10 posts in this topic

Posted

PayPal can be a hassle for online shopping when you have to leave a store's site just to finish your transaction. Purchases should be much simpler once PayPal finishes rolling out its new In-Context Checkout, though. The technology lets you enter all your billing and shipping info through a pop-up; you never have to visit PayPal itself, and the interface remains simple regardless of what device you're using. Only a handful of stores are testing the new checkout format today, but the company promises that more large retailers will get to use it in the first half of 2014. Meanwhile, PayPal hasn't forgotten those who'd rather skip checkout altogether. It's expanding trials of its hands-free Beacon payment system to retailers in Canada, France, Germany and the UK; if all goes according to plan, the service will launch early this year.



Source: http://www.engadget.com/2014/01/13/paypal-starts-testing-seamless-online-store-checkouts/

---

This seems like a horrible idea, how would you verify that the pop-up is actually from Paypal and not a phishing scam? You can't look at the address bar since it would just show the store's address. So now if one of the stores gets hacked, someone could easily modify the pop-up to their own liking and collect a ton of paypal accounts and credit card information.


Posted

Doesn't that mean the website using it has full access to all the paypal details? Also as mentioned the phishing implications seem massive. This seems like a bad idea to me, so far.


Posted

This seems like a horrible idea, how would you verify that the pop-up is actually from Paypal and not a phishing scam? You can't look at the address bar since it would just show the store's address. So now if one of the stores gets hacked, someone could easily modify the pop-up to their own liking and collect a ton of paypal accounts and credit card information.

 

No different to wondering if the Paypal site that opens in a new tab is the real PayPal. Addresses in the address bar can be easily faked.


Posted

No different to wondering if the Paypal site that opens in a new tab is the real PayPal. Addresses in the address bar can be easily faked.

How would the address be faked (apart from malware installed on computers, or the DNS itself being hacked)?

They can use similar sounding names like pypal.com or paypals.com w/e, but they can't make a website seem to be paypal.com if it's not, or at least not that I'm aware of.


Posted

I don't think a hacker could mimic the popup as there is a lot of dynamic data being pushed around.

 

Nice to see PayPal getting with the times. I've been working with Stripe recently and it is a breath of fresh air when compared to working with some other payment providers.

 

 

No different to wondering if the Paypal site that opens in a new tab is the real PayPal. Addresses in the address bar can be easily faked.

 

Modal boxes don't display an address bar, nor do browser phishing scanners check modal box URLs. So that is the big difference.

At least you can look in the URL of a new tab and see a padlock and check the URL, SSL certificate.


Posted

How would the address be faked (apart from malware installed on computers, or the DNS itself being hacked)?

They can use similar sounding names like pypal.com or paypals.com w/e, but they can't make a website seem to be paypal.com if it's not, or at least not that I'm aware of.

 

I've seen it before in demonstration websites, where in the example the address bar said "www.facebook.com". It showed what looked like the Facebook site etc except they were nice enough to have a huge banner that said "THIS IS NOT THE REAL FACEBOOK"


Posted

I don't think a hacker could mimic the popup as there is a lot of dynamic data being pushed around.

Nice to see PayPal getting with the times. I've been working with Stripe recently and it is a breath of fresh air when compared to working with some other payment providers.

But they don't have to make it work.

They could just make a popup that looks exactly like the paypal screen, ask for information and then when the user clicks submit just display an error: "Oh sorry we are having issues, please try again later." Or, if they want to be even more sneaky, once the user clicks submit on their fake form, the real form appears and asks the user to sign in again. Now the user has no idea his information was stolen.
 

I've seen it before in demonstration websites, where in the example the address bar said "www.facebook.com". It showed what looked like the Facebook site etc except they were nice enough to have a huge banner that said "THIS IS NOT THE REAL FACEBOOK"

Scary. Wonder how they pulled that off :/

---

Then you have Paypal's new Beacon system for automated in-store payments. Basically it's a little USB receiver that connects with the paypal app on your phone and allows you to pay for things without needing to take the phone or your credit card out of your pocket (or sign anything). Basically all the cashier has to do is select your name on her computer and voila your paypal account gets billed.

Awesome idea? Sure. But what if someone decided to add small amounts to each transaction? Say you had 200 people come into your shop every day, add $1 to each of their bills and that's a ton of extra money a year. They don't have to verify the charge by signing a receipt or asking for the bill and since the amount is so small, they'd probably never notice it.


Posted

But they don't have to make it work.

They could just make a popup that looks exactly like the paypal screen, ask for information and then when the user clicks submit just display an error: "Oh sorry we are having issues, please try again later." Or, if they want to be even more sneaky, once the user clicks submit on their fake form, the real form appears and asks the user to sign in again. Now the user has no idea his information was stolen.
 

 

True, it will make tricking users easier. I think though PayPal displays what you're going to pay in the popup (or should do). So if none of that matches up, then you'd question that.

Still, if someone has managed to access that much of your site, you're in trouble anyway.

 

It still will be interesting to see how they will handle the security side of it.


Posted

I still want them to bring back the one time use credit cards :(


Posted

I still want them to bring back the one time use credit cards :(

If you use Bank of America they have something similar called ShopSafe. Creates you a one-time (or recurring) credit card number that can only be used online.
