Wednesday, 31 January 2007

ChannelAdvisor - Yes to PayPal, No to Google Checkout

ChannelAdvisor have been pondering when (not if) eBay should allow Google Checkout for payments. I don't hold with their argument that eBay dismiss it as an "unproven system", but I do view Checkout as an e-wallet rather than an e-money payment system. They have fundamentally different ways of operating, and e-wallets just don't offer the same levels of buyer protection that e-money providers such as PayPal and Nochex do.

Setting that aside, as ChannelAdvisor appear to be championing Google Checkout I was looking forward to giving it a spin whilst signing up for the ChannelAdvisor Catalyst event to be held in London in April of this year. Strangely, there were only two payment options offered - PayPal or Mastercard / Visa. No sign of Google Checkout.

I guess it goes to show that for the market at large it really is PayPal Preferred!


Sunday, 28 January 2007

PayPal implements EV SSL to combat phishing

PayPal have moved further ahead in the fight against phishing by implementing EV SSL certificate support. SSL has been standard in browsers for some time and stands for Secure Sockets Layer; the EV stands for Extended Validation. Other browsers are looking to follow, but Microsoft plans implementation by the end of the month for Internet Explorer 7.

PayPal are one of the very first sites to go live with EV SSL certificates. Having just released security devices, it's good to see they're pushing ahead with more stringent security as well.

The big difference you'll see with EV SSL certificates is the lock icon (the padlock or key depending on your browser) will be moved from the Status Bar at the bottom of your browser to the address bar at the top (where you type the web address). In addition the address bar will turn green for known safe sites, red for known phishing sites, and yellow for suspected phishing sites.

One issue for the Firefox (Mozilla based) browser is that it already changes the address bar yellow for standard SSL certificated websites. With users trained to associate yellow with "safe", using it for "suspect" on IE will take some getting accustomed to and may lessen the security awareness it might otherwise have raised. EV SSL support is unlikely to appear in Firefox until version 3.0 is released later this year.

There are also concerns that smaller websites who have been unaffected by phishing attacks will be unable to afford certification costs, leaving users unsure which sites are secure and which are simply uncertified.


Microsoft to challenge PayPal and Google Checkout

Well what do you reckon? Third time lucky for Gates to plunge Microsoft into the forefront of online payments? Microsoft wallet (built into Internet Explorer) was a bit of a failure (as in no one used it), so they changed it to a server based system (Microsoft Passport - and still no one used it!). Now after a week of contemplation, Gates announces he's reviewed plans for an online micropayments project. Watch out for a solution to allow you to economically collect payments from a few pence to a pound at lower rates than credit card merchant accounts would charge.

The thinking behind the re-entry into online payments is a system designed so that you can charge small amounts for online content that's currently free, e.g. Tamebay could charge you 10p for reading this article and it wouldn't all be swallowed up in processing fees. Now there's an idea... charge you for reading this ;-)

So Microsoft aren't really out to compete with PayPal or even the easier target of Google Checkout (who continue to lag way behind PayPal regardless of the freebies they try to tempt buyers and sellers with). PayPal already have PayPal Micropayments with fees of 5% + $0.05 per transaction. It will be interesting to see firstly if Microsoft can beat these rates and secondly how easy implementation is.

In a year's time you could find yourself paying to read online content from sites like online newspapers. In fact, with printed newspapers in decline we predict it won't be long before they're largely published online for micropayments anyway, so Gates could be bang on the button with this one!


Thursday, 25 January 2007

IQ? Check out your TQ (Technology Quotient)

PayPal surveyed 1000 adults and found them worryingly oblivious to the latest technology and gadgets. One in three UK adults are still grappling with the complexities of programming their video recorder, whereas toddlers seem to be pre-programmed at birth to press a few buttons and play their Teletubbies tape. When you move to DVD recorders, close to four in five adults are baffled by the controls.

Mobile phones are another no go area with most adults settling for the ability to make phone calls, send text messages, use the camera and surprisingly the mobile is the modern alarm clock!

Neil Edwards, of online payments service PayPal, which commissioned the survey of 1,000 adults, said: "It's a worrying sign for Britain that so many of us are baffled and, therefore, turned off by technology."

Following the survey PayPal have set up a new website where you can test your "TQ". A baffling array of multiple choice answers will answer the question "What is your TQ?".

When you complete the test you'll automatically be entered into a draw for a Video iPod. The big question, if you win, is: will you be able to figure out how to use it?


Tuesday, 23 January 2007

Unable to verify www.paypal.com as a trusted site

Just days after PayPal announced security devices to generate one time passwords to protect users' accounts, they have yet another security flaw. The SSL certificate used to verify that the PayPal site is secure is again warning users that PayPal is not a trusted site.

[Image: PayPal Certificate Authority Warning]

This is by no means the first time PayPal have had problems with certificates; in the past they have had issues with non-secure images on SSL pages caused by third party banner adverts. It really is time a company handling financial transactions for over 100 million users got their act together on security. While users logging into the genuine PayPal site get warnings they have no option but to ignore if they need to perform transactions, it's no wonder they also fall for phishing sites.


Saturday, 20 January 2007

$5 PayPal security key gives false hope to stop phishers

[Image: PayPal security key fob]

Like many financial institutions, eBay and PayPal are late adopters of security devices for one time passwords. A security device (costing $5 in the US) gives a different security code each time you log into your account. PayPal say it "generates a unique six-digit security code about every 30 seconds. You enter that code when you log in to your PayPal or eBay account with your regular user name and password. Then the code expires - no-one else can use it." Or can they??

These devices have been around for almost twenty years with Security Dynamics (RSA Security) and Vasco being the earliest to market solutions. The eBay PayPal key has been developed in conjunction with VeriSign.

The biggest concern is whether the tokens are effective in preventing phishing attacks. Well, firstly, it's not what they were designed for. They were designed originally for remote access solutions where an employee would dial into a company workplace over a telephone line. Rather than a password that could be written down, the token ensured hackers couldn't dial in to the network with a compromised password. There was little chance of anyone intercepting the dial up phone call. The tokens were then deployed for use internally for all users on a network. Later they migrated outside the network as the Internet became more common for remote users connecting to corporate networks, for online banking, and now for eBay and PayPal.

It's important to realise they weren't designed for use on the Internet in the first place, and that hackers have had decades to develop ways to combat the tokens. The actual keys generated are still secure; there is still no effective way to compromise the security codes generated. This doesn't deter the phishers though - they have other tools in their arsenal.

Man in the middle attack

We've all seen phishing emails where a hacker tries to get you to click to a fake eBay or PayPal website and enter your user name and password, which they later use to access your account. Smarter phishing sites are becoming more common, where the hacker captures your user name and password and instantly uses it to log on to the real site. They pass the information you request to the site and back to you - you may never realise you're not logged directly into the site, but in the meantime the hacker is able to perform any transaction they please while you make the transaction you logged on to do.

Trojan attacks

Far too few Internet users keep their security up to date, allowing virus and trojan attacks. If a phisher manages to install a trojan on your computer, next time you log on to eBay or PayPal they can piggyback on your logon to perform their own transactions.

These two methods for bypassing one time passwords are not new - they were reported by Bruce Schneier back in March 2005. What does this mean for the new PayPal and eBay security devices? Well, it'll make the phishers' lives harder, but so far they're only available in the US, Australia and Germany, leaving plenty of targets for phishers in the other eBay and PayPal territories. Secondly, they're not compulsory: they're free for PayPal Business accounts, but the $5 cost will put off many users who arguably are the most vulnerable. Finally, the efficacy of the tokens themselves has to be questioned. It's technology that's been around since before most of today's hackers first logged on to the Internet and was designed for dial up connections to corporate networks. Hackers have grown up looking for ways to render them useless.

It remains to be seen if the promise of security will result in users lowering their guard still further. After all no one can access your account without your token can they? Well possibly they can - users need to be as vigilant as ever. As Blogging stocks ask "Are the days at an end to eBay and PayPal phishing scams?". Sadly the chances are they're only just beginning!
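To make the limits described above concrete, here is an added example (not PayPal's or VeriSign's code) of what a server can and cannot check about a six-digit, 30-second code. The algorithm is an assumption: the post does not say what the key fob runs, so standard RFC 6238 TOTP stands in, and the class and parameter names are hypothetical.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # the post: a new code "about every 30 seconds"
DIGITS = 6         # the post: "six-digit security code"


def totp(secret, unix_time, digits=DIGITS):
    """RFC 6238 TOTP with HMAC-SHA1 (assumed stand-in for the token)."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Server-side check: the code must be current and not already used."""

    def __init__(self, secrets_by_user, drift_steps=1):
        self._secrets = secrets_by_user
        self._drift = drift_steps   # tolerated clock drift, in 30 s steps
        self._last_step = {}        # user -> newest time step already accepted

    def verify(self, user, code, unix_time):
        # Note the inputs: account, code and clock. Nothing here describes
        # which site or connection the user typed the code into, so a code
        # that arrives within its window passes whoever forwards it.
        secret = self._secrets.get(user)
        if secret is None:
            return False
        now_step = unix_time // STEP_SECONDS
        first = max(0, now_step - self._drift)
        for step in range(first, now_step + self._drift + 1):
            if step <= self._last_step.get(user, -1):
                continue  # this window (or a later one) was already consumed
            expected = totp(secret, step * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                self._last_step[user] = step  # "then the code expires"
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret, not a real key
    verifier = OtpVerifier({"alice": secret}, drift_steps=0)
    code = totp(secret, 1111111109)
    print("first use :", verifier.verify("alice", code, 1111111109))
    print("replay    :", verifier.verify("alice", code, 1111111109))
    print("next step :", verifier.verify("alice", code, 1111111111))
```

Expiry and single use are enforced, which is the part PayPal's description covers; the origin of the login is not, which is why the token has to be paired with the server-certificate and address checks discussed elsewhere on this page.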


Friday, 19 January 2007

PayPal preferred

It's official, the latest JP Morgan Securities survey reveals that buyers prefer PayPal to Google Checkout. Whilst only 6% of those surveyed had actually used Google Checkout only one in five of these were happy in the survey. Contrast this to a massive 42% using PayPal of which almost half rated the service as "good" or "very good".

43% of those surveyed intend to use PayPal but not Google Checkout in the future (80% had heard of PayPal) while a tiny 2.3% intend to use Google Checkout but not PayPal.

The survey shows that PayPal not only has great brand awareness, but the threat of Google has so far had very little impact on its business. In fact, if Google weren't constantly bombarding sellers and buyers alike with cash (either free processing or cash back for paying with the service) their market share would be even less.

Google have a long way to go before they become a mainstream method of payment, or even to be a recognised alternative player in the online payments market. Google's $10 handouts to buyers obviously aren't buying them many friends!


Thursday, 18 January 2007

"Safe" Paypal compulsory for new sellers

One positive aspect of Bill Cobb's Keynote speech yesterday is the payment requirements for new sellers. New seller accounts will be required to either offer Paypal or to accept direct credit card payments; other payment methods which eBay does not like, such as cheques and money orders, may be offered in addition.

Despite eBay spokesperson Catherine England's assertion that eBay do not intend to make Paypal the sole acceptable payment method on eBay, this is one more step towards exactly that: new sellers tend to start by either selling their own unwanted possessions, or as very small businesses, and one of the beauties of Paypal is that, unlike merchant accounts, it's cheap, quick and easy to set up. In practice, "Paypal or a merchant account" is going to mean *Paypal*.

This is great news. What better way to stop the brand new, (0) feedback scammer accounts than by forcing them to offer Paypal? Such a high percentage of buyers now prefer to use Paypal that this will, at a stroke, instantly protect hundreds of potential scammees. It might (and I know I'm being super-optimistic here) put the scammers off a little in the first place. It's possibly the best move eBay have ever made to keep their buyers safe.

We have just one question. Why is this, the cherry on the sour cake of eBay's changes, being kept just for North America?


Tuesday, 16 January 2007

Another day, another site issue

Having problems with Paypal this morning? You're not alone. If you can't withdraw any funds, messing about with your email addresses should fix it. I wonder if Paypal have any idea how amateur this looks?


Sunday, 14 January 2007

Aviation industry say PayPal wins over Google Checkout

IAG, who specialise in business services for the aviation and travel industry, conclude that PayPal is a better solution than Google Checkout for payment services. The crux of the matter is that, regardless of PayPal fees, Google insist on a buyer opening an account prior to sending a payment. They suggest that buyers have enough accounts and passwords to remember already and call Google arrogant for insisting a buyer open an account with them to make a payment to a third party.

They point out that while users who already have accounts will have no problem logging in and making a payment, there's a reluctance to use sites which constantly insist you open yet another account that you may never use again. IAG conclude that if you can accept both payment methods you should, but if you can only integrate one tool then PayPal is the one to use!


Thursday, 11 January 2007

Indian takeaway for PayPal

PayPal is apparently setting up a new technical development centre in India. Chennai (formerly known as Madras) has also become a major centre for outsourced jobs from the West. PayPal have chosen this, the fourth largest city in India, for the location of their new site. The only information released so far is that they plan "to hire hundreds of professionals for product development, software engineering and other functions".

If you fancy working in Chennai send your CV to IDC@paypal.com


Wednesday, 10 January 2007

Bye bye Standard Protection, hello compulsory Paypal?

eBay have doubled the amount guaranteed to be refunded to Paypal buyers in the event of non-delivery or receipt of damaged goods to up to US$2000 for qualified sellers, and to US$200 or CA$315 across the board.

Well this looks nice. More protection for buyers means more confidence in the eBay marketplace, which has to be good news for everyone, buyer and seller alike. Doesn't it?

Not quite. Many eBayers, myself included, have speculated that eBay would like to force all transactions to be concluded through Paypal, and this is just one more move towards that goal, as the Standard Purchase Protection Program is being discontinued in the US and Canada. This program protected buyers who paid with non-Paypal methods such as cheques and money orders against non-receipt of their item. eBay say:

From a risk management and fraud prevention perspective, SPPP is flawed, because it offers coverage on the riskiest payment methods. This is clearly not in the best interests of the marketplace long-term.

In other words, choose to pay by a method that we don't control, where we don't take another cut of the cash and where we can't reclaim chargebacks from errant sellers like we do with Paypal... and you're on your own.

Obviously eBay don't like exposing themselves to risk. So why are they so ready to let their sellers do it? With this increase in buyer protection, sellers are left to bear even more of the risk of fraudulent chargebacks by scamming buyers. Until eBay make it possible for sellers to control the level of risk they will accept - by, for example, being able to block bidders without verified Paypal accounts and confirmed addresses - sellers remain completely over-exposed by these measures.


Tuesday, 9 January 2007

PayPal want to pay your mortgage for a year

PayPal have launched a new promotion in which Shelter is the latest charity to benefit. You can win the ultimate prize of having your mortgage (or rent) paid for a year!

[Image: PayPal Shelter Promotion]

Shelter is the charity set up in 1966 to prevent bad housing and homelessness adversely affecting people's lives, so the prize of a year mortgage free from PayPal is very apt.

All you need to do to enter is activate PayPal Mobile and text "shelter" and (if you're feeling generous) a cash amount to 64483 (i.e. Shelter 5 will send £5). Confirm with your pin and Shelter will receive your donation paid direct from your PayPal account and you're in the prize draw. If you don't wish to donate, just text Shelter; texts cost 25p plus your standard network rate.

Last month Warren Wysocki won a brand new Porsche Boxster for donating a penny to Children in Need; next month you could be living rent free for the next year!


Monday, 8 January 2007

Old news is no news

ebaypaypalblog reported the opening of Paypal's new UK office and a reduction in the withdrawal fee for amounts under £50, quoting a Paypal spokesperson's statement that this would increase trust and comfort for UK buyers. Such a great story was picked up by both auctionforums.org and eBayyer (lacking permalinks, scroll down to 5th January post, identical to source). The only problem? The story actually dates from October 2003. Oops :-)


Saturday, 6 January 2007

Catching phish

Michael Sutton's analysis of Google's list of suspected phishing sites makes interesting reading, with some shockingly simple tricks still apparently fooling web users.

eBay and Paypal remain top of the phishers' hit lists, with 47% of URLs listed aimed at either one or other site: looking at my inbox, this isn't particularly surprising.

What is jaw-droppingly incredible is that Yahoo apparently host Yahoo-phishing sites. Why anyone would put any sort of personal information into a Geocities site is quite beyond me, but as simple subdomains ("http://paypal.scamsite.com/") seem to work for the phishers, it's fair to assume that people are still not checking even the basic details as they click on these links.

As Sutton himself says,

Based on all of the sites that I looked at, the majority of phishing scams are less sophisticated than I had predicted. This is however somewhat concerning as simple attacks must still be working and attackers have not been forced to upgrade their skills in order to make a profit.

Via The Reg. via Techspot.
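The basic detail readers skip in a link like "http://paypal.scamsite.com/" is which domain was actually registered. As an added example (not from Sutton's analysis or from Google's list), this sketch pulls out that registrable domain and compares it with an assumed allow-list; the brand table, the two-entry suffix set and every sample URL other than the one quoted above are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List; a real
# check would load the full list rather than hard-code two entries.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

# Assumed allow-list of registrable domains per brand (illustrative only).
BRAND_DOMAINS = {
    "paypal": {"paypal.com", "paypal.co.uk"},
    "ebay": {"ebay.com", "ebay.co.uk"},
}


def registrable_domain(host):
    """Return the part of the hostname that somebody actually registered."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(url):
    """Return (verdict, brand, registrable_domain) for one URL."""
    parts = urlsplit(url)
    host = parts.hostname
    if not host:
        return ("unparsed", None, None)  # e.g. no scheme, so no hostname
    reg = registrable_domain(host)
    for brand, domains in BRAND_DOMAINS.items():
        if reg in domains:
            return ("genuine", brand, reg)
    # The brand is named in the subdomain or path, but the registered domain
    # belongs to someone else. Substring matching is deliberately broad and
    # will also flag innocent names that merely contain the brand.
    haystack = (host + parts.path).lower()
    for brand in BRAND_DOMAINS:
        if brand in haystack:
            return ("lookalike", brand, reg)
    return ("unrelated", None, reg)


SAMPLE_URLS = [
    "http://paypal.scamsite.com/",                       # quoted in the post
    "https://www.paypal.com/uk/",                        # constructed
    "https://signin.ebay.co.uk/ws/",                     # constructed
    "http://hosting.example/members/paypal/index.html",  # constructed
    "http://news.example/technology",                    # constructed
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(classify(url), url)
```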


Thursday, 4 January 2007

A penny for your Porsche

[Image: Geoff Iddison of Paypal presents Porsche keys to Warren Wysocki]

Warren Wysocki of Horsham registered for PayPal Mobile and donated just one penny to Children in Need.... and won a brand new Porsche Boxster!

We blogged the promotion back in November and the winners were revealed today.


I can't believe I've won my dream car. I am thrilled to have taken part in this competition and am now the envy of a lot of people in Horsham I can tell you!

Twelve other lucky winners won cash prizes ranging from £1,000 up to the top prize of £25,000 by using PayPal to send money in various different ways or even simply for getting their PayPal account verified.

Congratulations to all the winners.... any chance of a ride in the Porsche?


Monday, 1 January 2007

Romania hacks PayPal and joins the EU

Romania joins the European Union as a full-fledged member today and gains the same status as the other member states. PayPal however continues to block Romanian IP addresses and fraud prevention rules mean a single login from a ‘prohibited’ country causes a PayPal account to go into a restricted mode.

This was irksome for Sagewing Corporation, whose technical team, which integrates Joomla and Paypal, is based in Romania. When working on a client account a single test logon would limit the account! Still, no problem - they just hacked a solution by using a Windows Virtual Private Server, and their techies log onto the server using Remote Desktop, thus appearing as if they're based in a different country.

If it's that easy for a legitimate technical team to get around PayPal fraud controls I can't see other hackers having too many problems!


Wednesday, 27 December 2006

Your money or your file

In the latest twist on Dick Turpin style hold-ups, crooks are spreading malicious code which encrypts a company's data or a user's emails. They are then demanding electronic payments, through services such as PayPal, for the digital keys to unlock them again.

According to security firm Websense, one recent victim was the tech administrator at a company in the Northeast. His PC was infected by malicious code, which scrambled company files. An e-mailed ransom note demanded $200 for the digital keys to unlock the files.

The victim did not pay because he doubted his data would be returned even if he paid, says Dan Hubbard, vice president of security and research at Websense. Most of the stolen files were recovered from a backup disk, Hubbard says.

In this electronic age losing your data really is a case of "Your money or your life!"


Thursday, 21 December 2006

Whitman "very committed to Paypal in China"

Meg Whitman has remained tight-lipped about the future of Paypal in China after Tuesday's revelations about the future of the auction platform. Refusing to comment on the rumoured tie-up with UMPay, an online payments vehicle owned by China Mobile and bank card provider China Unionpay, Whitman did acknowledge that coming legislation may make partnership unavoidable:

"We will see what the right thing to do is here in the People's Republic of China, I am aware of some of the pending government regulation around the need to find a local partner for a financial-services product," Whitman said.

"But we continue to invest in PayPal and the cross-border trade is very strong and the local trade is very strong, so we will see what happens over the next weeks and months, but we are very committed to PayPal in China."


Monday, 18 December 2006

1200% of almost nothing is still almost nothing

"Sales via Google Checkout are up 1200% in Q4. WOW." exclaims Scott Wingo on his blog. "They admittedly started with a small base, but it's very interesting to see the growth presented this way. One has to wonder how long eBay's argument for not allowing Google Checkout will hold water that it is an "unproven system". Maybe when they overtake the Paypal transaction volume?" The big question is whether that's likely to happen, and if it does is Checkout desirable on eBay in the first place?

Many sellers already will do almost anything to persuade buyers not to pay with PayPal - reverse surcharging (discounting for all payment methods other than PayPal) was popularised when eBay outlawed surcharging for PayPal. Nochex, Cheques, Bank Transfer, Postal Orders, Merchant Account they cry, and yet overwhelmingly buyers vote with their feet and continue to use PayPal whenever the opportunity arises. Sure, that's partly because it's a couple of clicks for an integrated solution, but isn't that exactly what Google are promising? Sellers need to realise that if they start splitting payments between PayPal and Nochex, Checkout et al they're the ones that will lose. Sellers get discounts on PayPal for transactional volume, and dropping down a level because you divert funds through another payment system could be cutting off your nose to spite your face.

So what is Checkout at the end of the day? It's certainly not a direct competitor to PayPal; it's more akin to an e-wallet:

"The electronic equivalent of a wallet for e-commerce transactions. Also called an "e-wallet," it holds credit card data and passwords for logging into Web sites. The wallet data may reside in the user's machine or on the servers of the wallet service. When stored in the client machine, the wallet may use a digital certificate that identifies the authorized card holder. Microsoft's Passport, Yahoo! Wallet and Gator's eWallet are examples of digital wallets."

If Microsoft et al failed with the digital wallet (or does anyone out there actually use it?) what makes you think Google Checkout is likely to succeed? In comparison PayPal is entrenched for eBay users and even if Checkout was allowed on the site take up by buyers is likely to be slow (consider usage of Nochex). Meanwhile PayPal continue to win merchant accounts - in the last year everything from Monster in the US and DHL, Loot, Napster, Sony, Betfair and Ladbrokes in the UK have become PayPal enabled.

Checkout is great for Google.... it helps lock AdWords users into the brand (or it would do if they weren't giving Checkout away for the next year anyway), but what counts is what buyers want. On eBay they have voted almost unilaterally for PayPal, eschewing alternatives like Nochex. For other sites, will buyers be tempted to sign up for Checkout or will they just go ahead and enter their credit card direct into the seller's online merchant account?
