Give the Bad Guys your PayPal Account?
Posted by Craig H on 20 May 2010
I was concerned to read this blog post from PayPal’s VP of Platform, announcing their Mobile Payments Library. The feasibility of in-application mobile payments is something I’ve looked at often over the years, and I’ve always come to the conclusion that it’s extremely difficult to do securely. I haven’t seen any evidence here that PayPal have solved that.
There are some interesting challenges at the API level that are probably only relevant to security geeks (how does the service know that the application that’s invoking it is properly authorised?) but I won’t go into that now, because it seems there is a more basic and glaring error:
That’s a screenshot of the dialogue the user sees after the application invokes the payment API. To authorise the transaction, they are supposed to type in their PayPal account name and password. Here’s the problem: how does the user know that this dialogue has come from the PayPal service, and isn’t just being drawn on screen by malware that will upload that user name and password to be used by criminals?
Oh, but surely it must be OK, because there’s a tiny picture of a padlock! Is there some law that prevents malware drawing pictures of padlocks? You have got to be kidding…
Here’s my rule of thumb for typing in financial account passwords to applications: If you didn’t download that application directly from the bank or other institution that holds the account, then DON’T DO IT.