I have worked on various e-commerce projects that accepts online payment. However, most of the medium-to-large size organization in Malaysia do not incorporate PayPal into their payment method options. Majority of them is because their finance unit is restricted with payment policies, legal and audit issues. This is beyond the website strategies and lies on the business operations.

I do use PayPal for online payment, and would prefer that online merchants has this option

I call PayPal as e-wallet. It allows me to withdraw (purchasing) and deposit (through selling) money. I usually do not withdraw funds from PayPal as I prefer to use it to buy something online instead of using my credit card, as some small online stores only accept PayPal, WorldPay or Moneybookers; another reason which I feel uncomfortable or insecure in using my credit card when purchasing from small website, even though it is VeriSign secured.

I believe in Internet transaction security and understand the payment system process flow, but what we don’t know is whether they (merchants) capture our sensitive data or not. This is the most worrying part of Internet transaction- privacy. Their system may be very good and secure, but are their staff trustable and reliable?

I trust the online payment system security but not the people

I used to work in an organization 11 years ago where they do not process online transactions in real-time, their secured web pages (https- SSL) captures customers data into a database and forward the request to respective personnel to process the purchase with a merchant machine. This is not the right way in processing online transactions and customers data should not be viewed by any parties. Think about the consequences, what if the respective personnel discloses customers data?

I used to work in an international bank, practices very good security where staffs are not allowed to print, email, copy and even carry handphones or any computer devices during work, customers data is only accessible by higher level staff. Furthermore, the computer is well secured with customized OS, website access limitation and all external ports are disabled. Unless you’re an expert, or else stealing data from bank is not easy, this is how the bank build its trust and reputation.

What consumers want and how can you solve their problem?

As an online consumer, I want a secured, trustable payment service and options.

As a merchant, I would want to provide as many payment method as possible. This will be my website’s value, which is solving the people’s problem- allow PayPal users to utilize their e-wallet money to spend on something that they don’t need to use credit card.

Bottom line

The growth of the online consumers and PayPal users are rapidly increasing by the days. According to the survey conducted by third party, there are more than 15% of online consumers in Malaysia using PayPal for online payment. If you want a bigger piece of cake then please consider the 15% of online consumers’ preference on the online payment options.

PayPal Malaysian launch party on Friday, December 11th, 2009 from 7pm until late. Location at Neo restaurant (opposite equitorial hotel, KL).

This party is by invitation only. Closing date on December 8th and seat is limited.

Condition:
(1) You are PayPal User (PayPal account email address is required for verification) or
(2) You are the guest that invited by PayPal User.

If you are PayPal User, please send an email to sea_marketing@paypal.com include your full name, PayPal email addresss, eBay ID (if applicable), country of residence, total number of guest (max 2 – you + one guest) for registration.

Below is the invitation… see you there.

PayPal Malaysia Launch Party Invitation

Phishing attacks have become a common method for stealing personal identification information, such as bank account numbers and passwords. It is the fastest growing method of fraud on the Internet.

I have recently received a scam email from a well known airline, it claimed that I have bought an air ticket from their website and my credit card has been charged for an amount. The message also provides the login username and password information and attached an e-ticket receipt for my record.

I know it is a fake phishing email and the attachment might have contains the virus or worm or something will harm my computer or steal my information. I believe many of you also have received this kind of fraudulent email messages, it is a common Internet confidence scam, the increasing number of email scam become our mentally challenge when filtering those unnecessary email from our mailbox, and worry when will accidentally open an email contain the “Boom”.

The people who create the phishing email using the psychology technique to attract people open their email such as attractive message subject and real/trustable email sender (ie. admin, support, person name), and email contain message that you will first feel desires or denied. For an example above email message, if I first think that I didn’t buy it and want to check the receipt whether it’s my information then I fell into their trapped.

There’s more way doing scam. Some would install the spy ware/worm/virus into your computer, some will ask you to click on the link on the email message to a website that will request to obtain your P&C information. Anyhow their purpose and objective is to steal your information whether is worm resist in your computer or manually provide by you enter on a web page.

I used to study on a spam research, the results was turned out 3 out of 10 person was fell into spam trap. Below is the whole process:

Note: The name/company/website using here is just an example.

A smart phishing email creator know how to protect and clean his/her backside:

1. Register 2 Paypal accounts- one Paypal account with fake information and another one with real information which has your credit card details.
2. Register 2 eBay accounts- one account (A) with a real Paypal account and one account (B) with fake Paypal account.
3. Account (B) offer a product on ebay and let the account (B) win the auction bidding, then transfer the money from account A (real paypal account) to the account B (fake Paypal account). The amount of money as long as enough to buy a domain name and web hosting for one month.
4. Close/terminate the real Paypal account.
5. Ready to use the fake Paypal account money to register a domain name and web hosting. There are many third world / Europe countries offer no restriction hosting. Many illegal group host their website in Europe / Russia to avoid government tracked/banned/suspended.

Above is basically a money laundering process and cover backdoor-fire method, which using the Internet technology to perform illegal process that beyond government ability/boundary.

Creating a website that you know:

Those Malaysia well known e-commerce website simply to become the victim. Let say, Maybank2u.com, AirAsia.com, kwsp.gov.my and etc. For our example, Maybank2u.com- nearly 30% of Malaysian have accounts with Maybank, and those with Maybank accounts will usually activated their online banking.

See how can I create a Fake Maybank2u site:

1. Register a domain name “look” like Maybank2u.com or intentionally create a typo error domain name. For example: Mayban2u.com, Moybank2u.com, Maybak2u.com, Maybank2u.de, Maybank2u.asia, Maybank2uu.com or whatever similar.

2. Copy the Mayban2u.com website layout and duplicate it on the fake website. Let we use “Mayban2u.com” as for our fake website example.

3. A page on “Mayban2u.com” with the URL: http://www.mayban2u.com/mbb/scripts/mbb_login.jsp?do=Login. The reason for this is because it look like the actual login URL and also more text can confuse people visually overlook the domain names.

4. Create a web application behind that will capture username and password when user really enter the login information. Upon recorded the login information then forward to actual Maybank2u.com’s login page. (At this point, the fake phishing email creator has already achieve his/her objective. The account holders may think that the page at Maybank2u.com is not working and etc)

For process 2 & 3, the creator need to have a little of web programming skills.

Preparing and sending out the fake phishing email to anyone.

1. Design a corporate and professional email newsletter with the actual logo. Attached the fake link mentioned above in the newsletters and mask it with the actual URL (the actual link is just the text and when you click on it, it will lead you to different page), and of cause, newsletter will not designed in the way of “I want your username and password” style. It must made the recipient either feel desire or denying, this is the psychology technique. For a sample:

—————– Begin of sample: fake phishing email —————–
Dear Valued Customers,

Thank you for being a Maybank2u.com account user. We would like to inform you that your online account will be deactivated in 3 days (31st October 2008) due to following reason:

Status code: MI109947463-3
Description: In-active account – 3 months.

Please take note that you will need to manually re-active your online account through Maybank2u.com’s Customer Account Control Panel (login required) BEFORE the deactivation date.

Please ignore this notification if you do not wish to continue the online account.

For enquiries, please contact our customer care centre.

Thank you.

Regards,
Customer Care Dept
Maybank Berhad
Address: bla blabla

Email:customercare@maybank2u.com
Website: www.maybank2u.com
Call centre hotline: blablabla
Fax: blablabla

—————– End of sample: fake phishing email —————–

The message “Customer Account Control Panel (login required)” which is the link to the fake URL. When user click on it, it will lead you to a page that look exactly like the Maybank2u.com page.

2. Design an attractive email message subject that will make recipient desire to know more. For an example: “Maybank2u.com – Deactivate Account Notification” or “Important Notice: Your Maybank2u.com account will be deactivated”

3. Sending the email out by a common sender name. You can set this in your web hosting configuration for email account. For an example: “Cutomer Care”, Company Name, “Support”, “Admin”, “Billing”…

4. That’s it. The last process will be who do you want to send to? I believe those fake phishing email creator already has thousands or even millions of email address records on their hand. (See our junk mail box already know how many of them have our email address)

Is Phishing Illegal?

Yes and no. There is no crime in asking you to volunteer information. It isn’t a crime to send you an important-looking message. Its a copyright infringement if the originator of the message uses a copyrighted or trademarked logo (which are easy to steal) to make the message look more authentic, but that’s a crime against the owner of the logo not you. Identity theft is illegal but no crime is committed until the thief actually uses the information you unwittingly provide. Its attempted fraud of course but if it were easy to catch these people, Phishing wouldn’t be a problem.

Phishing, Identity Theft and Bank Fraud Detection – Netcraft Toolbar

To protect your savings from Phishing attacks, there’s a freeware ‘Netcraft Toolbar’ is available for download at http://toolbar.netcraft.com/, it is something like Google Toolbar / Yahoo Toolbar, it will integrated with your web browser once you installed. I am using this tool to gether the information from the website that I visited, lower the risk, browse in safety and check the reported phishing attack (and help defend the Internet community from fraudsters.)

Beside the Netcraft Toolbar, you can also subscribe to their Netcraft Phishing Site Feed (RSS). More: http://news.netcraft.com/phishing-site-feed

Tips on Phishing

Know your senders

• Is this someone I do business with?
• Is this something I was told I’d receive?
• Look for other ways to respond

Stay on guard

• Look for clues – improve your PhishingIQ
• Don’t be afraid to ask
• Know how your system is updated
• Protect your system
• Check your records

Disclaimer: The name/company/website used above is for an example. It is not a real case.

My field is web related. A few of my clients with IT knowledge asked me a similar question- Which country do you recommend to host my website? Malaysia or US?

“It depends on your target audience and market- local or international and; what features/plan that you want to have in your web hosting package. There are advantages and disadvantages for website hosted in either Malaysia or US. This is why I am here to assist you to understand your need, and to provide a right solution…” this is my formal biz conversation.

Many people think that US web service is more expensive than Malaysia. In actual fact, not really.

US market is very competitive, thousands of web hosting service providers offer the best-deal-in-town packages with low prices to attract potential customers, this is how we consumer get benefits from their “price war”. But choosing the right and reliable web hosting provider needed some experience in this web industry.

Domain Name (Website name ie. whoiskenny.com)

When I first step into this field 11 years ago, I bought my first domain name from NetSol (NetworkSolutions.com) at the cost of USD35. It was costly for me to buy a domain name at the cost of USD35/RM133 when I just earning a peanut. (NetSol was the only appointed registrar by Internet Corporation for Assigned Names and Numbers (ICANN) that could process domain name registrations for .com, .net, and .org before 1999. During Malaysia economy crisis in 1997, Malaysian Ringgit is fixed at the static exchange rate by USD1.00 = RM3.80)

There are more than thousands of website offering domain name registration nowadays, the domain name registration fee is much cheaper compre to last time.

There’s something Malaysia Web Hosting providers/domain registrar still can’t beat- the price war in US. For an example, a domain name registration package, it come with more features and cost only USD9/RM28.80 (exchange rate by USD1.00 = RM3.20). Honestly, I still haven’t find any local providers can offer this price, I even compared the local dealer/reseller price.

Another reason I would prefer to buy the domain names from US is because they can provide better domain name features like free private registration, free parked page, free POP3 email, domain locking, free blog, free hosting (with banner ad), website forwarding / masking and etc. This is a good plan for website starter, which they just need an email contact and a few pages of website.

With the above attractive features, why not? Of cause, regardless it is a reliable company.

If you are interested to view the list of ICANN accredited domain name registrar, below is the URL:

http://www.internic.net/alpha.html

For .my country-code top level domain (ccTLD), the Malaysia Network Information Center (MYNIC) domain name registrar list is available here:

http://www.mynic.net/reseller.php

Web Hosting (Where you host your website content)

With my experience, I usually recommended local hosting (hosted in Malaysia) for my SME or small entity client. Beside the website response time (speed) faster, the hosting plan/feature offer by local web hosting service providers are sufficient enough to meet my client’s need.

Budget does not come to primary in this decision, the website response time, provider service, data centre infrastructure and server performance is my main concern. Malaysia web hosting providers can now provide the standard requirement for a normal website need at the reasonable price, hence there’s no reason why should I seek for oversee solution, unless special requirement which local provider can’t deliver such as bound by Law restriction or demand higher bandwidth allocation.

And most of my client’s website also target the local market, the e-commerce website’s payment method is another concern. Hosted the website with local provider with payment gateway enabled is an advantage, at least they can process Ringgit Malaysia transaction and easy on billing issue. You may not know, out of 50 in 100 credit card online transactions have problems. 50% could be fraud cases, authorisation failure, process issue, connection issue, insufficient credit card information for verification, credit card blocked by the issuing bank for some reasons and etc. So, it may need to walk-in the payment gateway solution provider office for further discussion or need to call for clarification on case-by-case basis. Don’t you hope their office is just next to yours?

Another reason, some of the reliable and low-risk payment gateway solution providers from over sea do not accept RM payment/ Malaysia merchant account or charge a higher transaction commission.

If you are looking for payment gateway to process your website’s e-commerce transaction with Malsyian Ringgit, there’s few I would recommend:

International:
- www.worldpay.com
- www.2checkout.com
- www.paypal.com (problem to withdraw money from local bank, unless you have US bank account such as etrade)

Malaysia:
- www.maybank2u.com (transfer money from own account to third party account)
- www.ipay88.com

Well, the worry for Malaysia web hosting is the unreliable country backbone infrastructure, but it is ISP (Internet Service Provider) issues.

It can be easy to setup a website, regardless you have domain name, web hosting knowledge and experience and programming skill. Otherwise, I will suggest you engage a web specialist to do it for you. As I always told my clients- don’t worried, please leave the task to us, we will let you concentrate on your biz!

I welcome your comment if you have a different point of view.