Tag Archives: PayPal

Skype, PayPal and eBay

There’s quite a bit that’s interesting in all this Skype/eBay business. I know others have raked over all this before, but now it’s official I’ll weigh in too.

The release is quite informative. It says “Skype, eBay and PayPal will create an unparalleled ecommerce and communications engine for buyers and sellers around the world.” How, exactly?

Well, “Skype will streamline and improve communications between buyers and sellers as it is integrated into the eBay marketplace. Buyers will gain an easy way to talk to sellers quickly and get the information they need to buy, and sellers can more easily build relationships with customers and close sales. As a result, Skype can increase the velocity of trade on eBay, especially in categories that require more involved communications such as used cars, business and industrial equipment, and high-end collectibles.”

That’s straightforward enough. Buyers and sellers can hook up via a SkypeMe button which lets them instant message, or talk to one another, presumably for free. Or does it?

“The acquisition also enables eBay and Skype to pursue entirely new lines of business. For example, in addition to eBay’s current transaction-based fees, ecommerce communications could be monetized on a pay-per-call basis through Skype. Pay-per-call communications opens up new categories of ecommerce, especially for those sectors that depend on a lead-generation model such as personal and business services, travel, new cars, and real estate.” This, I take it, means that beyond merely providing a market-place of sellers and buyers of goods, eBay hopes to become a market-place of services, whether they’re pure consulting, travel agencies, or selling things that require a degree of expertise (cars and real estate are mentioned, but they could as easily be careers.

Then there’s paying for Skype’s services. “PayPal and Skype also make a powerful combination. For example, a PayPal wallet associated with each Skype account could make it much easier for users to pay for Skype fee-based services, adding to the number of PayPal accounts and increasing payment volume.” True: Skype’s payment system is awkward, if not disastrous for many folk living off the beaten track. But PayPal’s isn’t much better. Both services need to get with the program on that, or face the growing wrath of people in the world’s more interesting regions.

I won’t get into the extraordinary cost of buying a company that made only $7 million last year. There’s no question there’s wonderful synergy to be had here. But there’s also the caveat that eBay should not underestimate the other lesson that the Skype revolution has taught us. People were willing to overcome all sorts of technophobia when they realised the enormous cost and social benefits of installing Skype. Now they’ve done so, they will more easily than ever before switch elsewhere if the appeal of Skype diminishes, either because of sneaky advertising, sneaky fees or if the remaining drawbacks of Skype — most particularly, but not exclusively, its payments system — are not tackled quickly.

Ebay to buy Skype: It’s Official

eBay Inc. has agreed to acquire Luxembourg-based Skype Technologies SA, the global Internet communications company, for approximately $2.6 billion in up-front cash and eBay stock, plus potential performance-based consideration.

Here’s the rest of the release:

The acquisition will strengthen eBay’s global marketplace and payments platform, while opening several new lines of business and creating significant new monetization opportunities for the company. The deal also represents a major opportunity for Skype to advance its leadership in Internet voice communications and offer people worldwide new ways to communicate in a global online era. Skype, eBay and PayPal will create an unparalleled ecommerce and communications engine for buyers and sellers around the world.

“Communications is at the heart of ecommerce and community,” said Meg Whitman, President and Chief Executive Officer of eBay. “By combining the two leading ecommerce franchises, eBay and PayPal, with the leader in Internet voice communications, we will create an extraordinarily powerful environment for business on the Net.”

“Our vision for Skype has always been to build the world’s largest communications business and revolutionize the ease with which people can communicate through the Internet,” said Niklas Zennström, Skype CEO and co-founder. “We can’t think of any better platform to fulfill this vision to become the voice of the Internet than with eBay and PayPal.”

“We’re great admirers of how eBay and PayPal have simplified global ecommerce and payments,” said Janus Friis, Skype co-founder and senior vice president, strategy. “Together we feel we can really change the way that people communicate, shop and do business online.”

Zennström and Friis will remain in their current positions. Zennström will report to eBay CEO Whitman and join eBay’s senior executive team.

Online shopping depends on a number of factors to function well. Communications, like payments and shipping, is a critical part of this process. Skype will streamline and improve communications between buyers and sellers as it is integrated into the eBay marketplace. Buyers will gain an easy way to talk to sellers quickly and get the information they need to buy, and sellers can more easily build relationships with customers and close sales. As a result, Skype can increase the velocity of trade on eBay, especially in categories that require more involved communications such as used cars, business and industrial equipment, and high-end collectibles.

The acquisition also enables eBay and Skype to pursue entirely new lines of business. For example, in addition to eBay’s current transaction-based fees, ecommerce communications could be monetized on a pay-per-call basis through Skype. Pay-per-call communications opens up new categories of ecommerce, especially for those sectors that depend on a lead-generation model such as personal and business services, travel, new cars, and real estate. eBay’s other shopping websites – Shopping.com, Rent.com, Marktplaats.nl and Kijiji – can also benefit from the integration of Skype.

PayPal and Skype also make a powerful combination. For example, a PayPal wallet associated with each Skype account could make it much easier for users to pay for Skype fee-based services, adding to the number of PayPal accounts and increasing payment volume.

In addition, Skype can help expand the eBay and PayPal global footprint by providing buyers and sellers in emerging ecommerce markets, such as China, India, and Russia, with a more personal way to communicate online. And consumers in markets where eBay currently has a limited presence, such as Japan and Scandinavia, can learn about eBay and PayPal through Skype. Skype can also help streamline cross-border trading and communications.

With its rapidly expanding network of users, the Skype business complements the eBay and PayPal platforms. Each business is self-reinforcing, organically bringing greater returns with each new user or transaction. The three services can also reinforce and accelerate the growth of one another, thereby increasing the value of the combined businesses. Working together, they can create an unparalleled engine for ecommerce and communications around the world.

Transaction and Financial Information

eBay will acquire all of the outstanding shares of privately-held Skype for a total up-front consideration of approximately €2.1 billion, or approximately $2.6 billion, which is comprised of $1.3 billion in cash and the value of 32.4 million shares of eBay stock, which are subject to certain restrictions on resale.

The maximum amount potentially payable under the performance-based earn-out is approximately €1.2 billion, or approximately $1.5 billion, and would be payable in cash or eBay stock, at eBay’s discretion, with an expected payment date in 2008 or 2009. Skype shareholders were offered the choice between several consideration options for their shares. Shareholders representing approximately 40% of the Skype shares chose to receive a single payment in cash and eBay stock at the close of the transaction. Shareholders representing the remaining 60% of the Skype shares chose to receive a reduced up-front payment in cash and eBay stock at the close plus potential future earn-out payments which are based on performance-based goals for active users, gross profit and revenue.

The above-mentioned dollar and eBay share amounts are approximate, based on the Euro-Dollar exchange rate and eBay’s stock price as of September 9, 2005. The final value of the stock component of the consideration may vary significantly from this estimate based on the value of eBay stock at closing.

Skype generated approximately $7 million in revenues in 2004, and the company anticipates that it will generate an estimated $60 million in revenues in 2005 and more than $200 million in 2006. For Q4-05, eBay expects the acquisition to be dilutive to pro forma and GAAP earnings per share by $0.01 and $0.04 respectively. For the full year 2006, eBay expects the transaction to be dilutive to pro forma and GAAP earnings per share by $0.04 and $0.12 respectively, with breakeven on a pro forma basis expected in the fourth quarter of 2006. On a long-term basis, eBay expects Skype operating margins could be in the range of 20% to 25%.

The acquisition is subject to various closing conditions and is expected to close in the fourth quarter of 2005.

Email For A Survey

AlienCamel, the email service that does a pretty good job of keeping out spam and viruses I’ve mentioned in the past, is offering a year’s Clean Email in return for feedback:

We are looking for 50 special users who are willing to give us some feedback about our email service from time to time. In return, we will give you a year’s subscription to AlienCamel’s “Clean Email” service for free.

You must sign up, however, which means having a PayPal account.

Phishing Your Yahoo! Account

More evidence that phishers are widening their net. Munir Kotadia of ZDNet Australia reports that Yahoo’s free instant-messaging (IM) service is being targeted by phishers in an attempt to steal usernames, passwords and other personal information.

Yahoo confirmed on Thursday its service was being targeted by a phishing scam. According to the search giant, attackers are sending members a message containing a link to a fake Web site that looks like an official Yahoo site and asks the user to log in by entering their Yahoo ID and password.

The scam is convincing because the original message seems to arrive from someone on the victim’s friends list. Should the recipient of the phishing message enter their details, the attackers can gain access to any personal information stored in their profile and more importantly, the victim’s contact lists.

The bigger point about this is that any kind of password may be enough for the phisher. WIth Yahoo! the successful phisher may be able to get quite a lot of personal data for a future social engineering attack, and may even be able to access payment details such as addresses from within the profile. A phisher could also access the user’s Paypal account, redirect shipments, learn about the user’s investments, impersonate the user in auctions, etc etc. I’m not sure whether the phisher could access credit card details, but it’s feasible, I guess.

A New Phish?

Not sure if this is new but I’ve not seen it before: A clever new piece of social engineering in a phishing email.

You have added phoneseller@yahoo.com as a new email address for your PayPal account.

If you did not authorize this change or if you need assistance with your account, please contact PayPal customer service at:

https://www.paypal.com/row/wf/f=ap_email

Thank you for using PayPal! The PayPal Team

Please do not reply to this e-mail. Mail sent to this address cannot be answered. For assistance, log in to your PayPal account and choose the “Help” link in the header of any page.

Of course, viewed in plain txt the address is not PayPal at all, but some Czech corner of the dark web, but the idea that someone may have gotten into your PayPal account and added or changed your email address might just be enough to get you to click on the link without scrutinizing it too carefully.

Closing The Door After The Phish Has Bolted

MasterCard, one of several banks discovered to have flaws on their websites that would have allowed a phisher to capture passwords, says it has fixed the problem.

American Banker Online reported (subscription required) last week that MasterCard International “has confirmed finding and fixing a flaw on its web site’s ‘Find A Card’ tool that could have facilitated a phishing scam”. The flaw had been discovered by British programmer Sam Greenhalgh and published on his web site on June 28. Greenhalgh lists in a sidebar those web sites that have been fixed or the flawed code removed. It’s not yet over: He says that PayPal and several sub-domains of Microsoft.com “remain susceptible”.

Besides the failure of some web sites to tackle the problem, a few other things worry me. 

  • Why did it take MasterCard three weeks to remove the flawed code? American Banker reports that the tool was removed on July 20. As Greenhalgh writes it’s probably a case of closing the door after the horse has bolted. (American Banker quotes MasterCard as saying that “It does not believe that any scams were attempted”.)
  • Why is no mention made of the flaw or the fix in MasterCard’s own ‘newsroom’? There are two releases trumpeting MasterCard’s own ‘fight on phishers’ but nothing of its own vulnerabilities.
  • How many more vulnerabilities are out there? Did Greenhalgh’s discovery trigger a serious audit of all code on such websites, or did they just plug the holes he had found?

Anyway, plaudits should be offered to Greenhalgh (so far I’ve not seen any from the banking fraternity, but I could be wrong) for his work and others encouraged to hunt for more leaks. Such folk are not troublemakers looking for nits to pick. They perform a very useful service. Phishing has shown that all this is no longer just theory, if it ever was. Every one of these vulnerabilities will be found and exploited if the good guys don’t get there first.

How To Make A Phish Look Real

Here’s an interesting — and troubling — variation on the phishing scam: Using country-specific domain name to make a phishing link look real.

The problem for phishers has always been to conceal the fact that the link victims are asked to click on takes them to a website address that looks dodgy — either the URL clearly does not belong to the company the phishing email claims to be from, or the link has to so heavily disguised in the email the victim doesn’t get suspicious. Phishers have tried registering real sounding domain names (www.securepayeee.com, or somesuch) to get around this, but it’s not easy to come up with names that aren’t taken, and nowadays unless the name has paypal or ebay or citibank somewhere in the URL, victims are not going to be fooled. Hence this new twist:

The phishing email in question is the same as any another PayPal phish – “We recently reviewed your account, and suspect that your PayPal account may  have been accessed by an unauthorized third party.” But the link victims are expected to click on, visible as https://www.paypal.com/cgi-bin/webscr?cmd=_fraud-check&limited_access=1086452724=”/A”> resolves to www.paypal.de.com , which looks credible as a legitimate PayPal website in Germany.

De.com is actually owned by CentralNic Ltd, a private London Based domain name registry, which also own US.COM, EU.COM, UK.COM, CN.COM, RU.COM, and twelve others that “represent the worlds most populated countries.” According to eNom, Inc, one of the Internet’s accredited registrars which issued the country specific domains, ”there are no restrictions or rules when registering these domains, unlike other domains which require you to be a citizen of the country in order to make a purchase.”

In other words, easy pickings for phishers. And of course, this means that anti-phish devices such as SpoofStick, which look at the underlying domain name to gauge whether a website is fraudulent or not, are not going to be much help here because they would only show the domain to be de.com, which doesn’t sound phishy enough to deter anyone but the most alert user.

My tupennies’ worth: Domain registrars must take on some of the responsibility for these registrations. It’s not acceptable to just let anyone register a paypal domain and say it’s not your business. Secondly, anti-phishing devices must make clear they can’t guard against every phishing attack.

Double Checking A Phishing Scam

Sometimes the usual checks to see whether an email is a phishing scam or not don’t work.

Here’s an example. This morning I received a quite credible looking PayPal email. Of course it had all the hallmarks of a phishing scam too, but then again I’ve received some genuine emails I thought were phishers, so you can never be 100% sure.

The best test — viewing the email in non-HTML format, so the links show up for what they really are — didn’t work particularly well this time: The URL was http://www.updatesecuritycheck.com, which doesn’t sound like PayPal, but then sounds official enough to possibly lure some folk.

So I checked the registrant of the website in question, usually a surefire way to know whether it’s dodgy. It was under the name of someone in the UK, with an address and telephone number that all looked kosher (right postcode, all that sort of thing). Hard to imagine that someone in the wilds of Devon would be administering PayPal accounts, but who knows? If the website was fraudulent, the thinking goes, why would someone go to such trouble to register a full name and address?

So I checked to see whether the person existed. He does. I contacted him, not via the email address given, but by hunting down a working email address via Google. Needless to say he’s not part of the scam and is suitably outraged that his name has been used. (Of course all this raises the possibility he has become the victim of broader ID and financial theft.) The page on the scam site itself no longer exists, as far as I can see, but the home page is a boilerplate PayPal copy.

The lesson: Sometimes it’s not enough to check whether the URL looks and feels kosher. Neither it is sufficient to see whether the website itself has been registered by someone who looks kosher. Clearly scammers are going to greater lengths to register proper sounding website names, and to register them under real names and addresses — which they’ve probably found in phone books and on the Internet.

Two Ways To Fight Fraud

Here are some tools to help folk worried by all this identity theft/fraud/phishing thang.

Protecteer LLC has today released SignupShield 2.0, an add-on for Microsoft’s Internet Explorer that, among other things “automatically creates a hard to guess password and a disposable email address, each time a user signs-up with a new Web site”.

It then automatically “fills up up sign-up forms, saves and tracks usage or change of passwords. When a user needs to provide sign-in credentials to a site, SignupShield does it automatically.” With the disposable email address that it automatically uses, “users can easily block any misbehaving sources of emails. Shielding is 100%, no false positives.” SignupShield is available for $29.95. A free, limited version is offered as well.

Then there’s Cloudmark’s Anti-Fraud, also out today, “the first free fraud prevention service for email users available today”. Cloudmark’s SpamNet uses real-time feedback from users, which has, the company says, “protected the SpamNet community from all email threats — viruses, worms, spam and even the most devious fraud messages — since the product was launched”. Cloudmark also uses a Rating program, an “email reputation system that fingerprints those messages sent by legitimate businesses and matches them at the end-user level, correctly allowing them through every time”. Taken together, the company says, the two “rebuild trust between companies and consumers, ensuring that the email from PayPal waiting for you in your inbox was positively sent by PayPal, Inc.

New users can download SpamNet for Outlook or Outlook Express and get free anti-spam and anti-fraud service for 30 days here. After the trial, the regular price is $4 per month, or $40 per year.

I’ll level with you: I haven’t tried either, but I plan to.