PayPal's security 'flawed'

A security flaw in the online payment service PayPal means sensitive information is at risk and customers could lose control of their accounts, according to an Auckland software developer.

Ewart MacLucas says the flaw means customers who have not registered a credit card or bank account to their PayPal account need only supply a street address or phone number to change their password information that can be easily obtained by others.

Once an account is accessed, people can see details of financial transactions and change account settings so a customer could be locked out of their own account, he says.

PayPal spokeswoman Kelly Stevens confirmed that for PayPal accounts not tied to a credit card or bank account and which have "little to no remaining balance", customers can reset their password by providing "personal information like a phone number and street address".

"This does not put account holders at risk of disclosing sensitive personal or financial account information that can be used to steal their money, so we do not see this as a significant threat.

"It's important to note that for PayPal accounts that have bank accounts, credit cards or cash balances tied to them, the password reset process is much more sophisticated."

But Mr MacLucas says information in a PayPal account should be protected, regardless of whether it can be used to steal money.

"As a paypal customer, I consider a list of who paid, how much and when to be sensitive personal information.

"I shouldn't have to give PayPal my credit card or bank account number to protect that information."

Many small companies and community organisations use the PayPal donate scheme, in which people can donate money to them via PayPal.

"While I don't know how many people could be affected by this, the volume of Paypal users means even if it's only one in every 1000, that's still a big number."

By CLAIRE McENTEE - The Dominion Post | Source: