Soon after Superfreaker Studios put its software up for sale on the Web last year using the popular PayPal payment service, co-owner Shannon Sofield noticed the $40 products were mysteriously disappearing off his site's virtual shelves.
The culprit, he discovered, was the cut-and-paste code provided to merchants by California-based PayPal for sending transaction data to the payment service. Examine the PayPal payment links closely and you could easily see where the software was stored on the server. If you pointed your browser accordingly, the software was yours without paying.
"The system wasn't secure at all. People were downloading our software for free. There was a huge hole there," said Sofield, director of development for Superfreaker Studios of New York.
While purveyors of downloadable digital goods who accept PayPal payments are especially vulnerable, PayPal's Web Accept system may hold potential risks for many of its more than 3 million business customers.
Armed with nothing more than a text editor and a Web browser, a crafty fraud artist can, for example, change prices of items at hundreds of e-shops that use PayPal.
Think $650 is too much to pay for a guitar personally signed by Grammy-winning, 80s-rocker Rick Springfield? Tweak the HTML in the PayPal form at his site, RicksMerch.com, and you can order the guitar for just $1 instead.
Roger Harris, owner of eMartCart, an e-commerce service that provides a front-end to PayPal for RicksMerch.com and other online shops, said he hasn't received any reports of such tampering, "but of course that doesn't necessarily mean it hasn't happened."
"I don't really know of any fool-proof way to avoid the potential for shoppers altering prices, since the interface (is) standard HTTP," Harris said.
Amid complaints -- and even class-action lawsuits -- from online businesses that say PayPal has been too aggressive in its anti-fraud efforts, some security experts now question whether the company is being too lax in protecting merchants from computer crooks.
"We very much want to help our merchants create a safe and convenient shopping experience but we certainly are not in the business of policing transactions," said Max Levchin, PayPal's co-founder and chief technology officer.
Levchin acknowledged that some merchants may be vulnerable to price tampering and other attacks; but he said it was "highly unlikely" that such fraudulent transactions would slip by the watchful eye of merchants who fill orders manually.
According to Bruce Schneier, chief technology officer for Counterpane Internet Security, such attacks are the equivalent of going into a grocery store and switching price stickers.
"If a merchant is dumb enough to take their customer's word on the price, without checking, that's not PayPal's fault," Schneier said.
But not all PayPal merchants are using the service to sell cheap knickknacks in low volumes. ThaiGem.com, which specializes in precious stones with prices reaching into the thousands of dollars, depends primarily on PayPal to process payments.
Crooked shoppers can edit the HTML of ThaiGem's PayPal Web Accept page and mark a $2,000 white diamond down to $1 if they desire. ThaiGem.com officials did not respond to requests for information about how they would screen such fraudulent orders.
For security-conscious merchants or high-volume e-stores that have automated the fulfillment process, Levchin said PayPal provides a more secure feature called Instant Payment Notification. The IPN system adds a series of SSL-encrypted communications between PayPal and the merchant's server to confirm the details and authenticity of an order.
While Levchin, an expert in cryptography, boasts that IPN offers "bullet-proof" security, he concedes that very few of PayPal's merchants use it, and many may not even know it exists.
"It has not been enormously popular," said Levchin.
According to Sofield, author of a recent article on IPN for PayPal's Developer Network, implementing the added security layer requires a level of technical sophistication that's beyond many PayPal merchants.
"It's not being deployed because of how technically challenging it is. PayPal is geared toward mom-and-pop shops that want simplicity. If you have a serious Web business, you're going to get your own merchant credit-card account and set up a secure server," Sofield said.
Even when a merchant bites the bullet and implements IPN, the security technology may still be prone to attack.
According to John Viega, chief technology officer for Secure Software Solutions, many SSL-enabled applications are improperly implemented and can be exploited "with a low amount of effort" by network-sniffing tools such as dsniff.
"This is one of the biggest dirty little secrets about e-commerce," said Viega, co-author of the forthcoming O'Reily book Network Security with OpenSSL.
The design of IPN is "pretty good," Viega said. But PayPal merchants who implement it incorrectly may leave themselves open to "man-in-the-middle" attacks.
According to Levchin, the success of such IPN attacks is "highly improbable," and PayPal has received no reports from merchants of attempts to thwart its IPN system.
Indeed, the security and convenience of the PayPal has given peace of mind to millions of Internet shoppers -- and in the process made the newly public company a darling of Wall Street.
As a result, most merchants, like Fred Voetsch, owner of photography site Picturesof.net, will probably stick with the service -- and continue paying PayPal a 2.9 percent commission on every transaction -- despite any alleged security flaws.
Voetsch acknowledged that if crafty users examine his site's PayPal payment links closely, they can easily figure out how to bypass the system and download the high-resolution images without paying.
"I realized it was a potential problem when I set up the site, but I don't think most people would take advantage of it," Voetsch said.
Other merchants who deal in digital goods such as software, music, photos, e-books or clip art, may turn to low-cost fixes such as a piece of $50 software from EliteWeaver called PayPal Anti-Fraud Portal. The script's Great Britain-based developers claim it enables merchants to prevent visitors from downloading their products unless they provide a valid and verified PayPal account e-mail.
Ironically, the PayPal Anti-Fraud Portal is only available for purchase through "snail mail," according to EliteWeaver's site.
Counterpane's Schneier said PayPal doesn't have to be "100 percent bullet proof" to be of value to online merchants.
"I'm sure there are lots of ways to muck with it. The question is, does it work well most of the time? I mean, how badly do people want to steal Pez dispensers?" he said.
PayPal Faces Post-IPO Pitfalls
