Paypal Security
Executive Summary
Company Overview
Recent PayPal data indicates that the total value of all transactions in the first quarter of 2009 exceeded 16 billion dollars (PayPal, 2009a). With such a large amount of money moving through a virtual environment, security is the number one priority for the company's information technology professionals. While every company in the age of internet expansion is at risk to some degree, PayPal is a prime target for thieves because of its vast volume of business, its high number of daily transactions, and the policies that govern the set-up and maintenance of its accounts. With 201 million accounts worldwide and first-quarter 2009 revenues of $631 million, PayPal is a target in both foreign and domestic markets and needs to carefully and continually update its international currency exchange rates in order to avoid major losses through laundering and exchange schemes (PayPal, 2009a).
Products
PayPal offers users across the globe the chance to send money to anyone with a valid email address for virtually any purpose. Users may send money directly to an email address, or those requesting funds can send their buyer a PayPal invoice. PayPal issues Mastercard-backed ATM/debit check cards to users who wish to withdraw deposited funds directly from ATMs around the world.
A PayPal Security Analysis 2
The company offers website-integrated shopping carts as well as web integration tools without the need for a third-party processor. PayPal also provides phone- and internet-based customer service as well as an internal dispute process aimed at resolving transaction issues, which may be initiated by either a transaction's buyer or seller. Recently, the company began offering a virtual credit card terminal that allows PayPal account holders to accept credit card orders over the phone.
PayPal employees monitor and collect the fees charged for each transaction the company processes. Sellers pay a small fee, typically 30 cents plus 2.5 percent of the transaction (PayPal, 2009b). PayPal officials must also monitor dispute cases in which a buyer believes they have received a wrong, damaged, or misrepresented item. This process involves both phone and chat messages in which buyers and sellers argue their cases before a PayPal arbitrator, who then decides whether or not to offer the buyer a refund (PayPal, 2009c). PayPal workers must also respond to security concerns brought forth by their clients, such as vulnerabilities discovered by users of the Virtual Terminal or PayPal Shopping Cart.
Business Applications
PayPal stands alone in the information technology sector as one of the largest companies to rely solely on Linux-based web servers. PayPal runs three thousand Linux-based, single-rack servers which host the company's web presentation layer, user interfaces, and middleware (Hochmuth, 2007). Thousands of systems communicate over the PayPal network through four large Sun Solaris boxes which run an Oracle database that stores all customer data processed by the servers (Hochmuth, 2007). A custom-made database links the network's components.
An issue with PayPal software involves both its integrated web shopping carts and its PayPal invoice system, specifically the method used to notify sellers of a completed transaction. In either case, a total for goods or services is presented to the buyer by the seller. The invoice or cart checkout provides boxes for buyers to enter their own PayPal information for payment, or a form through which to enter their credit card number, shipping address, and contact information. Once complete, PayPal sends an email or SMS message to the buyer stating that payment has been made to the seller's account. Sellers use this confirmation message as clearance to ship any items sold. A major security concern within this process is that, unlike most shopping carts or online invoices, PayPal accepts the transaction and sends payment confirmation emails to sellers regardless of the amount actually tendered. For example, a buyer who purchases ten $100 items would see a total bill of $1000. However, if the buyer were to tender just $200, PayPal software would still send messages to the seller's account stating that a deposit had been made into their PayPal account and listing the buyer's email and physical address. Without close monitoring, companies are at risk of shipping items which have not been fully paid for. PayPal is expanding rapidly, with an average 10% increase in total transaction value and a 13% increase in the number of new accounts over the previous five quarters dating to the first quarter of 2008 (PayPal, 2009a), so the risk of such a vulnerability will only continue to grow. Individuals may be able to use this method to obtain items they have only partially paid for, scamming the same business repeatedly once they find a seller who does not thoroughly review each PayPal-backed transaction. PayPal relies on its tight security, ease of use, and reputation as one of the most secure payment processors to maintain its competitive advantage. Should such a breach in software security continue, sellers may be inclined to switch to a more secure processor that only allows a transaction to be completed, and confirmation messages relayed to the seller, once the total amount due has been submitted.
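The seller-side control the paper calls for, a thorough review of each transaction before anything ships, can be written as a reconciliation step that compares the notification against the seller's own order record. The following Python is an added example, not code from the paper or from PayPal: the notification fields (order_id, status, amount, currency), the Order record and the sample messages are all constructed for illustration and do not reproduce PayPal's actual message format. It extends the paper's $1000/$200 case to the other mismatches a seller should also hold on: a currency that differs from the order, a payment that is not in a completed state, an order reference the seller does not recognise, and an amount field that does not parse.

```python
"""Reconcile a payment notification against the seller's own order record
before treating it as clearance to ship.

Added example: the notification layout (order_id, status, amount, currency)
and the Order record are constructed for illustration and are not PayPal's
actual message format.
"""
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation
from enum import Enum
from typing import Dict, Optional


class Decision(Enum):
    SHIP = "ship"
    HOLD_PARTIAL = "hold: amount paid is less than the order total"
    HOLD_CURRENCY = "hold: payment currency differs from the order currency"
    HOLD_STATUS = "hold: payment is not in a completed state"
    HOLD_UNKNOWN_ORDER = "hold: notification does not match any open order"
    HOLD_MALFORMED = "hold: amount field is missing or not a number"


@dataclass(frozen=True)
class Order:
    order_id: str
    total: Decimal  # amount due, expressed in `currency`
    currency: str


def parse_amount(raw: Optional[str]) -> Optional[Decimal]:
    """Parse a money field exactly; reject garbage, NaN and infinities.

    Decimal is used instead of float so that "1000.00" compares exactly
    against the stored order total.
    """
    try:
        value = Decimal(raw)
    except (InvalidOperation, TypeError, ValueError):
        return None
    return value if value.is_finite() else None


def reconcile(notification: Dict[str, str], orders: Dict[str, Order]) -> Decision:
    """Return SHIP only when the notification fully covers the order.

    Every other outcome is a hold. The seller's own order total is the
    reference; the amount quoted in the message is never trusted on its own.
    """
    order = orders.get(notification.get("order_id", ""))
    if order is None:
        return Decision.HOLD_UNKNOWN_ORDER
    if notification.get("status") != "completed":
        return Decision.HOLD_STATUS
    if notification.get("currency") != order.currency:
        return Decision.HOLD_CURRENCY
    paid = parse_amount(notification.get("amount"))
    if paid is None:
        return Decision.HOLD_MALFORMED
    if paid < order.total:
        return Decision.HOLD_PARTIAL
    return Decision.SHIP


# Constructed sample data: the paper's ten $100 items, billed as one order.
ORDERS: Dict[str, Order] = {
    "INV-1001": Order("INV-1001", Decimal("1000.00"), "USD"),
}

BASE = {"order_id": "INV-1001", "status": "completed", "currency": "USD",
        "payer_email": "buyer@example.com"}
FULL_PAYMENT = {**BASE, "amount": "1000.00"}
PARTIAL_PAYMENT = {**BASE, "amount": "200.00"}        # the paper's $200 case
WRONG_CURRENCY = {**BASE, "amount": "1000.00", "currency": "EUR"}
PENDING_PAYMENT = {**BASE, "amount": "1000.00", "status": "pending"}
UNKNOWN_ORDER = {**BASE, "order_id": "INV-9999", "amount": "1000.00"}
MALFORMED_AMOUNT = {**BASE, "amount": "1,000.00"}     # thousands separator is not a Decimal


def review_all() -> Dict[str, Decision]:
    """Run every constructed sample through the check; only "full" should ship."""
    samples = {
        "full": FULL_PAYMENT, "partial": PARTIAL_PAYMENT,
        "currency": WRONG_CURRENCY, "pending": PENDING_PAYMENT,
        "unknown": UNKNOWN_ORDER, "malformed": MALFORMED_AMOUNT,
    }
    return {name: reconcile(msg, ORDERS) for name, msg in samples.items()}


if __name__ == "__main__":
    for name, decision in review_all().items():
        print(f"{name:>9}: {decision.value}")
```

The design point is that the order total used for comparison comes from the seller's own records keyed by the order reference, so a message that merely says "payment received" cannot on its own release a shipment; the amount, currency and state in the message must all agree with what the seller expected to be paid.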
PayPal may increase software security either by altering its current cart structure to follow the more secure “Go Cart” payment processing program, or by allowing the third-party software developer to integrate a portion of its secure payment network into PayPal's infrastructure. The addition of “Go Cart” to the PayPal network would be a cost-effective solution that would not only increase the number of users who process payments through the Blasco Systems, Inc. shopping cart (thereby providing Blasco with an increase in fees associated with processed payments) but would also provide a more secure PayPal experience in light of the company's oncoming growth. A “Go Cart” integration will only allow buyers to complete a transaction once the full purchase price is remitted, and any emails or SMS messages sent to buyers through the Blasco software's system arrive with the dollar amount and shipping address displayed in lieu of an email address, a piece of information considered secondary when compared to the transaction amount. The integration of additional processing software will give more flexibility to consumers, and a total integration will still allow all transactions to take place within PayPal, much in the same way that automated registers let customers check out the same items at the same supermarket as traditional human-operated cash registers do.