Monday, May 08, 2006

Possible Credit Card Risk With PayPal

I had my first encounter with PayPal today, but not by choice. I was attempting to purchase a magazine online and was redirected to PayPal, which captured my credit card and mailed a receipt. But the download of the magazine did not work. Here's where it all falls apart.

None of the published email addresses for the vendor worked, so I intended to file a complaint with PayPal. But this is only possible if one has a PayPal account. My attempt to create an account was rejected because my credit card was already attached to an account.

After several useless emails, I phoned PayPal for help. The support lady told me that I was supposed to click "Save My Info" in the email receipt so that the transaction info would be pasted into the account application. She re-sent the receipt.

My computer has remote images in email disabled for security. Links to remote images are a favourite of spammers for bypassing spam filters. PayPal hides information in remote images so I did not see any links in the email receipt.

After disabling security, I see the PayPal logo but it only has a link to the main PayPal page. I still cannot create an account.

Now my emails are ignored, so I phone PayPal again. This time the support guy says my Visa account has another name. If that is true, how could I use it for a purchase? Don't they check that the person's name matches the card number? I ask if my card is compromised; he says no. But I later call Visa and cancel the card anyway.

The first problem here is the email receipt is comprised of two pieces of information. One part is just text from the email server, the other is a link to a remote graphic on the web server. I suspect that the email programmer changed his part but the webserver guy did not update the other part to match. So the customer bears the confusion.

The other problem is customer support. They know how the system is supposed to work but are not aware of its quirks and bugs. Successful problem resolution depends upon which support persons one happens to contact.

Finally, enter into Google "security remote images email" and see 49 million links. Many of these warn against allowing remote links in emails. Given this common wisdom, it is quite surprising and disturbing that PayPal, who is supposed to provide ultimate security, sends email with remote images.