02 October 2014

Crooks swipe PayPal chief Marcus's card data for shopping spree

11 February 2014  |  4970 views  |  8 David Marcus PayPal CEO

PayPal president David Marcus has fallen foul of crooks who swiped the details of his EMV card and used the information to go on a shopping spree.

Ever the company man, Marcus took to Twitter to share his misfortune and tell the world that such a thing would never have happened if PayPal were accepted on the high street:

With the debate over EMV raging in the US thanks to the Target data breach, Marcus's decision to highlight the fact that his card had a chip drew complaints on Twitter, prompting a clarification:


Comments: (8)

Martin cox - Bell ID - Sydney | 11 February, 2014, 10:49

What Marcus could have said was "wouldn't have happenned if EMV was mandated everywhere".

His mag stripe got skimmed and the fraudster was able to make a mag stripe transaction because (I assume) his card was issued in the U.S. and merchants around the world accept that U.S. = mag stripe.

I had the same issue in reverse. My UK EMV card was skimmed and the mag stripe data used in the U.S.

CNP fraud may still exist post EMV but the common theme here is: Mag stripe in the U.S. facilitates fraud at the terminal.

A Finextra member | 11 February, 2014, 11:27

alternative headline "PayPal chief admits that paypal acceptance is incredibly poor and has to resort to using a much more widely accepted instead"

David Pipe - Powa Technologies - London | 11 February, 2014, 11:33

A couple of important things to note here:

PayPal is a huge magnet for fraud - the LAST place I'd want to see it widely adopted is on the high street.

Furthermore, EMV does not eliminate the fraud issue - as an earlier poster quite rightly stated, it simply shifts most of the fraud to CNP transactions.

Fraud will only be eliminated when merchants adopt technologies whereby the personal and payment details of the consumer need not be transferred to the merchant in order to execute the transaction.  

Peter Robinson - Dixons Retail - London | 11 February, 2014, 12:38

"Ton of fraudulent transactions"? Assuming his card was used at a UK retail PoS terminal, the merchant would have invariably gone 'on-line' for auth. The Card Issuier would have seen previous transactions being undertaken with EMV verification which would have then stopped. Given that the auth message from the merchant to the card issuer would have made it clear it was a 'fallback' transaction, one would have thought that something was awry and triggered an alert of some sort. I wonder how many transactions equate to a 'Ton' before they noticed?

If true, it does beg the question as to (a) why bother going on-line for auth in the first place and (b) why bother flagging a transaction as fallback from EMV to mag Stripe if the card issuers not going to do anything about it....

A Finextra member | 11 February, 2014, 12:44

if the card is (mis)used in the USA the transasction doesn't "fall back" as the majority of terminals only supports magstripe. What should have happened is that his UK/US transaction should have triggered an alert if the timing wasn't right.

I would image that either the bank in question doesn't want to stop its high net worth customers from being declined so just pays away and accetps the risk or its fraud system flags the problem after the payment and they rely on the relationship manager contacting the customer.

Either way, the issue really isn't EMV, but magstripe and its continued use.

A Finextra member | 11 February, 2014, 14:30


This type of comment just displays the size of the task facing right minded payments professionals who just want to make the USA understand that whilst EMV is not perfect,  and is not a short term solution due to the cost of migration, .. Long term - its the only way to go....  US MBP's and share prices cater for escalating  fraud YOY  - they probably cant cater for long term investment (sadly) as the analysts would not understand.

Does Paypal publish its fraud figures from phished or hacked accounts?

A Finextra member | 11 February, 2014, 14:58

Hmmm.  I'm thinking "Terminal Capabilities" field - showing EMV Capable Device but a Technical Fallback to Magstripe for an ICC Card (Service Code 2xx) - surely his Issuers system would raise an eyebrow to that one.

Seems like a PR stunt to me...

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 12 February, 2014, 17:18

Going by this article written by Zilvinas Bareisis of Celent (http://bankingblog.celent.com/2014/02/the-challenge-of-making-mobile-payments-work-at-the-pos/), Mr. David Marcus would have had a tough time putting through a single in-store transaction with PayPal. No transaction, no fraud. Ergo, Marcus is absolutely right, just not for the reason he'd have us believe. 

Comment on this story (membership required)
Log in to receive notifications when someone posts a comment

Finextra news in your inbox

For Finextra's free daily newsletter, breaking news flashes and weekly jobs board, sign up now.

Related blogs

Create a blog about this story (membership required)

Related stories

11 February, 2014
05 February, 2014
23 January, 2014
14 January, 2014
11 December, 2013
08 October, 2013
06 September, 2013
08 August, 2013
30 July, 2013

Related company news


Featured job

to £90k base + Commission + Benefits
London, UK

Find your next job