
Our Security Problem with PayPal

Paul Reinheimer Jan 25, 2017

When WonderProxy launched, the payments landscape in Canada wasn’t nearly as mature as it is today. Basically, it was PayPal or a series of three ring “integration” binders from your bank. So WonderProxy accepts PayPal. Most of our hosting providers are outside the United States so when they launched they had similar payment processing options, and most of them accept PayPal.

As WonderProxy and the payments landscape have matured, we’ve moved past “PayPal for everything” towards “credit cards to pay people and Stripe[1] first for accepting payments”. Nevertheless, a few of our providers still only accept PayPal, or only accept PayPal and some local payment system or wire transfer. Thus, this is a pretty standard header to see on an invoice from a provider:

paypal subscribe & checkout buttons

They want money and they’d like it through PayPal. Fair enough! This is the form you get when you click PayPal Check Out.

paypal login page, asking for email and password
Keep this form in mind…

Like most business websites, PayPal allows you to create and manage users and to set different permissions. You can create users who can correspond with customers, people authorized to make refunds: there’s a whole slew of available permissions.

paypal permissions listing offering over 20 granular permissions

Once you’ve created a user, they’re able to change their password and enable multi-factor-auth for better security.

When you create a user this is the form you see:

paypal add user page, asking for a user id and password

And we run smack dab into our huge problem! Users created in your PayPal account have a username, not an email address. Only users who log in with email addresses are able to pay vendors that integrate with PayPal. It does not matter what permissions a user is issued, they can’t even log in to the payment page.

WonderProxy has 184 hosting providers; I (personally) don’t pay them. It takes a fair amount of time, and frankly I wasn’t ever very good at it. Around the third time a server got shut off due to non-payment Will stepped in, and we’ve since hired someone to handle it. It is impossible to create a user that is permitted to pay our hosting providers, so what should I do? PayPal’s work-around is to share the account owner's email address and PayPal password. That’s the only solution. It “works”, but there are some huge problems here:

  • Sharing credentials is an absolutely horrid idea
  • Audit logs are useless as everyone shows up as a single user
  • We’re not able to use multi-factor-auth as several people would need the same PayPal Security Key, and we don't all share a cellphone (or, indeed, timezone)
  • Everyone who needs to pay servers (one permission) has access to absolutely everything the PayPal account can do, including changing our banking details & withdrawing money. This is obviously not optimal.

So that’s our security problem with PayPal.

Conclusion

PayPal, get your shite together. I raised this issue five years ago and again last week, and there's been absolutely no progress. You require that people living in your ecosystem have horrible security practices… security practices that will probably require me to write an exception into our internal security policies just for PayPal. No one I’ve talked to at PayPal has come up with a good reason this works the way it does; the lady on the phone referred to “legacy platform” but they’ve supported user accounts at least since WonderProxy was formed, and I don't seem to be able to move onto a non-legacy alternative that would let things work in a sane way… Unless, of course, she was suggesting that PayPal itself is a legacy platform, but that doesn't sound terribly on-brand.

Easy Arguments & Our Rebuttals:

Having read what my colleagues have been calling "Paul's angry PayPal rant", you may have some points you'd like to dispute. I'm going to pre-respond to a few:

  • Why don’t you just pay them with a credit card on PayPal?

    Once you’ve attached a credit card to your PayPal account, you can’t use it without logging in to that PayPal account. Moreover, for a long time, once you’d used a given credit card with PayPal a few times they made you sign up. Using credit cards without logging in, thus, wasn't an option. I've not been able to verify this is still the behaviour, since we'd need a brand new credit card with which to test.

  • Couldn’t you issue PayPal Debit cards to everyone?

    PayPal Debit isn't available in Canada, so no. I'm also not sure it would avoid the logging in, and we don't want our employees to have to use personal PayPal accounts.

  • Why not find suppliers who don’t use PayPal?

    If all we needed was “some servers”, this would be reasonable. We have servers in 223 cities spanning 78 countries, though. There simply isn’t much competition in all those places: it’s either pay them with PayPal or lose the city (and possibly country). We don't get to be picky about providers in that way.

  • Is anyone any better than PayPal at this stuff?

    Everyone who routinely has WonderProxy expenses has a credit card with their own name on it, so yes. Everyone who needs one has their own Stripe login credentials that use multi-factor auth. All of the software we routinely use is better than PayPal at allowing us to do user management in such a way that users aren't useless.


  1. I used to work for Stripe, though we started using it well before that.

Paul Reinheimer

Developer, support engineer, and occasional manager. I enjoy working on new products, listening to customers, and forgetting to bill them. Also: co-founder.