Security on Paypal and donations to EFF



Fluxcapacitor
10-28-2002, 06:54 PM
I have been meaning to send a donation to EFF for some time now, and with the outstanding effort from the dev team, I felt inspired to finally follow through. I did however read recently on /. about the Abiword fund being robbed, which left me a bit concerned.

/. story:

http://slashdot.org/article.pl?sid=02/10/27/042226&mode=thread&tid=98

What is this community's viewpoint on the Abiword situation and Paypal in general?

Are there other methods of donating to EFF and giving credit to the SEQ project?

Thanks to all on the Dev-Team and the contributors who make SEQ run.

Ratt
10-28-2002, 11:37 PM
Yea, I read that too... and it had me somewhat concerned. I'm thinking about switching over to www.c2it.com ... however, I fucking HATE Citibank, which is why I haven't done it yet. So I'm weighing the options between going with a more secure company that I hate, or sticking with insecure PayPal.

If anyone knows any OTHER alternatives, please let me know.

grimjack
10-29-2002, 03:11 AM
I read this just after making an account and donating heh. Hopefully with all the bad publicity PayPal will get with the program.

Pyzjn
10-29-2002, 04:36 AM
Lol me too Grimjack.

/em crosses fingers

ThePowerTool
10-30-2002, 11:30 AM
Don't think for a moment there is anything secure about financial transactions over the Internet other than that which is nominally available to you when you are considered a mote in the universe of transactions.

This is an area where I have a great deal of expertise; banks, merchants, consumers, and the financial transactions that take place over the internet as well as the security involved.

Problem Summary
Since you are reading this here, you have a clue. You know what PKI is and the security it can provide. Visa and MasterCard released a standard format many years ago for secure financial transactions over the internet. The name of the protocol was SET for Secure Electronic Transaction. It did a number of very important things for the industry. It provided support for all of the different types of data financial institutions (banks) needed to complete a transaction. It provided real security for consumers by protecting their transactions, accounts, and funds. It provided protection for merchants; no installation mistakes exposing consumer information, no risk of charge-backs from banks (some merchants pay $30 - $40 million a month in charge-back fees because of illegal cc transactions). You would think everyone would be happy with this.

What happened? Because SET was based upon a PKI infrastructure requiring an exchange between consumer, merchant, and issuing bank (the bank the consumer received the cc from), it was necessary for consumers to install an electronic wallet to complete a transaction. The wallet would generate the private keys and store the public keys of the merchants and financial institutions a consumer would do business with. Consumers would have to download a wallet to use this safe transaction format.

I'm betting you are all guessing where this is going. It is a lot easier to type in your credit card number on the WWW than to download, install, and use a wallet. Consumers didn't buy in. Merchants are willing to deal with the risk associated with their business rather than forcing consumers to do something more secure than just typing in their cc numbers... even if that risk is $30-40M a month. Yes, there are merchants today that return $30 - 40M a month to banks because of bad charge cards and fraud. Finally, banks still think they have differentiation because of their code. Yes, it is true. Banks have this insane concept that people believe they are better because of the way they code their back-end systems and that they are not compatible with other banks except via "black-boxes."

Merchants wouldn't use it because it cost more money to implement. Banks wouldn't enforce it because they didn't want to alienate their customers. We all lose. Consumers lose the most because the price of Internet-related losses from fraud and bad ccs is passed to the consumer.

There are no secure online banks or transactions. We use SEQ which decrypts data intended for a client. Granted, we are curious about viewing our own clients. Imagine and relate this to the encrypted data that banks send to their customers. Now you have a better picture of how safe you are. If you've viewed it on a secure web browser, you've made it available to anyone that singles you out.

http://www.c2it.com says they are safe and secure. They say they protect your financial data. Take a look at this clip from their privacy document available on their site using the link at the bottom of any page:

Personal Information We Collect and May Disclose

The personal information we collect about you comes from the following sources:

Information we receive from you at enrollment or on other forms, such as name, address, social security number and telephone number,

Information about your transactions with us, our affiliates, or nonaffiliated third parties, such as your c2it transactions, account balances, payment history, and account activity,

Information we receive from a consumer reporting agency, such as your credit bureau reports and other information relating to your credit worthiness, and

Information we receive about you from other sources, such as your employer and other third parties.

What exactly are they protecting? Themselves.

I type my credit card in on WWW sites. I do this knowing my risk. I also minimize my risk by avoiding doing this except in extreme cases. I probably enter my cc information once a year or less.

Your privacy and security were killed quietly in the night by merchants and banks whose main goal is to facilitate your expenditures and take your money.

If you're worried about PayPal, you should be. Probably no more or less than you would worry about any other financial transaction or instrument on the internet.

The risk is ultimately yours because of the way consumers act in such an irresponsible manner. The good news is you are not likely to be singled out. You can hide in the masses.

dum1
10-30-2002, 12:46 PM
well there are some good alternatives, at least one I know of, they are just not very well known YET

I use these folks

http://www.checkfree.com/

they have been b2b only, now they are also p2p (person to person)

they are the guts behind many of the big banks' online payments, I have been using them to pay all my bills online and as of lately I can send payments to people, all you need is their email address (they have to have an account) and you send them the payment. No credit card is required, you just have to have an account, which is free now, and a checking account to link that to.

they back up everything, it's all guaranteed (unlike paypal), the only time you give information is when you are signed up and all that stays on their servers, no need to transfer vital info across the net any other time.

it's the future I predict
:p

dum1

jeffo
10-30-2002, 04:25 PM
nice post Tool, too bad it's not going to be read much here, but really that must have taken some work to compose. Well written and all true.

-Jeff

Chemo
11-02-2002, 08:11 AM
OK I have not seen this post till now, as of yesterday I made a donation to EFF/SEQ through PayPal, now this has me worried that, did it go to our cause in an aid to help keep the people that have put much hard work into this program "SEQ" and to get that little penguin to show that I support this board and their work :eek:


"EDIT" I checked and all is cool, just was a little concerned :D

Cam69
11-02-2002, 01:37 PM
Paypal recently locked my account (they won't even tell me why), then withdrew my last deposit made FROM my bank account back to the Paypal account...and after my sending the information to unrestrict they have failed to do so.

I personally will never, ever, ever use them again.

This is after a year and a half of use and 10k+ in transactions.

Paypal=evil.
/nod

Phoned the tech support line or some such, was told after 6 months since the last transaction they send the account balance as a check, so not going to bother with them anymore. Will just wait for my check. ;d



Anyway, much respect to the SEQ coder(s).

Hawkeyez
11-02-2002, 01:50 PM
that totally sucks... should i cancel my card and get new one issued and just consider money donated to seq fund a loss??

thanks

bonkersbobcat
11-02-2002, 11:44 PM
Originally posted by Hawkeyez
that totally sucks... should i cancel my card and get new one issued and just consider money donated to seq fund a loss??
Wait a minute... Did anyone say that any SEQ donations were gone? I don't think so. What was said was there was concern with Paypal over what happened to another project, who had funds removed. Note that on this other project the funds were probably removed because someone logged into the account and removed them. We don't know if it was actually a security breach at PayPal or if someone just guessed the account and password.

I am not saying that PayPal is a good company, but let's not make statements or decisions without knowing all the facts first hand.

Ratt
11-03-2002, 11:01 AM
There is nothing wrong with the SEQ PayPal account.