First published: 07th September 2009
Allan Dyer
A recent incident has highlighted poorly-designed procedures and policies at Paypal Hong Kong. On 7th September 2009, I, a Paypal customer in Hong Kong, received a message, supposedly from Paypal. My suspicions were immediately aroused: the message was in Traditional Chinese, a language I cannot read, and Paypal has my language preferences on record. I checked the Paypal website, and forwarded the message to the address for reporting phishing attempts, spoof@paypal.com.hk. However, I also thought it possible that it was a genuine message, but that Paypal disregards the needs of "minority" customers. Looking further, I noticed that the message included my name registered with Paypal, a feature included because it is difficult for bulk emailers to guess the correct names for each phishing message, but also that the message arrived from the mailserver om-paypal-apac.rsys4.com [12.130.139.51]. The domain rsys4.com is registered to RESPONSYS Inc., 900 Cherry Avenue, 5th Floor, San Bruno, CA 94066, US, not to Paypal.
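The check described above, reading the mailserver out of the Received: headers and comparing its domain with the claimed sender, is worth automating, since a correct customer name in the body proves nothing on its own. The following is an added example, not code from the original article or from Paypal: it walks the Received: chain from the top (the only header your own MTA wrote is the one you can trust; everything below it could have been forged by the sender), stops at the first hop that handed the message in from outside your own domain, and compares that relay's registrable domain with the From: domain. The raw message is constructed for the example; only the relay name and IP are taken from the article, and the receiving hosts (mx.example.net, mailstore.example.net), addresses, ids and timestamps are invented. The registrable-domain rule is a simplification of the Public Suffix List, just enough to handle paypal.com.hk correctly; a production check would use the full list and the DNS-backed SPF and DKIM results from the receiving MTA rather than this offline heuristic.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample message, not the actual email the article describes.
# The relay hostname and IP are the ones the article quotes; the local
# hosts, addresses, ids and timestamps are invented for illustration.
SAMPLE_RAW = (
    b"Received: from mx.example.net (mx.example.net [192.0.2.10])\r\n"
    b"\tby mailstore.example.net (Postfix) with ESMTP id 1A2B3C\r\n"
    b"\tfor <customer@example.net>; Mon, 7 Sep 2009 10:00:05 +0800\r\n"
    b"Received: from om-paypal-apac.rsys4.com (om-paypal-apac.rsys4.com [12.130.139.51])\r\n"
    b"\tby mx.example.net (Postfix) with ESMTP id 4D5E6F\r\n"
    b"\tfor <customer@example.net>; Mon, 7 Sep 2009 10:00:01 +0800\r\n"
    b'From: "PayPal" <service@paypal.com.hk>\r\n'
    b"To: customer@example.net\r\n"
    b"Subject: constructed sample\r\n"
    b"Message-ID: <constructed@example.net>\r\n"
    b"\r\n"
    b"(constructed body)\r\n"
)

# Second-level labels under which registrations sit one level deeper
# (paypal.com.hk, bbc.co.uk). Assumption: a small stand-in for the Public
# Suffix List, sufficient for the domains discussed here.
_SECOND_LEVEL = {"com", "co", "net", "org", "gov", "edu", "ac"}


def registrable_domain(host):
    """Return the owner-level part of a hostname (rsys4.com, paypal.com.hk)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in _SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


_RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"             # HELO name chosen by the sender
    r"(?:\s*\((?P<comment>[^)]*)\))?"   # optional "(rdns-name [ip])" comment
    r".*?\bby\s+(?P<by>\S+)",           # host that accepted the message
    re.IGNORECASE | re.DOTALL,
)
_IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")


def parse_received(value):
    """Split one Received: header into HELO name, rDNS name, IP and receiving host."""
    text = " ".join(str(value).split())  # unfold continuation lines
    m = _RECEIVED_RE.search(text)
    if not m:
        return None
    comment = m.group("comment") or ""
    ip = _IP_RE.search(comment)
    rdns = comment.split()[0] if comment and not comment.startswith("[") else None
    return {"helo": m.group("helo"), "rdns": rdns,
            "ip": ip.group(1) if ip else None, "by": m.group("by")}


def _is_trusted(host, trusted_suffixes):
    host = (host or "").lower()
    return any(host == s or host.endswith("." + s) for s in trusted_suffixes)


def originating_relay(msg, trusted_suffixes):
    """Walk Received: headers top-down through our own relays and return the
    first hop that handed the message over from outside the trusted domain."""
    for value in msg.get_all("Received", []):
        hop = parse_received(value)
        if hop is None:
            continue
        sender = hop["rdns"] or hop["helo"]
        if _is_trusted(hop["by"], trusted_suffixes) and not _is_trusted(sender, trusted_suffixes):
            return hop
    return None


def assess(raw, trusted_suffixes):
    """Compare the From: domain with the domain of the first external relay."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    from_domain = registrable_domain(from_addr.rsplit("@", 1)[-1]) if "@" in from_addr else None
    hop = originating_relay(msg, trusted_suffixes)
    if hop is None:
        return {"from_domain": from_domain, "relay_host": None, "relay_ip": None,
                "relay_domain": None, "mismatch": None}
    # Prefer the receiving MTA's own reverse-DNS result over the HELO name,
    # which the sender picks freely.
    relay_host = hop["rdns"] or hop["helo"]
    relay_domain = registrable_domain(relay_host)
    return {"from_domain": from_domain, "relay_host": relay_host, "relay_ip": hop["ip"],
            "relay_domain": relay_domain, "mismatch": relay_domain != from_domain}


if __name__ == "__main__":
    print(assess(SAMPLE_RAW, ("example.net",)))
```

A mismatch is not proof of phishing (the article's point is precisely that the mail may be a genuine message sent through a third-party bulk mailer), but it is the signal that should trigger a closer look, and it is one a mail filter can compute without reading the body at all.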
Intrigued, I called the Paypal Hong Kong hotline (35508574) and spoke to their customer service officer Nicky. She indicated that phishing emails should be forwarded to spoof@paypal.com, and I would get a response in three to four days, and that spoof@paypal.com.hk was not the correct address. She was uncertain what happened to emails sent to the address listed on the Paypal website.
I therefore asked Nicky to investigate what happened to three earlier phishing reports I made to spoof@paypal.com.hk, on 22 January 2009, 9 May 2009 and 6 August 2009, that had received no response. To facilitate future communications, I asked for the tracking number of this incident, but was told that they do not use tracking numbers. So:
- The Paypal website lists the address for reporting phishing emails as spoof@paypal.com.hk, on the page https://www.paypal.com/hk/cgi-bin/webscr?cmd=xpt/Marketing/securitycenter/antiphishing/PPPhishingReport-outside.
- The Paypal customer service hotline in Hong Kong says that the address for reporting phishing emails is spoof@paypal.com, and there should be a response in three to four days.
- There has been no Paypal response to three reports made more than a month ago.
- The Paypal customer service hotline in Hong Kong does not issue incident tracking numbers.
With the current confusion between the Paypal website and the Hong Kong customer service, and the lack of response on earlier incidents, it is clear that Paypal can make some improvements in how it handles customers and security.
Updated: 15th December 2009
Randy Abrams, Director of Technical Education at ESET, has also noticed some inconsistencies in Paypal's anti-phishing measures. Follow-up articles by Randy and his colleague, David Harley, are a good discussion of the problems.