71 Comments
  1. Flawed Logic

    In WHAT world does routing your traffic through a 3rd party’s internet connection make the traffic MORE secure than if it had originated from your own network? Your VPN does not make your connection more secure. In fact, it makes it less secure. Why do you think your VPN is more secure than your own connection?

    I’m sure you were terminated because it looks like fraud. We get fraudulent activity all the time coming from VPN services, which is why my company won’t accept any signups that come through a VPN. This is a basic anti-fraud measure and anybody NOT checking this is being negligent.


    • Hi Flawed logic.
      Yes, you do have flawed logic.

      The use of OpenVPN prevents man in the middle hacking attacks. OpenVPN was designed to operate in Russia and China, and prevent state surveillance.

      So now, that I have uber security… and blocks against eavesdropping and MITM, and SSL and AES 256 encryption via an EFF sponsor, who runs a VPN… it’s a breach of Paypals terms and conditions? Who are paypal to decide my security settings?

      My accounts and transactions have never been so secure.
      If it’s the VPN, tight security or Paypal, Paypal have to be canned.


      • foljs

        “Who are paypal to decide my security settings?”

        They don’t decide your “security settings”.

        They just decide what methods they find acceptable for login into their services.

        You can still use VPN or whatever other security measure outside PayPal.

        As for the “security reason”, not all security is tied to attacks and hacking.

        In this case they refer to security against fraud. One such example is regional restrictions. PayPal doesn’t want people using VPN to make it look like he is connecting from another country than he actually is (which is one possibility a VPN offers). They also want to be able to log your actual desktop IP (NAT would be tolerated in this case, a VPN service no).

        And why do they do that? Because they know that people do those kinds of frauds all the time, using VPNs and/or tunneling. And because they have tons of contracts with local governments and tax authorities that cover stuff from regional taxes, to them being able to provide your IP and transactions, to liabilities, etc.


      • Hi Foljs

        I accept your argument. This is a “not security” reason.
        If they prevented you buying stuff from an Open wifi – that would be “security”. However, if you’re on an unencrypted wifi access point then that’s fine.

        Paypal’s argument is that you must work from a “LOW SECURITY” system…
        It’s an Orwellian argument.

        If they bothered to ask – was that you? Are you on a VPN… then they’d know, the IP is me.
        No discussion – just terminate the account.


      • YouEEEeeediot

        Your connection is only secure TO/FROM your VPN provider and YOU. The connection that the VPN provider makes on your behalf from THEIR network to the rest of the internet is most certainly NOT encrypted and can easily be subject to man-in-the-middle attacks or worse.

        Your security is in fact no more or less secure by using your VPN tunnel, which brings out the true purpose for VPN – to bypass geolocation restrictions or to protect your true identity. The fact that PayPal has made a business decision (due to fraud concerns) to block VPN users is entirely their decision to make. You can make the decision not to use their service, as that is your choice. They owe you nothing.


      • Paypal’s business decision could involve talking to their customers. That’s that wonderful concept called “customer service”.
        Banks call their clients… and ask was this you?
        If they’re that worried.. they could have elected to speak to me.
        Then they would have found out that I’m on a VPN.
        So the VPN’s providers IP’s would flag up. And yes, that’s probably me. That’s what customer service is about.

        I need to work on VPN’s and understand them – as that’s in effect my job… but I can’t study or work on VPN’s because Paypal say so.
        Without speaking to the customer, that’s what happens.


      • A VPN only prevents man-in-the-middle attacks between you and your VPN server. Your VPN still sends out your request unencrypted to the end recipient, in this case, it’s PayPal.

        Only HTTPS/SSL provides full encryption between the end user (you) and the service provider (PayPal) in your use case.


      • Hi SL,

        Sorry to break it to you, but SSL is broken, and has been for some time.
        It is not secure. They are investigating ways to make it more secure.
        http://www.theregister.co.uk/2011/04/11/state_of_ssl_analysis/


      • Jaxin

        I am confused… perhaps you can clarify, but here’s what I know… VPN gives you a very secure tunnel between Point A (VPN client) and Point B (VPN server). This can be amazingly secure if you want to do something like connect to your home network from Starbucks to access some files, or just surf the web (from the website’s point of view, all traffic will originate from your home network, not Starbucks, and even unencrypted web traffic cannot be intercepted from individuals at Starbucks). A side effect of doing this is that the web site, such as Paypal, has no way of knowing you’re in a VPN. All it will see is the externally facing IP address (ie your router’s IP). So with that said, and taking into consideration you can’t have a VPN connection with Paypal, as they aren’t running a VPN server, I guess I’m wondering what VPN server you are using, whether it’s yours (at home) or a public one…

        Now, if you are saying that you’re connecting to a public openVPN server, that is not secure in any sense of the word. You would gain some anonymity by using a public openVPN server, but you give up security, and in fact set yourself up for an immediate MITM (who truly knows what the public server has going on, could be running fun stuff like sslstrip and logging everywhere you go). This setup can be detected by sites like Paypal, as all your traffic will originate from this known openVPN server. If this is the setup you have going on, Paypal did you a favor by terminating your account.

        So please clarify, I look forward to understanding what actually happened, and learning something new if there’s something I missed.


      • Hi Jaxin,

        Look up the awesome OpenVPN – bypasses Chinese and Russian state surveillance.

        My VPN provider are IVPN.net – who are sponsors of EFF – and one of the most secure in the business, if not THE most secure.
        http://www.ivpn.net

        Paypal most certainly would not have done me a favour by forcing me to use open or low security systems.
        The highest security on the planet is the way to go.
        and ditch Paypal.


      • Even if SSL is broken (which it is not) as you have suggested, your OpenVPN server is still communicating with PayPal’s server over SSL.

        As I’ve pointed out earlier, your OpenVPN server will have to decrypt the payload received from your browser before sending it to PayPal’s server.


      • SSL is broken – where PKI is involved. Even the German govt have admitted that SSL is broken.
        If you’re using public structures – you’re likely to be in major trouble.
        https://mocana.com/blog/2013/03/07/new-java-security-undone-by-stolen-certificate/

        OpenVPN uses a PKI for the server and client only – so not trusting the world and his dog.

        Use of the Private key verifies it’s me to the VPN provider.
        Overview

        The first step in building an OpenVPN 2.0 configuration is to establish a PKI (public key infrastructure). The PKI consists of:

        a separate certificate (also known as a public key) and private key for the server and each client, and
        a master Certificate Authority (CA) certificate and key which is used to sign each of the server and client certificates.

        OpenVPN supports bidirectional authentication based on certificates, meaning that the client must authenticate the server certificate and the server must authenticate the client certificate before mutual trust is established.

        Both server and client will authenticate the other by first verifying that the presented certificate was signed by the master certificate authority (CA), and then by testing information in the now-authenticated certificate header, such as the certificate common name or certificate type (client or server).

        This security model has a number of desirable features from the VPN perspective:

        The server only needs its own certificate/key — it doesn’t need to know the individual certificates of every client which might possibly connect to it.
        The server will only accept clients whose certificates were signed by the master CA certificate (which we will generate below). And because the server can perform this signature verification without needing access to the CA private key itself, it is possible for the CA key (the most sensitive key in the entire PKI) to reside on a completely different machine, even one without a network connection.


      • Your explanation of asymmetric encryption used by VPN is pointless!

        Because……, your VPN will decrypt the payload originated from your browser before sending it to PayPal’s server. Therefore, you are still using SSL for communication between VPN and PayPal.


      • Yes, but whose IP is the data coming in on? The VPN’s IP – not mine.
        So neither my ISP, nor any local eavesdroppers can intercept my comms with Paypal – as it’s encrypted (to the VPN provider), WHO TAKE OVER. My local connections are secured. They secure the data between me and their VPN’s. So local security is a given. I am secure, from my own ISP, eavesdroppers, interception etc.
        I use a private key between my connection and the VPN server.
        My private key is used in all OpenVPN comms.

        Yes, the VPN can see your real IP, and the actual data – but they’ve blocked out your ISP. Which is the next major point… those connection, server or traffic logs.

        Part 2 – Server log Deletion.
        The connection logs are then deleted after 10 minutes – that’s where IVPN come in… they delete server logs every 10 minutes. The job of the VPN provider, should be getting rid of server logs as a top priority. Let’s hope the EU regulates “the Right to be forgotten” as that’s critical that society gets this right of deletion against Big Data.

        Part 3 – Browser Security. OpenVPN does not use Browser security.
        SSL encryption can be undermined by a fake Certificate Authority:
        Just as phone companies and email providers can be forced to assist governments in their surveillance efforts, so too can SSL certificate authorities. The compelled certificate creation attack is thus one in which a government agency requires a domestic certificate authority to provide it with false SSL certificates for use in surveillance (Soghoian and Stamm, 2010).

        You can’t afford to use browser based SSL security – regardless of how secure it may be sold to you.
        State actors can order a fake certificate be issued to bypass encryption. Alexander Sotirov et al were able to create a fake certification authority (CA) certificate that was trusted by web browsers.

        So you don’t trust centralised PKI – it’s just PKI between you and the VPN server. No one else is invited to this party.


      • The connection between your VPN and PayPal is over SSL. Your beloved VPN cannot provide any encryption over this leg of the network traffic. I am sorry for you, but it is true.


      • OpenVPN do not use Browser based security.
        There is a master key, that is injected.
        It’s NOT a browser based system.

        It operates on Layer 2 or Layer 3.
        Read the OpenVPN manual – it’s far more interesting.


    • illmortalized

      @Flawed Logic

      You’re one dumb mother fucker. Do you realize that? VPNs make you less secure? Please get off the internet and kill your computer, you idiot.


      • lol Illmortalized,
        I couldn’t agree more. It’s amazing how people consider VPN’s as weaker security.
        How can AES 256 make you LESS secure than your passwords being in plaintext on an Open Wifi? If you’re using an Open Wifi in a hotel or Starbucks, you’re at extreme risk.. but this seems to be okay. As long as you don’t use a VPN.

        Some people should have L plates, for their laptops.
        Thanks for your comment – it’s so good to have someone knowledgeable around. 🙂


  2. This is all about Free Speech. After all the gov’t (and their corporate cronies) censor the media and ban books like “America Deceived II”.
    Last link of “America Deceived II” before it is completely censored:

    **Edit**
    Big photo there mate…
    Look on amazon for his book…. /America-Deceived-II-Possession-interrogation/dp/1450257437


    • Hi Nick,

      If I had low security settings, they’d have an argument.
      But with AES256 encryption? That’s not an argument.

      I know Paypal are getting a reputation, but “oh, your security is too high…”, you have to become unsecured again to reactivate your account. It’s a bit daft really, especially as they have to foot the bill for insurance risks and fraud. You’d think they’d be delighted, that I’m operating in their best interests, with high security.

      Something odd is afoot, I’ll agree with you there. All they had to confirm, is “was that you?”. I’d say yes, and that’s it. No, they have to terminate the account. It’s against their terms and conditions.
      What a load of old cobblers as an excuse that is. If they had any concerns, they could ask the bank, they even have my phone number. When I called them, they can verify me by phone.. but they can’t be bothered to make a polite phone call and check before terminating my account. So I’m not allowed a VPN.
      Paypal say so.

      If that’s not good old abuse of power, I don’t know what is.


  3. jimmy

    the new scam about ebay and paypal, is this, when someone buys a product off ebay and you deliver it to the customer , the customer will get very disappointed about said product, then he will bitch to you about product, after that the customer will wait, and then file a complaint with his credit card, and the credit card will give the money back to the customer and also the product you sold is with the customer also, so you lose product and money.

    this scam is now with paypal and ebay, and you think ebay or paypal would listen, NO WAY.


    • Hi jimmy,
      Somehow that news doesn’t surprise me. I’m disgusted by Paypal, their arrogance, and their bullying tactics.
      Their customer service is pants, and without initiative. So I can well imagine that they would treat you in a high handed manner, I can understand what you mean, after that phone call with them today.

      So it’s Amazon all the way then. Hurt Paypal financially. They want to play hardball, that’s fine, but we’re paying their wages.
      Never forget that.
      And I’ve just stopped. 🙂


      • That’s why I only use Ebay and Paypal to buy cheap chinese products 😉

        Amazon FTW


      • I use a secure connection.
        So am Banned from Ebay and Paypal.
        The banning of a Paypal account closes down Ebay by proxy…. so they lose 2 customers.

        That’s their problem – they need to get their act together. The number of complaints against them is staggering… even making prime time TV… which speaks for itself 🙂


  4. Mark

    Something tells me that this is more of a crib and rant rather than some constructive feedback. I run a similar setup and haven’t faced any issues with PayPal.
    Their twitter accounts AskPayPal is highly active and have helped me all the times. Their customer support works, I was overseas on a trip and they fixed my issue.

    If you really have a problem, fix it. Don’t crib.


    • They’ve terminated the account.

      End of.

      I can use a VPN or use Paypal…. that was the choice they gave me.

      So now I buy from Amazon.


      • And now Amazon is interfering with VPN’s. At least for me. Pages hang or time out usually but not always. If I turn off my VPN, Private Internet Access, there is no problem. Enable it and Amazon fucks me.


      • Hi don,
        So far, I’ve not had a problem with Amazon and VPN, but I sincerely hope they don’t go the route of PayPal!
        At the end of the day, we are more secure on private VPN’s than we are on a Hotel or Starbucks Wifi! The security argument just doesn’t hold up. If you’re on an encrypted VPN, your passwords are more secure!


  5. The issue will be about Fraud, and that trumps Civil Rights anytime 🙂

    I imagine that Paypal are not paying the CC Companies for card checking, so therefore they are reducing the risk that entails by not accepting transactions from outside the geographical area of the account holder. It’s highly likely that a VPN will show as a connection from an entirely different country from that in which the Paypal account is registered.


    • No, fraud does not and never will trump civil rights.

      If I wish to use a VPN, then that protects me against fraud, against MITM and against eavesdropping.

      I’m far less likely to suffer fraud on a VPN than on an ISP system or an Open Wifi – neither of which is banned by Paypal.


      • cynix

        PayPal does not give a fuck whether _you_ are protected against fraud or not. They only care about protecting _themselves_ against fraud, which is why they do not allow the use of proxies/VPN services, as these are often used by fraudsters to hide their identities.


      • Hi Cynix,

        VPN’s are also used by those just protecting themselves against fraudsters.
        The issue of identity is a non starter of an argument for paypal – they could verify me by the telephone number used, and they had both my visa card and my bank account details.
        No question of me hiding my id.
        The only thing they haven’t asked for yet is the name of my dentist. I’m expecting them to ask for that next week.


  6. Can we all just agree that no one should use Paypal ever. There are so many better alternatives now for fucks sake!


    • YAY!!

      I totally agree. I’m shocked at Paypal. My account with both Paypal and Ebay was in 100% standing.

      So it’s Amazon all the way.
      Amazon are bringing in their own payment system to rival Paypal, it’s not available in the UK yet, but no doubt there will be queues a mile long to transfer over to Amazon after the way Paypal treats its customers.


  7. While it’s typically heavy-handed of PayPal to suspend your account, I have to wonder about some of your comments. Could you explain exactly how a VPN protects you?

    I’m no expert, but as far as I can see, your VPN provides you with anonymity rather than security. Your PayPal connection is already over SSL with a 2048 public key. I suppose your VPN might mitigate a MITM SSL stripping attack but it would be pretty obvious from your end. And it just moves the attack surface from You PayPal to VPN Provider PayPal.

    Flawed has a point that you’ve introduced a third party into the equation, and while *you* trust them, you’re also asking PayPal to trust them. Considering that the first thing a fraudster is going to do is use a VPN, or bounce through tor, you can see why it might be a pretty huge red flag to PayPal.

    I mean, *I* know that I’m not a robber if I walk into the bank with a balaclava on, but I can understand why they might ask me to remove it.


    • Hi Hamish,

      SSL has been breached and can be breached in a multitude of ways.

      I’m no uber expert, but know enough to know that PKI on which SSL relies, is broken.
      There are news links on here, which relate to all the stolen certificates from Google etc.
      Basically lots of certificates have been stolen. And you don’t get the option to “grade” your trust levels. You trust totally or not at all. A major flaw in the entire PKI system.
      The current system is basically defunct. We know it – but how to change is the question. There are several alternatives being put forward, some by Google, to groans of concern.

      A VPN encrypts my communication with AES 256 and SSL. So even if SSL is breached, it should make no difference.
      Look up the superb OpenVPN for the security backbone in use. If a VPN is really serious about security, they’ll be arm wrestling you onto OpenVPN for your own safety.
      It was designed to work in China and Russia and to thwart state surveillance.
      Most importantly… it works.

      Paypal always allow “open connections”. So if you’re in a coffee shop – do they bounce your connection. “Oh we noticed that you’re on a hotel wifi”… so we’ve terminated your account. Doesn’t happen does it…
      The argument to therefore terminate an account from a highly credible VPN supplier is total nonsense by Paypal.


  8. blakdawg

    I’m not defending Paypal or their policy; but the “security” angle they’re thinking about is likely that they want to see the (apparent) geographic origin of network traffic, and apply different rules to accounts/transactions depending on the (apparent) location of the other endpoint. They want to force users off of VPN’s so that they can say “aha! this user/transaction is sourced in Evil Country X! reject it!”


    • Hi blakdawg,

      I like your argument – it has a ring of truth to it.
      If they terminated open wifi connections – they could argue security. But they’re arguing that the geolocation of the IP is enough for them to terminate the account.
      So yes, your point about the “country” is valid.
      However, if the countries involved are all “awesome democracies” then what is their real argument?
      The UK, Netherlands, US are homes to democracy.
      No evil axis of terror there.


  9. Without taking the time to read the convoluted legal mumbo-jumbo of Paypal’s TOS, what’s their reasoning? If there’s some sort of problem they want to have your actual IP address?

    When both selling and buying on EBay, I haven’t had much “luck” at all when going through both the eBay and Paypal channels. I’ve gotten screwed by buyers AND sellers, and neither of them seemed to give much of a #$@%. I ended up just having to eat the losses, which were NOT insignificant amounts.


    • Hi Geekdrop,

      It appears to be the IP – they are tracking the IP I log on from. If they don’t like it – they terminate your account.
      Use of a VPN is “against their terms and conditions”. But they don’t explicitly tell customers we are tracking your IP. Which is a data protection concern.

      There was no problem, both the Paypal and Ebay accounts are clean, with 100% reviews etc.
      But my account has been terminated, and I’m officially joining you, as the “Paypal are pants” brigade.


  10. Tim

    Other sites want your money. PayPal is trying to protect others against fraud, and will turn away your money to protect their customers.

    Take your money elsewhere if you don’t like their policy.


    • Hi Tim,

      Totally agree with you.
      Amazon cash systems look a good solution – can’t wait for them to be introduced in the UK.


  11. David

    I think it has more to do with knowing your “real” IP address to prevent fraud. My bank will ask me all of my security questions for example when I use my VPN service, because it expects my IP to be my home ISP location. So this is normal business practice and frankly I am glad that they do it. If I want to bank or use Paypal I simply turn off my VPN temporarily.


    • All they had to do was ask… “do you use a VPN, and if so, which one”.
      Most VPN’s have a range of IP’s.. so that’s as good as knowing your home IP.

      Data tracking of users in this manner, and terminating their accounts is dangerous practice.
      They need to talk to the customer… is this fraud, or a highly secure system. If they knew the VPN was in use, then they’d know it was me.

      This really needs to be referred to the UK’s ICO and the EU Data protection team, “Article 29”. No-one should be tracking your IP in this manner. It’s a breach of privacy, and if they claim risk and fraud, then a VPN is good practice. So they can’t even throw the fraud card at me. A VPN is in their best interests.


      • Yea I don’t think PayPal will even lift a single finger just for your and frankly a very small minority’s problem. Why don’t you start a lawsuit, it might make them think this through.


      • The BBC’s Watchdog programme did an official televised complaint into Paypal’s behaviour. Thousands sent in complaints regarding Paypal.. so I added mine to the official payroll.

        The BBC has the kudos and statute to make Paypal listen, whereas they ignore their customers. The ignoring of their customers and their arbitrary decisions were all very clear from the BBC’s programme… so I just wrote in and added my situation to the complaint list. Every little complaint matters (except to Paypal). They simply haven’t got the first clue regarding customer service.


  12. Very probably their fraud-detection algorithm relies in part on noting users’ IP addresses. If your VPN routed your remote connection through your office or your home (as mine does), it’s highly unlikely they could have detected it. But if your traffic is coming from the same commercial VPN host that thousands of others are… well, potentially problematic. There’s no way of telling whether a transaction on your account over a commercial VPN is perhaps originating from China or Ukraine and likely fraudulent. Same goes for transactions occurring over Tor.

    It’s not your security they’re worried about, it’s theirs.

    Communicating through a VPN does not add materially to the security of an https connection (though it does cloak your location, which is the problem from PayPal’s standpoint). Of course you likely had more than just your Paypal transaction underway at the time, and the VPN would have secured those against monitoring.

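Added example (not part of any comment in this thread, and not PayPal's actual logic): a sketch of the IP-based login check the comments describe, in which a login from a shared commercial VPN range or from a country that differs from the account's triggers step-up verification ("was that you?") instead of account closure. The address ranges, the country table and the names `Account`, `assess_login` and `confirm_after_step_up` are assumptions constructed for illustration, using RFC 5737 documentation addresses.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample data. RFC 5737 documentation ranges stand in for real
# address blocks; none of these are real VPN, Tor or ISP ranges.
SHARED_EGRESS = {
    "203.0.113.0/24": "commercial VPN (constructed)",
    "198.51.100.0/25": "Tor exit (constructed)",
}
GEO = {  # constructed prefix -> country code
    "192.0.2.0/24": "GB",
    "203.0.113.0/24": "NL",
    "198.51.100.0/24": "US",
}


def _longest_match(table, addr):
    """Return (network, value) for the most specific prefix holding addr."""
    best = None
    for cidr, value in table.items():
        net = ipaddress.ip_network(cidr)
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, value)
    return best


@dataclass
class Account:
    home_country: str
    # Networks the holder has confirmed through step-up verification.
    confirmed_networks: set = field(default_factory=set)


def assess_login(account, source_ip):
    """Return (action, reasons); action is 'allow' or 'step_up'.

    Only the IP signal is modelled. Credentials and any other fraud
    signals are assumed to be checked elsewhere.
    """
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return "step_up", ["unparseable source address"]

    for cidr in account.confirmed_networks:
        net = ipaddress.ip_network(cidr)
        if addr.version == net.version and addr in net:
            return "allow", ["network previously confirmed by account holder"]

    reasons = []
    egress = _longest_match(SHARED_EGRESS, addr)
    if egress:
        reasons.append(f"shared egress range: {egress[1]}")
    geo = _longest_match(GEO, addr)
    if geo is None:
        reasons.append("no geolocation data for source address")
    elif geo[1] != account.home_country:
        reasons.append(f"country mismatch: {geo[1]} vs {account.home_country}")
    return ("step_up" if reasons else "allow"), reasons


def confirm_after_step_up(account, source_ip):
    """Record the network once the holder has passed step-up verification.

    A shared egress range is stored whole, because a VPN user moves between
    addresses inside it. Any other address is stored as a single host.
    """
    addr = ipaddress.ip_address(source_ip)
    egress = _longest_match(SHARED_EGRESS, addr)
    if egress:
        network = egress[0]
    else:
        network = ipaddress.ip_network(f"{addr}/{addr.max_prefixlen}")
    account.confirmed_networks.add(str(network))
    return str(network)


if __name__ == "__main__":
    acct = Account(home_country="GB")
    for ip in ("192.0.2.10", "203.0.113.7"):
        print(ip, assess_login(acct, ip))
    confirm_after_step_up(acct, "203.0.113.7")
    print("203.0.113.99", assess_login(acct, "203.0.113.99"))
```

Confirming a shared range only suppresses the IP signal for that account: every other customer of the same VPN provider exits from the same addresses, so the source IP no longer distinguishes the holder from anyone else on that service.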

    • Hi Scott,
      Yes, a VPN protects against monitoring, data collection, retention, data resale and aggregation.
      It’s the way forward, for any kind of privacy, and becoming essential in the tracking world online.

      Even if it’s privacy for research purposes, a VPN is critical.

      My VPN is a sponsor to the EFF, so unlikely to be well-dodgy. More likely to be honourable – and promote freedom.


  13. noneofyourbusiness

    what’s funny is that the vpn vendor you are recommending (ivpn) only accept paypal :
    “We currently accept only Paypal payments due to the large amount of fraudulent transactions we experienced recently through our alternative payment processors. ”
    Maybe you are a false positive, but it seems to work … you cannot have it both ways …


    • Hiya,

      Already emailed them regarding alternative ways to pay.
      I’m happy to do visa/bank transfer.

      But the VPN stays, Paypal goes.


  14. shev

    it’s ironic that you are so ‘pedantic’ about security, but have a https site that is only partially encrypted.

    btw. i agree paypal sucks.


    • Hi Shev,

      I had to choose between a google blog or non google blog.
      I’m on the non google site. 🙂
      If that answers the question.


  15. I’d have to agree that introducing a third party (the VPN service) wasn’t a good idea from a purely technical standpoint. The way I see it, the VPN might well have weakened your security, depending on how the data was tunneled and the VPN provider’s own security compared with that of PayPal.
    Ideally you should have a secure connection between your computer and the PayPal servers, with nothing in between relaying the traffic (except for the routers, of course). A proxy/VPN becomes important when something else is interfering with or intercepting that connection.

    That said, there is a case for boycotting PayPal, after it played politics by withholding funds for the Wikileaks and Bradley Manning campaigns.

    By the way, the PKI issue is an interesting one. As much as we need it, the system is fragile, not because of the keys themselves, but the fact the certificate system is entirely dependent on trusting certain authorities to verify that server x belongs to organisation y, unless you’re really scrutinising every certificate. Sometimes those certificates are stolen (DigiNotar), and in very rare cases sold to a malicious party (GeoTrust).


  16. Artem

    No one mentioned Bitcoin yet?


    • Yep, it’s coming to that.
      My banks are happy, Amazon are happy, but darling paypal are running scared of VPN’s.
      Super security is scary.
      All they’ve got to do is ask “do you use a VPN”. answer = yes. End of story.
      They could tell which VPN i use by the IP. As they track IP’s.

      Which is another issue that they’ve revealed… and a data protection issue.
      If they wish to track customers… then they should ask customers… are you likely to log on from Germany or france (as you could be visiting your mum, for all they know).
      Nar, they’ve got a tracking IP policy, which is a major data protection breach.


  17. Jaxin

    Thanks for your reply, it’s now more clear how you have everything setup.

    But just to echo others, VPNing to a public openVPN server detracts from your security, it does not enhance your security. The way you are using VPN (through ivpn.net) gives you anonymity, but that is all. I even checked out ivpn.net, and they do not try to sell their service as a security solution, but as a privacy solution, and that much at least is very true. Privacy and anonymity is what is bypassing state surveillance (as you keep bringing that up), and it uses a secure tunnel to do so, but the solution as a whole is not secure. There is a distinction between a secure technology (openVPN is quite secure), and a secure solution (public openVPN server is not a secure solution, but it is a privacy solution).

    The only scenario it provides some level of initial security is if you are VPNing from a coffee shop with public access wifi (or something similar). Anyone in said coffee shop will not be able to interfere with your traffic between you and ivpn.net. They can’t see the traffic (strong encryption), inject data (due to the tunneling features), etc.

    However, when your traffic gets to ivpn.net, it is decrypted there, and then sent on its way (in this case, to paypal’s website). Another thought to consider is who else is on the VPN with you? If both you and I VPN to the same server, are we put on the same VLAN? Chances are we are, or at least have a chance of it depending on the number of users at that time. So at that point, can I start attacking your pc through the VPN? Does ivpn.net have firewalls in place within each VLAN to prevent such traffic (possible, but doubtful)? I could go on, but the point is a significant number of security concerns arise when you use a service like this. And still, even after all those questions, you have to TRUST that they are actually true to their word (might be easy for you to trust, but most of us security minded people don’t trust very easily)

    However, a more true secure solution would be to set up an openVPN server at your house. At the coffee shop, you can VPN to your home network, and from there, navigate to paypal. No one at the coffee shop can interfere with your traffic (same reasons stated earlier). And, unless you have an insecure home network, you can trust your home network a lot more than some vpn service provider. You do lose the privacy benefit of a public openVPN solution, but this solution is a FAR more secure one.

    All that said, I don’t use paypal, and am not defending them (I personally use Amazon). I just work in the cyber security industry, and just want to make sure you understand the differences between privacy and security…

    Like

    • Hi Jaxin,

      OpenVPN allows you to configure it so that users cannot interact with each other.
      Privacy VPNs would need to prohibit comms with other users.

      You have to trust your VPN provider, and select them carefully, that is agreed. And Torrentfreak’s excellent article on who takes privacy seriously is a good starting point for this. It asked who keeps server logs… and who deletes those logs.
      IVPN delete those server logs every 10 minutes. Those VPNs who openly hand over data are to be avoided like the plague.

      The EU is debating whether server logs and search queries should be reclassified as “sensitive Data”. This is why the server logs are critical – and we need those wiped almost instantly.
      Data collection, retention etc is all based on the server logs.
      The bigger crime against civilians is data aggregation (Google aggregates data across 60 services). Privacy International called Google an “Endemic threat to privacy”… and there’s about 90 criminal and civil legal cases against Google.

      We know that Google etc, resell those server logs containing sensitive data on to companies and insurance companies.
      This is why server log deletion is critical.
      It stops data collection.
      Which stops data retention.
      Which stops data aggregation.

      I have a private key that only works between myself and IVPN. They delete the logs to protect me every 10 minutes.
      This deletion of server logs is the way for European privacy to go.
      Like startpage.com – who have their server logs deletion audited by the EU, to gain the EuroPriSe Award for privacy enhancing tools.
      We need strong server log deletion practices from search engines, VPNs.
      But Big Data like our darling Paypal, are going to have a head on collision against EU privacy laws… you can see it coming in the EU’s “Right to be forgotten” Directive.
      Data Retention has to be stopped. And I’m delighted that the EU are on the side of the people rather than big data.

      Off to write a complaint to the UK’s ICO about Paypal. :)

      Like

    • Jaxim

      I totally disagree with the statement made about OpenVPN’s security – it’s a nonsense statement. If it wasn’t secure, then OpenVPN would have buckled under Russia and Chinese state surveillance. Chinese hackers would have cracked it wide open.

      IVPN give me anonymity – by deleting the server logs every 10 minutes for privacy.

      But Security is the PRIMARY REASON to opt for OpenVPN.

      Like

      • SpecialK permalink

        uwnthesis:

        You are not understanding what Jaxim is saying. He is agreeing with you that OpenVPN is secure, and so am I. However, what makes the OVERALL solution/connection out to the Internet not secure, is the part that’s NOT safeguarded by OpenVPN (which is EVERYTHING else other than the connection between you and iVPN).

        Outside of your connection to iVPN, it is just like anything else. What he is saying is that his overall solution of having an OpenVPN server at home, THEN out to the Internet is much more safe. This is because YOU have direct control over your direct connection out to the Internet from your home network. Whereas with iVPN, you are putting your trust in their connections out to the Internet.

        He also acknowledged that yes, a third-party public VPN service will make you anonymous. BUT, this is NOT the same as security. Security also means trusting said third-party to handle your data in a good manner, and that nothing happens to them. It is more inherently secure if you cut out a middle-man (a public VPN service), and handle that at home, as suggested in his home network VPN scenario. But of course, this doesn’t give anonymity.

        As said before, anonymity and security are NOT the same thing (although may have some overlap which causes this confusion).

        Like

      • Hiya,
        I agree that anything which gives us back privacy is to be applauded.

        In the UK, there is a problem running a home based VPN. Yes, you have control over the device, but court orders can be enforced against equipment located in the UK. Therefore we need a DNS server that is separate from the ISP (and not Google). In addition, court orders can be upheld in the UK to take the server and equipment. Therefore we need to connect to an ISP, then route the data out of the UK. The DNS server and connections need to take place outside of the UK.

        We have to treat the ISP and indeed anything located in this country as the enemy. The selection of a privacy based service out of the country is paramount. It’s important that they will not accept UK court orders and keep no data that links to any living person.

        Having a home based VPN could leave you wide open to seizure of the computer and the data on it. The OpenVPN server could potentially log everything – so you have to be very careful having that server at home. It has to be configured specifically to not log connections.

        However, you are totally right about trusting a third party – you have to do your research on whom you select. It’s great to get comments, and the feedback is really appreciated. Thank you.

        Like
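The two server-side settings this part of the thread turns on (whether VPN clients can reach each other, and what the server records) can be checked directly in an OpenVPN server config. The following is an added example, not code from any commenter or from IVPN; the sample config is constructed and the `audit` helper is a hypothetical name.

```python
# Added example: audit an OpenVPN server config for client isolation and logging.
# SAMPLE_CONF is constructed for illustration, not taken from any real provider.
SAMPLE_CONF = """\
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
client-to-client            # OpenVPN relays traffic between clients
ifconfig-pool-persist ipp.txt
status openvpn-status.log
log-append /var/log/openvpn.log
verb 4
"""

# Directive -> why it matters for the two concerns raised in the thread.
CHECKS = {
    "client-to-client": "isolation: OpenVPN itself relays traffic between clients",
    "status": "logging: status file lists connected clients and real addresses",
    "log": "logging: log file, truncated at each start",
    "log-append": "logging: log file that persists across restarts",
    "ifconfig-pool-persist": "logging: file mapping client names to tunnel IPs",
}

def directives(conf_text):
    """Return {directive: [args]} for an OpenVPN config, ignoring comments."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        name, *args = line.split()
        found[name] = args
    return found

def audit(conf_text):
    """Return (directive, finding) pairs for isolation and logging concerns."""
    conf = directives(conf_text)
    findings = [(d, why) for d, why in CHECKS.items()
                if d in conf and conf[d][:1] != ["/dev/null"]]
    verb = int(conf.get("verb", ["1"])[0])  # OpenVPN's default verbosity is 1
    if verb > 0:
        findings.append(("verb", f"logging: verbosity {verb} logs more than fatal errors"))
    return findings

if __name__ == "__main__":
    for name, why in audit(SAMPLE_CONF):
        print(f"{name:24} {why}")
```

Leaving out `client-to-client` only stops OpenVPN itself from relaying between clients; their packets then reach the server's tun interface, so a firewall rule on the host is still needed to block client-to-client forwarding.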

  18. I run a few VPN servers. True, it does not guarantee security. Yes, privacy and anonymity are what it does. From your point to the VPN server, yes, it is secured, but from the VPN server on we could not guarantee. All my VPN servers also have a transparent proxy in them. Though I don’t keep or store logs, we can’t guarantee all VPNs do the same.

    And yes, Paypal sucks. They also robbed me because I forgot to log out from the VPN when I checked out. Three years have passed and they still refuse to return my money. As much as possible keep away from PP.

    Like

    • Alas Paypal have earnt their reputation of being an horrendous company.

      They tell us that open wifi’s in Starbucks and Hotels are fine but an encrypted connection would be refused due to “security”. It’s utter rubbish – and we all know it’s a nonsense argument.

      What they actually mean, is that the VPN prevents their tracking and surveillance technology… and therefore they will terminate your account forever.

      All they had to do was ask “are you on a VPN”… should we accept transactions from you on a VPN (even if that meant you were uninsured for loss). These are the kind of conversations they need to have with clients.

      Alas, they would rather allow your personal details to be stolen on public wifi, as “safe”, and close down highly encrypted technology as a “security” risk.
      Clearly… the VPN isn’t the real argument, neither is the security risk… it’s a logical fallacy. So what is the real reason? The answer to that is perhaps the same reason that we shouldn’t deal with paypal. I personally am very suspicious of a company that insists on tracking its customers online. If Lloyds bank closed your account, because you refused to allow them to put a GPS tracker in your car – there would be a public outcry regarding the privacy and Data Protection breach. Let’s hope a class action is brought against Paypal for their tracking and surveillance of accounts.

      Like

  19. It’s against their policy because they can’t tell where you’re coming from, and that’s just absurd. I’m entitled to login from any country around the world whether I’m physically there or through VPN. Paypal sucks.

    Like

  20. anonproxy permalink

    Probably late to the party, but… Surprise, I am having trouble with both PP and ebay for the same reason. As far as I can gather the PP site is https. If one is using VPN with ordinary http sites then there is a security problem. You leave yourself open to snooping etc… there would be little to no point in using a VPN. However, with a https site and using a VPN there cannot be any third party monitoring or snooping. I wonder whether this is the problem. You stop monitoring by outside actors. Also, if we come back to this, that they know who they are dealing with by asking questions, then that is a fallacy. All they are getting are correct answers. Over the phone or over the internet it’s all correct answers. Anyone could supply correct answers so long as they have the correct data. They never truly know who they are dealing with. And that is, no company by asking questions knows who they are truly dealing with. Which makes me suspect it’s entirely to get the caller to legally cover the company, and they will do nothing for you until they are legally covered by you. So again it’s not about security.

    Like

    • Hi Anon,
      I’m still blocked by Paypal and Ebay.

      All they had to do was ask “are you using a VPN”.

      As for the technical issues.
      Http is not encrypted.
      https is encrypted.
      Use the EFF tool “HTTPS Everywhere” to ensure that if a site accepts encryption, your browser defaults to being encrypted… automatically.

      The HTTPS /HTTP issue is the heart of the matter. IF security were the REAL issue – all HTTP transactions would be blocked as they can be hijacked/snooped. They do not block HTTP – or transactions from hotels, or starbucks or open wifi systems. Therefore we can discount “security” and encryption as their real concern.

      Paypal are “tracking” your IP. Now, we need to ask “WHY”??? What business is it of theirs if you travel or logon overseas or logon using a VPN.

      Amazon allows transactions via a VPN.
      Therefore you can use “encrypted” systems.. via a VPN, but you have to buy via Amazon, which is fine by me. They offer better customer service compared to ebay.

      If you use a VPN, even on unencrypted sites, the trail leads back to the VPN IP.
      If you’re using OpenVPN, that encrypts your transaction so that the ISP can’t see it. Even if you browse to unencrypted sites, OpenVPN is using virtualised network adapters… which encrypt all the data from your device to the site. It’s a **Secondary** layer of encryption… for HTTPS sites, and the more layers the better. It’s a primary encryption system for HTTP sites.. so it protects your mobile connections even on open or public wifi systems.
      Thanks for commenting.

      Like

      • anonproxy permalink

        You are right – none of it is about security. But if we listen hard for Goebbels’ words of wisdom – “if I can repeat a lie enough times it eventually will be believed” – then it’s all about giving the same message for everything until the majority believe the lie. Thing is, the employees are also now under the trance and cannot believe they are doing anything wrong. And can’t understand what the complaint is about. It’s all self-serving, disingenuous, manipulative excuses anyway with paypal-ebay (and for most companies these days). Oh well …

        Like

      • Hi Anon,
        LOL! Paypal are being deceitful and hiding their true purpose. They’ll accept you accessing your finances on an Open and unencrypted wifi… but not on a secured VPN. You are right, everyone hears the term “security” and then turn out. But it’s not security, if I’m secure and their open wifi’s aren’t.. so what is it exactly? I do wonder why Paypal want to track your IP. Anyone who is tracking your IP – without your consent or knowledge is up to something. Thanks for your awesome comments… I love them.

        Like

  21. Wow, talk about flawed logic. Some of you folks are trying to argue that using a VPN tunnel provided by a trusted VPN provider does not increase the security of your Internet and/or network connection. Of course a VPN tunnel doesn’t protect you from every danger on the Internet, but to say that it doesn’t have any security value is absolutely ridiculous. If you truly believe that, then you are crazy as hell.

    Like

    • Hi Bob,
      Thank goodness for a sane voice out there! I couldn’t agree with you more. A VPN, with a safe provider, committed to privacy is the best thing since sliced bread.

      Like
