AuctionBytes Blog
Covering auctions, collectibles and marketplace selling.

The AuctionBytes Blog has been giving a voice to online merchants since its launch in 2005. Named one of the world's top 30 blogs in 2008 by "Blogging Heroes." Weigh in with your thoughts on the joys and pitfalls of selling online.
Sat Aug 23 2008 13:13:16

PayPal Germany Responds to Security Concerns

By: Ina Steiner


A fraud-watchdog group based in Germany found what it called security flaws in PayPal Germany's automated phone service. Falle-Internet.de described how fraudsters might use the system to identify accounts that are especially profitable in order to attack and target them with phishing emails or virus attacks.

PayPal said it shut down the service in Germany, and it provided the following statement in response to AuctionBytes inquiries:

PayPal's highest priority is the security of its payment service and our customers' financial information. While our automated phone-based system allows customers to check their account balance and recent transactions, it does not allow callers to initiate transactions or move funds and no financial information is shared using this system. In addition, the system can only be accessed if the caller knows specific account information - such as the phone number and bank account/credit card numbers - that are registered to the PayPal account.

We have shut down this service in Germany. Customers in Germany can still contact PayPal customer service agents by phone to obtain account transaction history and balance information. When doing so, our agents require far more information than the automated system to confirm the caller's identity before providing account information.





Readers Comments


by:

Sat Aug 23 15:37:49 2008

As a German eBay and PayPal user, I'd like to add my two cents to this.

First of all, the requirements to log in and check one's account balance were a) the telephone number and b) the last four digits of one's bank account.

It is important to understand that in Germany, bank account numbers can be considered publicly available information. We do a lot of bank transfers since it's a) for free, b) fast (same day) and c) secure.

Someone having our bank account number normally cannot harm us in any way - wait, he could send us some money. ;-)

This is why *every* eBay seller (or at least 99.99%) gives his bank account info to his customers. In fact, nearly everybody on eBay has stored this information so his buyers can access it automatically (a specifically German feature of eBay called "Überweisung+").

PayPal's statement is - and I am really sorry to say so - a great lie. The "far more information" you now have to provide if you want to access account balance and transactions (including names of your transaction partners and details like amount and date of transaction) are your MAIL ADDRESS and your POSTAL ADDRESS.

PayPal does not seem to be aware of German laws - which obligate *all business sellers* to publish this exact information (and btw. their phone number, too) in *every eBay item description*, their online stores etc.

You might check this by opening eBay.de and browsing an arbitrary business seller's items. Scroll down to "Impressum" and find anything you need to access the seller's PayPal account. Keep in mind that bank data can be easily obtained by "test buying" (which often isn't even necessary because many sellers have their bank account numbers in their item descriptions).

To keep long things short: For German users, this *still unfixed security hole* is comparable to an American gaining access to your credit card bill by knowing your license plate and the car type you drive.

It's one big scandal!


by:

Sat Aug 23 15:56:21 2008

(Sorry for messing up your blog, it seems I somehow struggled with your "preview" feature.

Just delete redundant comments, the last one is the final version *g*.)

I just wanted to add that this issue was extensively tested - no rumors, just facts.


by: Malte Huhu

Sat Aug 23 19:46:03 2008

Is Malte Frerk still PayPal's Germany boss?


by: Bavarian

Sat Aug 23 19:48:30 2008

It is not a scandal! It is: what a load of crap!


by: what a mess

Sun Aug 24 07:52:18 2008

ANOTHER reason to leave ebay & paypal.


by: Giovanni

Mon Aug 25 00:29:26 2008

I have found a website which has been selling hacked PayPal accounts since August 2007.
You can search the proper terms to find more about the site I mentioned if you wish.

My guess is there is more than one hole.


by:

Tue Aug 26 08:14:24 2008

The latest test had some "surprising" results. This time, one didn't have to state one's address at all.

But far more concerning: Even users of the "PayPal Security Key" are affected!

The _explicit_ question whether the generated security token should be mentioned was answered by the CS employee: "You don't have to, you already verified yourself by telling me your name, email and last four digits of your bank account."

Terrific!

@giovanni: This is just phishing. Ever noticed that almost *every* PP email contains clickable links? This is a practice abandoned long ago by every single bank and most other established online services.

At PP, a user gets used to clicking links in emails. You don't have to wonder why approximately three to five thousand PP phishing sites are found (yes, *found*) per month.


by: waiting to be suspended

Tue Aug 26 08:28:14 2008

This is our answer to bad buyers when we can't leave negative feedback & they try to steal from us:
I'll see you in hell, u prick.
You were given ample time to return the magazine on your bogus claim. Of course you didn't do it since it was sent FAST, secure, in better condition as stated and we left good feedback for you also.
I have asked paypal and ebay to suspend you for filing a false claim and causing our paypal account to have a freeze. Yes, they do weird stuff like that. This is why sellers are leaving ebay in droves.
idiot.


