Call to regulate e-payment firms after fraudulent PayPal transactions

Customers, experts flag risk after recent fraudulent PayPal transactions

Some consumers and security experts are calling for e-payment service providers to be regulated like banks following a series of fraudulent PayPal transactions on users' credit cards recently.

This comes after The Straits Times reported over a week ago that hackers had stolen from a larger-than-usual number of Singapore PayPal accounts in the last two months, with losses ranging from $50 to more than $3,000.

Pharmaceutical executive Lim Mei Ee, 30, said the relevant authorities should "put pressure" on PayPal to add more security layers before letting a credit card purchase go through.

This includes requiring users to enter a one-time password (OTP) - randomly generated on security tokens or sent via text messages to users' mobile phones.

OTPs, good for only one log-in, provide an extra layer of online security in a process called two-factor authentication (2FA), a standard protection for online banking here since 2006.

PayPal said its customers are protected by the company's anti-fraud technology, which alerts a user when it detects unusual activity and asks him if he wants to proceed.

But in Ms Lim's case, which happened two Wednesdays ago, no such alert was sent.

When she was informed in an e-mail that $180 had been charged to her card from a seller on Facebook in Ireland, the transaction had already gone through.

PayPal has since refunded her the money.

Still, security experts think that it is time for the Monetary Authority of Singapore (MAS) to step in, as PayPal reportedly had more than 600,000 registered users here in 2010. The company has not provided an update on its local user base since.

Mr Seah Seng Choon, executive director of the Consumers Association of Singapore, said MAS should look into the possibility of regulating PayPal as it has a large customer base here.

Mr Hoo Chuan Wei, security information officer at British Telecom Singapore, said: "All online payment services should be regulated to better safeguard consumers' interests."

Specifically, online banking security standards should be applied to PayPal transactions, Mr Hoo added.

Mr Paul Ducklin, a consultant at security software firm Sophos, said: "Even in the absence of regulatory pressure, online service providers should consider rolling out 2FA as a matter of best practice, and at least getting some early adopters on board among their user base."

When contacted, an MAS spokesman said PayPal's operations are not subject to its supervision. PayPal is also not required to comply with the Internet banking rules - like 2FA roll-out - imposed on banks.

The spokesman added: "MAS encourages all payment systems and intermediaries that are not subject to our supervision to refer to the (MAS Internet Banking and Technology Risk Management) guidelines in formulating their IT security management."

At present, PayPal offers 2FA only in certain markets like the United States and Australia. Singapore users do not have this security layer.

When contacted, PayPal did not address when it will roll out 2FA locally but said that if a dispute is raised within 60 days of the unauthorised transaction occurring, a refund will be made to users.

Mr Lawrence Chan, its vice-president of Asia-Pacific merchant services, said the company takes a "holistic approach" to security, including investments in anti-fraud technologies, partnerships with law enforcement agencies and customer education.

In the meantime, online shoppers are advised to remove their credit card details from their PayPal accounts.

"Don't use your credit card unless you know that it will be securely handled," said Mr Jeffrey Kok, Asia-Pacific and Japan technology consultant director at RSA, the security arm of data storage firm EMC.

Instead, users should transfer small amounts of money to their PayPal accounts and deduct their purchases from there. "This will limit your loss due to fraud," said Mr Kok.

itham@sph.com.sg