Tuesday, April 27, 2004

Doing my part

I got a call today from the Department of Homeland Security. A nice man, whose name I didn't catch, wanted to ask about some attempted credit card fraud against us last year.

In December someone tried to use our Visa card to buy something in Indonesia. We heard about it from the credit card company. We took it as an ordinary hassle of modern life, joked about how much more interesting or credit cards' lives are than ours, changed the credit card numbers, asked ourselves how the number got to Indonesia, and moved on.

It turns out that ours was one of three numbers used in an attempt to buy "military goods" (the man paused and cast around for the right phrase) in Indonesia. Ours was the second of the three numbers the investigator had called, and he was having trouble putting the data together. We and the other cardholder don't live anywhere near each other; we haven't been out of the country; we haven't been on a cruise. I offered to look through our account records for charges at the time. It turns out that the only thing we have in common with cardholder 1 is that both of us bought an item through E-Bay using Paypal.

Perhaps (just perhaps, mind you, based on incomplete information) someone who works at Paypal could use his inside information to collect credit card numbers--whether by deliberate selection or at random. And suppose he passed on the numbers to someone in the market for "military goods" overseas. If these three widely spaced credit card thefts were handled by local or state authorities, or even if federal, if they were not connected together, it would be difficult to connect the thefts to anyone at Paypal. And there would be a never-ending flood of credit card numbers from around the world to choose from. I wonder if this is a fluke or the tip of an iceberg.

Paypal has already faced some allegations of connection with terrorists; the state of New York basically chased the company out of the online gambling business, reasoning that online gambling can serve as an international money laundering operation. When E-Bay bought Paypal, the gambling stopped.

But that's about an accusation of customers using Paypal for nefarious activities. I can't find anything about Paypal employees being accused of stealing. Of course, it would only take one.

I wasn't going to mention Paypal in this post. I was going to write to Paypal and find out what the organization has to say about its internal security procedures. I went to the Paypal website and couldn't find a way to e-mail the company except by choosing an item from its list. For some reason, "What is your position on giving credit card numbers to potential terrorists?" is not one of the menu items. Calling the phone number revealed that the company's voice routing is as unresponsive as its e-mail.

So I don't have a Paypal response to my concerns. To cancel my account, I would have had to update my credit card, since the one Paypal has is expired. I think I'll leave it that way, open but useless.

No comments: