I recently attended a conference and trade show, and made a purchase. The
vendor takes Paypal, so to make my payment she turned her laptop to me, and
suggested I login to my Paypal account and make the payment right then and
there. I did so, and it was very convenient.` Later, I told my spouse and was
told that it’s some kind of incredibly dangerous thing to do. Is it really that
bad? If so, why? And what should I have done instead?
Yes, it really is that bad.
Why? Pretty simple really: you may have just given that vendor total access
to your Paypal account.
Become a Patron of Ask Leo! and go ad-free!
I want to be really, really clear about two issues:
-
I’m a huge fan of Paypal, and I use it a lot. But caution is
required. -
I’m not accusing any vendor of anything. The vast majority
are honest people of integrity.
All of this actually applies to any banking or even any other type of
private account that you access using a web browser. And remember that Paypal
is, basically, a banking account.
There are three basic ways that logging into a personal banking account on
anyone else’s computer can turn into a total disaster.
Spyware – since it’s a computer you don’t control, you have
no idea whether or not there is spyware on that machine recording
every keystroke entered and sending it to hacker overseas. You would be
amazed at how many people don’t run anti-spyware software at all. I
know I’m continually amazed based simply on the problem reports I get here at
Ask Leo! And spyware doesn’t have to be obvious – in fact, the most dangerous
type tries to hide as best it can. The result is that the owner of the
computer, your quite honest vendor, may have no idea that their computer is
infected.
anti-spyware software at all.”
Unintentionally remembered information – one of the most
common questions I get relates to how much information the browser remembers
for you which it then offers back up to you as you type something in later.
Form fields in particular – the very fields you enter your banking account ID
and passwords into – are frequently remembered automatically – often
including the password. That means someone could possibly walk back up to
that computer, start typing and see your user name, select it, and be
able to login to your account with your password.
Malice – it’s quite possible, even fairly easy, to
purposely install software or set up browser features to record your user name
and password automatically. Like I said, I don’t mean to impugn you or your
vendor, and I’m certainly not accusing anyone of anything, but unless you trust
them absolutely, this should always be in the back of your mind. Particularly
at trade shows where people often travel in from far distances, never to be
seen again after the show.
Things get worse if you’re the vendor. Even if you’re the model of integrity
and perfection – by allowing people to log in to their accounts on your machine
you’re almost asking for trouble.
What kind of trouble? Temporary account suspension, and even false
accusations.
Paypal’s fraud detection looks for a large number of account logins from the
same computer. That’s often a sign of fraud – hackers who’ve stolen a number of
Paypal account IDs will often then use their a single computer to then transfer
funds to their own account from each stolen account. When Paypal sees a large
number of transactions from different accounts on the same computer it sends up
all sorts of red flags, and they temporarily suspend the receiving account
while the situation is investigated. This is a good thing. It’s an
important way for Paypal to prevent or reduce fraud. But if that happens to
you, you can be blocked from receiving more payments, as well a withdrawing any
of your money, until the investigation completes.
Even worse, someone could, after using your computer to access their account
accuse you of stealing their account information. And you’d be hard pressed to
prove them wrong. Yes, with the appropriate help from the service such as
Paypal you should be able to do so, but the time and effort to do so, plus the
likelihood of your own account being suspended during the investigation, make
even being right a potentially long and painful process.
So, vendor or customer, what do you do instead?
Well, clearly, don’t login to Paypal, or whatever else, on someone
else’s computer, or let others login to yours, unless you’re positive
you understand all the issues involved and have that all important level of
trust.
If appropriate, Paypal, in particular, has a service that will allow you to
make payments by mobile phone.
Otherwise, if as a customer you’re not carrying your own computer that you
do trust, I can only recommend falling back on traditional payment
methods: cash, credit cards and written checks.
Another issue is about risk: with regular merchant accounts, your transaction fee percentage is based on whether you process “physical transactions’ (e.g., card in hand) or just over the Internet. Since Paypal is designed just for the latter case, it might well violate the agreement with the credit card merchants [Visa, MasterCard, Discover, AmEx] to have it as a cheap Point of Sale device too.
If you get a ‘bad’ product, you can’t get your money back. You just a credit on Paypal.
This issue is really, really, REALLY, really simple, folks, and it’s just four words (already used) long:
“On Someone Else’s Computer”
That’s it, Jack. The issue isn’t about PayPal at all! It’s about using it on “Someone Else’s Computer”!
Like… “Duh!“ !?!!?!?!!!?! (Sheesh!)
In Other Words, folks, using PayPal at a conference or open market is just fine — just make sure to use your OWN computer when you do!
Once again: Like… “Duh!“
it would have been better if that vendor used a credit card processing system that interfaced with their paypal account such as usbswiper.com that way they could have processed credit card transactions easily and protected your privacy while still using their paypal account.