PayPal recently began to sell a so called PayPal Security Key to protect PayPal users from phishing attacks. The system works by protecting the login to the account not only with a username and password but also a security key that is generated on the fly on an external device. Attackers who are able to steal PayPal login information would need physical access to the security key to be able to log into the account at a later time.

It is not a 100% perfect solution as attackers are still able to circumvent the security key if they have additional information related to the PayPal user’s account. It still is a viable protection in most cases. PayPal is hosting a security center on their website that is informing and educating users about security risks and how to reduce them and prevent attacks.

Probably the best way of fighting most attacks and all phishing attacks is to always open the PayPal website directly instead of clicking on links that are supposed to lead there. Another security method is to use a password manager to store the PayPal login information. Many password managers, such as Last Pass, can fill out the login form and log in the user automatically in configured accounts. This can be a very effective method of detecting fake websites as the password manager will not fill out the login information automatically on these websites.

Related posts

• PayPal Now Offering Mobile Security Key (2)
• Update on my PayPal Story (8)
• Protect PayPal Accounts With VeriSign Identity Protection Devices (19)
• Unauthorized Payment Done With My PayPal Account (50)
• Send a Fax to unsubscribe from paypals newsletter (4)

A new widget has been recently added to Gmail labs that increases email security by offering phishing protection for the two services PayPal and eBay. Emails send by these two services are authenticated by the widget and an authentication icon is displayed in the Gmail interface so that the user can see at first glance that the emails are coming from the original source.

The main advantage of this added layer of phishing protection is that emails that claim to be from either PayPal or eBay but are not will now be deleted before they reach the user’s email account meaning that they will not appear in the spam folder either. Google is hoping to add additional services in the future to increase the reach of the additional email security layer.

Users can add the new phishing protection by logging into their Gmail account, clicking on the Settings link in the top right corner, switching to the Labs tab and enabling the Authentication icon for verified senders widget.

Related posts

• New Google Mail Security Vulnerability Emerges (4)
• How to defeat Phishing (4)
• Gmail And Yahoo Mail Users Now Protected Against eBay And PayPal Phishing Mails (1)
• Truemark Email Identification (5)
• Tracking Gmail Account Usage (2)

Nope, I needed to send some ID and utility bills. The process was fairly simple, I took a photo of my phone bill, my AmEx report and both sides of my National ID. In the Paypal documentation they say a phone bill is not ok, but since my apartment is not on my name I don’t pay bills per se. Nevertheless, I sent these all off.

After some mucking about (the form was not the best), Paypal accepted these documents and this, as a lot of government and verification processes puzzles me a bit. I mean I could’ve Photoshopped all that right? Unless they actually checked with my government and bank and carrier service, which I’m sure they didn’t, they replied in like 2 days, they can’t be really sure.

My reasoning is that someone like me would have to go to more trouble to prove his identity and location truthfully, than a money launderer would have to go to to forge this stuff. If I didn’t have a camera I would’ve had to spend about $30 to photocopy, print, scan and so on. A money launderer may have to pay $1,000 for a good forgery, but hey, he has a printing press right, money comes easily.

The point is, that all I proved is that I have an internet connection and probably an ID. Is this a process that is supposed to deter people on the wrong side of the law? I doubt if it does, it did deter me though, my account was even frozen for a while!

Related posts

• PayPal to Block Unsafe Browsers (6)
• Ingenious PayPal mimicing spam (8)
• Yahoo marks dangerous search results (4)
• Wordpress Remote Admin Password Reset Vulnerability (13)
• Wireless Hotspot Hacks (1)

The key is an electronic device that generates a six digit key every 30 seconds. That key is needed to login into PayPal. The device can be ordered from within the PayPal interface or from VeriSign directly. It works at all websites that make use of the key including eBay and PayPal.

PayPal has introduced the mobile security key recently. It makes use of the same principle with the difference that the security key is generated by an official server and send to the user’s cell phone instead.

This offers a few advantages like increased mobility and no waiting time till the device arrives. It does however mean that the user is charged for every SMS send by his cell phone provider. Merchants who log into PayPal several times a day might want to use the hardware solution primarily to save costs.

Users who want to order a mobile security key can do that once they are logged into PayPal. The option becomes available after the PayPal login. A click on the Security link in the top right corner of the website will load a new page with a link named Security Key.

A click on that link will display two options: To order a security key device or a SMS security key.

Related posts

• Protect PayPal Accounts With VeriSign Identity Protection Devices (19)
• Update on my PayPal Story (8)
• PayPal Login (1)
• Unauthorized Payment Done With My PayPal Account (50)
• Send a Fax to unsubscribe from paypals newsletter (4)

The VeriSign Identity Protection device can be used to add another layer of security to the login process. The PayPal Security Key mentions only eBay and PayPal and I’m not sure if it works with the other websites and services that the VeriSign Identity Protection key works with.

The key is a little device that displays a six digit security code when a button is pressed. That code is active for 30 seconds after which it disappears again. The device has to be activated on the website that you want to use it for by entering the serial number of the device and two six digit codes.

Once a device has been linked to an account it has to be used to log into the account by pressing the button and entering the six digit code after the password on that website or by entering the login credentials normally and the six digit code on the next page where it is requested before the user can proceed.

The real benefit of this key is obviously that an attacker who is getting hold of your login credentials cannot login into the account if he does not have access to the active six digit code.

PayPal seems to heavily subsidize the key. If you order the security key at PayPal you receive a blueish-gray device for roughly 5€ while the VeriSign key is delivered in dark red for the price of $30. As I said I’m not sure if the PayPal key works with other services as well.

The VeriSign website offers two additional devices. One is the so called VIP Security Card (for $48), a credit-card sized device that seems to offer the same functionality and the SanDisk U3 TrustedSignins
which works with SanDisk U3 devices but does not seem to come with additional charges.

This is definitely a step into the right direction and I strongly suggest to everyone using eBay and PayPal regularly to get one of those security devices to add another layer of protection to their account.

Related posts

• PayPal Now Offering Mobile Security Key (2)
• Update on my PayPal Story (8)
• PayPal Login (1)
• Online Paypal Fee Calculator (3)
• How to defeat Phishing (4)

The analysis of my computer did not turn up anything that could have been used to grab my PayPal credentials and make the transfer and I did scan it with a multitude of scanners.

The support line at PayPal was not helpful at all and could not even tell me if I was the only one that has logged into my own PayPal account recently claiming that it was against their privacy policy to disclose such data. That was very unfortunate because it would have helped me tremendously to know if someone logged into my account to make the payment.

I was contacted at the same day by Steve Ragan from The Tech Herald who published an interview about the case on the website. That interview seemed to have sparked the interest of PayPal because I was shortly after contacted by their CISO who wanted to transfer my case to a specialized team, he called it unusual e-crimes investigations team. That was a pleasant surprise and I had hopes that I would finally find out how the money was transferred.

Unfortunately though I have not heard back yet and I’m not sure if I ever will. I know that some big companies are rather slow when working on cases but it has been two weeks and no reply since.

Last but not least Steve contacted me again telling me that the guys at VeriSign would like to send me one of those PayPal Security Key after they have heard the story which is really nice of them. Unfortunately though I have ordered one already which has not arrived yet. It’s also been two weeks since then and I’m beginning to see a pattern here. So VeriSign nice, PayPal not so nice. I will keep you updated if I’m ever contacted again by PayPal about this matter.

Update:

I received both the PayPal Security Key and the VeriSign ID Protection key shortly after finishing the article. Will write about those soon.

Related posts

• Unauthorized Payment Done With My PayPal Account (50)
• PayPal Now Offering Mobile Security Key (2)
• Protect PayPal Accounts With VeriSign Identity Protection Devices (19)
• PayPal Login (1)
• Send a Fax to unsubscribe from paypals newsletter (4)

PayPal and eBay finally made the decision to sign all emails originating from their servers including the international versions which means that it is possible to eliminate PayPal and eBay phishing emails before they even reach the inbox or spam folder. The system was tested for a few weeks silently and only a few users did notice according to the official Gmail blog.

Now any email that claims to come from “paypal.com” or “ebay.com” (and their international versions) is authenticated by Gmail and — here comes the important part — rejected if it fails to verify as actually coming from PayPal or eBay. That’s right: you won’t even see the phishing message in your spam folder. Gmail just won’t accept it at all. Conversely, if you get an message in Gmail where the “From” says “@paypal.com” or “@ebay.com,” then you’ll know it actually came from PayPal or eBay. It’s email the way it should be.

Sounds like a dream come true and could pose an end to phishing if more companies, and mail providers, would jump on the bandwagon of signed emails. Companies that come to my mind first are financial companies and other online stores. I still would not blindly trust any email from PayPal or eBay that would arrive in my inbox but it definitely is a step in the right direction. The best way to handle it is to visit the websites manually and perform the eBay or PayPal login there.

Related posts

• How to defeat Phishing (4)
• Gmail Increases Email Security With Phishing Protection (7)
• Yahoo Mail, Search And Messenger Upgrades (2)
• Why I’m Still Using A Software Email Client (17)
• Gmail Enables Mail And Contact Import For All Gmail Accounts (11)

Imagine my surprise when I discovered that a payment for all the money in the PayPal account has been made at 23:35:35 PDT to Santrex Internet Services. I was not awake at that time which could only mean that someone else managed to make the transaction. The question is how.

I contacted PayPal and filed for unauthorized payment and did contact the “seller” as well who replied telling me that someone did buy Virtual Servers from the money. I’m pretty sure that I will get the money back the question however is how someone was able to make that transaction in first place.

The possibility is there that someone was able to get my password for PayPal somehow and made the transaction that way. I’m not sure if there is a possibility to make a transaction from PayPal without logging into the account. It does not look this way.

I checked my system with latest anti-virus software and found nothing. I also checked the PayPal account settings and changed the passwords there. I will change all passwords for all sites just to make sure that someone did not get them all.

The strange thing is that the payment was only made for the amount that I had lying around in my account. Anyone ever heard of something like that ? The real question is how he was able to get into my account as it is unlikely that transactions could have been made without my PayPal login data.

Related posts

• Update on my PayPal Story (8)
• Send a Fax to unsubscribe from paypals newsletter (4)
• Protect PayPal Accounts With VeriSign Identity Protection Devices (19)
• PayPal to Block Unsafe Browsers (6)
• PayPal Now Offering Mobile Security Key (2)

That’s what PayPal (thanks Lee for the email) mentioned in a Whitepaper and I have to agree with it. There is virtually no reason why someone would still use Internet Explorer 3 or 4 to surf the Internet for example. Those browsers probably have so many known security holes and lack so many security features that it’s highly likely that the browser will get successfully attacked eventually.

This still does not take care of the user who is working with the computer which is in my opinion the greatest security risk of them all. I always like to say that if you do not understand basic security concepts, for instance the ability to differentiate between http and https websites, then you should not be doing security related stuff on the Internet including banking but also eBay, Amazon or PayPal.

The battle against Phishing is something that companies cannot win alone. Companies cannot do anything about a user who cannot differentiate between fake and original websites. Systems like Extended Validation SSL Certificates which highlight the address bar in green will surely help those users in the long run.

What should not happen though is the exclusion of a browser simply because it is being used by a smaller community. Say Safari for Mac. When I worked at one of the biggest German financial corporations I always had to tell Mac users that their browser was not officially supported. Security is not an excuse to lock out some users with more “exotic” browsers.

Related posts

• Ingenious PayPal mimicing spam (8)
• Web of Trust: collaborative online security (7)
• Truemark Email Identification (5)
• Securing Your Web Browser (0)
• Paypal anti-laundering safety regulations (13)

The best way for all users would be if PayPal would display those fees before you make the transaction so that you can check them before sending the money. They do not display them however and a service like the PayPal Fee Calculator comes in handy to determine the fees that you have to pay.

You select the country and currency where the payment is coming from and send to, the monthly sales volume and some optional settings like 2.5% conversion fee, Credit Card fees or eChecks. A user can then calculate the fees if he would receive money or if he would send money to another user.

Once a fee is calculated you can take a look at the fee breakdown to see how the fee has been calculated. A currency converter is as well on the website to help you out with that as well.

via Donation Coder Forum

Related posts

• Protect PayPal Accounts With VeriSign Identity Protection Devices (19)
• How to defeat Phishing (4)
• Gmail Increases Email Security With Phishing Protection (7)
• Gmail And Yahoo Mail Users Now Protected Against eBay And PayPal Phishing Mails (1)
• Ebay bans Google Checkout (9)

Virtual mail accounts can be created in many online mail accounts including Gmail and Yahoo Mail. If you wanted to create such a virtual mail account in Gmail you would simply change the email address at the site where you are registered at to youraddress+added@gmail.com. To give you an example, you could use the email ghacks+paypalcom@gmail.com as your main email in PayPal.

You would then set a filter in Gmail to filter all messages send to this email. Now, whenever an email from PayPal arrives that was not send to this virtual email address you can be sure that it is a phishing email. To be effective you need to hide this email from everyone, even the people who send or receive money. This is done by using a second email for this purpose that is not your default email in PayPal.

This system works fine if the service accepts email addresses with plus signs. Most websites need only one virtual email address, your bank for instance, eBay and every other website where the email is not visible to contacts.

Related posts

• Truemark Email Identification (5)
• Gmail Increases Email Security With Phishing Protection (7)
• Gmail And Yahoo Mail Users Now Protected Against eBay And PayPal Phishing Mails (1)
• Yahoo Mail, Search And Messenger Upgrades (2)
• Ingenious PayPal mimicing spam (8)

This email confirms that you have sent an eBay payment of $47.85 USD to hineswhittier@yahoo.com for an eBay item using PayPal.

If you look at the email, it does look like a PayPal email at first glance. There are differences, but who can really recall an invoice at first glance? I have to say, that despite my “mental training” to be really cautious, I almost clicked on the link. My first thought was, maybe someone hacked my account. I don’t have a load of money on there, but I do have over $48, so if they did hack it, it would make sense to only send that small amount. If you read a bit further, here’s what you see, and this is what arose my suspicion.

Note: If you haven’t authorized this charge ,click the link below to dispute transaction and get full refund (Encrypted Link )
*SSL connection: PayPal automatically encrypts your confidential information in transit from your computer to ours using the Secure Sockets Layer protocol (SSL) with an encryption key length of 128-bits (the highest level commercially available)

First of all, yeah right, I click dispute, and I get all my money back, how nice of PayPal, not even to look into it. Second of all, I don’t think 128 bit SSL is the highest available. Third of all, and this was right before I almost clicked, the link contained inside (I have removed it now) goes to a very non-PayPal page. I mean it goes to some Japanese, even spam-sounding website. By the way, 3 of the five links in the email went to the same page. I just stopped there and then and forgot about it. Upon an even closer inspection though you can see the comma error in the first line, and also the faulty bracket spacing after “Encrypted Link”.

Whenever you receive something that seems like spam, always remember to check these things, they can tell you it is spam, or at least keep you from clicking away wildly. Click on the pic if you want to see the email, it’s in gif format, so no need to worry about links and things.

Update: I have forwarded the email to spoof [at@] paypal [dot.] com, if you receive anything like this, please help them out too.

Related posts

• Truemark Email Identification (5)
• PayPal to Block Unsafe Browsers (6)
• New Phishing Mail Tactics (3)
• How to defeat Phishing (4)
• 20 Minute Guide to Pc Security (0)

Do you have an account at JP Morgan Chase Bank ? If not delete the message immediately. Users from outside the United States should delete it as well especially if they only have bank accounts in their native language which is not English. It becomes a little bit complicated if you are a customer of that bank.

If you do read the mail completely you soon realize that the mail body does not contain a single word about JP Morgan Chase Bank anymore but only about PayPal. The mail ends with ‘Sincerely, PayPal Account Review Department’

Those factors are only indicators that something is wrong. Take a look at the only link in that email, it does show a PayPal url, but is it really one ? If you hover the mouse over the link the destination of that link is shown in the status bar of Thunderbird.

The link is pointing to a Swiss website and not to paypal.

If you visit that link which should not be a problem if you use Opera or Firefox you come to a website that looks like PayPal. Now it is beginning to get interesting, lets take a look at that website and find out about the differences to the original PayPal website and how one would be able to spot them.

• The websites look different. This is a good indicator that something is wrong.
• The Phishing website does not use the https protocol and it does not show a PayPal url
• The Verisign logo at the bottom is blurred at the Phishing website
• Username and Password are not automatically filled in if you saved them

The bold indicator is the most important one. If the phishing website would use https you could check the certificate by clicking on the yellow lock to receive further information.

Phishers however mostly rely on users who believe what they see, if it looks like PayPal it must be PayPal.

Related posts

• Update on my PayPal Story (8)
• Unauthorized Payment Done With My PayPal Account (50)
• Send a Fax to unsubscribe from paypals newsletter (4)
• Protect PayPal Accounts With VeriSign Identity Protection Devices (19)
• PayPal to Block Unsafe Browsers (6)

Ebay changed its Safe Policy this week adding Google Checkout to its list of online payment methods not permitted on eBay. Take a look at their updated policy to see for yourself that Google Checkout is among the payment services that are not accepted by Ebay.

My first thought was that Ebay was trying to prevent that a serious competitor would compete with Ebays own service Paypal. This could be but I found something that might give them at least a justification to ban Google Checkout for now.

Ebay uses several factors to determine wether a payment service will be permitted. One of those factors is “whether the payment service has a substantial historical track record of providing safe and reliable financial and/or banking related services (new services without such a track record generally cannot be promoted on eBay)”

Google has of course such a track record with Adwords and Google Video but of course not with Google Payment. This could mean that they will evaluate google checkout again at a later date and probably add it to their list of accepted payments services then.

I think that Ebay should leave it to its users how they finish the transaction. It´s none of Ebays business in my opinion to interfere.

What do you think ?

Related posts

• Protect PayPal Accounts With VeriSign Identity Protection Devices (19)
• Online Paypal Fee Calculator (3)
• How to defeat Phishing (4)
• Gmail Increases Email Security With Phishing Protection (7)
• Gmail And Yahoo Mail Users Now Protected Against eBay And PayPal Phishing Mails (1)

He then contacts paypal customer support and they tell him to fax a valid photo id, a bank statement, a credit card statement and proof of address (phone or utility bill). All for a unsubscription of a newsletter ? Did someone else have problems with paypal or other companies like that ? This sounds unbelievable to me..

Related posts

• Update on my PayPal Story (8)
• Unauthorized Payment Done With My PayPal Account (50)
• Protect PayPal Accounts With VeriSign Identity Protection Devices (19)
• PayPal to Block Unsafe Browsers (6)
• PayPal Now Offering Mobile Security Key (2)