Greetings,

A few years ago, I had connected my PayPal account with Digital Point and within weeks of doing this, I had unauthorized purchases using my debit card. I had to replace the card a couple of times and this continued happening a few more times until I broke the Digital Point and PayPal account link as a precaution and haven't had a problem for about 4-5 years.

Fast forward: Only 2 months ago, I listed another website for sale and was required to link my PayPal account with Digital Point. For some reason, DP wanted access to TONS of information in my PayPal account instead of a simple email address to send funds to.

Today, I had an unauthorized debit purchase that emptied my entire PayPal account and part of my bank account ($500+) - and I suspect this has something to do with Digital Point or some kind of security breach in the site.

I highly recommend looking a bit deeper into this as I almost never link my PayPal account (Digital Point is currently the only linked account), and rarely use my debit card. It's HIGHLY coincidental that all of my unauthorized purchases seemingly happen when my PayPal account is connected with Digital Point.

Thank you

------------------------------------------------------------------------

Here are the odd and invasive permissions Digital Point wants when you link a PayPal account, the most suspicious one:

Authorize and capture your PayPal transactions... Authorize PayPal transactions on your behalf

The rest: Here is what Digital Point requests when you link your PayPal account:

Granted Permissions

For more information about the permissions you are viewing, see

Use Express Checkout to process payments. This permission enables Digital Point Solutions to take the following actions:
- Grant permission for PayPal Express Checkout which enables you to receive payments from buyers.
- Obtain your Pal ID (PayPal assigned identification number) and location of your merchant account.

Issue a refund for a specific transaction. This permission enables Digital Point Solutions to issue a refund to a buyer for PayPal, debit, and credit card transaction.

Authorize and capture your PayPal transactions. This permission enables Digital Point Solutions to take the following actions on your behalf:
- Authorize PayPal transactions on your behalf
- Capture previously authorized transactions
- Extend the authorizations period for any PayPal transactions received by you
- Void PayPal transaction authorizations

Obtain your PayPal account balance. This permission enables Digital Point Solutions to display your available balance for each of the currencies you hold in your PayPal account.

Obtain information about a single transaction. This permission enables Digital Point Solutions to access and retrieve information about a single transaction between you and a buyer, including:
- date
- amount
- status
- email address
- phone number
- shipping address

Search your transactions for items that match specific criteria and display the results. This permission enables Digital Point Solutions to search your transaction history for the following specific criteria and display the results:
- a consumer's email address
- a date, or range of dates
- transaction status
- transaction amount
- an invoice number

Access your PayPal contact information.
None of the access DP needs can be used to MAKE a withdrawal from your account. Nor does it contain anything giving others access to your account. Besides, all of what DP requests are part of the PayPal API, so any breaches would most likely be on their part. That being said, are you using the same email / password combo on PayPal that you do on ANY other sites?
As mentioned there are no API functions that allow withdrawing funds even if we wanted to. The worst someone could do is put funds *into* your PayPal account. There is also never a point where we know your PayPal password (nor is it ever transmitted to us even temporarily). Authentication is intentionally handled via OAuth2 for that purpose with permissions that never allow any sort of withdrawals. So if a security breach on this end happened (which it didn't), the worst the hackers could do is give you money.
I have had my PayPal debit card used by a hacker a few times. Each time it was traced back to either a card skimmer in a physical location or a data breach at a place I used my PayPal "debit card". Think back where you have used the debit card and do searches on the place to see if you find any data breach news stories.
To get a better understanding of what each permission does, you can find it broken down in the API documentation here: https://developer.paypal.com/docs/classic/permissions-service/integration-guide/PermissionsAbout/

And specifically the AUTH_CAPTURE set of methods is what I think you were concerned with. It basically allows a transaction to be set up where the person paying you authorizes up to a certain amount to be paid to you, but the capture part (settling the money into your account) is done at a later date. Info on that here: https://developer.paypal.com/docs/classic/admin/auth-capture/

It doesn't allow authorizing or "capturing" money *from* your account if that's what you were thinking.

The auth/capture permission is used within Digital Point Ads where if you were a publisher selling ad space that was on a monthly bid basis, the bidders have to pre-authorize their bid amount and then when the bidding time has ended, the system will void all the pre-authorizations for the losing bids and capture the winning bid's pre-authorization (which puts the money into your account if you were the site selling the ad space). Just in case you were wondering where on the site that permission would even be used.
It's f*cking not even safe to shop at your large chain stores anymore. My wife just saw a small charge on her credit card that she didn't make. She called and found out that someone keyed in her cc number in another state. More likely than not your debit card # got stolen at some physical location (did you take your BF, GF to a restaurant recently and pay with your DC?).
Thanks for the clarification, much appreciated. I never thought DP itself was responsible, I wasn't sure if an outsider could hack DP and breach the PayPal data, considering the number of hackers who very likely hang out here on a coding site and probably also attempt to "play around" with the DP site. I'm pretty certain my card wasn't physically skimmed as I never use it offline. I only use it a handful of times online at major places like Steam, Dreamhost, Amazon and Wal-Mart - not very often at all, so it got stolen somewhere online. I have a new card coming, hopefully PayPal gets the money back considering the SOB stole everything in my PayPal account - although I have to wait for the transaction to become "Complete" before they look into anything...