Security Problems at PayPal (last modified 22 August 2008)
Other people's account data accessible to everyone
The PayPal service telephone number allows an ordinary user to query the current balance of his PayPal account and to ask for the most recent entries and transfers. But the automated system has serious security flaws, as members of »Falle Internet« (www.falle-internet.de), a German web portal dealing with Internet fraud, discovered. Due to insufficient verification it is possible to access other people's accounts and query them in the same way as the account owner.
»All financial and personal data is secured by encryption and stored on secured servers«. This is one of PayPal's marketing statements, used to convince potential customers that PayPal is a payment system with outstanding security. But the supposedly encrypted and secured data can easily be accessed by making a phone call. If the PayPal telephone system does not recognise the caller's telephone number, the automated system asks for the phone number on file and the last four digits of the bank account on file; outside Germany this can also be the last four digits of a credit or debit card. A PIN, a password or any other security question that could identify the owner of the account is not required.
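To make the weakness concrete, here is an added example (not code from PayPal or »Falle Internet«) that models the telephone verification described above as a policy check: the weak policy accepts only attributes a seller typically publishes, while a hardened variant additionally demands a secret PIN, stored as a salted hash, and locks the account after repeated failures. The profile values and the PIN are constructed for this illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: a seller whose phone number and bank-account ending are
# public (imprint, auction listing), as the article describes. Invented values.
PUBLIC_PROFILE = {"phone": "+49301234567", "account_last4": "4711"}

MAX_ATTEMPTS = 3  # lockout threshold for the hardened policy


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Salted, iterated hash so a leaked database does not reveal PINs.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class Account:
    phone: str
    account_last4: str
    pin_salt: bytes = field(default_factory=lambda: os.urandom(16))
    pin_hash: bytes = b""
    failed_attempts: int = 0

    def set_pin(self, pin: str) -> None:
        self.pin_hash = _hash_pin(pin, self.pin_salt)


def verify_weak(acct: Account, phone: str, last4: str) -> bool:
    """The IVR policy from the article: only data that is typically public."""
    return phone == acct.phone and last4 == acct.account_last4


def verify_hardened(acct: Account, phone: str, last4: str, pin: Optional[str]) -> bool:
    """Requires a secret factor on top of the public data and enforces lockout."""
    if acct.failed_attempts >= MAX_ATTEMPTS:
        return False  # locked: further guesses are refused even if correct
    if pin is None or not verify_weak(acct, phone, last4):
        acct.failed_attempts += 1
        return False
    # Constant-time comparison of the stored hash against the offered PIN.
    ok = hmac.compare_digest(_hash_pin(pin, acct.pin_salt), acct.pin_hash)
    acct.failed_attempts = 0 if ok else acct.failed_attempts + 1
    return ok
```

With the weak policy the public profile alone grants access; with the hardened policy it never does, and three wrong PINs lock the account.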
Using just this information, the accounts of several thousand eBay shops and other commercial users could be compromised. By German law, every commercial website must provide an easily accessible imprint with contact details, including a telephone number. Many shops also publish their bank account number in order to speed up transactions for their customers. It is very likely that the same details are used for the PayPal account, since not many people have a dedicated phone number or bank account just for PayPal.
But not only commercial users are affected; the account security of private users is also under threat. Nearly every seller provides a buyer with contact details and a bank account number for direct bank transfer, or other bank account information. This and other public information, such as entries in telephone directories, have the unintended consequence of giving access to detailed PayPal account information like the current balance and the last transactions, including the name of the trading partner. Personal financial data is among the most private information there is; for a company it counts as confidential business information. By disclosing transaction details it becomes possible to compile a list of all the customer names.
»Falle Internet« informed the security department of eBay Germany four weeks ago and told them about the security problems at eBay's subsidiary PayPal. »It had been treated as most urgent and important«, but the security gap is still there.
Fraudsters could use this security gap to identify accounts that are especially profitable to attack and target them with phishing emails or virus attacks. The email addresses for such attacks are most likely found together with the phone number in the contact details for the shop.
These attacks are supported by PayPal's own behaviour: most of its emails contain URL links and ask the recipient to log in to the PayPal website. In particular, receipts for every transfer are sent this way, a dangerous practice that German banks abandoned years ago.
Once a criminal has gained illegal access to an account, he can spend its funds as he likes, e.g. by buying valuable goods that are easy to resell. PayPal has no additional security measures in place to verify individual transactions, another minimum standard for online banking. In principle, the original security gap still exists, but it is harder to exploit.
eBay was made aware of this security problem four weeks ago but took no visible countermeasures until the initial report was published by »Falle Internet« on 19th August. Only after it caught the attention of the German press did PayPal decide to react, switching off the automated access and using a call centre instead. But recent research by »Falle Internet« showed that this provides much weaker security: using just the published name, the email address and the last four digits of the bank account number, it was possible to obtain detailed information on a PayPal account.
»Falle Internet« recommends using a dedicated email address for PayPal and changing it at regular intervals, since this address is also used to log in to PayPal. This email address, like all other personal information, should be kept secret. Another recommendation is to withdraw the funds from the account and leave as little as possible in it, in case the account is compromised.
If possible, use a dedicated phone number and bank account for PayPal and keep this information secret. If this is not possible, monitor your account closely or don't use PayPal at all.