Good News: You Can Now Withdraw PayPal Funds to Philippine Bank Accounts
Tuesday
Jan 29, 2008
This is perhaps the best news I’ve seen lately. I got an email from PayPal saying Philippine users can now withdraw PayPal funds into our local bank accounts.
New! Withdraw Your Funds to Your Philippine Bank Account
Now you can add your Philippine bank account to your PayPal account, so you can withdraw your money directly to your bank. It saves you time and gives you faster access to your PayPal funds!
Plus, there is no charge to withdrawal amounts over PHP 7000*. So go ahead and add your bank account today!
Withdrawals of less than PhP 7,000 are only charged PhP 50. How great is that?
For more information, head on to the Philippine PayPal withdrawal page. A list of supported banks is here.
I think I’ll link up my PayPal account to those banks which have online access, so I can monitor how quickly funds are transferred.
J. Angelo Racoma is a technology journalist and blogger. See more of his blog posts here at racoma.com.ph, commentaries at racoma.net, and Twitter feed at @jangelo.
Vulnerability in Xoom’s Password Retrieval Procedure?
Monday
Oct 23, 2006
After reading my post about online payment systems “not being as easy to implement as we think,”:http://racoma.com.ph/archives/electronic-payments-in-the-philippines-it-may-not-be-as-simple-as-we-think/ Marhgil earlier emailed me about how he discovered “Xoom”:http://www.xoom.com accounts are potentially vulnerable to cracking. He “details in his blog”:http://kaluskoskuskos.com/marhgil/technology/xoom-accounts-easy-target-for-hackers/ how a user’s password can easily be changed if a malicious hacker (or “cracker” in this case) correctly figures out three things: the user’s email address, bank account number and ZIP code.
Not really easy, but can be done
I tried it out myself, and it was so shockingly simple. Of course, you would need to correctly input the email account that a person uses for Xoom, and since people usually give out their email and IM addresses on their blogs or email/forum signatures, it won’t be too difficult to guess. Xoom makes it even easier by helping you out. The system even tells you when you’ve guessed incorrectly!
Bank account numbers aren’t as easily guessed, however. But with a bit of social engineering or stalking, you can easily figure out a person’s bank account details. For instance, some ATMs print receipts with the full bank account included. Or perhaps you can call or email a potential victim posing as a bank employee (don’t get any ideas here).
ZIP codes might not be readily available, but you can check out any zoning references (available online), and if you know where a person lives, you can easily guess his ZIP code.
The point here is that a combination of an email address and bank account number is difficult to correctly guess. But it’s not impossible to do so. And to the determined thief, any effort exerted would be worth it, if only to get into the e-wallet of an individual.
Level of risk
You have to consider the level of risk and the vulnerability here. What exactly does access to another person’s Xoom account entail? Xoom doesn’t serve as an e-wallet like PayPal does (you cannot load it up with funds, like PayPal). However, if you have already registered a credit or debit card on your profile, then the cracker can use your Xoom account to transfer funds to his own account (by using the _Send Money_ feature) or pay for merchandise online.
How to mitigate this risk / A simple change of procedure
Marhgil suggests you change your ZIP code to a different value to make it difficult for a potential attacker to reach the _change password_ screen. This is only a stop-gap measure, though. Xoom should make its password retrieval procedure more secure by either sending the retrieval link to the user via email or requiring another form of verification, such as via SMS.
The fact that Xoom directly allows you to change your password once the correct details are keyed in adds to the risk. Perhaps if Xoom emails the user a link to a password-reset form, the system would be more secure. It’s easy enough to acquire an email address, but it’s not as easy to enter a user’s inbox.
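The emailed reset link suggested above, sketched in Python as an added example (not from the original post and not Xoom's code). The ResetService class, its method names, the 15-minute lifetime and the sample addresses are assumptions made for illustration; the reply is identical for known and unknown addresses, so the form no longer tells you when you've guessed an email incorrectly.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds a reset link stays valid (assumed policy)
GENERIC_REPLY = "If that address has an account, a reset link has been sent."

def hash_password(password):
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class ResetService:
    """Hypothetical flow: proof of inbox access replaces email + account no. + ZIP."""

    def __init__(self, accounts, now=time.time):
        self.accounts = accounts  # email -> (salt, password hash), constructed sample
        self.pending = {}         # sha256(token) -> (email, expiry time)
        self.outbox = []          # stands in for the mail system
        self.now = now

    def request_reset(self, email):
        # Same reply whether or not the address is registered, so the form
        # cannot be used to confirm which emails have accounts.
        if email in self.accounts:
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.pending[digest] = (email, self.now() + TOKEN_TTL)
            self.outbox.append((email, token))  # the token travels only by email
        return GENERIC_REPLY

    def redeem(self, token, new_password):
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # pop makes the link single-use
        if entry is None or self.now() > entry[1]:
            return False
        self.accounts[entry[0]] = hash_password(new_password)
        return True

def demo():
    svc = ResetService({"user@example.com": hash_password("old")})
    known = svc.request_reset("user@example.com")
    unknown = svc.request_reset("nobody@example.com")
    _, token = svc.outbox[0]
    first = svc.redeem(token, "new-password")
    replay = svc.redeem(token, "another")  # the same link used a second time
    guess = svc.redeem("account-number-and-zip", "x")  # facts are not a token
    return known == unknown, len(svc.outbox), first, replay, guess
```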
Around the blogosphere
As of this posting, here’s what other people think about this issue:
* “Yugatech”:http://www.yugatech.com/blog/?p=1282
* “Techno Pinoy”:http://www.technopinoy.com/?p=233
* “PinoyTechBlog”:http://www.pinoytechblog.com/archives/does-your-bank-mask-your-account-number
Electronic Payments in the Philippines – It May Not Be As Simple As We Think
Wednesday
Oct 18, 2006
One of the benefits of blogging for advocacy is the attention one gets from the movers and shakers. My being part of the PayPal for the Philippines campaign has caught the attention of execs in the electronic payments industry, as well as business owners who are into e-commerce (either planning to start selling online, or already have ongoing e-commerce setups). In fact, whenever I attend EBs and blogger get-togethers I’m usually referred to as the PayPal guy. It’s good to be identified with something.
I had dinner–and a few beers–with the top honchos of YES Payments last night to discuss the possibility of their offering P2P e-payment facilities in the country. This is my second meeting with them, so far, and it was great that we were able to exchange ideas freely. I related the needs of the freelance/problogger/developer community in the country, and they told us about the issues that e-payment providers continually face in the line of their doing business.
It’s All About Risk!
The foremost concerns of any business doing e-payments are security and fraud. When money is involved, there is always the chance of one party defrauding another party, or one party defrauding the system itself. So there is always risk. And the issue is determining which party bears the risk, for the system to work. In some cases, it’s the seller that bears the risk. In some, it’s the operator of the e-payment facility.
Fraud can be perpetrated a number of ways.
* Buyer uses stolen card/card details. Card owner disputes. Chargeback is paid (paid back by seller). If the seller has already sent the goods, it’s his loss.
* Seller does not send the goods or goes under. Card owner disputes. Chargeback is paid by the facility. It’s the facility’s loss.
* Buyer uses legitimate card to pay for transaction. Seller sends the goods. Buyer receives the goods, but claims otherwise. Buyer files a dispute. Seller pays chargeback thru the facility. It’s the seller’s loss.
There are even more ways–don’t get any ideas from me! The point is that there are loopholes that can be exploited. So the system has to consider the trust factor.
For the most part, dealing with the risk is a big headache to the e-payment facility because of regulatory requirements. I never realized that the banking system asks so much of these companies–there are big guarantees, there are limitations, and there are requirements for compliance with several laws, both local and international. And even the card companies like Mastercard and Visa require a lot, such as security of transactions, regular auditing and subscription costs–something in the range of $15,000 per year (or is it monthly?), which, while affordable to big companies, can be a steep amount for small players.
Social Engineering
On top of these risks, there is one difficulty faced by e-payment businesses particularly in countries like the Philippines without a strong judicial system. Fraud is not so difficult to detect. YES cites cases where fraudulent transactions were flagged, but allowed to push through so the perpetrators can be caught in the act. The problem is once the criminals were caught, the inefficient and corrupt judicial system was not capable of warranting adequate punishment.
Hence, perpetrators can expect to be let go with just a slap on the wrist. I can also imagine cases where either the judges or the police personnel could be bribed.
We come back to the issue of risk. E-payment facilities may not be so keen on setting up shop here because they know the risk of fraud is high. Even worse, the risk of fraud not being properly addressed by the law is an even bigger threat. Fraud can be minimized if the legal system is good enough to be a deterrent to people planning to commit crime. But if one knows the system can be gamed, then people will lie, cheat and steal their way to getting a fast buck.
A Problem of Circularity
So which came first? The chicken or the egg? (Sorry for using a cliché–it sucks, I know.)
I earlier made a bold claim that having good e-payment facilities here in the country–particularly PayPal–would be beneficial to the Philippine economy. However, it turns out that most players (probably PayPal included) would only be open to servicing the country if they can mitigate or minimize the risks of fraud.
Perhaps for large players like PayPal it’s a bit easier. For small players, it could be a challenge.
Facilities for SMEs and Individuals
YES is considering opening a facility for P2P transactions for the purpose of business and commerce. While they don’t have such a system in place right now, they do have YES Payments for SMEs and YES Pinoy for remittance. None of these services can be used by individuals like myself for receiving payments for goods or services rendered, though. YES Payments works for businesses (well, this does not preclude individuals or groups of individuals from registering as a business). YES Pinoy, meanwhile, works for P2P transactions between people with existing relationships–you have to prove you’re related to the person sending money, whether he/she is a family member, relative or friend.
I had been mentioning existing services that could do P2P, like Xoom, which fellow problogger Abe has been recommending, and which I’ve also been using. YES is positioning itself as a strong player in the country because of its presence and support. They actually do have an office here, and they do accept support calls. I think that’s an advantage. I actually tried calling Xoom support once thru their 1-800 number, but since they’re based in California, their office hours are quite off when calling from the Philippines.
What’s Next
If–and once–YES gets their planned P2P service up and running anytime soon, would there be people willing to be part of a test group? Just tell me, so we can make the necessary arrangements.
As for PayPal for the Philippines, it’s a continuing advocacy. PayPal may have already set up here, but it’s still very limited. We can only use the service to pay or send money online, and not receive (not even to load up the account). We’re still pushing for full functionality. If you have not yet signed up, please do so. We would also appreciate any support (such as linking to us and/or displaying our banners).
PayPal Now Available in the Philippines
Thursday
Oct 12, 2006
Check out my post on the “PayPal for the Philippines blog.”:http://www.paypalnow.com.ph/blog/archives/paypal-now-available-in-the-philippines/
PayPal has included the Philippines in its limited-functionality list. This means you can now register for an account and use it to pay online. That’s it. We still cannot do the following:
# Receive money
# Load up the account thru credit card
# Withdraw money into a bank account
It’s a good development, but not good enough. Pinoys can now buy and pay for stuff online. But we cannot receive funds from other PayPal (and credit card) users here and abroad, which is, I think, what we need more. We’re still hoping (and lobbying) for full-fledged PayPal functionalities.