Security Review: PayPal
PayPal, along with other services like Ebay, is an online tool used to transfer money that most are familiar with. Web payment services are a major conveinence, but come with a number of significant risks. Services like PayPal can allow merchants to support payment over the internet without the necessity of having their own payment infrastructure, at a relatively small fee. Online shopping and payment for products and services of all kinds is very conveinent for users as well.
Assets of PayPal:
- Users Account Information: A users account information must be kept secure from potential adversaries in order to keep their funds secure. Ideally, if a users account is stolen, potential damages to bank account funds should be minimized and the intrusion should be detected quickly.
- Integrity of Purchases: A user should be confident that if they make a purchase, the seller will come through with whatever product or service advertised. In the case of a transaction in which the seller does not provide the good or service, the user should be able to receive a refund, and the seller should be dealt with accordingly.
Possible Adversaries:
- Credit Card / Identity Thieves: Malicious individuals who attempt to steal a users account in order to transfer money out of it.
- Malicious Buyers / Sellers: Individuals or companies who attempt to hoax others to giving them money without returning a service.
Weaknesses / Defenses:
- Phishing Attacks: Phishing would seem to be the number one problem with most online transaction systems, primarily because it works quite well. One phishing attack in particular that I have received was an e-mail saying that a fradulent purchase had been made with my account and that I needed to provide account information in order to verify that I in fact, did not make such a purchase. One defense that has been used by PayPal is the concept of a Security Key (a review of the Key here: http://www.brighthub.com/computing/smb-security/reviews/12797.aspx), that generates a key that you must use with your login, appending it to the password. This may help, but the key is only 6 digits long, which is not very secure, and a phishing attack could still get the user to enter in this security key, though hopefully it wouldn’t work on a second login.
- Bogus Sales: A malicious seller could make bogus sales in which a promised service or product is not returned in exchange for payment. PayPal can catch onto these when a buyer reports them, but in the event that the sales were made from an account that was stolen and the money has already been withdrawn by the bogus seller, the burden of payment would fall upon the legitimate owner of the account. One possible defense that may already be in use is e-mail confirmation to the original account whenever a sale is made. This would likely improve the reporting speed of a bogus sale as a buyer may have to wait a while to know that a product has not been shipped.
Overall, PayPal has a fairly good reputation for getting rid of bogus buyers and sellars that attempt to use the service and being able to detect and resolve cases of fraud. The main thing that users of PayPal should be aware of is phishing attacks, and making sure they are able to recognize illegitimate requests for their account information, as stolen accounts are usually the cause for most security breaches.