes."
PayPal is not a bank (Score:5, Insightful)
And it's unfortunate that people sometimes consider it as safe as one. It's more like giving money to a trusted acquaintance to pay somebody for you. And about as reliable.
Re:PayPal is not a bank (Score:5, Insightful)
But the problem is that they operate like one. And as such, should be regulated as one.
Right now there is no recourse if people want to get their money out/back/etc, and if they were a normal bank they'd have to provide a method to extract money and some regulations around their "review" process.
Re:PayPal is not a bank (Score:5, Insightful)
Yep, they want all the functionality of a bank, but none of the regulation.
Irresponsible disclosure (Score:4, Insightful)
If this bug has been known since July, your failure to publicly announce it has left thousands of people vulnerable for months. That is irresponsible disclosure. Responsible disclosure is immediate disclosure. Period.
Re:Irresponsible disclosure (Score:5, Insightful)
Give them maybe a week to at least respond. Then go full public. Give them a chance (months is not just a "chance", so you're still right on that count).
Re:PayPal is not a bank (Score:4, Insightful)
Why would you want to break something that works for its purpose?
Let me rephrase the question: if you think your money is safer in a 'regulated bank', why would you put it into PayPal?
Again: if you think PayPal is not a safe 'bank' (and it's not a bank, it's a transfer mechanism, they don't give out business loans), then why would you have any significant amount of money sitting in it?
I use PayPal for what I find it convenient for - transfer of small payments. Sometimes I buy something online and pay through PayPal, that's what it is for AFAIC, I don't use it for anything else.
You want to take that and apply all the banking rules to it, do you know what it would do to the transaction cost? I mean in USA alone there are over 100,000 financial regulations, rules, laws that banks and other financial institutions must comply with. Here you have something slightly different, you can use it for what it is, nobody is forcing you to use it as a bank.
Eventually people like you start crying: oh, it is similar to a bank, we must regulate it, otherwise it will ..... do what? Hand out Federally 'insured' loans to home buyers that can't afford the purchase?
Wait a second, isn't that what happened with the 'normal', regulated banks? (*and they are highly regulated by the state, just Patriot Act alone turned the banks into a spying application for CIA, DHS and FBI*)
So you want to destroy PayPal's ability to operate, because you want to enforce the existing banking rules upon them? Whose side are you on? Clearly you are not on the side of people who use PayPal on a daily basis for tiny transactions and find the service extremely useful.
You and government of Argentina [slashdot.org] have something in common.
That exact same information (Score:4, Insightful)
If Paypal were regulated like a bank, all similar services would be as well, and that would just raise the bar of entry and ensure no competitor ever puts up a fight against paypal. It would also eventually ensure that people that can't get a bank account or credit card for whatever reason, can't do online transactions. (I'm sorry but I am willing to take peoples' money even if they overdrew their account when they were a broke college student and ended up in Chexsystems.) Paypal sucks, but personally I NEED what it does, as do MANY other people - so either it needs to keep doing it or someone else has to start doing it better. If someone could start a service doing what it does but with all the regulations of a bank, they'd be doing it.
Re:That exact same information (Score:5, Insightful)
Walking down your street and stealing your mail gets *one* account. Hacking PayPal gets millions.
Walking down your street also entails a physical presence in the USA, and makes you subject to federal laws (stealing mail is a federal crime). Hacking PayPal can be done from anywhere, with no need to ever be on American soil, or even in any country with an extradition treaty.
Re:PayPal is not a bank (Score:5, Insightful)
Are you a shill or are you serious?! The transaction cost on PayPal is ridiculously high as it is. I'm sure it can cover compliance with banking rules, with plenty left to spare. Go read eBay's financial reports; they own PayPal. PayPal's profit margins make regular banks look silly, and it's not due to lack of regulation. Nobody would bank in a bank that has the fee structure of PayPal. But then there are no alternatives to PayPal, so if they were regulated like a bank it wouldn't change a thing for the worse for anyone, except that people's lives wouldn't be ruined if some outsourced guy in their "customer support", who has no clue about U.S. culture and customs, gets suspicious about a transaction that got flagged.
The whole "don't keep money in PayPal" spiel is stupid, you obviously don't have a fucking clue what you talk about. If PayPal decides you owe them, or they want to hold on to some of your money, they'll do it no matter what your account balance is. You just end up with negative balance that's due and payable now, and if you happen to have a linked checking account (like you need to not to face silly transaction limits), they'll gladly take the money out from there whether you like it or not. If your checking happens to be dry (anyone sane has a separate account for use with paypal), you'll be slammed with NSF fees from both ends, and you'll still owe PayPal, and it will show up on your credit report very quickly. Basically PayPal can screw you, and unless you have plenty of money for lawyers, there is absolutely no recourse. Even if you have money for lawyers, you'll only recover your costs if you manage to extract punitive damages. Otherwise you'll pay $50k for lawyers to recover what, 10% or less of it? Banking on being awarded attorney costs just because you were the one who was wronged is naive as well.
Re:PayPal is not a bank (Score:4, Insightful)
That's why I'm of the view that we need to introduce "duck-typing" (if it walks like a duck, etc) to regulatory systems:
Instead of saying "If you are a bank, you must protect depositors by doing XYZ", say "If you have any kind of customer deposit account, you must protect depositors by doing XYZ". It's about regulation based on behavior rather than regulation based on classification, preventing the old "We're not a bank, we're a money transfer system / mortgage brokerage / ..."
Re:PayPal is not a bank (Score:5, Insightful)
If PayPal were regulated like a bank, I'd get charged $10 a month for NOT using it.