Sunday, 20 March 2011

Paypal security

I've just made a couple of purchases off the web (an aux power socket for the Bonnie from Jack Lilley and a splitter from eBay so that I can charge the phone and use the satnav without the yards of wiring and dodgy connectors that I have to use at the moment). I paid for both with Paypal. You have to log in to Paypal in order to pay. In each case, I completed the purchase and logged out of the site before closing the page. In each case, I then went to the main Paypal page to find that, as far as Paypal was concerned, I was still logged in. I had to log out of the Paypal site from there.

As far as I can see, this means that if you use Paypal for a purchase and close the merchant's page, Paypal still thinks you are logged in, as there is no mechanism for logging out of Paypal when you do so.

I don't know enough about the system to know whether this is a concern or not, but I'm not very happy with it. It feels like leaving a door open somewhere. In future I will always check on the main Paypal page after I have purchased something, and log out if necessary. Unless anyone who knows more than I do can tell me that I am wasting my time.


  1. Paypal security has been stepped up since thon time they had a pop at John Paul II. Old Firm game oan at Hampden the day tae. Yoo tryin tae be funny?

  2. Nay lad, tha's got 't wrong end o't stick as usual.

    It's 't security o' payin' pals, like giz a tenner and Ah'll get thi some baccy. Tha cannut be too careful, tha knaws.

  3. That's the worst Newcastle accent I've heard in a while. Geordies - Weegies wi their brains kicked oot. And you fae Yorkshire. Stick to what yer good at, if ye ever find oot whit that is. (Oh, and tell the rest o ayz while yer at it in the unlikely event that ye doo).

    Ye know, ahm as fed up wi the man as the next man but I have for tae concede that he is good at accents:


  4. Ma bonnie lad, if ye canna tell a Geordie accent fram a Tyke, ye wants hangin. Ah noa we aal luik the same to yer up theer, but we're nat aal 'tits oot fer the lads', ye knaa.

    Indeed to goodness look you, I'll be starting on Norn Iron next.

  5. In a normal accent, possibly RP, I don't think you have a problem. If hackers could get at PayPal that easily they would.
    In order to use it properly, to sell stuff, you have to verify your account, and that actually involves a letter popping through your letterbox with a code. You then have to send them the code, etc.

  6. Ear hellear, old chap :) (That's the nearest I get to RP.) Thanks for that. My account is verified and I am very careful with passwords etc. The obvious danger is leaving the PC logged in to the account, and someone using this PC to access my funds (zero, but hey). That isn't a concern. What I was wondering was: if the account is 'open', i.e. with me logged into it, does that leave it insecure for someone else to hack into it? Say I logged into Paypal, closed the PC down and went on holiday for a week. Would my security be compromised? Would that give someone else easy access to my Paypal from another location? You can tell how ignorant I am about these things. Logging out properly just seems like shutting and locking the door when you go out.

  7. Unnerstawn unnerstawn. Ahunnerrstawn mah man. Utts yoo duznae unnertsawn, pure statey yoo, yah trumpet atyarr. Weshull agree to disagree. In surrenity shull wee proceed. Awl wull be peece. Peece an surretitllity shull prevail by the way. Utherwise, utherthwize, utherwize ahll tell ye this, ahll pan yer heid in utherwise. Deellur no deal? The dessizhun is yoors.

    Aye thenkyooz. Ahm drunkbytheway. See ah pyure stateyyooz.

  8. Uh? What'd he say?

  9. Richard ..
    You may have logged out ok but still have their cookie. This might show you as being logged in.
    With Firefox it's 'Tools..clear recent history..clear...' to clear all your cookies and history. Similar for IE etc.

  10. Thanks Don - I'll try that next time. I have it set to clear history and delete cookies every time I close in any case, but I will do that immediately after leaving the site to see if it's just a cookie.

  11. All I can say is "spray eucalypti", we have a "parsley paucity".

  12. You needn't worry.

    PayPal connection is https rather than http, so uses point-to-point encryption: in other words, the session is only visible from the PC you originally connected from. It also has an idle session limit of between 10 and 15 minutes, at the end of which the server drops the connection automatically and you need to log on again to access your account.

    The default for secure protocols like https is never to store any credential information within cookies - they simply hold session preferences, such as custom sort lists, in such cases. Clearing them won't affect whether you're logged on or off.

    Hope this goes some way towards dispelling the myth that IT is a tediously geeky profession...

  13. Thanks Endo - understood and suitably reassured.


