Sunday, October 31, 2010

Security Review: Pay Pal

Pay Pal is a service that allows a person to send and receive payments online. Through Pay Pal, one can shop online, send money to another account (with international transfer capabilities), request money, and fundraise. Two of the most attractive features of Pay Pal are its convenience and security. For example, once the user signs up for an account using his name, address, email address, and telephone number, he can store his payment information on his Pay Pal account. When paying for a purchase online, the user chooses Pay Pal as the payment method, then logs into his Pay Pal account using his username and password. Thus, the retailer never sees the user’s bank or credit card information. Pay Pal offers the user an option to put funds into his Pay Pal account so that purchases or transfers simply come out of his existing balance. Otherwise, the user can link his credit or debit card so his bank account is used to cover the purchase or transfer.

Pay Pal’s executive team should be concerned with all three goals of security. Confidentiality is important because the Pay Pal system is full of sensitive data, especially financial information. Each user’s account should be protected in such a way that keeps the information private from unauthorized eyes. This can be done by using a secure website that properly protects the millions of accounts from hackers. Integrity can be protected by giving the user the ability to change the appropriate inputs (contact, login, and card/bank information, payment amounts, payment acceptance, etc.). In terms of availability, Pay Pal must ensure that the users can access their accounts whenever they need to make a purchase or deal with a money transfer. The account should be available only to the people the user authorizes. For people looking to create an account, the site itself should be available at all times.

A hacker trying to exploit the Pay Pal system will attempt to defeat the three security goals above. By recovering the decryption key or finding a way around the site and account protection, a hacker can disclose all the account and financial information stored in the Pay Pal database. Once the attacker obtains credit card numbers, he can use those accounts for his benefit. The hacker can also change the user inputs; perhaps the most appealing one is the ability to control how much money goes to a particular user account (the attacker's, for example). The ability of the hacker to alter the login details and email address can deny the owner access to his account. This would leave the hacker in control of the account owner’s Pay Pal account, which is linked to his bank account.

I believe the most notable weakness is not with the Pay Pal system, but rather that users are not properly protecting their accounts. Hackers have their methods of guessing passwords, and if users choose a simple, easy-to-guess password, their accounts can easily be accessed by anyone who tries. Another method of attack is sending out phony emails trying to obtain account information from the users themselves. We have seen this method before (Monster job accounts, bank information, etc.), so unfortunately it could be effective, especially if users are not careful.

Pay Pal prides itself on its secure system: it implements anti-fraud technology and protects payments by using an encrypted site. However, Pay Pal did experience an outage within the last week. The site was down for an hour and a half, and problems persisted a few hours after. Pay Pal has not provided a reason for the outage yet, but intends to share what went wrong at a later time. It will be interesting to see what exactly happened. Perhaps the system is not as invincible as it claims to be.

As mentioned earlier, the Pay Pal database contains much sensitive information. There are 87 million active Pay Pal accounts, and we can assume that most of those accounts are linked to credit or debit card accounts. Based on the asset’s high value alone, I think there will likely be many attempted attacks on the system. The vulnerabilities lie with the user, not necessarily with the entire database. Therefore, I think there is a high risk of a few accounts being compromised, but I do not foresee a successful attack that compromises the entire Pay Pal system given the emphasis on security and protecting user information.

I would recommend a risk mitigation strategy to the Pay Pal executive team. It seems like management values information security, so as long as it continues to keep up with the most up-to-date protection measures, the system will be protected from hackers. I also suggest that there should be guidelines on creating strong passwords to prevent attackers from guessing user passwords. Along these same lines, there should be constant reminders, as banks do, that there is no reason to give login information through an email. This reduces the chance that users inadvertently disclose their information to unwanted parties.

3 comments:

  1. I agree with the problems listed and how sensitive the information is. In looking into the Pay Pal website it is clear they are trying to alert their customers and users to possible threats. Pay Pal has several tactics such as their own, personal, email header that is almost impossible to duplicate. They also never attach anything to their emails and will never ask for personal information. These can help in identifying possible scams but are probably not enough for some non-tech-savvy users. With so much delicate information, the security must be top notch and VERY, VERY user sensitive.

  2. I agree with the two previous posters that one should always be aware of the risks and threats associated with sharing sensitive information with a website. But at the same time, I think that PayPal is a great tool. I have used PayPal in the past and will continue to use PayPal. Partnered with eBay, it is a great way to conduct transactions over the internet. I have always felt safe using it, but at the same time I realize that I need to constantly be aware.

    As the two other posters have mentioned, password protection and identifying phishing attempts are two things that can make PayPal completely safe for users. I think that it is important to always use upper and lower case letters, numbers, and a symbol to make your password as strong as possible. Kflynn5 also mentioned good advice to stop phishing - "(PayPal) will never attach anything to their emails and will never ask for personal information"... especially via email.

  3. In contrast to PayPal, sites like Amazon.com have the option of storing a user's credit card information on their site for future purchases. This means that whenever a transaction occurs, the data has been stored by the site. When a user makes another transaction, their data is automatically loaded into the necessary fields. The pressure is put fully on Amazon.com, and not on a 3rd party site like PayPal. This puts Amazon at risk while eBay can transfer the risk to PayPal. As a common Amazon user, it is convenient for my credit card and billing information to automatically show up. It is both Amazon and PayPal's job to do as much as they can to protect their users' data; however, it should also be the responsibility of the users to have passwords that are not easily hacked. Like other posters have commented on, having passwords with capital letters and symbols makes it more difficult to hack this important data. Data is never 100% safe, but through my experience, PayPal and sites like Amazon.com do an outstanding job of protecting their users' data.
