Ahhhh, Paypal — the online juggernaut that promises that you can “pay securely on millions of sites”. You can “know that your payments are secure” and “securely link your bank and credit card accounts”.
Except for one very big, rather blatant, flaw.
When you use it, the merchant sends you to Paypal’s website where you log into your Paypal account. Then you go back to the merchant’s website, confirm that you want the purchase, go back to Paypal and confirm with them. Once you do that, Paypal returns you again to the merchant where you can then download your stuff, get it shipped to you, etc. This all happens in the same tab of your browser so that the merchant is notified that, yes, you’ve paid. Easy peasy, peachy keen, right?
Except … what Paypal doesn’t tell you is that, once you go back to the merchant’s website, you’re still logged into your Paypal account. If you go back to Paypal, you’ll discover that you don’t go to their home page where you have to log in to get to your account. You go straight to your account page, where you’re already logged in.
So, if you use Paypal to pay for something on your phone, or at work, at a school or computer lab, at the library, or at any shared computer, anyone can come along behind you and have full access to your Paypal account. As long as they don’t log out of it, they can go to whatever website they want to and buy whatever their heart desires. In the meantime, you’ll be stuck with the bill, and good luck trying to get those charges reversed.
The fix for this, of course, is pretty basic. Paypal could require every merchant that uses them to place a very big button on their sale completion page that says “click here to go back to Paypal and log out of your account”. Or Paypal could actually notify you that, when you go back to the merchant, you need to return to Paypal to log out of your account. The “return to merchant” button on Paypal should tell you that you’ll still be logged in after the transaction, and that you need to return to Paypal to log out. It should, but it sure doesn’t.
I accidentally stumbled across this when I had to do 2 purchases back-to-back from 2 different vendors. I completed the first one and assumed that I’d have to log back into Paypal to complete the second one. That’s when I discovered — to my horror — that I was still logged in. And since I was at a shared work computer, this was not good.
So, how long has this insane flaw been in existence? I discovered this … back in 2001. Of course, I immediately notified Paypal that they have this rather significant basic security flaw. Paypal’s response was something along the lines of:
Thank you for sharing your concerns about Paypal with us. We take our security responsibilities very seriously, and adhere to the industry’s strictest security measures available. Be assured that all your transactions via Paypal are safe, secure and … blah blah blah
Obviously, I was not assured. I’ve notified them multiple times, and the only change I’ve seen was earlier this year. It now looks like Paypal will automatically log you out if you’re inactive on their site after about half an hour or so. That, of course, is not the same thing as letting you know that you’re still logged in.
So, if you use Paypal, make sure to log out of your account once your transaction has been completed. You’ll need to do this after the merchant has been notified by Paypal that you’ve paid, so you need to wait until you get to the merchant page that confirms that your transaction has been completed.
So, bottom line, this is a pretty basic, blatantly ridiculous, security flaw that’s been in existence for over 15 years. Undoubtedly, at least some of Paypal’s engineers have been trying to make the case internally that they need to fix this. Maybe the negative fallout from Equifax’s breach and some public pressure can finally get them to.
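To make the difference between the half-hour idle logout and an actual logout at hand-off concrete, here is an added example (not from the original post and not Paypal's code). It is a hypothetical server-side session table in Python, with constructed names and a constructed account, and ending the session on return to the merchant is one possible design assumed here for comparison.

```python
import secrets

IDLE_TIMEOUT = 30 * 60  # seconds; models the "about half an hour" idle logout


class SessionStore:
    """Toy server-side session table (hypothetical, not Paypal's design)."""

    def __init__(self, end_on_return):
        self.end_on_return = end_on_return
        self.sessions = {}  # session id -> {"user": ..., "last_seen": ...}

    def login(self, user, now):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "last_seen": now}
        return sid

    def current_user(self, sid, now):
        """Return the logged-in user for this cookie, or None if expired/unknown."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        if now - s["last_seen"] > IDLE_TIMEOUT:
            del self.sessions[sid]
            return None
        s["last_seen"] = now  # any activity slides the idle window forward
        return s["user"]

    def return_to_merchant(self, sid, now):
        """Payment confirmed; the browser is redirected back to the merchant."""
        user = self.current_user(sid, now)
        if user is not None and self.end_on_return:
            del self.sessions[sid]  # server-side logout at hand-off
        return user


def next_person_sees_account(end_on_return, minutes_later):
    """Shared computer: the buyer pays and walks away, then someone else sits down."""
    store = SessionStore(end_on_return)
    sid = store.login("buyer@example.test", now=0)  # constructed account
    store.return_to_merchant(sid, now=120)          # checkout finished at 2 minutes
    # The browser still holds the cookie; the next person opens the payment site.
    return store.current_user(sid, now=120 + minutes_later * 60) is not None
```

With only the idle timeout, the account stays open to whoever uses the browser within the window, and each page they load resets the clock; ending the session at hand-off closes it immediately.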