Jump to content



Photo

PayPal starts testing seamless online store checkouts


  • Please log in to reply
9 replies to this topic

#1 -Razorfold

-Razorfold

    Neowinian Senior

  • 9,809 posts
  • Joined: 16-March 06
  • OS: Windows 8
  • Phone: Nokia Lumia 900 / Oneplus One

Posted 13 January 2014 - 20:22

PayPal can be a hassle for online shopping when you have to leave a store's site just to finish your transaction. Purchases should be much simpler once PayPal finishes rolling out its new In-Context Checkout, though. The technology lets you enter all your billing and shipping info through a pop-up; you never have to visit PayPal itself, and the interface remains simple regardless of what device you're using. Only a handful of stores are testing the new checkout format today, but the company promises that more large retailers will get to use it in the first half of 2014. Meanwhile, PayPal hasn't forgotten those who'd rather skip checkout altogether. It's expanding trials of its hands-free Beacon payment system to retailers in Canada, France, Germany and the UK; if all goes according to plan, the service will launch early this year.

I9lqx9l.jpg


Source: http://www.engadget....tore-checkouts/

---

This seems like a horrible idea, how would you verify that the pop-up is actually from Paypal and not a phishing scam? You can't look at the address bar since it would just show the store's address. So now if one of the stores gets hacked, someone could easily modify the pop-up to their own liking and collect a ton of paypal accounts and credit card information.


#2 astropheed

astropheed

    astropheed

  • 1,833 posts
  • Joined: 08-December 11
  • Location: Sydney, AU

Posted 13 January 2014 - 20:26

Doesn't that mean the website using it has full access to all the paypal details? Also as mentioned the phishing implications seem massive. This seems like a bad idea to me, so far.



#3 McKay

McKay

    Neowinian Stallion

  • 6,011 posts
  • Joined: 29-August 10
  • Location: 308 Negra Arroyo Lane
  • OS: Windows 8.1
  • Phone: LG G3

Posted 13 January 2014 - 20:29

This seems like a horrible idea, how would you verify that the pop-up is actually from Paypal and not a phishing scam? You can't look at the address bar since it would just show the store's address. So now if one of the stores gets hacked, someone could easily modify the pop-up to their own liking and collect a ton of paypal accounts and credit card information.

 

No different to wondering if the Paypal site that opens in a new tab is the real PayPal. Addresses in the address bar can be easily faked.



#4 OP -Razorfold

-Razorfold

    Neowinian Senior

  • 9,809 posts
  • Joined: 16-March 06
  • OS: Windows 8
  • Phone: Nokia Lumia 900 / Oneplus One

Posted 13 January 2014 - 20:33

No different to wondering if the Paypal site that opens in a new tab is the real PayPal. Addresses in the address bar can be easily faked.

How would the address be faked (apart from malware installed on computers, or the DNS itself being hacked)?

They can use similar sounding names like pypal.com or paypals.com w/e, but they can't make a website seem to be paypal.com if it's not, or at least not that I'm aware of.

#5 +Lingwo

Lingwo

    Neowinian Senior

  • 5,756 posts
  • Joined: 22-April 03
  • Location: UK

Posted 13 January 2014 - 20:34

I don't think a hacker could mimic the popup as there is a lot of dynamic data being pushed around.

 

Nice to see PayPal getting with the times. I've been working with Stripe recently and it is breath of fresh air when compared to working with some other payment providers.

 

 

No different to wondering if the Paypal site that opens in a new tab is the real PayPal. Addresses in the address bar can be easily faked.

 

Modal boxes don't display an address bar, nor do browser phising scanners check modal box URLs. So that is the big difference.

At least you can look in the URL of a new tab and see a padlock and check the URL, SSL certificate.



#6 McKay

McKay

    Neowinian Stallion

  • 6,011 posts
  • Joined: 29-August 10
  • Location: 308 Negra Arroyo Lane
  • OS: Windows 8.1
  • Phone: LG G3

Posted 13 January 2014 - 20:35

How would the address be faked (apart from malware installed on computers, or the DNS itself being hacked)?

They can use similar sounding names like pypal.com or paypals.com w/e, but they can't make a website seem to be paypal.com if it's not, or at least not that I'm aware of.

 

I've seen it before in demonstration websites, where in the example the address bar said "www.facebook.com". It showed what looked like the Facebook site etc except they were nice enough to have a huge banner that said "THIS IS NOT THE REAL FACEBOOK"



#7 OP -Razorfold

-Razorfold

    Neowinian Senior

  • 9,809 posts
  • Joined: 16-March 06
  • OS: Windows 8
  • Phone: Nokia Lumia 900 / Oneplus One

Posted 13 January 2014 - 20:39

I don't think a hacker could mimic the popup as there is a lot of dynamic data being pushed around.

Nice to see PayPal getting with the times. I've been working with Stripe recently and it is breath of fresh air when compared to working with some other payment providers.

But they don't have to make it work.

They could just make a popup that looks exactly like the paypal screen, ask for information and then when the user clicks submit just display an error "Oh sorry we are having issues, please try again later" Or if they want to be even more sneaky and once the user clicks submit on their fake form, the real form appears and asks the user to sign in again. Now the user has no idea his information was stolen.
 

I've seen it before in demonstration websites, where in the example the address bar said "www.facebook.com". It showed what looked like the Facebook site etc except they were nice enough to have a huge banner that said "THIS IS NOT THE REAL FACEBOOK"

Scary. Wonder how they pulled that off :/

---

Then you have Paypal's new Beacon system for automated in-store payments. Basically it's a little USB receiver that connects with the paypal app on your phone and allows you to pay for things without needing to take the phone or your credit card out of your pocket (or sign anything). Basically all the cashier has to do is select your name on her computer and voila your paypal account gets billed.

Awesome idea? Sure. But what if someone decided to add small amounts to each transaction? Say you had 200 people come into your shop everyday, add $1 to each of their bills and that's a ton of extra money a year. They don't have to verify the charge by signing a receipt or asking for the bill and since the amount is so small, they'd probably never notice it.

#8 +Lingwo

Lingwo

    Neowinian Senior

  • 5,756 posts
  • Joined: 22-April 03
  • Location: UK

Posted 13 January 2014 - 20:48

But they don't have to make it work.

They could just make a popup that looks exactly like the paypal screen, ask for information and then when the user clicks submit just display an error "Oh sorry we are having issues, please try again later" Or if they want to be even more sneaky and once the user clicks submit on their fake form, the real form appears and asks the user to sign in again. Now the user has no idea his information was stolen.
 

 

True, it will make tricking users easier. I think though PayPal displays what you're going to pay in the popup (or should do). So if none of that matches up. Then you'd question that.

Still if someone has managed to access that much of your site. You're in trouble anyway.

 

It still will be interesting to see how they will handle the security side of it.



#9 +warwagon

warwagon

    Only you can prevent forest fires.

  • 26,766 posts
  • Joined: 30-November 01
  • Location: Iowa

Posted 13 January 2014 - 20:50

I still want them to bring back the one time use credit cards :(



#10 OP -Razorfold

-Razorfold

    Neowinian Senior

  • 9,809 posts
  • Joined: 16-March 06
  • OS: Windows 8
  • Phone: Nokia Lumia 900 / Oneplus One

Posted 13 January 2014 - 20:56

I still want them to bring back the one time use credit cards :(

If you use Bank of America they have something similar called ShopSafe. Creates you a one-time (or recurring) credit card number that can only be used online.