Thursday, March 12, 2009

Online payment services

I feel like I have to share information concerning computer and internet-related security when I get it because it's an interest of mine, and because so many people are now affected by what's going on online.

I have used PayPal for over 9 years - initially because it was easy and convenient for eBay purchases, and now because many sites use it. PayPal (or at least the concept of a third party service like PayPal in general) is a GREAT online security concept for financial transactions. Instead of giving every site you buy something from your credit card number, you give one site (PayPal) your credit card number, and the other sites get the money you authorize PayPal to give them, and that's all. Reducing the number of places your credit card number is stored is a very good thing.

Additionally, because many sites still don't take PayPal directly, PayPal now offers one-time credit card numbers - meaning they will give you a one-use number that you can use to buy something online, and to the site you're buying from it works just like a Visa or MasterCard or whatever, but once it's been used it expires - so, even if the number got out or someone else tried to use it, it wouldn't work. Great idea.

PayPal has also started trying to lock down user accounts further by offering a one-time password-generating token (back-ended by Verisign), so that when you log in, you not only have to know your password, but your "token" (either a keychain dongle or a credit card sized thing) gives you a six-digit number you have to type in as well, and it's different every 30 seconds - so only your token and PayPal know what the number is - so even if someone got your userid AND password, they still couldn't log into your account. Cool, huh?

BUT....here are all the down sides (you knew this was coming, otherwise why would I be posting this?) Credit card companies like Visa and MasterCard are extremely good at giving buyers complete buying fraud protection, and are required by law to do so. If you buy something with a credit card online, and don't get it, or the site was fraudulent, or whatever, the card company takes care of it. Period. They may ask you for more information or investigate, but it's off your hands. And they also have pretty sophisticated mechanisms for detecting if something fraudulent is going on. Ever buy something and then get called by your card company verifying that you actually bought it? I have and I know many people that have - in most cases it's something big or out of your usual buying pattern, or you've travelled somewhere and are using the card there. (scary that they can figure all this out, but also cool!)

PayPal, on the other hand, is not as strictly required by law to do all this stuff, and is not as motivated (legally, and because they really don't have any serious competition). They do back purchasers 100%, but as I've now found out first-hand, the process is much longer and drawn out, and I'm not yet sure there's a guarantee that it's going to work - I am in the middle of a month-long dispute over something I bought on eBay and never received - even though eBay themselves told me the listing was fraudulent. I will probably get my money back. I hope.

PayPal's security key option (the keychain dongle or credit card shaped thing), while a fantastic security feature on the surface (I've read about it and know the internal workings and it's really cool and a solid security algorithm) is not as "secure" as I originally thought - not because of the technology itself, but because PayPal does not strictly enforce its use. Yes, you may need to log in without it - if you legitimately lost it or don't have it with you or whatever - but they make it WAY too easy - all you have to do is call a number and tell them your last name and last 4 digits of the credit card you have registered, and they deactivate it - so all you then need is your password. So really, it's worthless. I was really disappointed when I found this out. I'd at least like to have the option to say "NO, never let me log in without this thing" and suffer the inconvenience later. At least I know someone can't log in as me.
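To make the two points above concrete (the six-digit code that changes every 30 seconds, and what happens when the token can be switched off), here is an added example that is not PayPal's code. It assumes the token behaves like standard TOTP (RFC 6238), which this post does not actually state; the `login` function, the account layout and the `token_enabled` flag are hypothetical, and the secret is the RFC's public test key.

```python
import hashlib
import hmac
import struct
from typing import Optional

STEP = 30     # seconds each code is valid for
DIGITS = 6    # length of the code shown on the token


def totp(secret: bytes, now: float) -> str:
    """RFC 6238 code for the 30-second window containing `now`."""
    counter = struct.pack(">Q", int(now) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                     # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def code_ok(secret: bytes, code: str, now: float, drift: int = 1) -> bool:
    """Accept the current window plus `drift` windows either side (clock skew)."""
    times = (now + i * STEP for i in range(-drift, drift + 1))
    return any(hmac.compare_digest(totp(secret, t), code)
               for t in times if t >= 0)


def login(account: dict, password: str, code: Optional[str], now: float) -> bool:
    """Hypothetical server-side check: the token only counts while enabled."""
    if not hmac.compare_digest(account["password"], password):
        return False
    if not account["token_enabled"]:    # e.g. deactivated after a support call
        return True                     # password alone is now enough
    return code is not None and code_ok(account["secret"], code, now)


if __name__ == "__main__":
    # Constructed account; password kept in plaintext only to keep this short.
    acct = {"password": "correct horse", "token_enabled": True,
            "secret": b"12345678901234567890"}
    t = 59
    print("code at t=59:", totp(acct["secret"], t))
    print("password only, token on: ", login(acct, "correct horse", None, t))
    print("password + code, token on:", login(acct, "correct horse", "287082", t))
    acct["token_enabled"] = False
    print("password only, token off:", login(acct, "correct horse", None, t))
```

The code itself never gets weaker; the account does, the moment `token_enabled` can be flipped by anything easier to pass than the token check.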

So...I guess I'm back to not having a strong recommendation :) Be careful and be aware.
