PayPal president's credit card got hacked on a UK visit, the victim revealed on Twitter. David Marcus said that an unidentified criminal used a skimming device and his credit card was cloned before "tons" of fraudulent transaction were made. The senior executive of the eBay-owned payment processing firm made sure to score a …

COMMENTS

House rules Send corrections

This topic is closed for new posts.

Wednesday 12th February 2014 10:45 GMT Anonymous Coward

Bollocks?!

This almost smells like a setup to me to get PayPal better into the picture.

I don't know how this works in other countries, but over here in Holland I honestly wouldn't describe PayPal as a secure means for electronic payment. FAR from it.

The problem: In the old days I did have a Paypal account, even favoured it. Simply because I could transfer money onto that account without having to set up any connection. No stored creditcard profile, no stored bank account information; nothing. So basically it was truly my "Internet piggy bank".

I made sure that it had an amount which I could use to do stuff, while also making sure that it was never an amount which would hurt me should I suddenly lose it. Best of both worlds.

Nowadays this isn't an option anymore. If I open an account Paypal demands that I either link a credit card onto it or worse: grant them access to do automatic withdrawals from my bank account. I can no longer tell my bank to transfer money; instead I tell Paypal to take it out for me.

Hopefully I don't have to tell you why I immediately cleared out my account and removed it the very day when they started using this approach? It's simple really: should something does go wrong with my account, either due to weak passwords (unlikely) or other issues at Paypal themselves I get to suffer to the fullest extend. Because the bad guys would now have access to everything I got. And we all know that fixing the damage after it has been done is a lot harder than preventing said damage to begin with.

Fortunately there are other parties (Multisafepay comes to mind) who do understand the need for this kind of separation. At the very least to give us customers a feeling of security; separating "internet cash" from the "real cash".

Heck; PayPal has even stooped to a level where you can no longer make payments without having a PayPal account. Of course; only if you're from the Netherlands. If you're from the US you don't have this kind of limitation.

So even if I do make some false assumptions up there (like this news being staged) I hope you can see the reason for my cynicism here.

20 0
1. Wednesday 12th February 2014 12:04 GMT Anonymous Coward
  
  Re: Bollocks?!
  
  > Heck; PayPal has even stooped to a level where you
  
  > can no longer make payments without having a PayPal
  
  > account. Of course; only if you're from the Netherlands.
  
  > If you're from the US you don't have this kind of limitation.
  
  You can but it's up to the seller to tick a box. If they claim to have done so though complain to your consumer protection agency whatever about this. It worked for me here in Slovenia after I filed a complaint I rarely hit upon a seller that I'll get a create an account only payment option. Usually a pay and optionally create is what I'll hit.
  
  I'm using moneybookers/skrill myself. The prepay mastercard they give out works. I need to wire money to them. So it works for my use. And yes I only load what I need/have plnanned usually a week or so before I need it(just because you know... banks take an age to transfer bits around)...
  
  0 0
2. Wednesday 12th February 2014 14:53 GMT Anonymous Coward
  
  Re: Bollocks?!
  
  "or worse: grant them access to do automatic withdrawals from my bank account"
  
  ...and even worse than that, they quietly introduced the ability for merchants to set up repeating payments in your PayPal account, which siphon money from your real bank account without any further authorisation.
  
  I as a long term PayPal account holder was completely unaware of this - having used the standard yellow [Pay using PayPal] button on a website to pay for a 1-year membership for a drivers club here in the UK, was baffled when more money was taken from my account the following year despite my decision not to renew. Turns out that the standard [Pay using PayPal] button can also set up recurring subscriptions.
  
  WTF PayPal??
  
  My conversation with the PayPal 'customer service' rep didn't go very well either when trying to find out how a repeating subscription had come to be set up without my consent - they are totally unrepentant. PayPal considers the button on a 'merchant' website to be the property of the merchant apparently, despite that its an embedded link served from PayPal's servers - and they also think its partly your fault for not having read terms and conditions that the merchant is assumed to have made available to you.
  
  The fact that the embedded button for a recurring subscription looks identical to one for making a standalone payment is irrelevant in PayPal's eyes.
  
  They also view the transaction as being entirely between you and the merchant. The fact that the activity takes place in your _PayPal Account_ is also irrelevant to them.
  
  Once I got my money back from the club, I closed my PayPal account immediately - which I've had since PayPal were the new kid on the block.
  
  Scumbags.
  
  Mind you on the bright side - I spot a market opportunity for setting up an ethical online payments facility ...
  
  1 0
  1. Wednesday 12th February 2014 16:51 GMT myarse
    
    Re: Bollocks?!
    
    I had this happen from some Irish Facebook Aps company- I don't Facebook.
    
    I got an email saying that I was being charged 120 quid by Paypal, first thought it was a phishing scam, but checked only to find out some scam company I'd never heard of had put an auto renewing £120 charge on my account.
    
    I managed to get a chargeback and I know these scams are hard to combat but a quick Google found hundreds of complaints, going back several years, on Paypal's own forums about the same company doing the same thing. With no response, or action, from Paypal.
    
    Now if I was more suspicious I might wonder if Paypal do nothing about these things because they gain if the fraud works but lose nothing if it doesn't due to the time limits and barriers they put on chargebacks.
    
    1 0
3. Thursday 13th February 2014 08:40 GMT Anonymous Coward
  
  Re: Bollocks?!
  
  Frankly, I don't see the problem. My Paypal account never accepted "transferred-in" funds, it always told me it would charge my credit card directly instead if I actually tried "adding funds" to it. Which never was a problem for me since I used the same system as mentioned above from day one - only keep a small pool of money on that particular credit card (and it's actually a DEBIT one with no credit; you can't overcharge me that way). Incidentally, this is a double card (a "real" one plus an "internet-only", with easy transfers between them) but that's irrelevant as long as neither account is ever holding significant sums of money...
  
  Now, regarding PP's attitude towards customer support I wholeheartedly agree. Heavens forbid you run into any trouble at all with your PP account - if it does happen, trying to get through it will put your blackest nightmares to shame and chances are you won't be able to resolve the issue at all. It seems their motto can be summed roughly as "we just don't care, and when we do we make sure you'll regret it and won't get to appeal. We don't need you, there are plenty more customers where you came from".
  
  0 0
Wednesday 12th February 2014 10:47 GMT Tom 7

And if they'd used PayPal

they would have to put their prices up.

6 0
Wednesday 12th February 2014 11:33 GMT Graham Marsden

And of course...

... in the case of all those '"tons" of fraudulent transactions', the card issuer immediately snatched the money back from the retailers and gave it back to him before actually *checking* with the retailer to see if they were fraudulent in the first place...

... Oh, no, hang on, that's what PayPal does, isn't it?

7 0
1. Wednesday 12th February 2014 11:40 GMT Lee D
  
  Re: And of course...
  
  Er... I think you'll find they both do since the introduction of Chip & PIN when the liabilities clauses were changed.
  
  0 0
Wednesday 12th February 2014 11:36 GMT Anonymous Coward

UK businesses are primarily using chip and pin technology, so if the magstripe got skimmed he should easily be able to work out where (and therefore who) skimmed it.

2 0
1. Wednesday 12th February 2014 13:53 GMT Buzzword
  
  Any business where you hand your card over to somebody is vulnerable. When your friendly waiter takes your card and inserts it in the chip-and-pin terminal, you're unlikely to spot him surreptitiously scanning it through a dodgy mag-stripe reader hidden underneath. That's all it takes.
  
  The real question is where did the crims manage to use the information gleaned from the stripe? Pretty much everywhere requires chip-and-pin these days.
  
  1 0
  1. Wednesday 12th February 2014 14:11 GMT Anonymous Coward
    
    They use them in America. Visa and MasterCard are trying to impose chip and pin rollout in America, to much resistance.
    
    0 0
Wednesday 12th February 2014 11:59 GMT Eradicate all BB entrants

He is 100% correct ....

..... in that this type of scam cannot work on Paypal. That's because they introduced numerous other ways of helping miscreants defraud you of what is rightly yours (the easiest being the vendor wiping their Paypal account as they are typing out an email saying they will refund you) then walk away as they are not regulated by financial authorities.

Recently found out that due to using a card on it years ago which has expired I can not use the one off payment function some sites have as their sole payment offering because it's the same card number. Now the account is 'restricted', which means I have to be at home to wait for a fecking phone call, just so I can delete the damn card off of their systems.

Just a shame his bank didn't tell him to piss off and charge him for all the transactions, like his company has done to numerous people when they have issues.

4 0
Wednesday 12th February 2014 12:07 GMT Anonymous Coward

Hmmmmmm

Potentially compromised credit card terminal OR use PayPal?

Potentially compromised credit card terminal OR use PayPal?

Potentially compromised credit card terminal OR use PayPal?

....I'll take my chances with the credit card thanks.

6 0
Wednesday 12th February 2014 12:39 GMT TRT

Tripping the hack scam-plastic

A pay-paler shade of blight?

0 0
1. Thursday 13th February 2014 09:44 GMT Anonymous Coward
  
  Tripping the hack scam-plastic
  
  Fantastic!
  
  0 0
Wednesday 12th February 2014 12:47 GMT Anonymous Coward

score a marketing point

perhaps this was all there was to it - no scam, no credit card skimmed? After all, he could cheerfully refuse to verify the story in any way, claiming that, given the sorry affair, he's not prepared to divulge ANY further details. But hey, the story's probably already all over the news. Nothing like free advertising by the end of financial year, eh?

3 0
Wednesday 12th February 2014 12:59 GMT Irongut

Pics or it didn't happen.

Sounds like a marketing ply to me.

1 0
Wednesday 12th February 2014 13:45 GMT Tromos

...cloned by UK crooks.

Makes you proud to be British.

1 0
1. Wednesday 12th February 2014 20:00 GMT Trainee grumpy old ****
  
  Re: ...cloned by UK crooks.
  
  I'm sure one of our magnificent "news" papers will find that it was an illegal immigrant wot done it.
  
  1 0
Wednesday 12th February 2014 13:59 GMT johnaaronrose

Why magnetic stripe?

The obvious question: why do banks still put magnetic stripes on debit & credit cards? Given that all ATMs (though I know that they have not, because when I demagnetised the magnetic strip on my debit card, it didn't work on some ATMs) & merchants have converted to Chip & Pin in Britain, why? I asked my bank why & I was fobbed off. I've also looked at ATM security websites and they give no answers. Can anybody cast any light on this?

0 0
1. Wednesday 12th February 2014 14:13 GMT Anonymous Coward
  
  Re: Why magnetic stripe?
  
  Various foreign countries haven't implemented chip and pin yet, so magstripe is still needed.
  
  0 0
  1. Wednesday 12th February 2014 15:09 GMT johnaaronrose
    
    Re: Why magnetic stripe?
    
    I realise that. However, we should be able to get cards which can be only used for Chip & Pin (i.e. no magnetic stripe). It's rather pointless having a relatively secure id system on a card when there's a very insecure one!
    
    0 0
    1. Wednesday 12th February 2014 17:12 GMT Anonymous Coward
      
      Re: Why magnetic stripe?
      
      Visa have such a card - VPay - EMV card with no mag stripe - its up to your bank to decide whether to use them.
      
      0 0
      1. Wednesday 12th February 2014 21:57 GMT Frankee Llonnygog
        
        Re: Why magnetic stripe?
        
        You can always run a magnet over the strip if you're sure you'll never need to use it
        
        0 0
Wednesday 12th February 2014 14:40 GMT Firvulag

Paypal was not secure a few years ago.

I had a super secure password yet over £200 was charged to my credit card for an identity lookup service (192.com) which I had never used. When I searched it appears to me that I was not the only one and the attack was inside paypal not via a password compromise.

After Paypal's woeful response I got the money back (via my credit card provider) and cleared out my details. I now never store any details with them and will certainly never validate my account against my current account.

Id rather take my chance with skimmers

a) you can check for them to some extent

b) you don't involve paypal t&c

1 0
Wednesday 12th February 2014 15:31 GMT Ross K

"My card (with EMV chip) got skimmed while in the UK. Ton of fraudulent txns. Wouldn't have happened if merchant accepted PayPal,"

Maybe the merchant doesn't like paying 3.4%+20p on each transaction, or having his Paypal account frozen for some arbitrary reason?

1 0
Wednesday 12th February 2014 17:03 GMT 7-zark-7

Sub headline

Excellent sub headline Reg. Not read the article yet just thought i'd congratulate you first.

1 0
1. Wednesday 12th February 2014 23:10 GMT Vociferous
  
  Re: Sub headline
  
  This. So verily this.
  
  0 0
Wednesday 12th February 2014 17:09 GMT Midnight

He's right about that.

"My card (with EMV chip) got skimmed while in the UK. Ton of fraudulent txns. Wouldn't have happened if merchant accepted PayPal"

Indeed. PayPal would have pocketed the money long before any lesser thieves could have gotten to it.

0 0
Thursday 13th February 2014 01:52 GMT Anonymous Coward

Re: Wouldn't have happened if merchant accepted PayPal

What would have happened instead is that I would have walked out of the shop empty-handed because PayPal would have locked, suspended or otherwise denied me access to my funds in my account the name of "my safety" and whatever other colossal Godzilla dung.

Kinda a small little bit of detail missing eh Mr Marcie?

0 0
Thursday 13th February 2014 05:16 GMT JCitizen

Yeah - if only Chip-N-Pin!!!

I get SOOOoo tired of hearing that!! - VISA is supposedly forcing the issue in North America so my rant is probably a waste of time, but for the expense of converting the entire quadrant of our globe we get something that has already been hacked - several times. Is it REALLY worth it??

February 2008

http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-711.pdf

February 2010

http://www.bbc.co.uk/blogs/newsnight/susanwatts/2010/02/new_flaws_in_chip_and_pin_syst.html

February 2010

http://news.bbc.co.uk/2/hi/science/nature/8511710.stm

September 2012

http://www.cl.cam.ac.uk/~rja14/Papers/unattack.pdf

Video summary of above report

http://www.bbc.co.uk/news/technology-19559124

I hope we are smarter than that and adopt something like a combination of MagnePrint®, which cannot be replayed, and whose infrastructure is basically already there with slightly different hardware POS tech, and also Pass Window, which is a much cheaper, but highly scalable 3rd factor authentication technology.

0 0