Is It Phishing? Or is it PayPal Mobile?

Every day I receive at least five e-mails purported to be from PayPal, urging me to update my account information. Given that I don't have a PayPal account, it's an easy choice to route it to my Spam filter along with alerts from the Fifth Third Bank. But the launch of PayPal Mobile appears to have given Phishers a new area of opportunity, and one that appears more insidious. With $500,000 in "Instant Prizes" as incentive, the PayPal (or faux PayPal) folks encourage recipients to "Activate PayPal Mobile Now!"

Does PayPal offer a mobile payment system? Yes...

It has a couple of flavors actually. An SMS/text based service to provide instructions for payment, donation and money transfer launched in March 2007. In mid-July, PayPal added a "portable checkout" which allows registered mobile subscribers in the UK, US and Canada to buy items from participating merchant Web sites. Examples of such merchant sites are SkyMall, DVD Planet, Moosejaw Mountaineering and ElectronicsShowplace.com.

Is the sweepstakes email from PayPal? Who knows...

But one thing is certain, payment systems security mavens regard wireless devices as the most inherently insecure pieces of transaction processing hardware in existence. "Think of the PC prior to the introduction of a security kernel and you'll understand where the smartphone is these days," I was told. "It's wide open."

This observation seemed to be validated by all the hackers who have exposed the vulnerability of passwords stored in the iPhone. Symbian, Windows Mobile, and PalmOS are just as bad.

Yet there is no question that payments initiated as text messages from mobile phones are already generating great interest and payment activity. For such activities PayPal Mobile and PayPal Checkout have competition from Obopay (already supported by Verizon Wireless) and textpayme.com. Such text-based services are relatively "secure" because they use the same payment "gateway" that other online merchants use, relying mostly on password protected access to payment instructions.

Perhaps it's a sign of early success to see that mobile payments through PayPal have sufficient critical mass to attract Phisher-folk.