[ISN] Beware PayPal's "Virtual" Loophole

From: InfoSec News (isnat_private)
Date: Tue Sep 03 2002 - 23:51:32 PDT


    CHICAGO (Exclusive) - PayPal is an online company that conducts gobs
    of online transactions every day. Problem is, it's those "virtual"
    deals that seem most susceptible to fraud, ePrairie has discovered.

    To understand the potential loophole, it'd help to first understand
    PayPal's practices to prevent fraud. The company, which says it has
    been remarkably effective at foiling fraud compared to other Internet
    sites, has what it calls a "seller protection policy".

    This essentially means that the Mountain View, Calif.-based company
    will fight on behalf of sellers when buyers commit various forms of
    fraud in an attempt to retrieve the seller's deserved receivables. But
    the policy has at least one big exception: it doesn't cover "virtual"

    For an online company that makes most of its revenue through online
    auctions, PayPal says only a small majority of its customers conduct
    these kinds of transactions. Just one example is an individual who
    paid for banner ad space, signed a contract and then told his credit
    card company that he didn't authorize such payment.

    While that case is still being fought, the gist is that the product or
    service provided isn't tangible and can't be touched or tracked by
    online systems, and PayPal therefore doesn't want part in it.

    A PayPal spokeswoman said she's well aware that "online fraud is
    rampant" and "preventing it has been tough." She added that the
    company has a fraud team of 150 people devoted to identifying,
    tracking and preventing fraud, but when it comes to online goods,
    that's "as tough as it gets."

    Without becoming an escrow service (holding funds until both parties
    agree), she says that PayPal doesn't have a way of verifying the
    consent of both parties. She also dismisses the issue as one that's
    not very big and says the company hasn't had enough complaints to
    warrant spending the required time and resources to prevent virtual

    If the transaction's not virtual, PayPal does seem to have in place
    lots of seller safety measures.

    For example, sellers are not held liable as long as they have a
    "verified" business or "premier" account, they ship to the buyer's
    "confirmed" address, they ship the product within seven days of
    receiving payment, and they can provide "reasonable proof of shipment
    that can be tracked online." Also, the product must be "tangible," the
    seller must have accepted a single payment from one PayPal account,
    and the seller must have shipped to a domestic buyer at a U.S.

    PayPal has developed its own "buyer complaint" process so buyers who
    feel a fake credit card has been used for payment needn't file a
    "chargeback," which is a motion to a credit card company that
    initiates an investigation that spans 75 business days.

    During that period, PayPal recognizes that its allegedly innocent
    sellers often feel frustrated that they can only sit back and wait. At
    least if you're a seller who has provided a virtual service, now you
    know the wait's unnecessary.