PayPal Security Holes Expose Customer Card Data, Personal Details

mask.of.sanity writes "Dangerous website flaws have been discovered in PayPal that grant attackers access to customer credit card data, account balances and purchase histories. The holes still exist. One was publicly disclosed after a failed effort in July to responsibly disclose them under PayPal's bug bounty program. PayPal is working to close the holes."

PayPal is not a bank

[DaTrueDave]

And it's unfortunate that people sometimes consider it as safe as one. It's more like giving money to a trusted acquaintance to pay somebody for you. And about as reliable.

Re:PayPal is not a bank

[HerculesMO]

But the problem is that they operate like one. And as such, should be regulated as one.

Right now there is no recourse if people want to get their money out/back/etc, and if they were a normal bank they'd have to provide a method to extract money and some regulations around their "review" process.

Re:PayPal is not a bank

[Kenja]

They only operate like one when the users treat them like one, the same can be said for the corner store that offers a credit tab. I use Pay Pal, but never keep money in them, or do direct bank transfers to them, or accept their offers of credit.

Re:PayPal is not a bank

[fredprado]

But the fact that people can do that means they provide all the services of a bank, even if you choose not to use them, and therefore should be regulated as one.

Re:

[phorm]

None of that will help you much if your credit-card # has been lifted from Paypal, which is unfortunate as credit-card was the safest way to deal with them (the horror stories of those with direct-linked bank accounts are numerous)

Re:PayPal is not a bank

[firex726]

Yep, they want all the functionality of a bank, but none of the regulation.

Re:PayPal is not a bank

[Kenja]

Yep, they want all the functionality of a bank, but none of the regulation.

So they want to be a bank! <zing!>

Re:PayPal is not a bank

[theendlessnow]

If paypal we're regulated like a bank, I'd get charged $10 a month for NOT using it.

Re:PayPal is not a bank

[udachny]

Why would you want to break something that works for its purpose?

Let me rephrase the question: if you think your money is safer in a 'regulated bank', why would you put it into PayPal?

Again: if you think PayPal is not a safe 'bank' (and it's not a bank, it's a transfer mechanism, they don't give out business loans), then why would you have any significant amount of money sitting in it?

I use PayPal for what I find it convenient for - transfer of small payments. Sometimes I buy something online and pay through PayPal, that's what it is for AFAIC, I don't use it for anything else.

You want to take that and apply all the banking rules to it, do you know what it would do to the transaction cost? I mean in USA alone there are over 100,000 financial regulations, rules, laws that banks and other financial institutions must comply with. Here you have something slightly different, you can use it for what it is, nobody is forcing you to use it as a bank.

Eventually people like you start crying: oh, it is similar to a bank, we must regulate it, otherwise it will ..... do what? Hand out Federally 'insured' loans to home buyers that can't afford the purchase?

Wait a second, isn't that what happened with the 'normal', regulated banks? (*and they are highly regulated by the state, just Patriot Act alone turned the banks into a spying application for CIA, DHS and FBI*)

So you want to destroy PayPal's ability to operate, because you want to enforce the existing banking rules upon them, whose side are you on? Clearly you are not on the side of people who use PayPal on daily basis for tiny transactions and find the service extremely useful.

You and government of Argentina [slashdot.org] have something in common.

Re:

[tlhIngan]

I suppose the "Paypal is not a bank" loophole is to allow anyone to actually receive money from credit card payments without a merchant account.

Otherwise two random people needing to pay each other will have to do so via cash, money order, cheque or other transfer mechanism. Most of those ways involve the postal service in some form - which while I'm sure USPS would be happy, it goes against the whole "internet shopping" thing where you can buy stuff without having to trudge down to the store.

And I'm fairly

Re:

[udachny]

OK, why is it a 'loophole'?

A bank is a place you would bring your money to for storage, maybe you open a savings account, which means you want your money to be invested (of-course given the fake FDIC insurance, the banks don't even care to hold your money before you can withdraw from your so called 'savings' account, so you know the money is really fake because it doesn't really make any difference to the bank that supposedly it's being loaned out, so you can get a portion of the interest that the bank coll

Re:PayPal is not a bank

[tibit]

Are you a shill or are you serious?! The transaction cost on PayPal is ridiculously high as it is. I'm sure it can cover compliance with banking rules, with plenty left to spare. Go read ebay's financial reports, they own PayPal. PayPal's profit margins make regular banks look silly, and it's not due to lack of regulation. Nobody would bank in a bank that has fee structure of PayPal. But then there are no alternatives to PayPal, so if they were regulated like a bank it wouldn't change a thing for the worse for anyone, except that people's lives wouldn't be ruined if some outsourced guy in their "customer support", who has no clue about U.S. culture and customs, gets suspicious about a transaction that got flagged.

The whole "don't keep money in PayPal" spiel is stupid, you obviously don't have a fucking clue what you talk about. If PayPal decides you owe them, or they want to hold on to some of your money, they'll do it no matter what your account balance is. You just end up with negative balance that's due and payable now, and if you happen to have a linked checking account (like you need to not to face silly transaction limits), they'll gladly take the money out from there whether you like it or not. If your checking happens to be dry (anyone sane has a separate account for use with paypal), you'll be slammed with NSF fees from both ends, and you'll still owe PayPal, and it will show up on your credit report very quickly. Basically PayPal can screw you, and unless you have plenty of money for lawyers, there is absolutely no recourse. Even if you have money for lawyers, you'll only recover your costs if you manage to extract punitive damages. Otherwise you'll pay $50k for lawyers to recover what, 10% or less of it? Banking on being awarded attorney costs just because you were the one who was wronged is naive as well.

Re:

[udachny]

Are you a shill for the political elite, who, I am sure, want to regulate every single thing and creature under the Sun, so they can impose their own costs and controls over everybody?

I don't see transaction costs of PayPal being 'ridiculously high' at all, I like their service. In fact there [wmtransfer.com] ARE [ukash.com] alternatives [bitcoin.org] (and more [wikipedia.org]), and I do not like them.

If you do not like their transaction costs, why are you using them? Nobody is FORCING you to use them, right? It's not like somebody is standing with a gun to your

Re:

[tibit]

Sweetheart, I don't know where you live, but if you're on eBay, you either accept paypal or you don't do business. That's all there's to it. Sure nobody is forcing me to use them, just as nobody is forcing me to go to work, or to do business on eBay. But then you'd be bitching I'm living off gov't handouts, right? So, you see, the reality is that if you want access to the unique marketplace that eBay is (there's nothing else that remotely compares to it), you have to use paypal. That's the end of this story

Re:

[udachny]

Honey, nobody gives a hoot about your business model. You are so quick to jump on PayPal, you want it to be a bank? So which bank exactly do you want PayPal to be, bank of America? Citi? HSBC? They are ready to take over that business and handle it with such care, that you'll be out of business in no time.

Maybe you want the same rules are regulations and taxes and laws apply to your eBay store as there are IRL rules and taxes and laws and regulations that apply to Brick and Mortar stores? How quickly woul

Re:

[bitingduck]

Are you a shill or are you serious?! The transaction cost on PayPal is ridiculously high as it is. I'm sure it can cover compliance with banking rules, with plenty left to spare.

They're one of the few places you can get different rates for micropayments (less than $10) on cc processing, which does make them less expensive for some types of transaction. Most of mine are less than $5, so I need that. But for regular cc processing they're comparable to regular banks/merchant accounts. Other than that, you're probably pretty accurate.

Re:

[phorm]

But then there are no alternatives to PayPal

Actually, there are. Google wallet is one example.
Unfortunately, paypal is the de-facto (often only, and required) payment provider for eBay. How they've avoided anti-trust on this I'm not user (or a class-action for that matter, considering that ebay's shown exchange-rate differs greatly from what paypal actually ends up with).

Re:

[tgd]

I use PayPal for what I find it convenient for - transfer of small payments. Sometimes I buy something online and pay through PayPal, that's what it is for AFAIC, I don't use it for anything else.

On top of that, it makes a very handy point of abstraction between my credit cards, and shifty or untrustworthy sellers. Unlike my credit card information, PayPal payments leave the transaction details in PayPal's systems, not some fly by night's systems. And (most importantly, in my experience) PayPal makes it trivial to stop and permanently block recurring payments. Normal credit cards can't do that -- once a recurring payment is set up, even if your expiration date or security code changes, they can stil

Re:

[udachny]

Precisely, I wouldn't buy almost anything online if I always had to give my CC number to every merchant, this way PayPal knows my credit card, and I know it knows it, but the other people will have to deal with PayPal not with my credit card. In fact I very rarely buy anything online unless I can proxy the payment through PayPal (and in some cases WebMoney, but that's for a slightly different purpose).

Re:PayPal is not a bank

[dkleinsc]

That's why I'm of the view that we need to introduce "duck-typing" (if it walks like a duck, etc) to regulatory systems:

Instead of saying "If you are a bank, you must protect depositors by doing XYZ", say "If you have any kind of customer deposit account, you must protect depositors by doing XYZ". It's about regulation based on behavior rather than regulation based on classification, preventing the old "We're not a bank, we're a money transfer system / mortgage brokerage / ..."

Re:

[defaria]

Regulation is not the solution - Wall Street has lots of regulations - they also have Bernie Madoff.

And what the hell are you talking about that people have "no recourse if people want to get their money out/back/etc"!?!? There are already plenty of laws about property and ownership of all kinds of things as well as plain ole money. There's also laws about fraud, etc. People have a much recourse with getting their money back from Paypal as from any other business or store for that matter. People have no rec

Re:

[AdamWill]

Wall Street *had* lots of regulations.

Then Bush got elected (okay, to be fair, Clinton was hardly a big regulator either), and cut all the regulations, because they were just unnecessary government interference and red tape, needlessly restricting the efficient movement of capital.

Witness: the result.

Re:

[AdamWill]

(channels a slashdot libertarian)

Not to worry, the free market will take care of that for you. Competing payment sites will emerge, offer better security and customer protection, and eat PayPal's lunch. Everything will be fine!

(stops channelling slashdot libertarian)

Notice how that hasn't happened.

Re:PayPal is not a bank - it is in Europe!

[stiggle]

Paypal Europe is a Luxembourg based Bank and regulated in the EU as such.

Re:

[ccguy]

Paypal Europe is a Luxembourg based Bank and regulated in the EU as such.

I keep hearing this. Maybe they should be regulated like one, but they definitely don't behave any different over here than they do over the US. I have an account in both places (I'm Spanish but used to live in the US) so I know quite well.

Paypal STILL abuses all they want. Just the other day, I applied for a *debit* card in my US account. It was denied instantly (possibly because I did it via a Spanish IP address). My account is now under supervision, and they want proof of SSN (which I had already sent

Re:

[niado]

This behavior is primarily to protect against ID theft. They work under the assumption that if someone performs account actions in a country foreign from their home address, it's reasonably likely they are not actually there and someone has stolen their account information.

Actual banks perform similar activities to prevent ID theft, which is currently rampant. Several times I have had my debit card (through a bank) frozen due to sudden account activity in another US state, not even overseas. Usually thi

Re:

[ccguy]

This behavior is primarily to protect against ID theft. They work under the assumption that if someone performs account actions in a country foreign from their home address, it's reasonably likely they are not actually there and someone has stolen their account information.

How the fuck is asking me to send someone I don't know at all a scanned copy of a picture ID *help* protect my ID? You really have it backwards.

Re:

[niado]

This behavior is primarily to protect against ID theft. They work under the assumption that if someone performs account actions in a country foreign from their home address, it's reasonably likely they are not actually there and someone has stolen their account information.

How the fuck is asking me to send someone I don't know at all a scanned copy of a picture ID *help* protect my ID? You really have it backwards.

Picture ID is generally used as a cursory method of proving your identity. If you let someone take care of your money but aren't comfortable with them having your picture ID, then you will need to find someone besides paypal, as they aren't in the business of money laundering.

Though I do agree that it would be better if they called you to check on a suspicious transaction. Banks do this, and usually don't require as many hoops to jump through as paypal does, oddly enough.

Which doesn't actually help much

[Anonymous Brave Guy]

Unfortunately, given the standard of regulation of banks in the relevant jurisdiction, that doesn't mean very much at all. In practice, you would probably still have to take legal action against them in another country if they screwed you in one of their notorious surprise moves, such as freezing your account because you irritated some automated potential fraud algorithm with an imperfect heuristic.

Unless they locked up an account belonging to a business with serious transaction volumes (and by that point t

Re:

[mynamestolen]

Mod parent up! I stopped using paypal anyway when they cut of Julian Assange donations. Scum.

Re:

[aztracker1]

given that my actual bank password cannot be anything other than us letters and numbers, no special characters (at two banking institutions)... An incident where I had over a million dollars in my account (magically) for a couple days, another where a bank error cost me a few hundred, and another still when a merger lost a friend over 10K with no tracking ability... I don't trust banks all that much either.

Re:

[Pax681]

In Eorope os is regulated as a bank, see below for a quote from the wiki page ;) [wikipedia.org]

As of July 2007, across Europe, PayPal also operates as a Luxembourg-based bank.

regulatory link for Europe Here [wikipedia.org]
however they do take the piss as it happens even though they are based in an EU country they seem to get away with some odd procedures i don't think other banks do get away with

Re:

[slick7]

And about as reliable.

The only thing reliable is the banksters death grip on debt slavery. The safest place for money is your pocket, in a land of avarice.

Re:

[helix2301]

People need paypal to run there business imagine how they feel about this, paypal needs to step up there security team ASAP.

Re:

[sjames]

I wouldn't go that far, I don't know PayPal well enough to call them an acquaintance, much less a trusted one.

More like giving the money to a stranger who looks like he might not be homeless and jonesing and hoping for the best.

Irresponsible disclosure

[Hatta]

If this bug has been known since July your failure to publically announce it has left thousands of people vulnerable for months. That is irresponsible disclosure. Responsible disclosure is immediate disclosure. Period.

Re:Irresponsible disclosure

[X0563511]

Give them maybe a week to at least respond. Then go full public. Give them a chance (months is not just a "chance" so, you're still right on that count)

Re:

[Anonymous Coward]

Don't go public - sell the vulnerability on eBay to the highest bidder. It makes the public aware of the issue - without disclosing the details - and allows PayPal to keep the details a secret if they want to.

Re:

[AmiMoJo]

Give them an hour. That is long enough to confirm the problem and take their site offline until they can fix it. Otherwise people could be being robbed while PayPal ignore your email for a week. Reading this guy's description of how easy it was to find the flaw you would have to assume that others already knew about it.

In PayPal's case it is particularly important to act quickly because they are incredibly slow to react and have been hacked before. PayPal doesn't look after its customers, and won't act on y

Re:Irresponsible disclosure

[wbr1]

They had to wait to disclose till they changed their TOS to stop class action suits. Simple.

That exact same information

[s0nicfreak]

could be gotten by opening up my bank statement. Address, account number, past purchases, account balance (though likely a couple of days out of date). Heck anyone walking down the street can get my address, can see previous purchases if I have my curtains open, and could use my address to find my phone number. I'd be much more worried about someone waking up to my mailbox and opening my bank statement, but only because then they're right at my door (and could come in and attack me), rather than who-knows-where viewing it on the internet. But why fear that information getting out at all? My bank account has protections against use by unauthorized people, and if I had a real credit card it would as well (personally I use prepaid credit cards which don't have such protections, but I only put on what I'm going to use). I have at least half a brain and don't leave money in paypal. So I'm not sure exactly the fear here. Paypal can't even be used for adult services, so it's not like someone is going to print out your fleshlight purchases and send it to your boss/wife/etc..

If Paypal were regulated like a bank, all similar services would be as well, and that would just raise the bar of entry and ensure no competitor ever puts up a fight against paypal. It would also eventually ensure that people that can't get a bank account or credit card for whatever reason, can't do online transactions. (I'm sorry but I am willing to take peoples' money even if they overdrew their account when they were a broke college student and ended up in Chexsystems.) Paypal sucks, but personally I NEED what it does, as do MANY other people - so either it needs to keep doing it or someone else has to start doing it better. If someone could start a service doing what it does but with all the regulations of a bank, they'd be doing it.

Re:That exact same information

[sunderland56]

Walking down your street and stealing your mail gets *one* account. Hacking PayPal gets millions.

Walking down your street also entails a physical presence in the USA, and makes you subject to federal laws (stealing mail is a federal crime). Hacking PayPal can be done from anywhere, with no need to ever be on American soil, or even in any country with an extradition treaty.

Re:

[s0nicfreak]

So you are saying the point is not the protection of your account, but the punishment of the person stealing your account? How is it "dangerous" for the person stealing your information to not be punished?

Re:

[dkleinsc]

The point is: The risks are higher, the payoff is less, and like any other law the incentive not to violate it is the risk of being punished.

Re:

[s0nicfreak]

But you're just explain to me why someone would be more willing to steal this information online; I'm asking what the danger is in this information being taken by someone, online or off.

Re:

[s0nicfreak]

(I apologize for the typos, I swear my keyboard is malfunctioning.)

Re:

[tibit]

Wait, people still get their bank statements in the mail?! What for, may I ask? Every bank out there offers paperless communications. It's silly not to use it.

Re:

[s0nicfreak]

Personally, two reasons. 1. We have savings accounts for our kids, and with the younger ones don't want to require them to view the statements online just yet.. 2. I run a home business, and when I'm figuring out financial things, doing my taxes etc. I just find it easier to deal with paper.

My inlaws get paper statements because they refuse to do any online banking, which is a good thing as they occasionally get viruses that would grab their banking info if they did...

Re:

[tibit]

What about just printing out the statements every month? It's surely more resource-conscious than having to ship two sheets of paper in an envelope every month, for every account? Heck, you can easily automate it, so that when the statements are available they'll just "magically" print out. That's how I do it.

Re:

[s0nicfreak]

Then I would have to pay for more printer ink. A small amount yes, but it adds up over time. As the mailman is already bringing me other mail and the bank is already printing out other statements, it takes no extra resources to print nor bring me mine.

I'd also have to ensure my printer is plugged in at print time if I automated it. I keep my printer unplugged until I'm using it. So printing it out would be extra work for me; a small amount, but still enough for me to prefer the convenience of the bank pri

Re:

[tibit]

I guess if you don't automate the "IT stuff" in your home, then it's surely less hassle to get paper stuff mailed in. At home I use a USB controlled powerstrip [pwrusb.com] and have tweaked my iMac's cups to turn the laser printer on and wait a bit before trying to use it, and then to turn it off if unused for 2 minutes. I have a little laserjet P1006 that has phenomenal start-up time and throughput for such a cheap, low-end device (usable in 15 seconds from cold start). I similarly turn off the time capsule when there

Re:

[s0nicfreak]

Anyone going through my mail could them post that info on the internet. You don't need a credit card to use paypal. You need paypal to ACCEPT paypal transactions, transactions from the many people in the world that can't/won't get a credit card, that can't get a bank account with a debit card that works as a credit card, or don't trust other online credit card processors. The amount of money it would take to use a processor with bank regulations would mean I would be making no profit.

Not the same if using temp credit card number ...

[perpenso]

could be gotten by opening up my bank statement. Address, account number, past purchases, account balance (though likely a couple of days out of date)

Its not the same info if you give paypal a temporary credit card number, the sort your bank gives you through their webpage. These numbers are aliases for your real number but you get to pick the max amount to be charged and the month the card expires in. Some of these numbers even lock to the first vendor to post a charge. So if "stolen" and there is money left on the alias a 3rd party can't post a charge.

Re:

[s0nicfreak]

Good point. If you use paypal like that, it would give out little more info than anyone walking down your street - or anyone looking at Google maps, for those of you yelling that it's different online for some reason - can already see.

If you're victimized by this

[NoNonAlphaCharsHere]

You can always file a class action lawsuit. Oh. Wait.

Re:

[Anonymous Coward]

You can always file a class action lawsuit. Oh. Wait.

IANAL, but couldn't we organize as many affected people as possible to simultaneously file individual Small Claims for their maximum value (now $10,000 here in California for individuals, $5,000 for business) all over the country? How many representatives do you think PayPal can (or is willing to) send to each and every court case? The majority of people will probably win on default.

PayPal can either pay a few million up front on a class action, or up to $10,000 per person individually. Personally, I'd r

Serious Concern over Partnership with Discover?

[fallen1]

Should this not cause everyone who has a PayPal account serious concern since Discover will be issuing cards to each person with a PayPal account? Will this card number be linked to your PayPal account AND visible in your PayPal account information?

While I don't think they have started issuing cards yet, this is still a current and future problem. IF they had started issuing cards and even if you had no money in your PayPal account, they could still attempt to use the Discover number, if known, and see what

PayPal should be a BankLite

[RobertLTux]

as long as they can Hold Funds (and basically say Not Going to Tell You Why So FOAD) they should either

1 be required to release funds by Court Order

or

2 be prosecuted under RICO laws (and any other banking fraud regs)

i wouldn't require them to hold to the entire stack of regs that a full Bank would but holding Millions of Dollars in funds for %random_reason% needs to stop NOW.

Ebay & Paypal pissed off a lot of people

[npetrov]

Many years ago I disclosed a vulnerability to Ebay to get any user's email.

It took 2-3 hours to talk to their tech support and convince them that this is a serious problem. I had to show multiple examples of telling them emails of users randomly picked by tech support. Eventually they closed the hole. Within 12 hours actually, which was not too bad.

Several years later, when I had some issues with Ebay, they did not want to take that help into account.

Ebay & Paypal had so many changes over th

Re:

[Lumpy]

It's why I dont use ebay any more. Their fees are insane and overall it's a bad deal for everyone involved.

Re:

[npetrov]

What is rather odd is that I did not buy or sell anything for several years after that incident. However, recently I have been buying a lot of stuff that costs $2-3 including shipping. It really beats me how this sales model makes sense to anyone.

PCI, anyone?

[dkleinsc]

If Visa, Mastercard, Amex etc are treating everyone fairly, it seems like PayPal would now be due for a major smackdown courtesy of the big-name credit card networks. I'm talking about a $10^9 order of magnitude smackdown. If I recall correctly, proper compliance means certifying a bunch of stuff under penalty of perjury, which means that PayPal is not only organizationally breaking the rules but may have individuals breaking the rules as well.

Of course, equally likely, these companies will be too worried about hurting their relationship with a big payment processor to actually do anything about it.

Re:

[evilviper]

Payment card companies can only push around the little guys. If Paypay is anything but incompetent, they have lawyers OBSESSING over those PCI-DSS requirements, and ensuring they meet them TO THE LETTER, with the minimum of effort. "Compensating controls" appear in the regs an awful lot, so you have a blank check to make-up your own pretend security methods. I know I worked for companies who did the same.

Grounds for a class action?

[macraig]

And this is precisely the sort of scenario that motivated me to take PayPal up on its unusual offer to "opt out" of its new recent adjustment to its service agreement that attempts to force customers to only use singular arbitration and prohibit class actions altogether. These news clauses are all the rage in service industries; all the corporate kids are dying to get one. Valve has one, AT&T has one, and now PayPal. I'm sure there are hundreds more I don't know about or mindlessly clicked-thru. Why PayPal chose to give customers the ability to reject that clause I can't figure, but I exercised it and this incident is demonstrative why. The rest of you have until December 31st IIRC to consider the same; you aren't likely to get this choice often.

As to why these clauses are a big fucking deal, the New York Times [nytimes.com] and TechDirt [techdirt.com] both published good analyses of the Supreme Court decision last year that inspired it and the inevitable effects. It's the same Court that gave us the Citizens United ruling and others that are almost slavishly favorable to business at the expense of the common good.

I wish I didn't need Paypal

[mfh]

I use Paypal all the time on websites because of the "devil you know" philosophy. I know them. They are pretty evil, but at least I know to what extent they are evil. I'd like to sell stuff through them but well they are just too tough to deal with to make it worthwhile.

They have interfered with commerce on almost every level. Their API is pretty antiquated and full of obfuscated settings. By now I should be able to sign up to a website, give them my info, upload a virtual product, and collect money from wh

Focus the discussion?

[Anonymous Coward]

Every time there's a thread on PayPal people inevitably diverge into demanding "PayPal be regulated like a bank" or "PayPal is making profit on my money sitting in account's balance" or "PayPal should do this and that"... So much noise from people who know so little about what things actually are and are just looking for scapegoat to blame.

- PayPal *is* regulated like a bank in some parts of the world
- PayPal is *not* a bank in US so it does not (and can not!!!) make money on the balances - WellsFargo (PayP

It's hard to take a "bounty program" seriously

[pterry]

that doesn't disclose how much it pays. All it says [paypal.com] is

PayPal security team will determine the bounty amount and all decisions are final.

Would you trust Paypal to reward you fairly?

They also generously offer

[pterry]

not to sue / prosecute you - if they conclude that your disclosure respects and meets all their guidelines. Oh and the program is "subject to change or to cancellation at any point without notice".

Shill Bidding Fraud on eBay

[PhilipCohen]

And, regretably, the ugly reality for consumers dealing with the eBafia/PreyPal complex ... “Shill Bidding Fraud on eBay: Case Study #5” ... http://bit.ly/N1nTlc [bit.ly]