Retailers Worry About PayPal Security — Should You?
An image from the PayPal website demonstrating a credit-card reader for iPhones.
Hank Coleman, a part-time financial planner and personal-finance writer, is a fan of PayPal.
"I do a lot of freelance writing for different personal finance websites, and receive most of my salary through PayPal," Coleman said.
"I've been letting my account balance build over the past few months in anticipation of the Christmas gift-giving season," Coleman added. "I've been buying a lot of things from websites for presents already, like normal, but I've been using PayPal at the checkout instead of a credit card."
Coleman isn't alone. PayPal and similar online-payment businesses are a popular and easy way to pay for items, receive money and handle any number of financial transactions.
As more consumers turn to PayPal for Web-based purchases, retailers are paying attention and offering PayPal as a payment option.
A necessary evil?
But retailers aren't making this switch willingly. According to a new survey from Osterman Research of Black Diamond, Wash., on behalf of OneID, a personal-authentication provider in Redwood City, Calif., online retailers are caught between trying to simplify the shopping experience and securing their networks.
The survey found that while 84 percent of respondents offered PayPal for checkout, half — 50 percent — agreed with the statement that PayPal was a "necessary evil" and that they would replace it if they could.
An equal number of respondents viewed PayPal as a security risk, while 47 percent called it a privacy risk.
But at the same time, merchant acceptance of PayPal is expected to increase approximately 14 percent in 2013.
Yet these same retailers adhere to the idea that the customer is always right. Or, at least, that the customer's shopping experience is the top priority, even if it means security takes a back seat.
Nearly three-quarters of respondents (73 percent) reported that investing in technologies to improve the shopping experience would be necessary over the next 12 months, while just 69 percent rated highly their investments in customer security or data security.
At the same time, half of online retailers queried said e-commerce security has gotten harder to ensure over the past 12 months, and 67 percent believe their sites are as secure as they could be.
Accept no substitutes
Let's be honest — most consumers don't think twice about network-security issues beyond the possibility of someone stealing their credit-card number.
That's why they turn to options like PayPal, which, as Coleman stated, is already a trusted company.
According to Michael Sutton, vice president of security research for Zscaler ThreatLabZ in San Jose, Calif., PayPal does an excellent job of ensuring that consumers have a secure means of transmitting funds for an online purchase.
"The problems generally occur when the consumer assumes that they're dealing with PayPal, but aren't," Sutton said.
"Not surprisingly, PayPal is one of the most popular targets for phishers. If an attacker can convince you to log into a fake PayPal site, you've just handed over some very valuable credentials, as they can now transfer funds on your behalf."
However, Jim Fenton, chief security officer of OneID, believes that consumers are in fact taking a big risk when they use PayPal to make purchases on retail sites.
"The biggest risk with respect to PayPal is that it is username/password based, and we have seen quite a number of such breaches this past year," Fenton said.
"To PayPal's credit, they have offered a two-factor authentication token to improve their security," Fenton said. "I have (and use) one, but I understand that a very small percentage of their users do.
"The risk with PayPal is somewhat higher than with a normal credit-card transaction, because the $50 [fraud] liability limit for users using credit cards does not apply."
PayPal is a large company, Fenton added, so that makes it a big target and subject to a high level of attack.
"Their record is good, but their dependence on usernames and passwords makes them more vulnerable as time passes," he said.
PayPal did not respond to requests for comment.
Keeping yourself safe
So how do you decrease your own online shopping risks?
Jim Mapes, vice president of security at BestIT, an information-technology consultancy in Phoenix, offered the following suggestions:
— Use one credit card with a set limit for all of your online payments, whether items are directly purchased from a retailer or through a service such as PayPal.
— Use secure passwords and develop good security practices to protect yourself. Change the password you use for PayPal, as well as all of your online bank passwords, at least twice a year.
Make sure you use a different password for each account. That way, when one company's customer list gets hacked into, the intruders don't have a single password to access all of your accounts.
— Do not enter any payment information into a website unless it has a secure connection. Check to be sure that the website has "https" displaying in the URL and that its certificate of authentication is up-to-date.
— Review your bank-account and credit-card statements and be sure they are accurate. Report any suspicious activity as soon as possible.
The sooner you detect fraud, the faster your account will be cleared and the greater the likelihood the criminals will be caught.