Would love to send donation - but will not use PayPal!!!
 
chance9
Blue Pill


Joined: Apr 05, 2006
Posts: 4
Location: somewhere out there

PostPosted: Sat Sep 01, 2007 9:45 am    Post subject: Would love to send donation - but will not use PayPal!!!

I did initially send you wonderful people a contribution - but then at the same time I was also one of those whose PayPal accounts were hacked (at eBay - not thru you)...

leading into a horrible few weeks and cancellation of my credit card etc. At this same time a close friend's account was also hacked (again not through NeoOffice) and his account was actually debited $5k!!

Due to medical problems I have not worked since 2005 and have no disability or anything so my money is precious and my credit rating even more so. I cannot involve myself with any payments made through PayPal. I upgraded and was immediately taken to your donation page - started in - and noticed PAYPAL!!! so I bolted.

If there was another way of sending a small donation - I would be happy to do so - but I am sorry I am not willing to ever use a PayPal site again...it is just too dangerous.

Thank you.
Chance
pluby
The Architect


Joined: Jun 16, 2003
Posts: 11949

PostPosted: Sat Sep 01, 2007 10:08 am    Post subject:

I totally understand your concern. PayPal and most banks make access to your account pretty simple for hackers since everything is tied to a user name and password.

I've started to see some improvement in online security from the credit union I use for my personal checking account, but most seem to be still using the outdated user/password approach. Sad

I've looked at some of the other options out there, but I must admit that I found no improvement in security with any of them. Worse, I found that some options required us to handle sensitive personal information. I really do not want to know our users' address and/or government ID numbers (and I assume that they don't want that information floating around either) so I've set up our site to never collect that data.

Unfortunately, the only other option for a small donation is to send us a check in U.S. dollars and just keep pressing the "Skip Donation" button on the download page.

If you want to send a check, send us an e-mail at donations at donations at planamesa dot com and we'll send you the address to send it to.

Patrick
chance9
Blue Pill


Joined: Apr 05, 2006
Posts: 4
Location: somewhere out there

PostPosted: Sat Sep 01, 2007 10:55 am    Post subject: re donation

Hi Patrick:

Thank you for the reply. I can't donate much but I will send you a check if you verify the address for me - I am sending an email now from glasgow992 at Yahell dot com. In the 1980's I worked for a systems firm in Princeton - so I know how long and hard everyone works on programs. (although I was merely a secretary there)

The minute I see PAYPAL on anything - I do the Python "run away run away".... and beat feet in the opposite direction!! I agree that the banks and other firms have a long way to go with the security issues - it's a mess out there and growing worse!!! I am poor at this point - and my credit sure can't take a hit, much less my psyche get that scared now - I am just too old!
Cheers,
Chance
sprezzatura
Blue Pill


Joined: Sep 09, 2007
Posts: 2

PostPosted: Sun Sep 09, 2007 12:25 pm    Post subject:

Quote:
Note that the fraud is still going on as of Sep. 9, 2007.

I made a donation to NeoOffice using a MasterCard account. (not PayPal). I received a page confirming the donation for the correct amount.

I promptly received a suspicious email confirming that I had made a donation for $2,400 more than I had contributed.

The email had my name and address.

MasterCard confirms that the NeoOffice transaction went through for the original amount, but there is no indication of the $2,400+ as of a few hours later.

I've been using the Internet since 1995, and buying stuff online since as long as I can remember. This is the first time I have come close to/been the victim of fraud. I am rattled.

Either these are some very clever hackers, or your security is hopelessly compromised, and you are being irresponsible by continuing to expose your users to this abuse.


False alarm: see below...


Last edited by sprezzatura on Mon Sep 10, 2007 6:31 am; edited 1 time in total
chance9
Blue Pill


Joined: Apr 05, 2006
Posts: 4
Location: somewhere out there

PostPosted: Sun Sep 09, 2007 12:53 pm    Post subject: credit and fraud

Oh brother!! I am not only upset that this has JUST happened to you - but that there seems to be a general breakdown in security on the net. Since I have always been a major net shopper because of medical problems - it feels even more threatening!!!

Hope this works out for you. I had to cancel all my cards and reissue. My friend who had his card actually debited during the PayPal problem, went through more than that!!

So who buys on eBay? Beats me. I could not go there after my experience and had only signed up to "perhaps" try and sell some family things after downsizing.

Wishing you luck as a fellow friend of the net!!
C
pluby
The Architect


Joined: Jun 16, 2003
Posts: 11949

PostPosted: Sun Sep 09, 2007 1:00 pm    Post subject:

sprezzatura wrote:
Either these are some very clever hackers, or your security is hopelessly compromised, and you are being irresponsible by continuing to expose your users to this abuse.


How exactly are we irresponsible? We do not handle any of your payment transaction. All payment handling is entered by you, the user, directly into PayPal's web site. Do users not notice that when you press our donate button it merely sends you to PayPal's website?

Seriously though, are you sure that this isn't just common phishing spam e-mail? Think about it: if they have hacked your PayPal account, why would they need to send you an e-mail that tries to get you to follow their link and enter your e-mail and password?

The most common PayPal phishing scam until recently was to say that your account has been locked. Most people are wise to that one so now they use the "you got charged a huge amount" line.

The phishing tactic is actually not very clever or technically difficult. I am no expert on where spammers get their e-mail lists, but nearly every e-mail account that I have ever set up eventually gets this type of spam within a year of creation.

Patrick
MacRat
Sake Horner


Joined: Mar 02, 2006
Posts: 364
Location: Earth

PostPosted: Sun Sep 09, 2007 2:06 pm    Post subject:

Well, if you have around a dozen e-mail accounts like I do, you don't get so concerned over such e-mails.

Why?

Because I see this spam in my e-mail all the time and NONE of those are associated with my PayPal or other accounts. (I saw them all the time long before I even got a PayPal account.)

Phishing scams send out these e-mails hoping to TRICK you into clicking their link and YOU giving them your info. It has nothing to do with the security of the web site they claim to be from.
pluby
The Architect


Joined: Jun 16, 2003
Posts: 11949

PostPosted: Sun Sep 09, 2007 3:17 pm    Post subject:

MacRat wrote:
Phishing scams send out these e-mails hoping to TRICK you into clicking their link and YOU giving them your info. It has nothing to do with the security of the web site they claim to be from.


Yup. Phishing is merely a new version of many of the older confidence tricks that con men have developed over time. These tricks are in almost all cases very low-tech and, instead, work by gaining the victim's trust or tapping into more basic emotions like fear or greed.

In the case of phishing, it largely works because it exploits how most of us read e-mail: we merely scan it and put information into a website without noticing that the web page is really from pay-pal.com or some other close-but-not-exactly-the-same as paypal.com. Usually, making their e-mail and website look similar to the official PayPal e-mail and website is enough to deem the site to really be PayPal.

BTW, this same scam is used extensively for all major banks as well as they have many of the same "scammability" issues that PayPal does.

Patrick
pluby
The Architect


Joined: Jun 16, 2003
Posts: 11949

PostPosted: Sun Sep 09, 2007 5:36 pm    Post subject:

Since I got talking about phishing, I forgot to mention what information we have access to and things we do not have access to when you make a donation to us via PayPal:

Things we have access to:

1. Your e-mail address
2. Your transaction amount
3. Your PayPal transaction number

Things we do not have access to:

1. Your PayPal password
2. Your bank or bank account number
3. Your credit card number

Even if we wanted to, we cannot get access to the above three things.

In contrast, when you buy something with your credit card from a website that has its own shopping cart, they have access to your credit card. My assumption is that most websites store this information in their shopping cart database and, should their site get hacked or an employee accidentally lose a laptop with customer data on it, your name, billing address, and credit card number are now compromised.

If someone was able to hack our servers (and we have locked down our servers so that not even our webhosting company can log in without taking down the whole server), the only information that they could get would be a list of e-mail addresses. Sure, they would get a PayPal transaction number, but that number is a meaningless number that isn't connected to any of your personal information.

This is why we do not have our own shopping cart pages and send you directly to PayPal's website to enter your donation: it ensures that we never see your personal financial data.

Patrick
cbelov
Blue Pill


Joined: Mar 07, 2006
Posts: 3

PostPosted: Mon Sep 10, 2007 12:39 am    Post subject:

Actually, I've tried multiple times to send a Paypal donation to NeoOffice.org. In previous instances, I would get to the end of the form and click submit, only to be told that an error had occurred. (I suspect that you don't have time to actually read the terms of use before the form times out, but since I would never submit without reading the terms of use, I haven't been able to test this.) However, today it wouldn't even display a form, just a bare-bones page. I am not a Paypal member (due to its terms of service), allow cookies for Paypal, am using Firefox 2 with JavaScript enabled, but Paypal is supposed to allow payment from non-members using a credit card.
sprezzatura
Blue Pill


Joined: Sep 09, 2007
Posts: 2

PostPosted: Mon Sep 10, 2007 6:29 am    Post subject:

I think I just figured out what happened:

My email is filtered through SpamArrest. When the acknowledgement email came back from PayPal, it was erroneously flagged as spam, and the formatted email was encapsulated into an attachment.

I opened the email (now a text attachment) into a text editor, exposing the raw formatting codes.

In the original (formatted) receipt, the donation amount was "$50.00". However, the hex value of the dollar sign '$' is 0x24. What showed up on my plain-text version of the receipt was "=2450.00". Yikes! My first reaction was "I'm being billed $2,450!"

So it looks like things are OK.

Nevertheless, as a business, if the payment method that you require your customers to follow were compromised, you would bear responsibility for choosing the method.

Sorry for the false alarm. I just bought my family an iMac after using Windows since 3.1. This is new territory for me.
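The "=2450.00" in sprezzatura's post is a quoted-printable transfer encoding (RFC 2045) that was never decoded because the spam filter turned the message into a raw text attachment. The following is an added example, not code from the forum or from PayPal, that shows how an encoder is allowed to escape the dollar sign (0x24) as "=24", and how a mail parser that honours the Content-Transfer-Encoding header recovers the real amount. The receipt message, its addresses and the eager encoder are all constructed for illustration.

```python
import quopri
from email import message_from_string


def encode_aggressive_qp(text: str) -> str:
    """Quoted-printable encode TEXT, escaping every byte outside the letters,
    digits, space and period as =XX.  RFC 2045 permits escaping any octet, and an
    encoder this eager turns "$50.00" into "=2450.00" because '$' is 0x24.
    Constructed for illustration; it is not PayPal's encoder and not quopri's."""
    safe = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 .")
    out = []
    for b in text.encode("ascii"):
        out.append(chr(b) if b in safe else "=%02X" % b)
    return "".join(out)


def decode_qp(text: str) -> str:
    """Reverse the transfer encoding with the standard-library decoder."""
    return quopri.decodestring(text.encode("ascii")).decode("ascii")


def escaped_byte(token: str) -> str:
    """Return the character an =XX escape stands for, e.g. '=24' -> '$'."""
    if len(token) != 3 or token[0] != "=":
        raise ValueError("expected an =XX escape")
    return bytes.fromhex(token[1:]).decode("ascii")


# Constructed receipt in the shape the poster saw once the filter exposed the raw
# message.  Addresses are placeholders; the body is quoted-printable encoded.
RAW_RECEIPT = (
    "From: receipts@example.invalid\n"
    "To: donor@example.invalid\n"
    "Subject: Receipt for your donation\n"
    "MIME-Version: 1.0\n"
    'Content-Type: text/plain; charset="us-ascii"\n'
    "Content-Transfer-Encoding: quoted-printable\n"
    "\n"
    "Thank you for your donation.\n"
    "Amount: " + encode_aggressive_qp("$50.00") + "\n"
)


def amount_from_receipt(raw: str) -> str:
    """Parse the message, apply the Content-Transfer-Encoding, and return the
    Amount field as the recipient was meant to read it."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "ascii")
    for line in body.splitlines():
        if line.startswith("Amount:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no Amount line in receipt")


if __name__ == "__main__":
    print(encode_aggressive_qp("$50.00"))    # =2450.00
    print(amount_from_receipt(RAW_RECEIPT))  # $50.00
```

The practical check, when a receipt's figures look wrong, is whether the message carries a `Content-Transfer-Encoding: quoted-printable` header and whether what you are reading is the decoded body or the raw one; `=` followed by two hex digits is the tell.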
pluby
The Architect


Joined: Jun 16, 2003
Posts: 11949

PostPosted: Mon Sep 10, 2007 9:11 am    Post subject:

sprezzatura wrote:
In the original (formatted) receipt, the donation amount was "$50.00". However, the hex value of the dollar sign '$' is 0x24. What showed up on my plain-text version of the receipt was "=2450.00". Yikes! My first reaction was "I'm being billed $2,450!"


I think it is worth noting here that, in general, users have a much higher amount of protection against overcharging, short shipment, or other erroneous billing when you use a VISA or MasterCard credit card.

All online transactions involve some risk and using a credit card gives you the option of disputing a charge through your credit card provider if you are overcharged or an item doesn't arrive or whatever problem that you may have. All credit card processors, including PayPal, must adhere to the credit cards' resolution procedures.

In addition, most credit cards have built-in fraud limits if you find misuse of your credit card. In the past 15 years, I have had to make use of both the dispute mechanism and the fraud limits so I do know that these protections are there (at least in the U.S. and Canada).

My personal approach (I am curious if others have better ideas) is that I always use my credit card for online purchases and my PayPal account is only attached to my credit card, not a bank account.

Unfortunately, the NeoOffice.org account is attached to a bank account (we have to withdraw the money to a checking account to make payments). Since NeoOffice.org is a public service organization funded entirely by the time and money donated by our users, Ed and I are very concerned about protecting any unspent donations so we have attached the NeoOffice.org account to a checking account that does not hold more than a very small sum of money.

We frequently withdraw funds from the NeoOffice.org PayPal account so that our PayPal balance is always very low. However, if someone uncovers our bank and bank account number (either by hacking PayPal or by having an insider within any large U.S. bank), they could throw an ACH transfer against our account so we immediately move any withdrawn funds from the checking account to a restricted account (like an interest-bearing certificate of deposit) that does not allow ACH transfers.

This brings up a point about ACH transfers in the U.S. banking system. It is my understanding that basically anyone can pull money from your checking account via an ACH transfer without any prior agreement or notice to you. This is scary considering it really isn't hard to figure out a person's or organization's bank account number. I've been told that the only recourse you have if a fraudulent ACH transfer occurs is to complain to your bank within 10 days. However, I suspect that the masterminds that do fraudulent ACH transfers know this and are smart enough to withdraw and close their account as soon as they have successfully pulled off a fraudulent transfer.

In sum, my opinion is that both online and brick-and-mortar banks (they are all connected to large banking networks) are full of security holes but there are some basic protections that you can put in place to limit your risk. I would be interested to hear what others have done to protect their accounts from fraud.

Patrick
jgd
Agent Smith


Joined: Feb 27, 2005
Posts: 1531
Location: France

PostPosted: Mon Sep 10, 2007 10:34 am    Post subject:

In France, we have an interesting possibility called "e-carte bleue". It's attached to your bank account and you have to pay a little charge for it. When you want to make a payment with your credit card, on line or by giving your card number on an order form, you can ask your bank (on line) for a card number available for only this transaction. Thus you are sure that your account is debited the sum you asked for and nothing more. Probably it's not 100% safe, but nevertheless the risks are minimized.

Jacqueline
pluby
The Architect


Joined: Jun 16, 2003
Posts: 11949

PostPosted: Mon Sep 10, 2007 11:55 am    Post subject:

I haven't seen this with any of the U.S. banks I use but then U.S. banks seem to be behind the rest of the world. Sad

BTW, one thing that I forgot to mention is that PayPal supports the use of a security key device. I used these devices when I was a Sun employee and they really are pretty cool. Basically, they are devices that generate a new password for your account every few minutes. As long as you have possession of the device, anyone who hacks your account by brute-force attack of the password will not be able to log in a second time without going through the brute-force attack.

It's not perfect, but it definitely puts a significant barrier to such password hacking attacks.

Patrick
Lorinda
Captain Mifune


Joined: Jun 20, 2006
Posts: 2051
Location: Midwest, USA

PostPosted: Mon Sep 10, 2007 3:25 pm    Post subject:

Some American credit card companies offer this. Bank of America calls it ShopSafe. You specify an expiration date and a credit limit anytime you want to make an online purchase, and the site generates a one-time-only credit card number. Citicards calls them Virtual Account Numbers. Discover Card calls them Secure Online Account Numbers. According to Google Answers, American Express used to have such a service, but discontinued it.

I've never tried these services, but I have heard about them. Right now I use one card for on-line purchases and another card for brick and mortar purchases. That makes it easier to catch fraudulent charges, and hopefully means I'll still have one working card if the other is compromised.

Lorinda
Page 1 of 2

 