A PayPal Security Analysis

Based in San Jose, California, PayPal is an online e-commerce company that allows its users to send and receive money over the internet from anybody with an e-mail address. Any recipient of PayPal funds can then transfer those funds into their bank account, request a check from PayPal, or use a previously issued PayPal debit card to make a cash withdrawal at countless ATMs around the world. In examining PayPal's security concerns, liabilities exist in both the company's Vulnerability Disclosure Policy - which can be relieved by redefining elements within the policy and allowing for a 48 hour advance notice to current customers - as well as its website integrated shopping cart - a software malfunction that will require program rewrites to prevent future elements of fraud.

Company Overview

Recent PayPal data indicates that the total value of all transactions for the first quarter of 2009 exceeded 16 billion dollars (PayPal, 2009a). With such a large amount of cash being moved about a virtual environment, security is deemed the number one priority for information technology professionals at the company. While every company in the age of internet expansion is at risk to some degree, PayPal is a prime target for thieves due to their vast volume of business, their high amount of daily transactions, and their policies that govern the set-up and maintenance of their accounts. With 201 million worldwide accounts and 2009 revenues that totaled $631 million in the first quarter, PayPal is a target in both foreign and domestic markets and needs to carefully and continually update its international currency exchange rates in order to avoid major losses through laundering and exchange schemes (PayPal, 2009a).

Products

PayPal offers users across the globe the chance to send money to anyone with a valid email address for virtually any purpose. Users may send money directly to an email, or those requesting funds can send their buyer a PayPal invoice. PayPal issues Mastercard backed ATM/Debit Check cards to users who wish to withdraw deposited funds directly from ATMs around the world. The company offers website integrated shopping carts as well as web integration tools without the need of a third party processor. Recently, the company began offering a virtual credit card terminal that allows PayPal account holders to accept credit card orders over the phone.

Critical Business Process

PayPal employees monitor and collect fees charged for each transaction the company provides. Sellers pay a small fee, typically .30 cents plus 2.5 percent of the transaction (PayPal, 2009b). PayPal also provides phone and internet based customer service as well as an internal dispute process aimed at resolving transaction issues that may be initiated by either a transaction's buyer or seller. PayPal officials must also monitor dispute cases in which a buyer believes they have received a wrong, damaged, or misrepresented item. This process involves both phone and chat messages in which buyers and sellers argue their cases before a PayPal arbitrator who then decides on whether or not to offer a buyer a refund (PayPal, 2009c). PayPal workers must also respond to security concerns brought forth by their clients, such as vulnerabilities discovered by users of their Virtual Terminal or PayPal Shopping Cart.

Local and Wide Area Networks Diagram

(network diagram not reproduced in this extract)

Business Applications

PayPal stands alone in the information technology sector as being one of the largest companies to rely solely on Linux based web servers. PayPal runs three thousand Linux-based, single rack servers which host the company's web presentation layer, user interfaces, and middleware (Hochmuth, 2007). Thousands of systems communicate via the PayPal network through 4 large Sun Solaris boxes which run an Oracle database that stores all customer data processed by the servers (Hochmuth, 2007). A custom made database links the network's components.

Security Vulnerabilities – Policy

A policy vulnerability related to PayPal deals with their Security Vulnerability Disclosure policy. The policy effectively regulates the process through which PayPal will alert account holders to newly discovered security risks, phishing scams, and SSL based fraudulent links. The policy also outlines procedures for alerting clients in the event that the server will be shut down for any period of time. The policy is very open-ended and includes words such as "reasonable amount of time" and "fair estimate" (PayPal, 2009d). Both statements are very open to interpretation, and given the global span of PayPal and the number of users a security breach could affect, a 24 hour notice given to account holders in advance of public release of security compromises may not be adequate enough time to allow for a business to take its own measures to boost security. Any public announcement of a newly patched loophole or freshly discovered break in security would quickly lead to a jump in hacking attempts at the point of weakness. Such issues pose great risk for PayPal, as the biggest companies tend to show the greatest number of weaknesses. Given that PayPal is one of the largest processors, hackers and scammers are constantly targeting PayPal. Additionally, a 24 hour notice may not be an effective notice of service interruption. Many businesses are web based and rely solely on payment processors to handle their monetary transactions, and as such, the number of transactions lost to a business could be disastrous if there is inadequate advance notice. PayPal could be susceptible to a class action lawsuit if they remove their server for an extended period of time, providing a notice that they feel is effective yet is generally viewed as inappropriate.

Solution – Policy Vulnerabilities

One key solution to the vulnerability of the Security Vulnerability Disclosure policy would be to rewrite the policy, placing concrete figures on the hours of advance notice considered "reasonable." Additionally, PayPal should alert account holders to any uncovered security risk once they have tested any patch repeatedly. By increasing the time between account notification emails and public disclosure, not only will PayPal's clients have time to secure their web based businesses and have any patches presented by the company be independently analyzed, but the added time will allow PayPal to continually test any fixes in light of what is sure to be renewed attacks on their system once discovery of the leak is presented on internet forums and chat boxes. However, PayPal needs to consider the fact that anyone with an email address can open an account, and it is plausible to assume scammers have done so simply to receive account based messages from PayPal in regards to recent patches.

Security Vulnerabilities – Software

An issue that arises with PayPal software delves into both their integrated web shopping carts and their PayPal invoice system and the method used to notify sellers of a completed transaction. In either case, a total for goods or services is presented to the buyer via the seller. The invoice or cart checkout provides boxes for buyers to enter either their own PayPal information for payment or provides buyers a forum through which to enter their credit card number, shipping address, and contact information. Once complete, PayPal sends an email or SMS message to the buyer stating payment has been made to the seller's account. Sellers use this confirmation message as clearance to ship any items sold. A major security concern within this process deals with an issue that, unlike most shopping carts or online invoices, allows PayPal to accept the transaction and send out confirmation of payment emails to sellers regardless of the amount actually tendered. For example, a buyer who purchases ten $100 items would see a total bill of $1000. However, if the buyer were to tender just $200, PayPal software would still send messages to the seller's account stating a deposit had been made into their PayPal account and list the buyer's email and physical address, a piece of information considered secondary when compared to the transaction amount. Without close monitoring, companies are at risk for shipping items which have not been fully paid for. Individuals may be able to use this method to obtain items they only partially paid for, scamming the same business repeatedly once they find a seller who does not include a thorough review of the PayPal backed transaction. With the rapid expansion being experienced by PayPal - an average of a 10% increase in total transaction value and a 13% increase in the number of new accounts for the previous five quarters dating to the first quarter of 2008 (PayPal, 2009a) - the risk of such vulnerability will only continue to grow. PayPal uses its tight security, ease of use, and reputation as one of the most secure payment processors to maintain its competitive advantage. Should such a breach in software security continue, sellers may be inclined to switch to a more secure processor that only allows for a transaction to be completed and confirmation messages relayed to the seller once the total amount due is submitted.

Solution – Software Issue

PayPal may increase software security by either altering their current cart structure based on the more secure "Go Cart" payment processing program or allow for the third party software developer to integrate a portion of their secure payment network into PayPal's infrastructure. A "Go Cart" integration will only allow buyers to complete a transaction once the full purchase price is remitted, and any emails or SMS messages sent to buyers through the Blasco software's system arrive with the dollar amount and shipping address displayed in lieu of an email address. The integration of additional processing software will give more flexibility to the consumers, and a total integration will still allow all transactions to take place within PayPal much in the same way that automated registers provide customers the option to check out the same items at the same supermarket as do the traditional human operated cash registers. The addition of "Go Cart" to the PayPal network would be a cost effective solution that would not only increase the number of users who process payments using the Blasco Systems, Inc. shopping cart (thereby providing Blasco with an increase in fees associated with processed payment) but will provide for a more secure PayPal experience in light of the oncoming growth of the company.
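The partial-payment notification problem described above, and the "full purchase price before confirmation" behaviour the solution section asks for, can be illustrated in code. This is an added example and not PayPal's, Blasco's or the paper's own code; the Invoice and Payment records, the field names and the dollar figures are constructed for the page's ten-items-at-$100 case.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    total_due: Decimal          # total the seller presented to the buyer

@dataclass(frozen=True)
class Payment:
    invoice_id: str
    amount_paid: Decimal        # amount the buyer actually tendered
    buyer_email: str
    ship_to: str

def weak_confirmation(invoice: Invoice, payment: Payment) -> dict:
    """Notification as the text describes it: fires on any deposit and reports
    who paid and where to ship, but never whether the total was met."""
    return {"invoice_id": invoice.invoice_id, "status": "PAID",
            "buyer_email": payment.buyer_email, "ship_to": payment.ship_to}

def hardened_confirmation(invoice: Invoice, payment: Payment) -> dict:
    """Reports PAID only when the tendered amount covers the total; otherwise
    reports PARTIAL with the shortfall. Amount fields are always included."""
    if payment.invoice_id != invoice.invoice_id:
        raise ValueError("payment does not reference this invoice")
    shortfall = invoice.total_due - payment.amount_paid
    status = "PAID" if shortfall <= 0 else "PARTIAL"
    return {"invoice_id": invoice.invoice_id, "status": status,
            "amount_due": invoice.total_due, "amount_paid": payment.amount_paid,
            "shortfall": max(shortfall, Decimal("0")),
            "buyer_email": payment.buyer_email, "ship_to": payment.ship_to}

def clear_to_ship(invoice: Invoice, notice: dict) -> bool:
    """Seller-side release check. A notice without amount fields cannot be
    verified against the invoice, so it fails closed and does not clear shipping."""
    if notice.get("invoice_id") != invoice.invoice_id:
        return False
    if "amount_paid" not in notice:
        return False
    return notice["status"] == "PAID" and Decimal(notice["amount_paid"]) >= invoice.total_due

# Constructed sample: ten $100 items billed at $1000; one buyer tenders $200, another $1000.
INVOICE = Invoice("INV-0001", Decimal("1000.00"))
PARTIAL = Payment("INV-0001", Decimal("200.00"), "buyer@example.com", "1 Sample St")
FULL = Payment("INV-0001", Decimal("1000.00"), "buyer@example.com", "1 Sample St")
```

Run against the $200 payment, the weak notice still reads PAID, while the hardened notice reads PARTIAL with an $800 shortfall and the seller-side check refuses to clear either of them.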