I recently attended a conference and trade show, and made a purchase. The
vendor takes Paypal, so to make my payment she turned her laptop to me, and
suggested I login to my Paypal account and make the payment right then and
there. I did so, and it was very convenient. Later, I told my spouse and was
told that it’s some kind of incredibly dangerous thing to do. Is it really that
bad? If so, why? And what should I have done instead?
Yes, it really is that bad.
Why? Pretty simple really: you may have just given that vendor total access
to your Paypal account.
I want to be really, really clear about two issues:
I’m a huge fan of Paypal, and I use it a lot. But caution is
I’m not accusing any vendor of anything. The vast majority
are honest people of integrity.
All of this actually applies to any banking or even any other type of
private account that you access using a web browser. And remember that Paypal
is, basically, a banking account.
There are three basic ways that logging into a personal banking account on
anyone else’s computer can turn into a total disaster.
Spyware – since it’s a computer you don’t control, you have
no idea whether or not there is spyware on that machine recording
every keystroke entered and sending it to a hacker overseas. You would be
amazed at how many people don’t run anti-spyware software at all. I
know I’m continually amazed based simply on the problem reports I get here at
Ask Leo! And spyware doesn’t have to be obvious – in fact, the most dangerous
type tries to hide as best it can. The result is that the owner of the
computer, your quite honest vendor, may have no idea that their computer is
Unintentionally remembered information – one of the most
common questions I get relates to how much information the browser remembers
for you which it then offers back up to you as you type something in later.
Form fields in particular – the very fields you enter your banking account ID
and passwords into – are frequently remembered automatically – often
including the password. That means someone could possibly walk back up to
that computer, start typing and see your user name, select it, and be
able to login to your account with your password.
Malice – it’s quite possible, even fairly easy, to
purposely install software or set up browser features to record your user name
and password automatically. Like I said, I don’t mean to impugn you or your
vendor, and I’m certainly not accusing anyone of anything, but unless you trust
them absolutely, this should always be in the back of your mind. Particularly
at trade shows where people often travel in from far distances, never to be
seen again after the show.
Things get worse if you’re the vendor. Even if you’re the model of integrity
and perfection – by allowing people to log in to their accounts on your machine
you’re almost asking for trouble.
What kind of trouble? Temporary account suspension, and even false
Paypal’s fraud detection looks for a large number of account logins from the
same computer. That’s often a sign of fraud – hackers who’ve stolen a number of
Paypal account IDs will often then use a single computer to transfer
funds to their own account from each stolen account. When Paypal sees a large
number of transactions from different accounts on the same computer it sends up
all sorts of red flags, and they temporarily suspend the receiving account
while the situation is investigated. This is a good thing. It’s an
important way for Paypal to prevent or reduce fraud. But if that happens to
you, you can be blocked from receiving more payments, as well as withdrawing any
of your money, until the investigation completes.
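To see why an honest vendor trips this kind of check, here is an added sketch of the heuristic described above. It is not Paypal's actual logic and not code from this article: the event fields, the 8-hour window and the three-account limit are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=8)   # assumed look-back window
MAX_ACCOUNTS = 3              # assumed limit of distinct paying accounts per device

# Constructed sample events: (time, device_id, paying_account, receiving_account)
EVENTS = [
    # dev-A: a trade-show vendor's laptop, four customers log in one after another
    ("2024-05-01T09:05", "dev-A", "alice", "vendor1"),
    ("2024-05-01T09:40", "dev-A", "bob", "vendor1"),
    ("2024-05-01T10:15", "dev-A", "carol", "vendor1"),
    ("2024-05-01T11:00", "dev-A", "dave", "vendor1"),
    # dev-B: one person paying from their own computer
    ("2024-05-01T09:00", "dev-B", "erin", "shop2"),
    ("2024-05-01T12:00", "dev-B", "erin", "shop2"),
    # dev-C: four accounts, but the first is outside the 8-hour window
    ("2024-05-01T08:00", "dev-C", "frank", "shop3"),
    ("2024-05-01T20:00", "dev-C", "gina", "shop3"),
    ("2024-05-01T20:10", "dev-C", "heidi", "shop3"),
    ("2024-05-01T20:20", "dev-C", "ivan", "shop3"),
]

def flag_devices(events, window=WINDOW, max_accounts=MAX_ACCOUNTS):
    """Return {device_id: receiving accounts to hold for review}."""
    recent = defaultdict(deque)   # device -> events still inside the window
    flagged = defaultdict(set)
    for ts, device, payer, receiver in sorted(events):
        now = datetime.fromisoformat(ts)
        q = recent[device]
        q.append((now, payer, receiver))
        # Drop events that have aged out of the look-back window.
        while q and now - q[0][0] > window:
            q.popleft()
        payers = {p for _, p, _ in q}
        if len(payers) > max_accounts:
            # Too many different accounts on one machine: hold the receivers.
            flagged[device].update(r for _, _, r in q)
    return dict(flagged)

if __name__ == "__main__":
    print(flag_devices(EVENTS))
```

The vendor's laptop (dev-A) is the only device flagged, and the account held is the vendor's own, even though every payment was legitimate.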
Even worse, someone could, after using your computer to access their account,
accuse you of stealing their account information. And you’d be hard pressed to
prove them wrong. Yes, with the appropriate help from a service such as
Paypal you should be able to do so, but the time and effort to do so, plus the
likelihood of your own account being suspended during the investigation, make
even being right a potentially long and painful process.
So, vendor or customer, what do you do instead?
Well, clearly, don’t login to Paypal, or whatever else, on someone
else’s computer, or let others login to yours, unless you’re positive
you understand all the issues involved and have that all important level of
If appropriate, Paypal, in particular, has a service that will allow you to
make payments by mobile phone.
Otherwise, if as a customer you’re not carrying your own computer that you
do trust, I can only recommend falling back on traditional payment
methods: cash, credit cards and written checks.