PayPal Security

October 26, 2011 E-Currency

A credit-card sized alternative to the keychain security token, the PayPal Keycard generates a temporary login code to authenticate the user.

Security key
In early 2006, PayPal introduced an optional security key as an additional precaution against fraud. A user account tied to a security key has a modified login process: the account holder enters his or her login ID and password, as normal, but is then prompted to press the button on the security key and enter the six-digit number it generates. For convenience, the user may instead append the six-digit code to his or her password in the login screen, in which case no separate prompt for the code appears. Using the security key is required for some services, such as using PayPal through the eBay application on iPhone.

This two-factor authentication is intended to make account compromise by a malicious third party without access to the physical security key difficult, although it does not prevent so-called Man in the Browser (MITB) attacks, in which malware inside the victim's browser rides the already authenticated session. However, the user (or a malicious third party) can alternatively authenticate by providing the credit card or bank account number listed on the account; since those numbers are knowledge an attacker may already hold, the fallback bypasses the possession factor entirely. Thus PayPal's implementation does not offer the security of true two-factor authentication.
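The page does not say which one-time-password algorithm the security key uses, so the following added example (written for this page, not PayPal's code) models the login flow with HOTP (RFC 4226) as an assumed stand-in, with a TOTP (RFC 6238) variant for time-based tokens. It shows the server side of the procedure above: verifying the password, accepting the six-digit code either from its own field or appended to the password, resynchronising an event-based token whose button was pressed without logging in, and rejecting a replayed code. The account name, password and the RFC 4226 test secret are constructed sample data.

```python
"""Security-key style login: password plus a six-digit one-time code (added example)."""
import hashlib
import hmac
import os
import struct
from typing import Optional

# Shared secret from RFC 4226 Appendix D; constructed test data, not a real key.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): the same construction with the counter taken from the clock,
    as a time-based token does instead of counting button presses."""
    return hotp(secret, unix_time // step, digits)


class Account:
    """Server-side record: salted password hash, the token's shared secret and the
    highest HOTP counter already accepted (anything at or below it is a replay)."""

    def __init__(self, login_id: str, password: str, token_secret: bytes):
        self.login_id = login_id
        self.salt = os.urandom(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        self.token_secret = token_secret
        self.counter = 0

    def check_password(self, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        return hmac.compare_digest(candidate, self.pw_hash)


def verify_login(acct: Account, password: str, otp: Optional[str] = None,
                 look_ahead: int = 20) -> bool:
    """Check password and one-time code. If no separate code is supplied, the last
    six characters of the password field are taken as the code (the convenience
    form described in the text). Returns True and advances the counter on success."""
    if otp is None:
        if len(password) <= 6 or not password[-6:].isdigit():
            return False
        password, otp = password[:-6], password[-6:]
    if not acct.check_password(password):
        return False
    # An event-based token advances every time its button is pressed, including
    # presses that never reach the server, so the server searches a bounded window
    # ahead of the last accepted counter. Accepting counter c also burns 1..c-1,
    # so a captured code cannot be replayed later.
    for c in range(acct.counter + 1, acct.counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(acct.token_secret, c), otp):
            acct.counter = c
            return True
    return False


def demo() -> dict:
    """Walk one account through the flows the text describes (constructed data)."""
    acct = Account("alice@example.com", "correct horse", TEST_SECRET)
    first_press = hotp(TEST_SECRET, 1)  # "287082" for the RFC 4226 test secret
    return {
        "separate_field": verify_login(acct, "correct horse", first_press),      # True
        "replay": verify_login(acct, "correct horse", first_press),              # False
        "appended": verify_login(acct, "correct horse" + hotp(TEST_SECRET, 2)),  # True
        "wrong_password": verify_login(acct, "wrong", hotp(TEST_SECRET, 3)),     # False
        "skipped_presses": verify_login(acct, "correct horse", hotp(TEST_SECRET, 7)),  # True
        "stale_code": verify_login(acct, "correct horse", hotp(TEST_SECRET, 5)),       # False
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats worth noting against this model. First, the code only authenticates the login: once the session exists, a Man in the Browser trojan can submit transactions inside it, which is why the text says MITB attacks are not prevented. Second, the appended form is ambiguous when a password itself ends in six digits, so a real deployment should either forbid that or try both interpretations; and any fallback that lets a caller authenticate with a card or bank account number instead of the code, as the text describes, would have to be added as a branch that skips the possession check altogether, which is precisely what weakens the scheme.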

The key currently costs US$29.95 for all users, with no ongoing fees. The option of using a security key with one’s account is currently available only to users registered in Australia, Germany, Canada, the United Kingdom, and the United States.

MTAN
It is also possible to use a mobile phone to receive an MTAN (Mobile Transaction Authentication Number) via SMS. As with any security measure, weaknesses have been reported; in this case they concern older mobile handsets.

Regulation
In Europe, PayPal is registered as a bank in Luxembourg under the legal name PayPal (Europe) Sàrl et Cie SCA, a company regulated centrally by the Luxembourg bank authority, the Commission de Surveillance du Secteur Financier (CSSF). All of the company’s European accounts were transferred to PayPal’s bank in Luxembourg on July 2, 2007. Prior to this move, PayPal had been registered in the UK as PayPal (Europe) Ltd, an entity licensed as an Electronic Money Issuer with the UK’s Financial Services Authority (FSA) from 2004. This ceased in 2007, when the company moved to Luxembourg. It is therefore not possible for UK customers to obtain legal redress from the company in the English, Scottish, or Northern Irish Courts.

In the US, although PayPal has an extensive User Agreement, PayPal is not directly regulated by the U.S. federal government, because it serves as a payment intermediary. PayPal is regulated as a money transmitter, 31 C.F.R. 1010.100(ff)(5). PayPal is also subject to state regulation, but state laws vary, as do their definitions of banks, narrow banks, money services businesses and money transmitters. The most analogous regulatory source of law for PayPal transactions comes from P2P payments using credit and debit cards. Ordinarily, a credit card transaction, specifically the relationship between the issuing bank and the cardholder, is governed by the Truth in Lending Act (TILA) 15 U.S.C. §§ 1601-1667f as implemented by Regulation Z, 12 C.F.R. 226, (TILA/Z). TILA/Z requires specific procedures for billing errors and dispute resolution, and limits cardholder liability for unauthorized charges. Similarly, the legal relationship between a debit cardholder and the issuing bank is regulated by the Electronic Funds Transfer Act (EFTA) 15 U.S.C. §§ 1693-1693r, as implemented by Regulation E, 12 C.F.R. 205, (EFTA/E). EFTA/E is directed at consumer protection and provides strict error resolution procedures. However, because PayPal is a payment intermediary and not otherwise regulated directly, TILA/Z and EFTA/E do not operate exactly as written once the credit/debit card transaction occurs via PayPal. In practice, unless a PayPal transaction is funded with a credit card, the consumer has no recourse in the event of fraud by the seller.

In India, as of January 27, 2010, PayPal has no cross-border money transfer authorization. In The New York Times article “India’s Central Bank Stops Some PayPal Services”, Reserve Bank of India spokesman Alpana Killawalla stated: “Providers of cross-border money transfer service need prior authorization from the Reserve Bank under the Payment and Settlement Systems Act, PayPal does not have our authorization.” PayPal is not listed in the “Certificates of Authorisation issued by the Reserve Bank of India under the Payment and Settlement Systems Act, 2007 for Setting up and Operating Payment System in India”.

Fraud
If an unauthorized third party obtains and uses someone’s PayPal login information and completes a transaction using the accountholder’s debit or credit card, EFTA/E and TILA/Z make PayPal responsible for the breach. There are, of course, fact specific exceptions to this rule. One is if funds are illicitly withdrawn from a PayPal deposit account. In that situation, neither PayPal nor the bank is required to return the funds, because the agreement between a consumer and PayPal makes those types of transactions authorized.

PayPal account holders’ private information is marginally protected under one federal law. Since PayPal is a financial institution under the Gramm-Leach-Bliley Act (GLB), it cannot disclose its account holders’ non-public personal information to third parties unless account holders opt in to those disclosures.

If an account is subject to fraud or unauthorized use, PayPal puts the “Limited Access” designation on the account. At this point, the account holder must:

  •  Log in
  •  Reset their password
  •  Develop a set of security questions (subjective ones rather than matters of fact, e.g. “What is your favorite ice cream?” rather than “What is your mother’s maiden name?”)
  •  Verify location by phone or by mail
  •  Provide a set of documents, including but not limited to, a copy of the user’s social security card and state ID, home utility bills, business licenses, and proof of original purchase of recently sold goods

Phishing
PayPal presents anti-phishing advice on their website for identifying and reporting phishing. PayPal encourages consumers to report all phishing emails to them.

Criticism and limitations
The current (2011/07/29) PayPal user agreement is a 26-page PDF document. If one buys an item from a PayPal merchant, one is agreeing to an additional layer of arbitration beyond the merchant himself. Thus even if the merchant has acted improperly, PayPal has not violated its own policy until the user has gone through an extra arbitration process with PayPal. According to their 34-page (single-spaced) user agreement, “If a sender of a payment files a Chargeback, the credit card issuer, not PayPal, will determine who wins the Chargeback,” which confirms that a user can employ the normal (legally mandated) dispute resolution process with his credit card issuer, instead of following PayPal’s procedures. A user who reads section 13.7 (on page 27) finds notice that the user may have chargeback rights independent of the dispute resolution privileges granted by the PayPal UA. Section 14.1, entitled “Contact PayPal First”, indicates that in case of a dispute the user must contact PayPal first.

In September 2005, Richard Kyanka, owner of the website Something Awful, set up an account to collect donations for Hurricane Katrina to be given to the Red Cross. Owing to the high rate at which donations were made, the account was automatically frozen, and Kyanka criticized the time and difficulty involved in getting PayPal’s customer service to unfreeze the account. In response to the concerns of Something Awful members over the charity used by PayPal, United Way, Kyanka finally opted to have the money refunded to the donors so that they could donate directly to their charities of choice, though PayPal did not refund exchange and handling fees for international donors.

In March 2008, Australian current affairs show Today Tonight aired a segment criticising PayPal, with regard to safety, freezing accounts and customer service.

Several PayPal gripe sites have been created complaining of problems such as the freezing of accounts of eCommerce stores if they experience rapid growth, preventing them from being able to pay suppliers and fulfill orders. One such site, Paypalsucks.com, ranked third on a Forbes Magazine listing of “Top Corporate Hate Web Sites” in 2005 based on “hostility” and “entertainment value” of web forum postings and other criteria.

In June 2008, the Australian Competition and Consumer Commission found that, “The evidence available does not support the view that PayPal is the most secure method of payment, or offers the best service for all transactions.”

In February 2010, PayPal stopped or reversed all “personal” transactions in or out of India without prior notice. Funds already transferred and transactions that had previously been “completed” were reversed leaving many vendor accounts over-drafted. Companies, contractors and service providers throughout India were left in debt to PayPal for services they had already provided when PayPal, without warning or consent, returned funds vendors had already received and withdrawn.

In spite of its international reach, PayPal has limited functionality for multi-country users, most notably the inability to hold bank accounts in several countries, or to have a shipping address in a different country from one’s bank account or credit card.

In March 2010, PayPal froze donations to Cryptome, seizing over $5300 of in-transit donations. PayPal refused to inform Cryptome of the reason for this action, claiming that to disclose why the donations had been confiscated would violate Cryptome’s own privacy. A week later, PayPal offered an apology, which was rejected by Cryptome founder John Young as “insulting and unacceptable”.

In September 2010, PayPal froze the account of Markus Persson, developer of independent video game Minecraft. His account contained around €600,000.

Also in September 2010, PayPal froze the account of the open-source revision control software TortoiseSVN. The lead developer compared the situation to a car shop that “decides not to do business with you anymore. … But then the shop owner tells you that they keep your car for half a year first because that’s their policy.”

In December 2010, PayPal permanently restricted an account used to raise funds for WikiLeaks, citing a violation of the PayPal Acceptable Use Policy. At a conference in Paris, a PayPal VP, in response to an attendee’s question, stated the account was restricted after PayPal was allegedly pressured by the U.S. State Department. Afterwards, PayPal reiterated that the decision was based on violation of PayPal’s Acceptable Use Policy. This was followed by a cyber attack on the paypal.com website and a boycott of PayPal, in which some users closed their PayPal accounts in protest.

Litigation
In 2002, CertCo filed a suit against PayPal claiming patent infringement concerning the use of distributed computing systems that process micropayments, or small cash amounts. In April 2002, CertCo dropped the suit and stated that they had come to a settlement involving, “a non-consequential payment and mutual releases.”

In March 2002, two PayPal account holders separately sued the company for alleged violations of the Electronic Funds Transfer Act (EFTA) and California law. Most of the allegations concerned PayPal’s dispute resolution procedures. The two lawsuits were merged into one class action lawsuit (In re: PayPal litigation). An informal settlement was reached in November 2003, and a formal settlement was signed on June 11, 2004. The settlement requires that PayPal change its business practices (including changing its dispute resolution procedures to make them EFTA-compliant), as well as making a US$9.25 million payment to members of the class. PayPal denied any wrongdoing.

In May 2002, Tumbleweed Communications filed a lawsuit against PayPal (and later expanded it to include eBay) claiming that PayPal had violated its patents for sending personalized links through e-mail, which PayPal uses to alert its customers about financial transactions. In January 2004, the two parties came to an agreement, but didn’t disclose the financial terms of their licensing agreement.

In June 2003, Stamps.com filed a lawsuit against PayPal and eBay claiming breach of contract, breach of the implied covenants of good faith and fair dealing, and interference with contract, among other claims. In a 2002 license agreement, Stamps.com and PayPal agreed that Stamps.com technology would be made available to allow PayPal users to buy and print postage online from their PayPal accounts. Stamps.com claimed that PayPal did not live up to its contractual obligations and accused eBay of interfering with PayPal and Stamps.com’s agreement, hence Stamp.com’s reasoning for including eBay in the suit.

In August 2002, Craig Comb and two others filed a class action against PayPal in Craig Comb, et al. v. PayPal, Inc. They sued alleging illegal misappropriation of customer accounts and detailed ghastly customer service experiences. Allegations included freezing deposited funds for up to 180 days until disputes were resolved by PayPal, and forcing customers to arbitrate their disputes under the American Arbitration Association’s guidelines (a costly procedure). The court ruled against PayPal, stating that “the User Agreement and arbitration clause are substantively unconscionable under California law,” noting that their unjustifiable one-sidedness and explicit prohibition of class actions produce results that “shock the conscience” and indicate PayPal was “attempting to insulate itself contractually from any meaningful challenge to its alleged practices”.

In September 2002, Bank One Corporation sued PayPal for allegedly infringing its cardless payment system patents; the following year PayPal countersued, claiming that Bank One’s online bill-payment system was an infringement of PayPal’s online bill-payment patent, issued in 1998. The two companies agreed on a settlement in October 2003.

In November 2003, AT&T filed suit against eBay and PayPal claiming that their payment systems infringed an AT&T patent, filed in 1991 and granted in 1994. The case was settled out of court the following month, with the terms of the settlement undisclosed.

In March 2004, PayPal and New York state’s Attorney General, Eliot Spitzer, came to an agreement to require PayPal to disclose clients’ rights and liabilities more accurately and to pay $150,000 to the state of New York for penalties and the costs of the investigation.

In April 2007, one of two anti-trust lawsuits was filed against eBay/PayPal by Michael Malone of Texas. This suit claimed that the monopolistic relationship between eBay and PayPal violates United States anti-trust laws. In March 2010, Judge Jeremy Fogel entered summary judgement in favour of PayPal.

In June 2011, PayPal and Israel Credit Cards–Cal Ltd. were sued for NIS16 million. The claimants accused PayPal of deliberately failing to notify its customers that ICC-Cal was illegally charging them for currency conversion fees.

From Wikipedia, the free encyclopedia
