Friday, February 14, 2014

PayPal President's Credit Card Hacked for Shopping Spree

PayPal President David Marcus reports that his credit card details were stolen and the information was used to finance a fraudulent spending spree.

Marcus said the card was probably "skimmed" at the hotel he was staying at, or at a merchant he visited, during a recent trip to the U.K.

"They then cloned it and went on a shopping spree," he wrote on Twitter.

Marcus noted that his credit card had EMV chip technology, a more secure system currently in use in Europe. But that didn't stop the data from being stolen and used for a "ton of fraudulent" transactions.

Marcus said the breach would not have happened if the merchant had accepted PayPal as a form of payment. PayPal says it does not share card or bank account details with merchants when shoppers use the service to buy something.

PayPal is likely to be the leader in transactions in the future, not Bitcoin. It is not for nothing that billionaire Carl Icahn has accumulated a position in eBay and is calling on eBay to spin off its PayPal subsidiary into a separate publicly traded company. There is super growth ahead for PayPal, and its growth would be much easier for Wall Street to recognize and participate in as a separately traded company than as just a part of slower-growing eBay.

(Via USA Today)


  1. Paypal is a pain in the ass to sign up for. It's a nuisance to use and in general just makes for a bad user experience. It won't be the future of anything.

    The solution is to start building chip readers for the new cards into computers and have banks give away the cheap readers (they're like $5 wholesale) to their customers that do secure online transactions with a usb dongle on your computer.

    By doing this, and eliminating the chip and signature crap that BOA and Citi are going to implement as a half measure, and having Visa/MC require CHIP+PIN (i.e. not government enforced) like the banks did in Canada (without government regulation!), you could eliminate essentially ALL card fraud. Only a firmware level attack on the CHIP and PIN reader or an attack at the actual processor would actually succeed because even a keylogger to get the PIN wouldn't matter. Oh, and the other side benefit of CHIP+PIN is that it uses AES encryption instead of Triple-DES which is a joke.... Target says that the PINs were encrypted on debit cards... ya they were, but a single computer can crack Triple-DES in a matter of months.

    The technology is there to end this and most of the rest of the world uses it. The reason why it didn't help him this time is because it was not a CHIP + PIN transaction.

    The only security that is actually secure in any meaningful way is 2 factor authentication. Until you have that, the credit card company is a joke in the US.

    But then goes along with a completely insecure ACH and Wire system too. It's absolutely insane how little these systems do to combat fraud. If you have routing + bank account # + person's name you can pull any amount out of their account you want. Their only security system is that you have to be a bank to do it, but that's easy to fudge.

    And then there is my personal favorite when I called my bank to get Target transactions blocked: Oh we have sophisticated anti-fraud measures in place, you needn't worry. Bull sh*t. Their anti-fraud measures comprise the sum total of a velocity check that resets at the end of the day and week. NOTHING ELSE. At best, if you put a travel advisory on your account they might have someone look at transactions out of area, but even that is a joke.

  2. Wenzel, I'm curious to know your opinion on this report on the smart cards that could possibly be introduced here.

    To me, while it does sound like a good idea, it seems just another avenue for Big Brother to travel in.

    1. CHIP+PIN is secure. The chip is powered by the PIN terminal and encrypts the data to be sent (i.e. the entire transaction including all meta-data like name, address, birthdate, Card#, expiry etc.... basically the track 1 data on the magstripe) using the PIN and the number step (a pseudo random number that the CHIP and the bank know what the next one will be but no one else does). It then sends this encrypted data over the wire to the processor who passes the data on to the bank to decrypt (highly trusted processors can decrypt it themselves, but there are 5 in the whole US that will be trusted).

      The encryption used is AES 256 bit. This constitutes a double shared secret where both the encrypting party and the receiver must know the secret to decrypt it.

      This takes Debit Cards to the next level by encrypting the entire communication, not just the PIN data, and ensures that even if the card is stolen, the PIN hasn't been compromised and vice versa. The only way that this data can be compromised is by attacking the firmware in the pin terminal directly at such a low level that it isn't technically feasible in any large scale. (And no one has actually been able to do so, even though it is technically feasible, in almost 25 years of this system being on the market, because even if they hack the terminal they aren't into the chip on the card that encrypts with both the PIN and the pseudo random number that the terminal itself never has access to.)

      BOA and CITI are being stupid and going with CHIP + signature. I.e. instead of using the PIN to encrypt the communication they're going to rely on a regular signature capture, and encrypt that and the track data using the shared pseudo random step code. This is similar to RSA SecurID. The problem is that no one implements RSA SecurID without also having a shared secret password AND THE NUMBER GENERATOR USED BY DEFAULT (AND IN ALL CREDIT CARDS) WAS THE ONE THAT WAS BUILT BROKEN BY THE NSA AND THUS ENTIRELY PREDICTABLE!!!!

      Hence BOA and CITI are effectively undermining the entire system for their customers. Worse, if someone gets your card, they can do anything they want with it and buy anything they want with it, because there is no shared secret between you and the bank. Whereas PIN means that even if you lose your card, it doesn't matter because they don't have the PIN.

      Once CHIP + PIN is implemented by everyone (BOA and CITI will do it as soon as their data is hacked which won't take long) card fraud and theft will drop by somewhere in the neighborhood of 80-85% based on other parts of the world that have implemented it.

      The government need not do anything or get involved because VISA, MC, Amex et al. are losing a pile of cash all of the time, so it's in their interest to force this, and then they'll no doubt pocket the profit instead of cutting their card processing fees on the merchant.

      This in no way gives the government more power. It gives everyone that uses credit cards and debit cards FAR MORE security and it's almost criminal that they've delayed by almost 25 years in implementing this.

  3. The PayPal requirement is the only thing keeping me from signing up for the EPJ Daily Alert.

    1. You can email Wenzel and he will give you instructions on how to subscribe by check. That's what I did.

    2. This post is pretty hilariously spaced in between many articles hating the simple, cheap, effective, and if only some care is applied, riskless to both parties solution to this problem and the CEO's problem as well; all rolled into one beautiful new technology, Bitcoins. Yay!

      Cue the rage.

  4. Chip + PIN will be mandatory in Australia later this year ...

  5. PayPal’s David Marcus on Credit Card Security …

    “Marcus noted that his credit card had EMV chip technology [can’t then have been a “PreyPal”-branded card], a more secure system currently in use in Europe. But that didn't stop the data from being stolen and used for a "ton of fraudulent" transactions, according to the PayPal chief.”

    Marcus’ credit card would probably be a MasterCard (as are the PayPal-branded DEBIT cards); all the “over-branded” cards of non-licensed, non-financial organisations are either MasterCards or Visas as they are the only major payments operators whose systems have the necessary dynamic linking to the “licensed” financial institutions of the world, where prudent consumers store their funds; even the clunky “PreyPal” relies on them, in the main …

    Regardless, following the alleged “skimming” or whatever of his credit card, the material question would be, was Marcus “out of pocket”—like so many payees via “PreyPal” so frequently find themselves—or was he fully indemnified by MasterCard’s fraud detection systems/policies?

    Then, I wonder if this story actually has any truth to it or whether it is simply another fiction created in the fertile minds of the gnomes hard at work in the eBay Dept of Spin? After all, Johnny Ho has stated that NFC/EMV stands for “Not For Commerce”, and that “PreyPal” is “the only safe way to pay” … and, surely, Johnny Ho would know better than the two elephants in the room, MasterCard and Visa—after all …

    "Even though people think I'm an expert at technological innovation, my own instinct for technology was frozen in place in 1982." - John Donahoe (26 Sep 2007) ...

    Ah, there it is …

    “PayPal's Marcus did not waste an opportunity to tout his company's security benefits, saying the breach would not have happened if the merchant had accepted PayPal as a form of payment. PayPal says it does not share card or bank account details with merchants when shoppers use the service to buy something.” …

    “Obfuscating card data online, on mobile, and now more and more offline remains one of PayPal's strongest value props, …”

    Fortunately, we can also always tell when an eBay or "PreyPal" spokesperson is “obfuscating”—their lips are moving ...

    Regardless, the newly launched digital wallets now available from MasterCard and Visa will soon enough relegate the clunky “PreyPal” back mostly to its effectively mandated place on the atrophying eBay marketplace …

    eBay / PayPal / Donahoe / Marcus: Dead Men Walking ...