Over the last week or so, you have undoubtedly read of the frightening incident wherein the
publisher of this site, Dan Knight, had his business PayPal
account hijacked and cleaned out - and his bank account along with it.
For those of us who regularly transact business on the Internet, this
is a chilling story. Perhaps even more troubling is the fact that Dan
took all the precautions and did everything right, but Low End Mac
still got robbed.
PayPal is essentially a bank in every aspect except the one that
matters: legally. It is an electronic clearinghouse, used primarily by
buyers and sellers exchanging funds in online auctions. Buyers can use
a credit card at PayPal to pay for their purchases, and PayPal sends
the money on to the seller, less a small service charge.
This enables sellers to accept credit card payments without going
through the hassle of setting up a merchant account with a bank. It is
especially helpful to the low-volume, occasional auction seller.
Since it is not officially classified as a bank, PayPal is not
subject to most banking regulations. These non-applicable regulations
would otherwise offer consumers a measure of protection from fraudulent
transactions. While PayPal is very convenient and fills a very
important niche in the online community, it is not without its
hazards.
Logging in to a PayPal account requires two items: the email address
registered to the account and the password. Once logged in, the user
has free rein to change the account information in any way, including
changing the email address. In Dan's case, the thief correctly guessed
the account's email address [it's posted on the site to facilitate
donations - dk] and password. Once in, he changed the email address to
his own and started transferring money to himself. When the PayPal
account ran out of funds, PayPal automatically debited Cobweb
Publishing's linked bank account until it, too, was emptied.
In order to be "verified" with PayPal, you have to provide a
valid bank account. This account is linked to your PayPal account,
enabling money to be transferred between the bank and PayPal. Although
it is not strictly required, failing to provide this information
severely restricts your use of PayPal.
With none of the government-mandated safeguards of a bank or credit
card in place, Cobweb Publishing, the publisher of Low End Mac, is out
somewhere in the neighborhood of $1,500. Unlike a credit card, where
questionable transactions are usually reversed until everything is
sorted out, Cobweb Publishing has lost use of their own money until
they can prove fraud. Conceivably, the money could be gone for good.
Guilty until proven innocent.
Here are some precautions that all PayPal users should take:
- Set up an email account that is used only for PayPal.
Although this is far from foolproof, it will at least give a potential
thief another hoop to jump through.
- Choose a password that contains letters, numbers, and
symbols (!,#%&, etc.). Don't use words found in the dictionary, even with
a digit or two tacked on the end; password-cracking programs try those
first and will figure them out in minutes. The longer and harder to
guess the password is, the better. As Dan's case illustrates, however,
this is still no guarantee.
- Don't link your bank account with PayPal unless it is absolutely
necessary. If you have to, open a separate account for just this
purpose, and never leave more than a minimum balance in the account. To
transfer funds, move money into the account and then immediately out
through PayPal. When you receive funds, withdraw them immediately upon
receipt. After reading of Dan's unfortunate adventure, I went to PayPal
and removed my bank account. Until I can open a new account devoted
solely to PayPal, I will remain an "unverified" member of the PayPal
community.
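The dictionary-word warning in the second precaution is worth seeing in action. What follows is an added example, not code from the original article: a miniature dictionary attack of the kind password-cracking programs run, with a constructed ten-word list, the cheap mangling rules crackers try first (capitalisation, common suffixes, reversal), and an unsalted SHA-256 digest standing in for however a site actually stores its passwords. It goes slightly beyond the text in showing that a dictionary word with a digit appended falls just as quickly as the bare word.

```python
"""Miniature dictionary attack: why a dictionary word is not a password.

Added example. The wordlist, the hashed passwords and the hash function
(unsalted SHA-256, chosen only to keep the demonstration short) are all
constructed here; no real site's password store is involved.
"""
import hashlib

# Constructed stand-in for a cracking wordlist; real ones hold millions of
# entries. The words below are placeholders, not taken from any real leak.
WORDLIST = ["password", "letmein", "sunshine", "dragon", "macintosh",
            "lowendmac", "paypal", "welcome", "monkey", "qwerty"]

# Suffixes people tack on to "strengthen" a word; crackers know them too.
SUFFIXES = ("1", "123", "!", "2001")


def digest(password: str) -> str:
    """Hash a password the way a (poorly designed) site might store it."""
    return hashlib.sha256(password.encode()).hexdigest()


def candidates(word: str):
    """Yield the word plus the cheap mangling rules a cracker tries first:
    capitalised and upper-cased forms, common suffixes, and the reversal."""
    forms = []
    for form in (word, word.capitalize(), word.upper()):
        if form not in forms:          # keep order, drop duplicates
            forms.append(form)
    for form in forms:
        yield form
        for suffix in SUFFIXES:
            yield form + suffix
        yield form[::-1]


def crack(target: str, wordlist=WORDLIST):
    """Try every candidate against the target digest.

    Returns (recovered_password, guesses_made); the password is None when
    the wordlist is exhausted without a hit."""
    guesses = 0
    for word in wordlist:
        for guess in candidates(word):
            guesses += 1
            if digest(guess) == target:
                return guess, guesses
    return None, guesses


if __name__ == "__main__":
    # "sunshine" and "Sunshine1" fall in under 50 guesses; the random
    # mixed-character password is never generated at all.
    for pw in ("sunshine", "Sunshine1", "T7!qz9#Lm"):
        print(pw, "->", crack(digest(pw)))
```

A real wordlist runs to millions of entries and a cracker applies far more rules than the handful here, so anything built from a word falls in seconds. The random mixed-character password is never generated in the first place, which is the whole point of the advice.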
This incident gives us an opportunity to remind you of other
precautions that should be taken in online commerce in general:
1. Always pay with a credit card. You receive your greatest degree
of fraud protection when using a credit card. Many banks offer Visa or
MasterCard debit cards. These cards function as regular,
run-of-the-mill credit cards - with one important exception. When you
make a charge, the money is automatically drafted from your bank
account. You receive no monthly bill other than your bank statement.
These cards, when used with your (hopefully) secret PIN, also function
as ATM cards. As with PayPal, these cards are oh so convenient. Also
like PayPal, they carry their own hidden pitfalls.
It is important to know that, even when used as a credit card, these
debit cards do not carry the same level of consumer protection.
If your Visa or MasterCard debit card is used fraudulently, you will
likely be in the same boat as Dan Knight and Cobweb Publishing. Until
and unless you can prove fraud to the bank's satisfaction, you lose the
money in question.
I recently had occasion to experience this personally. Kay and I
received our bank statement and noticed two different charges from the
same store, totaling almost $300. Satisfied that neither of us had made
the charges, we contacted the store at which the charges were made. We
learned that the merchandise had been mail-ordered by and shipped to
someone in our small town. I theorized that the customer was someone
who also used our small bank. Credit cards issued by smaller banks
usually come from a block of numbers. It is not unusual for all of the
credit cards from one of these banks to share the same numbers except
for the last four or five. My thought was that two numbers had been
transposed on the order, making the credit card number correspond to our own.
After further investigation with both the merchant and our bank, my
theory was confirmed. After almost two weeks, we got our $300
returned.
It was alarming that this merchant had done no credit card
verification. If he had, he would have immediately known there was a
problem, since the name and address of the customer did not match those
registered to the credit card. Fortunately we were in a position where
losing $300 for two weeks did not put us in a bind. Many people are
not. Caveat emptor.
2. If you must use a debit card, use it as a credit card (as
opposed to an ATM card) whenever possible. Many stores and
point-of-sale devices, after swiping a debit card, will ask whether you
want to use the card as "credit," "debit" or "EBT." Always choose
credit.
Again, I want to emphasize that treating your debit card like a
credit card does not necessarily confer upon you the same protection as
if you had whipped out the American Express, but there are several
reasons for using it as such. It is just common sense not to expose
your PIN to prying eyes anymore than is absolutely necessary. Your
debit card + your PIN = unfettered access to your bank account(s) by a
criminal, who will be able to collect his spoils in cash without having
to go through any third parties.
The other reasons relate to the different way the transaction is
handled from the point of sale until it reaches your bank account. I
will not publicly discuss those reasons here so that I don't
accidentally educate any aspiring criminals, but trust me on this.
Don't use your debit card if you don't have to; if you have to, use it
as a credit card whenever possible.
3. Don't pay by check, money order, or cash. If something goes
wrong, you will have little or no recourse. A deal is a deal is a deal,
and in this case it is also final.
4. Don't enter your credit card information on an insecure Web page
or send it via email. All browsers have some sort of lock and key icon,
usually in the lower left or right-hand corner, which will show you
whether the Web page you are on is secure; the address of a secure page
also begins with https:// rather than http://. On Internet Explorer for
Mac, a small gold closed lock will appear in the lower left-hand corner
of the frame of the browser, immediately to the left of the globe icon,
whenever you enter a secure page. Keep in mind that the lock only means
the connection between your browser and the site is encrypted; it says
nothing about whether the merchant is honest or keeps your card number
safe once it arrives. As for email, the only form of communication less
secure is walking down the street with a megaphone.
The vast majority of Web pages are not secure. Don't panic, however.
Unless you are entering sensitive information into the page, there is
no reason for it to be secure. On most websites, the only secure page
is the one where you place your order.
5. Don't give your credit card or bank information to solicitors who
call on you. If you did not originate the call for the purpose of
placing an order, don't volunteer any financial information.
6. Every reputable website has a general disclaimer that no one from
their company will ever contact you and ask for your password, and they
mean it.
There is an old joke about a man who comes into a computer shop and
tells the technician that he is worried about hackers, viruses, and
spies. He directs the shop to make his computer "absolutely secure."
The technician removes the floppy drive, CD-ROM, modem, network card,
keyboard, and mouse, and then hands the computer back.
Making something absolutely secure will usually have the unintended
side effect of rendering it useless. This is certainly the case with
online commerce. While it cannot be completely secure and without risk,
by taking a few precautions you greatly reduce this risk.