[asterisk-biz] [asterisk-users] FRAUD: BE AWARE

[Trixter aka Bret McDanel]

On Thu, 2008-07-03 at 16:03 +1200, Matt Riddell wrote:
> It's a real problem with not much of a solution in sight.

There is one, but it requires paypal to take an action they do not want
to do currently when fraud is 0.5% of transactions (lower than credit
cards).

Paypal has optional, for sale ($5), OTP generators (one time password),
at least in some countries.  This would mean that some users could do
this.  I do not know if the IPN notifies you if this was used or not (it
should).  If it does then you can rate security a little differently
based on that flag.

The real solution would be to mandate it on all accounts.  Cant transfer
money, do anything to the "real" accounts, etc without entering it each
time on the web page (debit card is of course not their webpage).

I believe that if they did this the anti-fraud workers at paypal could
be reduced, since most of the phishing incentive would be gone.  I would
almost bet that they spend more per customer on anti-fraud stuff than
the cost of the devices as well.  Looking at it from that perspective,
how long, per customer, until their efforts are paid for and they see
more profit?  

The breaking point seems to be that paypal has millions of customers and
to fit them all with this would cost many millions of dollars.  If they
mandate it, it would seem quite unfair to require that the customer buy
the OTP generator.  I do not know how much they lose per year with
seller protection, anti-fraud "specialists", etc so I really cant say
how beneficial this would be over the next 1-5 years. 

I do not know anything about the paypal OTP generator, other than
someone said they bought one, and later it broke displaying a series of
'42', a number which I thought amusing.

http://blog.wired.com/gadgets/2007/01/paypals_passwor.html

-- 
Trixter http://www.0xdecafbad.com     Bret McDanel
Belfast +44 28 9099 6461        US +1 516 687 5200
http://www.trxtel.com the phone company that pays you!