Online Payment Processors Security - a litmus test
By Ed | November 5th, 2008 | Category: Google Checkout, MoneyBookers, NoChex, PayPal |
Have you ever considered how safe your Online Payments account is?
I’m not talking about the vagaries of Buyer and Seller “Protection” policies issued by the payment companies, but rather about the simplest and most basic requirement - keeping out unauthorised users.
It’s something that’s been on my mind a fair bit this year, particularly with the increasing number of phishing emails that are doing the rounds, some of them being extremely good fakes and almost catching me out once or twice. Luckily I’m too long in the IT tooth, and live by the motto, “If you’re not sure, do nothing before checking”.
So I thought with the Christmas season about to hit full swing (hopefully), that it would be time to have a look at some of the most basic security functions involved with holding an online payments account, and to do it by rolling back to the common sense measures that were in place before browsers began flashing red and green buttons everywhere.
For this comparison, I’ve only looked at four well known services. If you use another service and want to add similar details for them, please do so in the comments at the bottom of the page.
Login Basics
Google Checkout - Uses a basic payment email address and password pairing. The email address login is the same one used to tell customers who to pay, and both could be the same pairing used for other Google services such as Gmail, Adsense, and Adwords. No front-end preventative tool against automated login hack attempts (e.g. spamming a known email address with random password generation).
MoneyBookers - Also uses the payment email address and password pairing, as GCO does, but includes a graphic “real-person” check via a “Turing Number” that changes for each login attempt. This prevents login spamming from being effective. Additionally, MoneyBookers send an email for every failed login attempt, and display (inside the account once logged in) the date and time of the last successful login.
Nochex - Basic login is the usual email address and password combo, plus 6 drop-down lists that require the last six digits of the primary credit card on file. This is similar to the system used by the British high-street bank Lloyds TSB and appears to be secure against login spamming, though whether it is more secure than image recognition systems is a moot point. NoChex also email every time there is a failed login attempt, and display the time and date of the last successful login once you’re into your account.
PayPal - Essentially the same login security as GCO, except for two minor variations. Regardless of which PayPal site you browse to, once you’ve input your email and password, you’re redirected to the correct PayPal site for your account - this is why phishing email authors love to spam PayPal user emails harvested from eBay. PayPal users KNOW they’re going to be bounced from the login page to a different location, and think nothing about it when it happens.
Login Security Ranking
MoneyBookers and NoChex are the more secure at login, by virtue of the visual check systems they use, and the failed login emails they send to account holders immediately upon that attempt being made.
Google Checkout is marginally more secure than PayPal, purely because it’s not allowed on eBay. If ever eBay do allow it, the concerns about the single email address (see below) and sharing the login with other Google services come into play, but that is balanced against the visibility of emails permitted by PayPal per account.
Hmmm …
What astounds me is that neither GCO nor PayPal have implemented a visual check to prevent login spamming. If you look at the bottom of this page, you’ll see four grey letters/numbers used to verify that commenters are human and not spam bots. That is a 100% free plug-in for WordPress, and it works. The BuildaSkill Blog was averaging 50 spam-bot submitted comments per day (99.999% caught and held by Akismet anti-comment-spam filters), but since adding the visual check, not one spam comment has been successfully submitted to the blog (by an automated submitter).
Why then do GCO and PayPal not implement such a system? It could be zero cost (except implementation time, which takes under 10 minutes) and would be a huge improvement in security.
I’m also annoyed that GCO and PayPal do not email me when there is a failed login attempt on my accounts - I use the emails from MoneyBookers and NoChex to nudge me into changing passwords or email addresses, or both, as necessary depending on the frequency of login attempts. We all know that changing the primary payment email address is not usually a regular option for auction site users - especially on eBay where every listing has to be edited singly - but for ecommerce sites built around osCommerce, it is a 20-second job.
The email quantity question
GCO only allow one email address per account. MoneyBookers, NoChex, and PayPal Personal/Premier accounts allow up to 6 email addresses per account (I think I read PayPal have increased that to 10 for Premier accounts). PayPal have a facility for up to 150 user login email addresses for business accounts. The availability of multiple email addresses means that login spammers can randomise how they attack a particular account - especially if all of the payment emails are appearing via one username on eBay, or on the account holder’s website.
As GCO is the only service not permitting more than one email address per account, login spammers only have to focus on cracking passwords to get into your GCO account. It also prevents user-initiated security limitations - i.e. email addresses cannot be rotated by adding new ones, then dropping old ones once ecommerce locations have been updated. Essentially, a change of GCO email address means a complete take-down of all ecommerce offerings, or buyers will be unable to complete checkout until they’re updated.
Email harvesting
This is a major sore point for eBay and for all payment processors, which is why the eBay and PayPal User Agreements bang on about it so much.
Google seems to come out on top here - their purchasing system uses Merchant IDs that do not reveal the account email address in the purchase button or checkout code.
MoneyBookers, NoChex, and PayPal all embed the seller’s email address in the button code - and PayPal’s Buy Now buttons are particularly insecure due to how they’re coded, meaning that web spiders can crawl websites to extract them together with the fact they’re used for PayPal. Launch the right spider today, and you could have 10 million known PayPal account email addresses in your spam book by the weekend.
Payment button encryption IS slowly making headway, but it’s like pulling teeth in terms of getting payment companies to implement it. This is part of the reason they’re all insisting on a move to SSL layer security - that may protect the buyer’s details, but it doesn’t protect the seller’s embedded login data in payment buttons etc.
The future? My Christmas Wish List.
What I’d like to see as the very basic login security and verification is a minimum of seven elements -
- The login identity must not be the email address used with the account (2CO / 2CheckOut already do this - a separate ID is used for login, compared to the correspondence email address) and it must not be in email structure format.
- Longer password minimum lengths, and multi-case structures, must be enforced - for example, a 15-20 character password using upper and lower case, symbols, and numbers (e.g. “1DumbDog(5%=IQ)” is 15 characters, memorable, but not easily guessable).
- At login, all attempts must include a visual verification system - either the Captcha style of our comments form below, the Turing Number system used by MoneyBookers, or the drop lists used by NoChex and LloydsTSB.
- At failed login, all payment processing sites must email verified account holders and advise of that incident. Ideally, the email should include the IP address of the login attempt source, in order that account holders can check against their own IP range inventory, and those of mobile staff.
- At successful login, account holders should be prominently shown the date and time (and IP address) of the last successful login, PLUS warnings of any account holder information changes during that last login.
- All accounts should have a “secret” never revealed email address attached, that is used for all security notifications - only the initial account opener should have knowledge of that email address, and it must never be used for sending any email, and certainly never published on a web or auction site.
- Payment processors MUST stop embedding the account holder’s login/payment email in payment buttons, checkout tools, and the like. There is absolutely zero need to do this. A user code is all that should be required (like GCO’s Merchant Number) and ideally, the account holder should have an automated method of obtaining an additional number for each different site on which they sell (for sales analysis as well as security).
If all seven of the above points were implemented on all online payment processing services, phishers and spammers would have a far more difficult time hacking into accounts. Payment processing companies that don’t create a list such as the above are also causing work and costs for themselves. Implementing tighter and increasingly layered security will reduce the user security support overhead and workload.
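As an added illustration (not code from this post or from any of the processors named), here is how wish-list items 1, 2, 4, 5 and 6 translate into a small login check in Python: a non-email login ID, the 15-20 character mixed-class password rule, a failed-login notice carrying the source IP to a separate notification address, and the previous login’s time and IP reported on success. The account, addresses, IPs and timestamps are constructed; the CAPTCHA (item 3) and merchant IDs (item 7) are not modelled.

```python
import hmac
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Policy values are the ones from the wish list above; all names here are this example's own.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def login_id_ok(login_id: str) -> bool:
    """Item 1: the login identity must not be in email address format."""
    return EMAIL_RE.match(login_id) is None

def password_ok(pw: str) -> bool:
    """Item 2: 15-20 characters containing upper, lower, digit and symbol."""
    if not 15 <= len(pw) <= 20:
        return False
    classes = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    return all(any(test(c) for c in pw) for test in classes)

@dataclass
class Account:
    login_id: str
    password: str                 # a real system stores a salted hash, never the password
    notify_email: str             # item 6: secret address used only for security notices
    last_login: Optional[tuple] = None   # (timestamp, source IP) of last successful login
    notices: list = field(default_factory=list)   # stand-in for the outgoing mail queue

def attempt_login(acct: Account, login_id: str, pw: str, src_ip: str, now: datetime) -> dict:
    """Items 4 and 5: notify on failure (with source IP); report last login on success."""
    id_match = hmac.compare_digest(login_id.encode(), acct.login_id.encode())
    pw_match = hmac.compare_digest(pw.encode(), acct.password.encode())
    if not (id_match and pw_match):
        acct.notices.append({"to": acct.notify_email, "event": "failed_login",
                             "ip": src_ip, "at": now.isoformat()})
        return {"ok": False}
    previous = acct.last_login
    acct.last_login = (now.isoformat(), src_ip)
    return {"ok": True, "previous_login": previous}

def demo() -> dict:
    """Constructed scenario: one failed attempt, then a success from another address."""
    acct = Account("seller_4421", "1DumbDog(5%=IQ)", "alerts-only@example.invalid")
    t = datetime(2008, 11, 5, 9, 30, tzinfo=timezone.utc)
    first = attempt_login(acct, "seller_4421", "wrongpassword", "203.0.113.7", t)
    second = attempt_login(acct, "seller_4421", "1DumbDog(5%=IQ)", "198.51.100.9", t)
    return {"first": first, "second": second, "notices": acct.notices,
            "last_login": acct.last_login}
```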
To me, it makes blindingly obvious sense to implement changes like these. In the case of PayPal and eBay’s hypocritical proclaiming of “PayPal is best because PayPal is the most secure” all the time, well, sorry, but even my non-expert observations (above) show that to be just not true.
Unless you know better?
Post your thoughts about other online payment processors, for example - AlertPay, Amazon Payments, BillMeLater, PaisaPay, ProPay, ppPay, Xoom, and any others you know about.
Ed