Gotta love PayPal



  • I had a query about PayPal's API the other day:

    http://www.pdncommunity.com/pdn/board/message?board.id=wppro&message.id=1103

    Does it strike anyone else as odd that you can optionally supply them with an (effectively) random number, and this somehow magically prevents fraud?

    Step 1: Gather Merchant session IDs
    Step 2:
    Step 3: Fraud prevention!

    I mean, a session ID might be used just for a couple of payment pages, or a user might keep a session id for months. Maybe session IDs are taken from a pool and get re-used by other users. Without knowing what this number actually means, how can PayPal use it for fraud prevention?

    Is it just me?



  • I think I really like the statement from PayPal's tech guy: "If everyone was told how PayPal's security models/system works then it would compromise the security system then everyone would be able to take advantage of it"

    I'm curious as to how a number I provide them can be exploited in any way, shape, or form by a user.  Really, it's my number.  At the time, I know what it is.  At no point does PayPal know what it means.  How can PayPal use it to protect against fraud, and how can a user exploit it?



  • We won't tell you what it is, how it's used, what it's for, and even if it actually means anything. However, rest assured that this mysterious number is stopping hackers. Somehow.

    In retrospect, just letting you know the name of the parameter is a wide-open security hole. I have raised this issue with our developers, and can now say that in the next version of our API it will just be called "a_number" in order to further protect you.



  • @Kyanar said:

    I think I really like the statement from PayPal's tech guy: "If everyone was told how PayPal's security models/system works then it would compromise the security system then everyone would be able to take advantage of it"

    That's not a good sign. Yikes. You should have a security model that stands up to scrutiny. That is, security by obscurity is not security. I mean, you can see the source code for numerous secure software packages (OpenSSL, GPG, various open source web apps) and they are still secure.



  • I don't think it's a WTF.

    I'm guessing that's an ID that the merchant can generate for their own records.  They send it along with the transaction and make a note of it internally.  Then later, if there's a transaction without one, or with an invalid ID, the merchant can detect the fraud, not paypal. 

    The response from paypal.. yeah... a wtf.  But is he a paypal employee or just some moderator on some board? 



  • [quote user="Kyanar"]

    I think I really like the statement from PayPal's tech guy: "If everyone was told how PayPal's security models/system works then it would compromise the security system then everyone would be able to take advantage of it"

    I'm curious as to how a number I provide them can be exploited in any way, shape, or form by a user.  Really, it's my number.  At the time, I know what it is.  At no point does PayPal know what it means.  How can PayPal use it to protect against fraud, and how can a user exploit it?

    [/quote]

    Funny. Everyone can easily find out how 3DES or RSA works, and yet, they're STILL effective.

    I'm getting rid of my paypal account. Yeeesh.



  • [quote user="mhughes"]

    I don't think it's a WTF.

    I'm guessing that's an ID that the merchant can generate for their own records.  They send it along with the transaction and make a note of it internally.  Then later, if there's a transaction without one, or with an invalid ID, the merchant can detect the fraud, not paypal. 

    The response from paypal.. yeah... a wtf.  But is he a paypal employee or just some moderator on some board? 

    [/quote]

    This is exactly the problem: You're guessing that...

    The snippet I included in the first post on the PayPal forum is the entirety of the documentation for that option. If it's something that PayPal want to report back to me at some stage, then I shouldn't bother with it as my session IDs aren't kept around after the session finishes. But the fact that PayPal can't, or more to the point, won't, tell me how it's used, makes it useless since I then have to make assumptions about the assumptions they've made about the meaning of this number.

    Yes. The reply was from a PayPal employee.

