OT: Online payment security

C

cameo

Lately I've been paying for my online purchases more any more with
PayPal than credit cards. Partly because of PayPal's convenience and
partly because of my possibly mistaken assumption of its smaller risk
for identity theft. My thinking is that using a credit card would let
any possibly dishonest employee of the online merchant to use the credit
card info for other than intended purposes, not to mention that some of
those merchants' databases could also be hacked in from the outside with
relative ease. With PayPal on the other hand, the merchants, even if
they know my account, they would not see my PayPal password, I assume,
as it would bypass the merchant. Hopefully PayPal's customer database is
also more secure against hacking than many of the merchants'.

What do you think? Am I correct assuming PayPal to be more secure?
 
J

John Williamson

Lately I've been paying for my online purchases more any more with
PayPal than credit cards. Partly because of PayPal's convenience and
partly because of my possibly mistaken assumption of its smaller risk
for identity theft. My thinking is that using a credit card would let
any possibly dishonest employee of the online merchant to use the credit
card info for other than intended purposes, not to mention that some of
those merchants' databases could also be hacked in from the outside with
relative ease. With PayPal on the other hand, the merchants, even if
they know my account, they would not see my PayPal password, I assume,
as it would bypass the merchant. Hopefully PayPal's customer database is
also more secure against hacking than many of the merchants'.

What do you think? Am I correct assuming PayPal to be more secure?
It's certainly more of a target for e-mails asking you to update your
account details or your account will be suspended, restricted or closed
if you don't reply within a time limit.

I get them and I don't even have a live account. I get no e-mails of
this sort about my active credit cards.
 
J

Jason

Lately I've been paying for my online purchases more any more with
PayPal than credit cards. Partly because of PayPal's convenience and
partly because of my possibly mistaken assumption of its smaller risk
for identity theft. My thinking is that using a credit card would let
any possibly dishonest employee of the online merchant to use the credit
card info for other than intended purposes, not to mention that some of
those merchants' databases could also be hacked in from the outside with
relative ease. With PayPal on the other hand, the merchants, even if
they know my account, they would not see my PayPal password, I assume,
as it would bypass the merchant. Hopefully PayPal's customer database is
also more secure against hacking than many of the merchants'.

What do you think? Am I correct assuming PayPal to be more secure?
I don't think it's necessarily more secure. Most (all?) credit card
issuers will allow you to contest a charge and you hang on to your
money until it is resolved. I don't think PayPal operates that way;
the money moves to the merchant right away. In about 20 years of
buying things on the Web, I have been defrauded once - it was a PayPal
transaction and it was ultimately NOT resolved to my satisfaction.
Fortunately it was not a lot of money. I do know that PayPal will
not open an incident if 45 days have passed since the transaction
occurred. A neighbor learned that the hard way.

As far as having your CC number stolen, my understanding is that
merchants don't ever even see it - the CC issuer merely validates
your account and tells then signals the merchant that the
transaction is ok. I once had my card # lifted, apparently by
an employee in a bricks-and-mortar store. He, or someone, then
purchased a $1,000 camera. When I saw that on my bill, I opened
a dispute with the issuer and didn't have to pay anything. The
CC security person told me that thieves like this typically only
use a number once, but that they collect a LOT of them and go on
a shopping binge, usually with delivery to a rental address that
they rent only for a few days until the deliveries are made. (One
might wonder if UPS or FedEx could/would spot such behavior...)
 
P

Peter Jason

Lately I've been paying for my online purchases more any more with
PayPal than credit cards. Partly because of PayPal's convenience and
partly because of my possibly mistaken assumption of its smaller risk
for identity theft. My thinking is that using a credit card would let
any possibly dishonest employee of the online merchant to use the credit
card info for other than intended purposes, not to mention that some of
those merchants' databases could also be hacked in from the outside with
relative ease. With PayPal on the other hand, the merchants, even if
they know my account, they would not see my PayPal password, I assume,
as it would bypass the merchant. Hopefully PayPal's customer database is
also more secure against hacking than many of the merchants'.

What do you think? Am I correct assuming PayPal to be more secure?
You may have the option, on some sites, to pay
directly into the seller's bank account, so
bypassing the credit card system completely.

A clever disgruntled employee can steal credit
card details.
 
K

Ken Blake

Lately I've been paying for my online purchases more any more with
PayPal than credit cards. Partly because of PayPal's convenience and
partly because of my possibly mistaken assumption of its smaller risk
for identity theft. My thinking is that using a credit card would let
any possibly dishonest employee of the online merchant to use the credit
card info for other than intended purposes, not to mention that some of
those merchants' databases could also be hacked in from the outside with
relative ease. With PayPal on the other hand, the merchants, even if
they know my account, they would not see my PayPal password, I assume,
as it would bypass the merchant. Hopefully PayPal's customer database is
also more secure against hacking than many of the merchants'.

What do you think? Am I correct assuming PayPal to be more secure?

I greatly doubt it. Four points about the security of using a credit
card online:

1. I've used a credit card online umpteen hundreds of times for many
years now, and never had a single problem. I know many other people
with the same experience as mine.

2. If your credit card number is used by someone else improperly, you
can contest the charge and you won't have to pay it unless the credit
card company can prove that it was you.

3. If you ever get taken, there's a maximum amount you would have to
pay. It's usually around $50 USD.

4. Almost all of those people who fear using a credit card online have
no problem giving their credit card to a pimply-faced young kid in a
restaurant, and having him take it to another room where he can copy
the number at his leisure and then use it later himself. Which is more
dangerous, online or the restaurant? It's no contest, as far as I'm
concerned; the restaurant is far more dangerous. If you fear using a
credit card online, you shouldn't use one anywhere.
 
M

mick

Lately I've been paying for my online purchases more any more with
PayPal than credit cards. Partly because of PayPal's convenience and
partly because of my possibly mistaken assumption of its smaller risk
for identity theft. My thinking is that using a credit card would let
any possibly dishonest employee of the online merchant to use the credit
card info for other than intended purposes, not to mention that some of
those merchants' databases could also be hacked in from the outside with
relative ease. With PayPal on the other hand, the merchants, even if
they know my account, they would not see my PayPal password, I assume,
as it would bypass the merchant. Hopefully PayPal's customer database is
also more secure against hacking than many of the merchants'.

What do you think? Am I correct assuming PayPal to be more secure?

I greatly doubt it. Four points about the security of using a credit
card online:

1. I've used a credit card online umpteen hundreds of times for many
years now, and never had a single problem. I know many other people
with the same experience as mine.

2. If your credit card number is used by someone else improperly, you
can contest the charge and you won't have to pay it unless the credit
card company can prove that it was you.

3. If you ever get taken, there's a maximum amount you would have to
pay. It's usually around $50 USD.

4. Almost all of those people who fear using a credit card online have
no problem giving their credit card to a pimply-faced young kid in a
restaurant, and having him take it to another room where he can copy
the number at his leisure and then use it later himself. Which is more
dangerous, online or the restaurant? It's no contest, as far as I'm
concerned; the restaurant is far more dangerous. If you fear using a
credit card online, you shouldn't use one anywhere.[/QUOTE]

It can be more dangerous NOT using a credit card as the story here
illustrates:
https://www.getsafeonline.org/news/the-amazon-scam-reported-on-the-one-show/
 
C

cameo

I greatly doubt it. Four points about the security of using a credit
card online:

1. I've used a credit card online umpteen hundreds of times for many
years now, and never had a single problem. I know many other people
with the same experience as mine.

2. If your credit card number is used by someone else improperly, you
can contest the charge and you won't have to pay it unless the credit
card company can prove that it was you.

3. If you ever get taken, there's a maximum amount you would have to
pay. It's usually around $50 USD.

4. Almost all of those people who fear using a credit card online have
no problem giving their credit card to a pimply-faced young kid in a
restaurant, and having him take it to another room where he can copy
the number at his leisure and then use it later himself. Which is more
dangerous, online or the restaurant? It's no contest, as far as I'm
concerned; the restaurant is far more dangerous. If you fear using a
credit card online, you shouldn't use one anywhere.
Well, in restaurants I have no choice but using a CC as I don't like
to carry much cash with me. However, you guys convinced me that CCs are
a better choice even online. So thanks to all responders.
 
P

Paul in Houston TX

cameo said:
Well, in restaurants I have no choice but using a CC as I don't like
to carry much cash with me. However, you guys convinced me that CCs are
a better choice even online. So thanks to all responders.
For anything over about $20 USD, I call the vendor before hitting
the "buy" button.
No phone number or no physical location listed = no sale.
 
G

Gene E. Bloch

You may have the option, on some sites, to pay
directly into the seller's bank account, so
bypassing the credit card system completely.

A clever disgruntled employee can steal credit
card details.
PayPal doesn't display the user's credit card number to the merchant.
 
P

philo 

Lately I've been paying for my online purchases more any more with
PayPal than credit cards. Partly because of PayPal's convenience and
partly because of my possibly mistaken assumption of its smaller risk
for identity theft. My thinking is that using a credit card would let
any possibly dishonest employee of the online merchant to use the credit
card info for other than intended purposes, not to mention that some of
those merchants' databases could also be hacked in from the outside with
relative ease. With PayPal on the other hand, the merchants, even if
they know my account, they would not see my PayPal password, I assume,
as it would bypass the merchant. Hopefully PayPal's customer database is
also more secure against hacking than many of the merchants'.

What do you think? Am I correct assuming PayPal to be more secure?


On two occasions I've had my credit card compromised.
In both cases, I filed a *fraud* report immediately and was not charged
for the transaction but it was a bit inconvenient.


I do a lot of transactions on-line so the convenience is worth it.
It is not likely an employee of one of the companies was dishonest.
I know in one instance the vendor had their data base hacked...
there was an article in the paper about it.

From now on, I am not going to let any vendor store my credit card
number though.
 
J

Jeff Barnett

Paul in Houston TX wrote, On 3/6/2013 5:01 PM:
For anything over about $20 USD, I call the vendor before hitting
the "buy" button.
No phone number or no physical location listed = no sale.
That's close to my algorithm too. However, a phone number isn't reliable
since it might, and often is, directed overseas. When I consider using a
new vendor I try through online reviews to verify the address. A few
times I've called the CC issuer to see what they have to say - usually
they wont commit to anything but sometimes you can pick up some helpful
information.
 
D

dweebken

I greatly doubt it. Four points about the security of using a credit
card online:

1. I've used a credit card online umpteen hundreds of times for many
years now, and never had a single problem. I know many other people
with the same experience as mine.

2. If your credit card number is used by someone else improperly, you
can contest the charge and you won't have to pay it unless the credit
card company can prove that it was you.

3. If you ever get taken, there's a maximum amount you would have to
pay. It's usually around $50 USD.

4. Almost all of those people who fear using a credit card online have
no problem giving their credit card to a pimply-faced young kid in a
restaurant, and having him take it to another room where he can copy
the number at his leisure and then use it later himself. Which is more
dangerous, online or the restaurant? It's no contest, as far as I'm
concerned; the restaurant is far more dangerous. If you fear using a
credit card online, you shouldn't use one anywhere.
I've been travelling overseas and my credit card was cancelled by the
bank while I was travelling because of suspected fraudulent activity
by someone thousands of km from anywhere I had anything to do with.
In any 5 year period this will happen to me two or three times. Try
paying for hotels and transport and meals without a credit card, or
getting cash out? Fortunately I have two credit cards that are totally
unlinked. So I finished my trip with the other.

It's never happened with PayPal, where NOBODY sees the credit card
information but PayPal. During a purchase, it never appears on my
screen, never gets typed in (except the first time I set it up of
course) and never gets sent to the vendor.

When I use PayPal I also use second-factor authentication to log in
(and eBay as well). I use a Yubikey VIP key (by Symantec, from
http://store.yubico.com). It is a USB dongle that looks like a
keyboard to the PC, but is only as big as my thumb and it sends a
one-time-use passcode (OTP) to my account after I give my login ID and
regular password. Symantec verifies the OTP at the other end. This
prevents man-in-the-middle attacks because the next time I log in I'll
have a totally different yubikey OTP that effectively can't be
predicted by the snoops (or even me, the user!). I've never had a
fradulent misuse of my PayPal account in the years I've been using it.
On the contrary, one time I purchased a thingy from an online retailer
in eBay and it didn't arrive (less than $50). After the ETA passed by
I tried to contact the vendor and got no response. A week later I
tried again and a week after that - zero response, so I contacted eBay
who said they needed 45 days and I had to contact the supplier. I gave
eBay the notes trail and they refunded my money immediately (well
within a few days) via PayPal. Since then I've never dealt with an
eBay provider who has less than a Best Seller status over at least
several hundred recent sales. Never had another incident with eBay
after taking that approach.

There be dragons out there, sure, but there's protections too.
 
D

doctorvapor

GUEST wrote
Lately I've been paying for my online purchases more any more with
PayPal than credit cards. Partly because of PayPal's convenienc and
partly because of my possibly mistaken assumption of its smalle risk
for identity theft. My thinking is that using a credit card woul let
any possibly dishonest employee of the online merchant to use th credit
card info for other than intended purposes, not to mention tha some of
those merchants' databases could also be hacked in from the outsid with
relative ease. With PayPal on the other hand, the merchants, eve if
they know my account, they would not see my PayPal password, assume,
as it would bypass the merchant. Hopefully PayPal's custome database is
also more secure against hacking than many of the merchants'

What do you think? Am I correct assuming PayPal to be mor
secure

I dont feel like paying online is insecure, so long a
you have good malware protection and the site has a good reputation.
And really, if someone racks up your cards, you call the bank and th
cancel it, it is a hassle but isn't too much of a headache
 
C

cameo

I've been travelling overseas and my credit card was cancelled by the
bank while I was travelling because of suspected fraudulent activity
by someone thousands of km from anywhere I had anything to do with.
In any 5 year period this will happen to me two or three times. Try
paying for hotels and transport and meals without a credit card, or
getting cash out? Fortunately I have two credit cards that are totally
unlinked. So I finished my trip with the other.
Actually, banks like to be notified of any overseas trips beforehand to
avoid exactly the type of situation you describe. I think it's a prudent
move on their part.
It's never happened with PayPal, where NOBODY sees the credit card
information but PayPal. During a purchase, it never appears on my
screen, never gets typed in (except the first time I set it up of
course) and never gets sent to the vendor.
I noticed an annoying thing PayPal does lately: it keeps prodding me to
choose payment later instead of right away and even offers a reward of
$5 for it but does not explain what's in it for them. Smelling a rat, I
keep refusing that offer. Do you know what they are up to with that?
When I use PayPal I also use second-factor authentication to log in
(and eBay as well). I use a Yubikey VIP key (by Symantec, from
http://store.yubico.com). It is a USB dongle that looks like a
keyboard to the PC, but is only as big as my thumb and it sends a
one-time-use passcode (OTP) to my account after I give my login ID and
regular password. Symantec verifies the OTP at the other end. This
prevents man-in-the-middle attacks because the next time I log in I'll
have a totally different yubikey OTP that effectively can't be
predicted by the snoops (or even me, the user!). I've never had a
fradulent misuse of my PayPal account in the years I've been using it.
Interesting ... I've never heard of it before. I better check it out, too.
On the contrary, one time I purchased a thingy from an online retailer
in eBay and it didn't arrive (less than $50). After the ETA passed by
I tried to contact the vendor and got no response. A week later I
tried again and a week after that - zero response, so I contacted eBay
who said they needed 45 days and I had to contact the supplier. I gave
eBay the notes trail and they refunded my money immediately (well
within a few days) via PayPal. Since then I've never dealt with an
eBay provider who has less than a Best Seller status over at least
several hundred recent sales. Never had another incident with eBay
after taking that approach.

There be dragons out there, sure, but there's protections too.
I also look at the seller's rating and it has to reside in North
America. It's been working for me so far.
 
M

Mike Barnes

Ken Blake said:
4. Almost all of those people who fear using a credit card online have
no problem giving their credit card to a pimply-faced young kid in a
restaurant, and having him take it to another room where he can copy
the number at his leisure and then use it later himself.
It's worth pointing out that it doesn't work like that here in the UK. I
never need to hand my card to anyone. A sharp-eyed person could memorise
the number by looking at the card, but that's it.
 
K

Ken Blake

I've been travelling overseas and my credit card was cancelled by the
bank while I was travelling because of suspected fraudulent activity
by someone thousands of km from anywhere I had anything to do with.
In any 5 year period this will happen to me two or three times.

For the last 20 years or so, I've traveled overseas once or twice each
year. Nothing like that has never happened to me.
Try
paying for hotels and transport and meals without a credit card, or
getting cash out?


First, I never get cash with a credit card. I always use a debit card
for that. It's *much* cheaper.
Fortunately I have two credit cards that are totally
unlinked. So I finished my trip with the other.

Despite what I said above, I always carry two or three different
credit cards, just in case. And my wife carries a couple of others,
just in case my wallet gets stolen.
 
K

Ken Blake

Actually, banks like to be notified of any overseas trips beforehand to
avoid exactly the type of situation you describe. I think it's a prudent
move on their part.
Yes, and it's also a prudent thing for us customers to do. In my
previous message, I neglected to say that I always do that.
 
K

Ken Blake

It's worth pointing out that it doesn't work like that here in the UK. I
never need to hand my card to anyone. A sharp-eyed person could memorise
the number by looking at the card, but that's it.

Are you talking about the waiter coming to the table with a small
portable terminal that reads the credit card? Yes, I remember seeing
those, in the UK, France, and Italy (and other countries too). But if
my memory is correct, some restaurants have those and others don't.
 
M

Mike Barnes

Ken Blake said:
Are you talking about the waiter coming to the table with a small
portable terminal that reads the credit card? Yes, I remember seeing
those, in the UK, France, and Italy (and other countries too). But if
my memory is correct, some restaurants have those and others don't.
Yes, that's what I'm talking about. First it was the swipe machine, then
it was the one that printed out a ticket for you to sign, now you enter
a PIN. Restaurants that don't have them are unheard of in the UK, and
getting increasingly rare in continental Europe. As for taking your card
away from the table - it never happens.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top