Secure your PayPal before it’s too late

Last week, I blogged about the appearance of the PayPal Security Challenge (CAPTCHA) screen, which showed up once I logged in to my PayPal account. I had never come across it before. It’s odd. The same screen won’t appear again, even though I purposely keyed in the wrong password multiple times using different systems. What I’m wondering is whether this screen appears whenever there are repeated invalid attempts by an unauthorized user or bot to access my account, as pointed out by Eches. Sounds creepy, huh?

Back to the CAPTCHA: it is nothing new at PayPal. According to the source on Wiki, PayPal has been using it (and some say invented it) since the 90s to block attempts by automated systems to access PayPal. However, I have no answer as to what kind of form or situation triggers this CAPTCHA.

A quick check of my RSS feed spotted 2 webmasters, on Ghacks and Saifulsham (his brother), who have had their PayPal account funds stolen or used for unauthorized transactions. Fraud can happen to anyone, even without you noticing it or getting any early signal. Even after all security measures have been taken to ensure the safety of the account, this kind of thing can still happen when hackers become more creative than ever.

One commenter on Ghacks pointed me to YouTube, where there are lots of how-to-hack-PayPal videos. I watched a couple of them, including the one at the top of the search results. It shows how to update a certain parameter in a sales page’s source code to buy stuff on the net for 1 cent. I never tried it (and am not going to try it), so I’m not sure if it works now. But it gives the basic impression that a fully automated payment system using PayPal is not that secure without the involvement of a human check.
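
The point above about fully automated checkout, as an added example (not code from this post or from PayPal): a server-side check that stands in for the human check by comparing each payment notification with the merchant's own price list instead of trusting values carried by the sales page. The catalogue, merchant address and function name are hypothetical, the sample notifications are constructed, the field names follow PayPal's IPN variables, and the notification is assumed to have already been confirmed as coming from PayPal.

```python
from decimal import Decimal, InvalidOperation

# Constructed values for illustration; not taken from the post.
CATALOG = {"EBOOK-01": (Decimal("27.00"), "USD")}  # server-side price list
MERCHANT_EMAIL = "sales@example.com"


def check_notification(note, seen_txn_ids):
    """Return reasons to hold the order; an empty list means safe to fulfil.

    Assumes `note` was already confirmed as genuinely sent by PayPal.
    """
    problems = []
    if note.get("payment_status") != "Completed":
        problems.append("payment not completed")
    if str(note.get("receiver_email", "")).lower() != MERCHANT_EMAIL:
        problems.append("paid to a different account")
    txn = note.get("txn_id")
    if not txn or txn in seen_txn_ids:
        problems.append("missing or replayed transaction id")
    item = CATALOG.get(note.get("item_number"))
    if item is None:
        problems.append("unknown item")
    else:
        price, currency = item
        try:
            paid = Decimal(str(note.get("mc_gross", "")))
        except InvalidOperation:
            paid = None
        # The price comes from our own catalogue, never from the sales page.
        if paid is None or not paid.is_finite() or paid != price:
            problems.append("amount does not match catalogue price")
        if note.get("mc_currency") != currency:
            problems.append("currency does not match catalogue")
    if not problems:
        seen_txn_ids.add(txn)  # remember it so a replay is held
    return problems


# Constructed sample notifications.
GOOD = {"payment_status": "Completed", "receiver_email": "sales@example.com",
        "txn_id": "TXN-CONSTRUCTED-1", "item_number": "EBOOK-01",
        "mc_gross": "27.00", "mc_currency": "USD"}
UNDERPAID = dict(GOOD, txn_id="TXN-CONSTRUCTED-2", mc_gross="0.01")

if __name__ == "__main__":
    seen = set()
    for name, note in [("good", GOOD), ("underpaid", UNDERPAID), ("replay", GOOD)]:
        print(name, check_notification(note, seen) or "fulfil")
```

Orders that come back with a non-empty list are the ones to route to a person before anything is delivered.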

There are a couple of points that I learned from these 2 posts. I bet you know them but have not yet implemented them. First and foremost, don’t ever use your PayPal account (your email) for any registration, with any kind of service. You might also consider limiting the use of your PayPal email account even for email purposes. Use or create a new email account.

Use a debit card instead of a credit card for your PayPal account. I’m sure many will disagree with this, but please give it some thought. Here is why. In case your account is hacked, the damage is limited to the funds in your account. You’re not risking losing more money, since the debit card amount is limited and, most of the time, it only holds money when you want to use it.

Be careful when selling your PayPal funds for cash in forums. Your identity is at risk even though you registered using a different email address. This is especially true if your password is not strong enough and consists of common personal info such as your name, your nickname, what you like, your website, etc. All this info is crucial for an intruder in the process of guessing your password using an automated system and thus gaining control. But you shouldn’t worry much about this if your password is strong enough.

Other than that, you might want to consider logging in to your e-commerce accounts (such as PayPal) only from your own system. Avoid using public computers if at all possible. You might not be aware that a public computer could have a keylogger installed. It’s not hard to find a free keylogger nowadays. There are tons of free keyloggers available on the net.

OK, now it’s time to listen to PayPal’s advice (taken from their website).

Website Security

  • Type in the PayPal URL: To safely and securely access the PayPal website or your PayPal account, open a new web browser (e.g., Internet Explorer or Netscape) and type in the following: https://www.paypal.com/

Password Safety

  • Never share your PayPal password: PayPal representatives will never ask you for your password. If you believe someone has learned your password, please change it immediately and contact us.
  • Create a secure password: Choose a password that uses a combination of letters, numbers, and symbols. For example, $coo!place2l!ve or 2Barry5Bonds#1. Avoid choosing obvious words or dates such as a nickname or your birth date.
  • Keep your PayPal password unique: Don’t use the same password for PayPal and other online services such as AOL, eBay, MSN, or Yahoo. Using the same password for multiple websites increases the likelihood that someone could learn your password and gain access to your account.

Email Security

  • Look for a PayPal Greeting: PayPal will never send an email with the greeting “Dear PayPal User” or “Dear PayPal Member.” Real PayPal emails will address you by your first and last name or the business name associated with your PayPal account. If you believe you have received a fraudulent email, please forward the entire email—including the header information—to spoof@paypal.com. We investigate every spoof reported. Please note that the automatic response you get from us may not address you by name.
  • Don’t share personal information via email: We will never ask you to enter your password or financial information in an email or send such information in an email. You should only share information about your account once you have logged in to www.paypal.com/row.
  • Don’t download attachments: PayPal will never send you an attachment or software update to install on your computer.

Use Your Account Wisely

  • Don’t share your account: Don’t use your PayPal account to collect or transfer money for someone else. These types of activity are often conducted as forms of money laundering or mail fraud and may result in significant criminal penalties. If someone contacts you and asks you to transfer money on their behalf, you should deny the request and contact us immediately.
  • Increase your security: Become a Verified PayPal member.
  • Look for legitimate sites: Examine all privacy and security seals before doing business with a particular website and make sure they are legitimate.

    14 Comments »

    2008-07-11 23:25:00

    Nightmare, learning to hack. Beware always. There are a lot of ways they can think of to grab the chance. The wrong way now has a case study on how to hack, with a tutorial in video… creative in an illegal way. Get ready to secure your security from them. Be alert always. It’s the same as the email banking alerts about upgrading their system. Once you get in and use it without care, you’re going into a nightmare with your savings.

    i don’t understand why we must use the same password for all login id that same to.

     
    Comment by KNizam
    2008-07-12 11:26:28

    i have yet to use any paypal so far. hehe :)

     
    Comment by Michael
    2008-07-14 18:09:22

    Thanks for the heads up!!

     
    Comment by azwanhadzree
    2008-07-16 04:18:18

    i always login from the same notebook.

     
    Comment by topo
    2008-07-16 10:38:57

    I was just planning to open a PayPal account… but there seem to be a lot of cases… ohohoh, I’ll wait until I have enough knowledge first…

     
    Comment by hank freid
    2008-07-17 08:24:01

    I am also a user of it. Thanks for your suggestion.

     
    Comment by Jayce
    2008-07-18 11:43:55

    Really need to be careful in this Internet world. :D

     
    Comment by Raymond Chua
    2008-07-20 14:03:53

    I always feel safe whenever I see the https:// :)

    Comment by titan
    2008-07-22 21:40:34

    i agree with raymond. As long as i see that ’s’, i will feel safe..

     
     
    Comment by Hein Lehmann
    2008-08-02 08:33:43

    I have to do this now. You are right. I should not make any delay.

     
    Comment by cats as pet
    2008-08-05 09:13:49

    Hmm. This type of thing I always enjoy a lot. Thanks for sharing.
    Thanks

     
    Comment by Lisa
    2008-08-11 05:38:03

    Very informative article, thanks for keeping us on our toes & thinking safely when it comes to the internet. I know there are plenty of weirdos out there that have WAY too much time on their hands & just try & screw up people’s lives.

     
    Comment by Kids Bible Crafts
    2008-08-20 21:03:37

    It sucks that you always have to have your guard up no matter how safe you think the site is. Don’t these people realize they are not hurting the big company they are hurting individuals who work hard for their money. Thanks for the heads up!

     