When a secured site is not so secure

By John Dickinson, Special to ZDNet, January 29, 2002

COMMENTARY--You probably won't find a bigger fan of PayPal than me. The company's financial intermediation service allows secure Internet transactions between strangers--such as eBay vendors and buyers--without an exchange of private financial information, such as credit card numbers. I think that's an excellent service.

PayPal is now in the process of expanding their services and going public (their original IPO plan got scrapped due to the terrorist attacks on September 11th). But that's not why the company suddenly became so interesting to me. It became interesting to me when I recently discovered that someone had broken into my PayPal account. Imagine my surprise when I realized someone was moving money from my bank into my PayPal account and spending it on services and goods from PayPal partners. And oddly enough, the bad guys had also broken into someone else's account and moved money from there into my PayPal account.

Fortunately for me, and possibly someday for you, PayPal's security team was on top of things even before I was. I received a full refund and the unauthorized transactions are in the process of being reversed. But, unfortunately for everybody who does business on the Internet, the method used by the bad guys seems pretty low tech, and that demonstrates a frightening breach in Internet vendor security schemes.

It's conceivable that the bad guys used a spyware program that tracked my keystrokes to follow me around and capture the password information I used to access PayPal. So, on fellow ZDNet commentator David Coursey's recommendation, I bought a copy of SpyCop and checked my systems, but found nothing troublesome in that department. But that doesn't mean that spy programs aren't a good method for bad guys to use to get your password information; it just means that it didn't happen to me...yet.

What apparently did happen was described to me by one of the customer service people I talked with at PayPal. According to him, it is very dangerous to click on a PayPal link found in an e-mail or on another Web site, possibly including legitimate vendors using PayPal for transactions. Why is that dangerous? Because even a legitimate-looking PayPal logo link can contain links to another program that hijacks your PayPal session. The hijacker program can then follow you as you log on to PayPal and capture your logon information.

How can that happen at a secured site such as PayPal's? According to security guru Vance Bjorn at Digital Persona, the program probably simulated the PayPal login page, and may have even presented me with a secure page, although not secured by PayPal. Is it hard to create such a program? I talked to a couple of Web programmers and, no, it's actually pretty easy. Can PayPal's firewall prevent such a program from operating? No, because the program is merely watching your computer as it sends out keystrokes, not invading theirs. Can your firewall or NAT prevent it? No, and for pretty much the same reason. Could such a program be used to follow you into other places on the Internet where you use password information to log on, such as Internet vendors or your bank? Sure, that's easy too.

What's to prevent such a simple invasion of your privacy and your pocket? Encrypted passwords would help, but there would have to be industry agreement on encryption schemes for use in payment systems. Digital Persona has been trying for years to promote encrypted biometric passwords using their U.are.U fingerprint recognition devices and software, and other biometric devices could be similarly used, so long as there is a standardized encryption scheme. But for the moment there is not. According to Bjorn, the easiest thing to do is take a moment and make sure that there is a security lock icon at the bottom of your browser window, then take another moment to click on it and make sure that you're dealing with PayPal's secure page and not someone else's.

I'm not the first victim to have had my pockets picked by bad guys hijacking PayPal sessions. There are a couple of Web sites devoted to picking apart PayPal's security and their entire method of doing business, although some of them are merely rant boards. But this particular security problem has been seen before and reported on some of the more legitimate boards, and it will undoubtedly be seen and reported again.

To help prevent that I'll give you the security advice PayPal folks gave to me: If you are going to use the PayPal service, DO NOT use a link provided by someone else, even if it looks like a legitimate PayPal link. It's better to do the work and use your browser's address line and type "https://www.paypal.com/". Then log on and get to your transaction information manually (copy/paste and drag-and-drop still work fine for inputting eBay item numbers). I'll take that advice, and even take it one step further in the future and not use links to any Internet vendors where I do business. Until we have standard encryption schemes for passwords, possibly backed up by biometric devices, so should you.
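The check behind this advice can be automated on the receiving side. The following is an added example, not code from the article or from PayPal: it audits the links in an HTML e-mail body and marks a link as ok only when it uses https and its host is paypal.com or a subdomain of it, whatever the visible label or logo says. The sample message, the verdict names and the .example hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
TRUSTED = "paypal.com"  # the domain the article tells readers to type by hand

def link_verdict(href):
    """Classify one href: 'ok' only for https on paypal.com or a subdomain of it."""
    parts = urlsplit(href.strip())
    host = (parts.hostname or "").rstrip(".").lower()
    if parts.scheme != "https":
        return "not-https"
    if "@" in parts.netloc:
        return "userinfo-in-url"   # text before '@' is not the host
    if host == TRUSTED or host.endswith("." + TRUSTED):
        return "ok"
    return "foreign-host"          # also catches paypal.com.<other domain>

class LinkAudit(HTMLParser):
    """Collect (label, href, verdict) for each <a> whose label or href mentions PayPal."""
    def __init__(self):
        super().__init__()
        self.findings, self._href, self._label = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._label = dict(attrs).get("href") or "", []
        elif tag == "img" and self._href is not None:
            self._label.append(dict(attrs).get("alt") or "")  # logo links: use alt text
    def handle_data(self, data):
        if self._href is not None:
            self._label.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            label = " ".join(" ".join(self._label).split())
            if "paypal" in (label + " " + self._href).lower():
                self.findings.append((label, self._href, link_verdict(self._href)))
            self._href = None

def audit(html):
    parser = LinkAudit()
    parser.feed(html)
    return parser.findings

# Constructed sample e-mail body (not from the article); hosts are placeholders.
SAMPLE = """
<p>Pay for your item: <a href="https://www.paypal.com/"><img alt="PayPal" src="logo.gif"></a></p>
<p><a href="https://www.paypal.com.secure-login.example/cgi-bin/webscr">https://www.paypal.com/</a></p>
<p><a href="https://www.paypal.com@198.51.100.7/login">Log in to PayPal</a></p>
<p><a href="http://www.paypal.com/">PayPal</a></p>"""
for label, href, verdict in audit(SAMPLE):
    print(f"{verdict:16} {label!r} -> {href}")
```

A verdict of ok says only that the link points at the expected host over https; it does not replace typing the address by hand or inspecting the certificate behind the lock icon.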

John Dickinson has worked in the computer industry for more than 30 years in positions ranging from systems analyst and software engineer to editor, writer, critic and industry analyst. His most recent engagement was at eMachines, where he managed the company's Internet and software business units.