Franklin Heath Ltd

Give the Bad Guys your PayPal Account?

Posted by Craig H on 20 May 2010

I was concerned to read this blog post from PayPal’s VP of Platform, announcing their Mobile Payments Library. The feasibility of in-application mobile payments is something I’ve looked at often over the years, and I’ve always come to the conclusion that it’s extremely difficult to do securely. I haven’t seen any evidence here that PayPal have solved that.

There are some interesting challenges at the API level that are probably only relevant to security geeks (how does the service know that the application that’s invoking it is properly authorised?) but I won’t go into that now, because it seems there is a more basic and glaring error:

Mobile Payment screen shot

That’s a screen shot of the dialogue the user sees after the application invokes the payment API. To authorise the transaction, they are supposed to type in their PayPal account name and password. Here’s the problem: how does the user know that this dialogue has come from the PayPal service and isn’t just being drawn on screen by malware that will upload that user name and password to be used by criminals?

Oh, but surely it must be OK, because there’s a tiny picture of a padlock! 😯 Is there some law that prevents malware drawing pictures of padlocks? You have got to be kidding…

Here’s my rule of thumb for typing in financial account passwords to applications: If you didn’t download that application directly from the bank or other institution that holds the account, then DON’T DO IT.
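To make the two points above concrete, here is an added illustrative model (not code from this post, and not PayPal's library or API). Part 1 models the dialogue in the screen shot: whatever the genuine library draws, including the padlock, a malicious application can draw pixel for pixel, so the rendered dialogue carries no evidence of its origin. Part 2 models the kind of design the rule of thumb points at: the password is only ever typed into the account holder's own software (here a `PaymentService` class standing in for the institution's app or site), and the third-party application receives only a single-use token bound to one merchant and one amount. All names, the token format and the HMAC signing scheme are assumptions made for this example.

```python
"""Illustrative model of two ways an in-application payment can be
authorised.  Part 1: a password dialogue drawn inside a third-party
application cannot prove where it came from.  Part 2: a delegated design
in which the application never sees the password, only a scoped token.
Assumed design for illustration, not any real payment provider's code."""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Set


# ---- Part 1: the dialogue drawn inside the application ----------------------

def payment_dialogue(merchant: str, amount: str) -> dict:
    """What the genuine library would draw: a title, a padlock icon and two
    text fields.  Every element is ordinary on-screen content."""
    return {"title": f"Pay {merchant} {amount}", "icon": "padlock",
            "fields": ["PayPal account", "password"]}


def malware_dialogue(merchant: str, amount: str) -> dict:
    """What malware can draw.  Nothing stops it copying the padlock, so the
    rendered form is identical to the genuine one."""
    return dict(payment_dialogue(merchant, amount))


def user_can_tell_apart(genuine: dict, fake: dict) -> bool:
    """The rendered dialogue is all the user sees; if the two renderings are
    identical there is no visible evidence to distinguish them."""
    return genuine != fake


# ---- Part 2: delegated authorisation (assumed design) -----------------------

class PaymentService:
    """Stands in for the institution's own application or web site.  Only this
    component ever checks the user's password; merchant applications deal in
    tokens.  (Password storage is simplified: a real service would use a
    salted, slow password hash.)"""

    def __init__(self, secret: bytes):
        self._secret = secret                    # constructed signing key
        self._accounts: Dict[str, str] = {}      # account -> password hash
        self._used: Set[str] = set()             # ids of redeemed tokens

    def register(self, account: str, password: str) -> None:
        self._accounts[account] = hashlib.sha256(password.encode()).hexdigest()

    def authorise(self, account: str, password: str,
                  merchant: str, amount: str) -> Optional[str]:
        """The user types the password here, never into the merchant's app.
        On success the app receives a token bound to this single payment."""
        stored = self._accounts.get(account)
        given = hashlib.sha256(password.encode()).hexdigest()
        if stored is None or not hmac.compare_digest(stored, given):
            return None
        body = {"id": secrets.token_hex(8), "merchant": merchant, "amount": amount}
        raw = json.dumps(body, sort_keys=True).encode()
        tag = hmac.new(self._secret, raw, hashlib.sha256).hexdigest()
        return raw.hex() + "." + tag

    def redeem(self, token: str, merchant: str, amount: str) -> bool:
        """The merchant presents the token.  The service checks the signature,
        the merchant/amount binding and single use, so a token captured by a
        malicious application is worth at most the one payment the user
        already agreed to, and a forged or altered one is worth nothing."""
        try:
            raw_hex, tag = token.split(".", 1)
            raw = bytes.fromhex(raw_hex)
        except ValueError:
            return False
        expected = hmac.new(self._secret, raw, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return False
        body = json.loads(raw)
        if body["merchant"] != merchant or body["amount"] != amount:
            return False
        if body["id"] in self._used:
            return False
        self._used.add(body["id"])
        return True


if __name__ == "__main__":
    genuine = payment_dialogue("Example Shop", "4.99")
    print("user can tell genuine from fake:",
          user_can_tell_apart(genuine, malware_dialogue("Example Shop", "4.99")))
    svc = PaymentService(b"constructed-example-secret")
    svc.register("alice", "correct horse")
    tok = svc.authorise("alice", "correct horse", "Example Shop", "4.99")
    print("redeem agreed amount:", svc.redeem(tok, "Example Shop", "4.99"))
    print("replay:", svc.redeem(tok, "Example Shop", "4.99"))
```

The contrast is the point: in Part 1 the application controls everything the user sees, so no on-screen marker can be a proof of origin; in Part 2 the secret that matters (the password) never passes through the application at all, and what the application does hold is limited in scope and in time.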
