I've used PayPal for years, and I'm convinced that they fill a
very real need on the Internet. If anything, they need to do a better
job of supporting users outside the US and making their services
available to the worldwide audience on the World Wide Web.
They also need to beef up security.
As I discovered on Tuesday, someone using the email address
lilbb@spils.com (a free email service) managed to hack my password
and add his/her email address at about 3:40 p.m. Central Time on
Sunday. This individual then removed my email addresses, blocking me
from access to my business account.
Fortunately, I usually have less than $100 in my PayPal account. I
try to keep enough there to cover some hosting and access fees that I
pay with my PayPal debit card.
Unfortunately, that PayPal account is also linked to my business
checking account. On the upside, this means I can send funds via
PayPal even if I don't have enough in my PayPal account. PayPal will
simply do an electronic funds transfer from my Fifth
Third bank account, and then forward the funds to the
recipient.
So all it takes for someone to clear out my business account is
guessing my password, adding their email address, and then removing
my access to the account before I have a chance to respond. And
that's exactly what happened.
lilbb then proceeded to clean me out with a $418 and a $1,026
transaction. Another $1,844.70 was attempted, but those funds didn't
clear due to insufficient funds.
We've sent out a warning to others, suggesting anyone who uses
PayPal reconsider their current password. We thought ours was good,
since it wasn't a dictionary word, but that wasn't enough. We
recommend using upper case and lower case letters along with numbers
and punctuation - all allowed by PayPal - to create a more secure
password.
We've also sent email to spils.com about the hack, but we have no
idea how helpful they may be. We're also enlisting the assistance of
Web-savvy users, asking them to check their site logs - if their
logs track user IDs, they may be able to help us track down
lilbb.
We sure hope so, and also that the money can be recovered. We've
just lost the funds needed to pay our bills.
Where Next?
We're going to think long and hard about using PayPal in the
future. The system simply isn't secure enough if all it takes is
hacking a password to rob someone blind.
If we do decide to continue using PayPal, we will be smart about
it and set up a completely separate checking account linked to our
PayPal account. That way if someone should hack our account again,
our potential loss could be greatly reduced by keeping that account
balance very, very low.
We strongly urge the folks at PayPal to beef up security. It's
very convenient to be able to add more email addresses to an account
with a single password, but it also creates the potential for
situations like this.
PayPal needs to provide more security, such as requiring use of a
code emailed to an address already on the account before allowing use
of any new email address. That simple step would have eliminated our
problem.
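The step described above can be sketched as follows. This is an added example, not PayPal's code or anything from the original article: the Account class, its method names, the 15-minute validity window and the attempt limit are all hypothetical.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 15 * 60   # assumed validity window for a code
MAX_ATTEMPTS = 5             # assumed number of guesses allowed per request


class Account:
    """Minimal in-memory account model (hypothetical, for illustration)."""

    def __init__(self, emails):
        self.emails = set(emails)  # addresses already confirmed on the account
        self.pending = {}          # new_email -> [code, expires_at, attempts_left]
        self.outbox = []           # (recipient, code); stands in for mail delivery

    def request_add_email(self, new_email, now=None):
        """Stage a new address; the code goes only to existing addresses."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[new_email] = [code, now + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        for existing in sorted(self.emails):
            self.outbox.append((existing, code))

    def confirm_add_email(self, new_email, code, now=None):
        """Activate the address only if the emailed code is presented in time."""
        now = time.time() if now is None else now
        entry = self.pending.get(new_email)
        if entry is None:
            return False
        stored, expires_at, attempts_left = entry
        if now > expires_at or attempts_left <= 0:
            del self.pending[new_email]   # expired or guessed too often
            return False
        # Constant-time comparison so timing does not leak the code.
        if not hmac.compare_digest(stored.encode(), code.encode()):
            entry[2] -= 1
            return False
        del self.pending[new_email]
        self.emails.add(new_email)
        return True

    def remove_email(self, email):
        """Never remove the last confirmed address on the account."""
        if email not in self.emails or len(self.emails) == 1:
            return False
        self.emails.remove(email)
        return True
```

With this in place, knowing the password is not enough to attach a new address: the code is only ever delivered to a mailbox the owner already controls.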
PayPal should also flag suspicious behavior, such as a lightly
used account suddenly being used for several transactions totaling
over $3,300. Credit card companies do that kind of thing; PayPal
should also.
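A rule of the kind described above might look like this. It is an added example, not PayPal's or any card issuer's logic: the event format, the 72-hour window, the 90-day baseline, the spike factor and the floor are assumptions, and the sample events are constructed (only the three large amounts come from the article).

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=72)    # assumed watch period after a contact change
BASELINE = timedelta(days=90)   # assumed history used to judge normal spend
SPIKE_FACTOR = 5                # assumed multiple of normal spend that triggers
FLOOR = 100.00                  # assumed minimum threshold for new accounts
CONTACT_CHANGES = {"email_added", "email_removed"}


def payments_to_hold(events):
    """events: (timestamp, kind, amount) tuples. Returns the payments made
    soon after an email change whose running total exceeds the threshold."""
    held, history = [], []      # history: (time, amount) of accepted payments
    change_at, threshold, spent = None, 0.0, 0.0
    for when, kind, amount in sorted(events, key=lambda e: e[0]):
        if kind in CONTACT_CHANGES:
            if change_at is None or when - change_at > WINDOW:
                # New episode: baseline is outgoing spend in the prior 90 days.
                prior = sum(a for t, a in history if when - t <= BASELINE)
                threshold = max(SPIKE_FACTOR * prior, FLOOR)
                spent = 0.0
            change_at = when    # further changes extend the watch period
        elif kind == "payment":
            in_window = change_at is not None and when - change_at <= WINDOW
            if in_window:
                spent += amount
            if in_window and spent > threshold:
                held.append((when, amount))
            else:
                history.append((when, amount))
    return held


T0 = datetime(2000, 1, 2, 15, 40)   # constructed timestamp, not from the article
SAMPLE = [
    (T0 - timedelta(days=40), "payment", 19.95),    # constructed routine fee
    (T0 - timedelta(days=10), "payment", 24.00),    # constructed routine fee
    (T0, "email_added", 0.0),
    (T0 + timedelta(minutes=5), "email_removed", 0.0),
    (T0 + timedelta(hours=1), "payment", 418.00),   # amounts from the article,
    (T0 + timedelta(hours=2), "payment", 1026.00),  # timings constructed
    (T0 + timedelta(hours=3), "payment", 1844.70),
]
```

Held payments would go to manual review or a confirmation sent to the previously registered address rather than being rejected outright.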
That said, PayPal has been very helpful in locking the account.
I've already filed affidavits electronically about this mess. The
only disappointment is that PayPal's investigators have yet to call
me back. It's been two days, I'm out $1,500 or so, and they need to
do better on callbacks.
Do I recommend against using PayPal? No, or at least not yet. The
service is very convenient. Users need to be much more aware of the
pitfalls. Make sure your password is obscure, and don't keep much
money in the bank account linked to your PayPal account.
Dan Knight has been using Macs since 1986,
sold Macs for several years, supported them for many more years, and
has been publishing Low End Mac since April 1997.