Mac Musings

PayPal Insecurity

Daniel Knight - 2002.08.08 -

I've used PayPal for years, and I'm convinced that they fill a very real need on the Internet. If anything, they need to do a better job of supporting users outside the US and making their services available to the worldwide audience on the World Wide Web.

They also need to beef up security.

As I discovered on Tuesday, someone using the email address lilbb@spils.com (a free email service) managed to hack my password and add his/her email address at about 3:40 p.m. Central Time on Sunday. This individual then removed my email addresses, blocking me from access to my business account.

Fortunately, I usually have less than $100 in my PayPal account. I try to keep enough there to cover some hosting and access fees that I pay with my PayPal debit card.

Unfortunately, that PayPal account is also linked to my business checking account. On the up side, this means I can send funds via PayPal even if I don't have enough in my PayPal account. PayPal will simply do an electronic funds transfer from my Fifth Third bank account, and then forward the funds to the recipient.

So all it takes for someone to clear out my business account is guessing my password, adding their email address, and then removing my access to the account before I have a chance to respond. And that's exactly what happened.

lilbb then proceeded to clean me out with a $418 and a $1,026 transaction. Another $1,844.70 was attempted, but those funds didn't clear due to insufficient funds.

We've sent out a warning to others, suggesting anyone who uses PayPal reconsider their current password. We thought ours was good, since it wasn't a dictionary word, but that wasn't enough. We recommend using upper case and lower case letters along with numbers and punctuation - all allowed by PayPal - to create a more secure password.

We've also sent email to spils.com about the hack, but we have no idea how helpful they may be. We're also enlisting the assistance of Web savvy users, asking them to check their site logs - if their logs track user IDs, they may be able to help us track down lilbb.

We sure hope so, and also that the money can be recovered. We've just lost the funds needed to pay our bills.

Where Next?

We're going to think long and hard about using PayPal in the future. The system simply isn't secure enough if all it takes is hacking a password to rob someone blind.

If we do decide to continue using PayPal, we will be smart about it and set up a completely separate checking account linked to our PayPal account. That way if someone should hack our account again, our potential loss could be greatly reduced by keeping that account balance very, very low.

We strongly urge the folks at PayPal to beef up security. It's very convenient to be able to add more email addresses to an account with a single password, but it also creates the potential for situations like this.

PayPal needs to provide more security, such as requiring use of a code emailed to an address already on the account before allowing use of any new email address. That simple step would have eliminated our problem.

PayPal should also flag suspicious behavior, such as a lightly used account suddenly being used for several transactions totaling over $3,300. Credit card companies do that kind of thing; PayPal should also.

That said, PayPal has been very helpful in locking the account. I've already filed affidavits electronically about this mess. The only disappointment is that PayPal's investigators have yet to call me back. It's been two days, I'm out $1,500 or so, and they need to do better on callbacks.

Do I recommend against using PayPal? No, or at least not yet. The service is very convenient. Users need to be much more aware of the pitfalls. Make sure your password is obscure, and don't keep much money in the bank account linked to your PayPal account.