Paypal Security


A PayPal Security Analysis 1

Executive Summary

In order to examine the liabilities of PayPal, a brief examination of the
company is needed. Based in San Jose, California, PayPal is an online e-commerce
company that allows its users to send and receive money over the internet from
anybody with an e-mail address. Any recipient of PayPal funds can then transfer
those funds into their bank account, request a check from PayPal, or use a
previously issued PayPal debit card to make a cash withdrawal at countless ATMs
around the world. In examining PayPal’s security concerns, liabilities exist in both
the company’s Vulnerability Disclosure Policy - which can be relieved by redefining
elements within the policy and allowing for a 48 hour advance notice to current
customers - as well as its website integrated shopping cart - a software malfunction
that will require program rewrites to prevent future elements of fraud.

Company Overview

Recent PayPal data indicates that the total value of all transactions for the
first quarter of 2009 exceeded 16 Billion dollars (PayPal, 2009a). With such a large
amount of cash being moved about a virtual environment, security is deemed the
number one priority for information technology professionals at the company. While
every company in the age of internet expansion is at risk to some degree, PayPal is
a prime target for thieves due to their vast volume of business, their high amount of
daily transactions, and their policies that govern the set-up and maintenance of
their accounts. With 201 million worldwide accounts and 2009 revenues that totaled
$631 million in the first quarter, PayPal is a target in both foreign and domestic
markets and needs to carefully and continually update its international currency
exchange rates in order to avoid major losses through laundering and exchange
schemes (PayPal, 2009a).

Products

PayPal offers users across the globe the chance to send money to anyone
with a valid email address for virtually any purpose. Users may send money directly
to an email, or those requesting funds can send their buyer a PayPal invoice. PayPal
issues Mastercard backed ATM/Debit Check cards to users who wish to withdraw
deposited funds directly from ATMs around the world. The company offers website
integrated shopping carts as well as web integration tools without the need of a third
party processor. PayPal also provides phone and internet based customer service as
well as an internal dispute process aimed at resolving transaction issues that may
be initiated by either a transaction’s buyer or seller. Recently, the company began
offering a virtual credit card terminal that allows PayPal account holders to accept
credit card orders over the phone.

Critical Business Process

PayPal employees monitor and collect fees charged for each transaction the
company provides. Sellers pay a small fee, typically .30 cents plus 2.5 percent of
the transaction (PayPal, 2009b). PayPal officials must also monitor dispute cases in
which a buyer believes they have received a wrong, damaged, or misrepresented
item. This process involves both phone and chat messages in which buyers and
sellers argue their cases before a PayPal arbitrator who then decides whether or
not to offer a buyer a refund (PayPal, 2009c). PayPal workers must also respond to
security concerns brought forth by their clients, such as vulnerabilities discovered
by users of their Virtual Terminal or PayPal Shopping Cart.

Local and Wide Area Networks Diagram

Business Applications

PayPal stands alone in the information technology sector as being one of the
largest companies to rely solely on Linux based web servers. PayPal runs three
thousand Linux-based, single rack servers which host the company’s web
presentation layer, user interfaces, and middleware (Hochmuth, 2007). Thousands
of systems communicate via the PayPal network through 4 large Sun Solaris boxes
which run an Oracle database that stores all customer data processed by the
servers (Hochmuth, 2007). A custom made database links the network’s
components.

Security Vulnerabilities – Policy

A policy vulnerability related to PayPal deals with their Security Vulnerability
Disclosure policy. The policy effectively regulates the process through which PayPal
will alert account holders to newly discovered security risks, phishing scams, and
SSL based fraudulent links. The policy also outlines procedures for alerting clients in
the event that the server will be shut down for any period of time. The policy is very
open-ended and includes phrases such as “reasonable amount of time” and “fair
estimate” (PayPal, 2009d). Both statements are very open to interpretation, and
given the global span of PayPal and the number of users a security breach could
affect, a 24 hour notice may not be an effective notice of service interruption. Many
businesses are web based and rely solely on payment processors to handle their
monetary transactions. Given that PayPal is one of the largest processors, the
number of transactions lost to a business could be disastrous if there is inadequate
advance notice. Additionally, a 24 hour notice given to account holders in advance
of public release of security compromises may not be adequate time to
allow a business to take its own measures to boost security. Any public
announcement of a newly patched loophole or freshly discovered break in security
would quickly lead to a jump in hacking attempts at the point of weakness. Such issues
pose great risk for PayPal, as the biggest companies tend to show the greatest
number of weaknesses, and as such, hackers and scammers are constantly
targeting PayPal. PayPal could be susceptible to a class action lawsuit if they
remove their server for an extended period of time, providing a notice that they feel
is effective yet is generally viewed as inappropriate.

Solution – Policy Vulnerabilities



One key solution to the vulnerability of the Security Vulnerability Disclosure
policy would be to rewrite the policy, placing concrete figures on the hours of
advance notice considered “reasonable.” Additionally, PayPal should alert account
holders to any uncovered security risk once they have tested any patch repeatedly.
PayPal needs to consider the fact that anyone with an email address can open an
account, and it is plausible to assume scammers have done so simply to receive
account based messages from PayPal in regards to recent patches. By increasing
the time between account notification emails and public disclosure, not only will
PayPal’s clients have time to secure their web based businesses and have any
patches presented by the company independently analyzed, but the added
time will allow PayPal to continually test any fixes in light of what are sure to be
renewed attacks on their system once discovery of the leak is presented on internet
forums and chat boxes.

Security Vulnerabilities – Software

An issue that arises with PayPal software involves both their integrated web
shopping carts and their PayPal invoice system and the method used to notify
sellers of a completed transaction. In either case, a total for goods or services is
presented to the buyer via the seller. The invoice or cart checkout provides boxes
for buyers to enter either their own PayPal information for payment or provides
buyers a form through which to enter their credit card number, shipping address,
and contact information. Once complete, PayPal sends an email or SMS message to
the buyer stating payment has been made to the seller’s account. Sellers use this
confirmation message as clearance to ship any items sold. A major security concern
within this process deals with an issue that, unlike most shopping carts or online
invoices, allows PayPal to accept the transaction and send out confirmation of
payment emails to sellers regardless of the amount actually tendered. For example,
a buyer who purchases ten $100 items would see a total bill of $1000. However, if
the buyer were to tender just $200, PayPal software would still send messages to
the seller’s account stating a deposit had been made into their PayPal account and
list the buyer’s email and physical address. Without close monitoring, companies are
at risk for shipping items which have not been fully paid for. With the rapid
expansion being experienced by PayPal - an average of a 10% increase in total
transaction value and a 13% increase in the number of new accounts for the
previous five quarters dating to the first quarter of 2008 (PayPal, 2009a) - the risk of
such a vulnerability will only continue to grow. Individuals may be able to use this
method to obtain items they only partially paid for, scamming the same business
repeatedly once they find a seller who does not include a thorough review of the
PayPal backed transaction. PayPal uses its tight security, ease of use, and
reputation as one of the most secure payment processors to maintain its
competitive advantage. Should such a breach in software security continue, sellers
may be inclined to switch to a more secure processor that only allows for a
transaction to be completed and confirmation messages relayed to the seller once
the total amount due is submitted.
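
The "close monitoring" a seller needs can be automated as a check that runs before any shipment is released. The sketch below is an added example, not code from PayPal or from this paper; the confirmation field names (order_id, status, amount, currency, payee, txn_id) and the sample data are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

@dataclass(frozen=True)
class Order:
    order_id: str
    total: Decimal      # amount the cart or invoice showed the buyer
    currency: str
    payee: str          # seller account that must receive the funds

def clear_to_ship(order, note, seen_txn_ids):
    """Return (ok, reasons). `note` is a dict of fields from a payment
    confirmation; the key names are hypothetical, not PayPal's."""
    reasons = []
    try:
        paid = Decimal(str(note.get("amount", "")))
    except InvalidOperation:
        paid = None
    if note.get("order_id") != order.order_id:
        reasons.append("confirmation is for a different order")
    if note.get("status") != "completed":
        reasons.append("payment not completed")
    if note.get("payee", "").lower() != order.payee.lower():
        reasons.append("funds sent to a different account")
    if note.get("currency") != order.currency:
        reasons.append("currency mismatch")
    if paid is None or not paid.is_finite():
        reasons.append("amount missing or malformed")
    elif paid < order.total:
        reasons.append(f"underpaid: {paid} of {order.total}")
    txn = note.get("txn_id")
    if not txn or txn in seen_txn_ids:
        reasons.append("transaction id missing or already used")
    ok = not reasons
    if ok:
        seen_txn_ids.add(txn)   # one confirmation releases one shipment
    return ok, reasons

# Constructed sample matching the text: ten $100 items, only $200 tendered.
ORDER = Order("A-1001", Decimal("1000.00"), "USD", "seller@example.com")
PARTIAL = {"order_id": "A-1001", "status": "completed", "amount": "200.00",
           "currency": "USD", "payee": "seller@example.com", "txn_id": "T1"}
FULL = dict(PARTIAL, amount="1000.00", txn_id="T2")

if __name__ == "__main__":
    seen = set()
    for n in (PARTIAL, FULL, FULL):   # third call replays the same confirmation
        print(clear_to_ship(ORDER, n, seen))
```

Amounts are compared as Decimal values rather than floats so that cent-level totals compare exactly, and the set of used transaction ids stops one confirmation from releasing a second shipment.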

Solution – Software Issue

PayPal may increase software security by either altering their current cart structure
based on the more secure “Go Cart” payment processing program or allowing the
third party software developer to integrate a portion of their secure payment
network into PayPal’s infrastructure. The addition of “Go Cart” to the PayPal
network would be a cost effective solution that would not only increase the number
of users who process payments using the Blasco Systems, Inc. shopping cart
(thereby providing Blasco with an increase in fees associated with processed
payment) but will provide for a more secure PayPal experience in light of the
oncoming growth of the company. A “Go Cart” integration will only allow buyers to
complete a transaction once the full purchase price is remitted, and any emails or
SMS messages sent to buyers through the Blasco software’s system arrive with the
dollar amount and shipping address displayed in lieu of an email address, a piece of
information considered secondary when compared to the transaction amount. The
integration of additional processing software will give more flexibility to the
consumers, and a total integration will still allow all transactions to take place within
PayPal much in the same way that automated registers provide customers the
option to check out the same items at the same supermarket as do the traditional
human operated cash registers.
