Pagoda Blog

Can PayPal Be Trusted with Your Financial Information?

March 5, 2020

PayPal is widely accepted as a secure way to conduct online transactions. 36 percent of North American retailers accepted PayPal as of December 2018, and in the fourth quarter of 2019, there were 305 million active PayPal accounts worldwide. A recent login hack, however, has put the company’s security in question. CyberNews analysts discovered vulnerabilities that would allow someone to access a user’s PayPal account by phishing their credentials or using stolen credentials purchased on the dark web.


So, how concerned should we be about these vulnerabilities? If your business uses PayPal as a form of accepted payment, should your business discontinue this practice and consider an alternative online payment system? Before jumping to conclusions, let’s first look at how PayPal safeguards its accounts and then how these safeguards have been compromised. 


How PayPal safeguards your information 

PayPal uses a security layer called key pinning to ensure that your browser is communicating with a legitimate PayPal server. This helps prevent a scammer from intercepting a transaction in transit and redirecting you to a cloned site designed to capture your personal information. PayPal also encrypts any information sent during a transaction to prevent interception by a scammer.


PayPal also knows each user’s behavioral track record, the device normally used to log in, and recent activity, allowing them to better detect fraudulent transactions. Whenever you log in from a new device, PayPal runs a series of checks in the background to ensure the user is actually you before approving your transactions. It’s this series of checks that CyberNews claims to have circumvented, allowing them to gain access to an account.


What CyberNews analysts achieved was the ability to log in to an account from a new device using basic credentials (username and password) without PayPal challenging the login attempt.


How to further secure your PayPal account 

While this is concerning, there is an easy way to protect your account from this vulnerability.   

PayPal offers two-factor authentication, an additional layer of security that requires an additional piece of identifying information beyond your username and password to gain access to your account. This piece of information is typically a one-time code texted to your smartphone, or it can be token-based or delivered through an app.


Learn more about 2FA in our post, What is Two-Factor Authentication and Why You Need It


Activate 2FA

The issue is that 2FA through PayPal is optional and must be activated by the user. If you haven’t chosen to activate this security feature, your account could be at risk. Although it’s always concerning when vulnerabilities in a trusted, widely used software are revealed, PayPal asserts that their 2FA prevents this vulnerability from being an issue. If a user’s account were hacked due to a bug or vulnerability in PayPal’s system, the company reported to Forbes that they would repay the user for any losses incurred. 
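Why an activated second factor stops a login that has only a username and password, shown as an added example (not PayPal's code and not part of the original post). It assumes an app-based code following RFC 6238 (TOTP); `make_account`, `login` and the sample credentials are hypothetical.

```python
import hashlib
import hmac
import os
import struct

def totp(secret, at, step=30, digits=6):
    """RFC 6238 one-time code for Unix time `at` (HMAC-SHA1 variant)."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_account(password, totp_secret=None):
    """Constructed sample account; totp_secret=None means 2FA was never activated."""
    salt = os.urandom(16)
    return {"salt": salt, "pw": _pw_hash(password, salt),
            "totp_secret": totp_secret, "last_step": -1}

def login(account, password, code, now):
    """Return 'ok', 'bad_password', 'code_required' or 'bad_code'."""
    if not hmac.compare_digest(_pw_hash(password, account["salt"]), account["pw"]):
        return "bad_password"
    secret = account["totp_secret"]
    if secret is None:
        return "ok"  # password alone is enough: the exposure the article describes
    if code is None:
        return "code_required"
    current = now // 30
    for step in (current - 1, current, current + 1):  # allow one step of clock drift
        if step <= account["last_step"]:
            continue  # a code from an already used time step cannot be replayed
        expected = totp(secret, step * 30)
        if hmac.compare_digest(expected.encode(), code.encode()):
            account["last_step"] = step
            return "ok"
    return "bad_code"

if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret, not a real key
    no_2fa = make_account("sample-password")
    with_2fa = make_account("sample-password", secret)
    print(login(no_2fa, "sample-password", None, 59))
    print(login(with_2fa, "sample-password", None, 59))
    print(login(with_2fa, "sample-password", totp(secret, 59), 59))
```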


Use a unique password and watch out for phishing scams 

To further protect your account, you can ensure you’re using a unique password for your PayPal account that adheres to the latest password security guidelines. It’s also important to know that PayPal will never request your private information such as your address, social security number, financial details, or password via email. If you receive an email from PayPal requesting this type of information then it’s a phishing scam that could compromise your account if you click any links. (Also note that emails from the official PayPal account will never contain attachments.) 


Can PayPal still be trusted?  

If you enact 2FA on your PayPal account, follow password security guidelines, and stay on the lookout for phishing scams, PayPal is still the securest online money-transfer service available. Below are additional security precautions you can take when using PayPal to make purchases.  


- Don’t conduct purchases over public Wi-Fi 

- Don’t link a debit card to your PayPal account 

- Review your PayPal balance periodically 

- Only buy from trusted sources with an HTTPS web address


If you’re receiving payment for products, rather than services, through PayPal then you should take the following precautions as a seller: 


- Only ship to confirmed addresses

- Use your own shipping labels 

- Require full payment through a single PayPal account 

- Require signature confirmation upon receipt

- Hold onto your sale and shipment records 


Conducting any type of transaction online is never 100 percent safe but PayPal is overall a secure way to buy and sell goods and services. Check out PayPal’s Safety & Security page for more information on their security policies.  


Have further questions about PayPal or other online money-transfer services? Let us know so we can cover it in a future post. 

