PayPal are Tracking your IP – Did you see any warnings that “PAYPAL are TRACKING your IP?”
As you may have noticed, Paypal have terminated my account due to my use of a high security VPN – on the grounds that it’s a security risk. Paypal consider use of a VPN as a breach of their terms and conditions. Which is interesting, now that I’ve accidentally discovered that they’re tracking us. Geolocation tracking is an insidious form of surveillance. Yet they will have the audacity to argue that an open wifi in a coffee shop is not a breach of security. Now, ask yourself which has greatest security.. the open WIFI or the Ultra secure VPN? So what’s really going on here…
Thanks for the 50 comments from yesterday. Here’s an overview of what you need to consider with IP tracking by Paypal:
Paypal are tracking your IP.
There’s Data Retention on your IP – which in effect allows them to track your movements and whereabouts – and acts as a surveillance tool.
If you use a VPN, they will terminate your account – as a breach of “Security”. I wonder how many Paypal users know that they’re being tracked?
I certainly never gave my consent to tracking by PayPal. I wonder what other purposes they use your IP for.. and whether they resell or aggregate that data for third parties such as Councils, police and the tax man?
I wonder if their IP tracking of customers is a Data protection breach ?
Their data retention of users IP’s is in effect a tracking device. Does the ICO even know what they ‘re doing… without informed consent. I saw no notice “PAYPAL are tracking this IP”… did you?
So many questions…
This is how it came to my attention
Paypal Terminated my account because use of a VPN is against their terms and conditions
*****OPENVPN Geek Stuff*****
I use OpenVPN – which was designed to run in Russia and China to thwart state surveillance. I use a VPN provider that’s dedicated to privacy – and works to support journalists and civil rights activists. And I’m terminated due to “security”. ummh. You can smell the baloney from a mile away.
OpenVPN – with total regards to the awesome book OPENVPN – Building and Integrating Virtual Private Networks by Markus Feilner.
Step 1 – Create the STATIC KEY – SYMMETRIC ENCRYPTION
Symmetric means the same key is used to encrypt and decrypt (Paypal might not know this).
OpenVPN mix and matches several encryption systems – so this is just stage 1 of security.
Step 2 – Secret Key stops Handshake hiccups
Each pair on the Client/Server has their own key. This is important – as you can’t knock on the door of OpenVPN and start the SSL handshake (as with normal SSL handshakes) without those key codes. A standard SSL handshake is weak… it can be “tripped up”. These keycodes prevent that little hiccup.
It’s like Fort Knox. You’ve got rings of protection…. interwoven for maximum security (well as safe as you can get without leaving the country). So here’s the sample config file jobby.
dev tap = creating the virtual ethernet subnet. Remember those “virtual ethernet devices” that I said OpenVPN used?
OH LOOK – PRETTY PICTURES.
Virtual Network Cards
Remember those virtual networks… created out of thin air. We’ll here a sample config for them. The 2 ip’s are set up…. so that the virtual cards can chat to each other – but no-one else.
SUBNET MASK – CIDR 4 HOSTS
On an actual VPN the subnet mask will usually be set to allow 4 hosts.
What does a subnet mask of 255.255.255.252 mean? This allows 4 hosts maximum.
.0 = Network ID
.255 = Broadcast ID
.1 = the Client side of the VPN
.2 = The Server side of VPN
So we’re a little short on IP’s. Which is a cunning plan from the VPN providers.
Super Secret Spy thingy
Did you notice that SUPER SECRET SPY Key thingy in the virtual network card diagram? Yeah. Good innit.
X509 Certificates – that old chestnut of security.
SSL and the PKI instructure are well dodgy. Daily we see reports of stolen MI6, CIA, MOSSAD certificates to go along with the Google, Yahoo and Microsoft automatic update certificates. Some CA’s have been hacked to next Thursday and back.. some say around 20% of the Internet works with compromised CA certificates. And yet it’s preached by those who like the idea of a central authority. Which with a draconian employer, might not be Plan A – as they’d have your key codes. AHHHRRR. Penny dropped for you has it. What took you so long :)
So using an X509 certificate is probably not all that it’s cracked up to be. OpenVPN can and does use it as an extra ring of security. But we can use it in a super sneaky way.
KEY GENERATION – PARTY FOR 2
We can generate the keys… This is strictly just me and you. No one else is invited to our party. Asymmetrical – uses 2 keys. One key ENCRYPTS the other key DECRYPTS.
Clearly don’t use 1024 as a key size. Use the longest you can, without hitting performance.
Building the CA
Remember, this is a party for just me and you. No one else is invited.
Super Secret KEYS
Of course, open wifi’s are much higher security than any of these… if you listen to Paypal.
I guess their IP tracking is popular in democracies like China.
I wonder if their IP tracking of customers is a Data protection breach within Europe? Their data retention of users IP’s is in effect a tracking device. Is this legal? Does the ICO even know what they ‘re doing… and that they terminate accounts that use VPN – which bypasses their IP tracking.
So many questions…
Full credit to Markus for his OpenVPN book