There Goes PayPal As A Money Laundering Tool
from the for-those-of-you-who-do-that-sort-of-thing dept
Not that any of you would be using PayPal to stash cash overseas to hide it from the IRS, but if you were doing so... you might want to look for an alternative. We had noted last year that PayPal might be cooperating with the IRS, but apparently they were resisting at least some aspects of the requests from the IRS and the Department of Justice. However, a court has now ruled that the IRS has every right to investigate potential tax cheats using PayPal by requiring the company to turn over data on users who have credit cards from certain "tax haven" countries. It still is somewhat amazing that people actually would think that hiding money via PayPal was likely to work.
Reader Comments (rss)
(Flattened / Threaded)
LMAO...LOL by Mike on Apr 11th, 2006 @ 8:06pm
"It still is somewhat amazing that people actually would think that hiding money via PayPal was likely to work."
That's the understatement of the year. PayPal is eBay, the same eBay who forks over user data (including passwords) when it receives a simple fax asking for it:
http://research.yale.edu/lawmeme/modules.php?name=News&file=article&sid=925
Now that's Tech Dirt !
(reply to this comment) (link to this comment)
by David Mcleod on Apr 11th, 2006 @ 9:00pm
no shit you got that right my brother AMEN!!!!!!!!!
(reply to this comment) (link to this comment)
Re: LMAO...LOL by Anonymous Coward on Apr 11th, 2006 @ 9:06pm
the FIXED link:
http://research.yale.edu/lawmeme/modules.php?name=News&file=article&sid=925
thanks - it is a good read!!
(reply to this comment) (link to this comment)
You are wrong by Randy on Apr 11th, 2006 @ 9:12pm
Ebay is screwed up in a lot of ways, but if you think they CAN provide passwords, you are on crack. They do not HAVE the password you idiot. It is hashed before it is stored in the DB.
Yes, I know this for an absolute positive fact, had to work on the shit long enough.
(reply to this comment) (link to this comment)
Not much to debate here... by Professor Highbrow on Apr 11th, 2006 @ 9:12pm
No grounds to argue! Ebay = PayPal. Who are the idiots that thought that they could avoid the IRS? As certain to fail as cheating death...
sorry, Grim Reaper, but I transferred my life to an offshore account. I sold my soul on Ebay and they paid via PayPal.
Then, I transferred the funds to the Prince in Nigeria that keeps sending me those emails asking for my account number so that he can get his millions of dollars transferred to US dollars. He said he'd gimme 10% or something.
(reply to this comment) (link to this comment)
by cw on Apr 11th, 2006 @ 9:29pm
I've been hiding $127.43 there for years.
(reply to this comment) (link to this comment)
Thats if paypal doesnt steal it from you first by John on Apr 11th, 2006 @ 10:52pm
Back a while ago I had quite a bit of money in paypal for selling things online, then one day my account was suspended. They never gave me a solid reason, but sure liked to take my money.
Point being, sure you can hide money from the IRS there I assume, but you also run a good chance of paypal taking it for no reason.
(reply to this comment) (link to this comment)
Randy: are you on crack? by Scott on Apr 11th, 2006 @ 11:08pm
So what if the password is hashed before it gets to the database. If you create the key that is used for the hash then you can decrypt the password any time you like.
(reply to this comment) (link to this comment)
Re: Randy: are you on crack? by like duh doooood on Apr 11th, 2006 @ 11:27pm
Any sensible developer would assume it's a one way, non reversible hash.
(reply to this comment) (link to this comment)
Psssssssssh by Luke on Apr 12th, 2006 @ 12:14am
#1 lol, they have a database management program, which doesnt display in code, but actually enables to search by username.
#2 Yes it displays an encoded password. But any idiot can see by looking at the password (encoded) as to which encoding was used and search google for a decoder, I use them alot for lost passwords on a system I am still developing.
(reply to this comment) (link to this comment)
Hash etc by Ragz on Apr 12th, 2006 @ 4:18am
I thought teh whole point of a hash is you can't easily decode it? How can you tell how it's encoded by looking at it? Aren't they all just random looking strings of numbers and letters?
(reply to this comment) (link to this comment)
Re: You are wrong by Mike on Apr 12th, 2006 @ 4:32am
"Ebay is screwed up in a lot of ways, but if you think they CAN provide passwords, you are on crack."
Someone likes to smoke crack instead of READING THE FUCKING ARTICLES people provide to back up their post:
http://research.yale.edu/lawmeme/modules.php?name=News&file=article&sid=925
(reply to this comment) (link to this comment)
Re: Hash etc by JL on Apr 12th, 2006 @ 4:57am
A Hash is a security algorithim that uses a key (a series of letters and numbers) and changes whatever your changing into a series of letters, numbers, and symbols.
If you have the key that encrypts the password, it's usually possible to unencrypt it.
(reply to this comment) (link to this comment)
Learn cryptography by Randy on Apr 12th, 2006 @ 5:14am
It is clear none of you debating me understand the concept of a one-way hash. No, it is NOT possible for eBay to provide the original password; same with Paypal. This is why you cannot get them to send you your password; they can only reset your password. Have you noticed other places, that are even less secure, such as E*Trade, do the same?
This is also part of Sorbanes Oxley requirements. Welcome to computer science 101.
Even knowing the key, finding any set of characters that hashes to the same value is incredibly difficult (read: computing years of time).
(reply to this comment) (link to this comment)
JL by Randy on Apr 12th, 2006 @ 5:17am
I don't care what the article says. I also read an article that the holocaust never happened, and another article about santa claus. I am telling you nothing more than a hard cold fact that is indisputable.
Ebay can CHANGE your password, even to something they know... but they cannot provide the password you chose. That is a physical impossibility.
(reply to this comment) (link to this comment)
Re: Learn cryptography by Andy on Apr 12th, 2006 @ 5:30am
Randy is quite right - for a lowdown on the difficulty of brute-forcing a one-way hash, check out the link below, using MD5 as an example:
http://www.iusmentis.com/technology/encryption/pgp/pgpattackfaq/hash/
To quote the article:
"To find such message (assuming it exists) it would take a machine that could try 1,000,000,000 messages per second about 1.07 times 1022 years. (To find m would require the same amount of time.) "
If you're able to decrypt such a cipher it's usually because there is a particular weakness in the algorithm, or because you are in possession of information that will give you an edge. Either way:
1) Why would eBay waste their time cracking a password when they can change it?
2) We can safely assume that a company making the money eBay does has invested funds in ensuring a secure solution for user passwords.
(reply to this comment) (link to this comment)
Crypto & Policy by Brad on Apr 12th, 2006 @ 5:41am
Yes, A one way hash is called a "One-Way Hash" for a reason. However there are other ways to "crack" a password... brute force, etc. which don't really matter what method is used to encrypt it.
Also any customer service employee who feels like breaking policy can change the password of anyone's account at anytime they choose, login & get any info they want. But if that's what you are arguing, then all I can say is that you should never conduct any money transaction over the internet b/c every company you do business with can do the same.
(reply to this comment) (link to this comment)
Re: JL by Mike on Apr 12th, 2006 @ 5:46am
"I don't care what the article says...Ebay can CHANGE your password, even to something they know... but they cannot provide the password you chose."
The contention is that eBay will provide law enforcement with a password to access accounts. Who said anything about the original password? Btw, that's the eBay head of security quoted in TFA.
(reply to this comment) (link to this comment)
Re: JL by JL on Apr 12th, 2006 @ 5:52am
First off, my comment was not at all geared towards you so I have no idea why your so enraged in a response towards me. I was simply trying to explain what your average hash is to Ragz.
Second, let's take a look at what I said shall we?
"A Hash is a security algorithim that uses a key (a series of letters and numbers) and changes whatever your changing into a series of letters, numbers, and symbols.
If you have the key that encrypts the password, it's usually possible to unencrypt it."
Note the word usually in my last sentence. I by no means meant 100% of the time you can reverse a hash, or was I attempting to slander anything you said. Ebay and Paypal very easily could have an algorithim that is very hard to unencrypt.
Next time try to read a bit more carefully before you blow your hot head around and relate a simple explanation to things like an article denying the Holocaust...
(reply to this comment) (link to this comment)
Re: Re: JL by Mike on Apr 12th, 2006 @ 6:01am
Huh, enraged? Thanks for the crypto enlightenment. But when someone starts a sentence with "I don't care what the article says" and disputes something not mentioned in it or in posts for that matter, I'd say that's webrage for ya. No hard feelings though, let's keep it civil.
(reply to this comment) (link to this comment)
where!! by Anonymous Coward on Apr 12th, 2006 @ 11:27am
where are honest money hiders supposed to hide their money now?
(reply to this comment) (link to this comment)
Re: Re: You are wrong by discojohnson on Apr 12th, 2006 @ 7:06pm
No, you're dead wrong. How about instead of believing everything you read on a website that is anti-[insert company here], read what the policy is. People like you blindly forward hoax emails and take them as the truth (go check out snopes before you do that again). I present for your reading pleasure:
We may also share your personal information with:
law enforcement or other governmental officials, in response to a verified request relating to a criminal investigation or alleged illegal activity; (In such events we will disclose name, city, state, telephone number, email address, User ID history, fraud complaints, and bidding and listing history.)
this is from ebay's privacy policy
(reply to this comment) (link to this comment)
Re: Re: Re: You are wrong by Mike on Apr 14th, 2006 @ 7:15am
The article is from YALE.EDU (not some anti-insert company here website), it quotes eBay's head of security. Perhaps eBay has revised their privacy policy since that scandal broke out (how many years late), but that doesn't excuse their behavior.
(reply to this comment) (link to this comment)
just wow by ezra burgoyne on Feb 14th, 2007 @ 2:57am
...
wow, just wow.
i see everyone's drawn out their e-peens for this.
of course they can give law enforcement access to anyone's records by resetting the password or using special authentication for flagged accounts like a one time pass or a "master key" law enforcement can use on flagged accounts. jesus christ, are you guys that dumb enough to spend 293840 comments trying to show off your knowledge about hash functions and cracking md5, 3des, etc when it doesn't matter? apparently so. even if mention was made in an article about transmitting of a user's "original password", it's probably just an easy way for a journalist to explain the process of giving a third party access to someone's account records.
(reply to this comment) (link to this comment)
PAYPAL by Mike on Apr 13th, 2007 @ 7:12am
We use paypal at funny t-shirts and i haven't thought about hiding money...but I guess that takes a backseat to the illegal immigrants we hire to make our shirts!
(reply to this comment) (link to this comment)
Add Your Comment