[ic] RE: PayPal working with IC (changed to pleeeaaase make a PayPal mod)?

Jason Kohles interchange-users@interchange.redhat.com
Thu Feb 21 17:02:00 2002


On Thu, 2002-02-21 at 16:24, Julia Jacobs wrote:
> On 2/21/02 3:50 PM, "Jason Kohles" <jkohles@redhat.com> wrote:
> 
> > You can't do this because it would require that the customer give you
> > their PayPal account name and password, which any sane person would
> > refuse to do.
> 
> If a customer would give you their credit card number, why would they not
> give you their PayPal account name and password if it is necessary to
> complete the transaction and you put a disclaimer stating you do not store
> their account info, it just passes directly to PayPal in a secure SSL form?

If they are willing to do that, why not just ask them for the username
and password of their bank's webpage, then transfer the money directly
from their account?  The big difference here is that with their PayPal
username and password, you can EASILY drain the contents of any of their
linked bank accounts, charge all their credit cards up to the limit,
compile a list of everyone they had ever sent or received money from,
get their auction site usernames and passwords, and generally wreak
havoc.

> If the customer is uneasy about paying with PayPal, they can choose an
> alternate payment method.  But to not include a PayPal mod because you feel
> a customer would not want to put their PayPal account info on your secure
> site, but would do this on PayPal's site does not seem logical, Captain.

You could always just make your payment page a simple page that says 'to
complete transaction send $amount dollars in cash to the following
address', it would be much safer for everyone.  Also keep in mind this
section of the PayPal terms of use:

"* Passwords. You may not reveal your account password(s) to anyone
else, nor may you use anyone else's password. PayPal is not responsible
for losses incurred by Users as the result of their misuse of
passwords."

So implementing this would just lead to you losing your PayPal account.

> Can you just make the mod and allow the makers of the Interchange apps to
> decide whether or not they want to implement the PayPal functionality and
> deal with its hairy consequences?

I could, I could also make a module that handles payments by posting the
credit card information to usenet news with a note that says 'please
charge $x to this card and forward the cash to me', however I won't
because these are both very bad ideas.

> SSL would encrypt the user info anyway so how could anyone get to it?  Maybe
> you could set it so PayPal functionality can only be implemented if SSL is
> turned on.
> 
It's the merchant who I would not trust with this information.  If you
were having dinner in a restaurant and gave the waiter a credit card,
and he told you the only way they take credit cards is if you give him
the card and your PIN number so he can run across the street and use the
ATM to withdraw the amount of your check from your account, would you
give the waiter your PIN number?  Of course you wouldn't, but this is
exactly what you are suggesting here, with the difference being that
someone who has your PayPal username and password may have access to
more than one credit card/bank account.

-- 
Jason Kohles                                 jkohles@redhat.com
Senior System Architect
Red Hat Professional Consulting              http://www.redhat.com/