I was minded recently to switch on 2-Factor-Authentication (2FA) for all my accounts. Whenever I want to log in, I give my username and password - then I receive a text message which can only be used once.

Searching for 2FA on PayPal doesn't return any results - nor does searching for SMS. *sigh* Ah! Wait! They call it "Security Key" - perhaps if I search for that… Nope. Nothing.

With help from a third-party site, I found out how to turn it on. Minus five points for Hufflepuff there.

Now, when I try to log in via the web, PayPal will send me a text message - a welcome measure of security!

Unless, of course, I try logging in via the mobile web. What band of chuckle-fucks thought that this was an acceptable solution? There's no technological reason not to have this page trigger an SMS - indeed some other mobile pages are quite happy to let me use 2FA.

I switched my mobile browser into desktop mode and was able to complete the transaction. What a farce.

PayPal is now a twisted nest of technologies - some of which can never be updated for fear of bringing the whole crumbling edifice crashing to the ground. If PayPal really cared about your security then they'd make switching on and using 2FA as easy as possible. Instead, they've done the bare minimum to tick a box in the product feature list and not bothered to test it thoroughly.

There is currently no way to report security issues like this to PayPal - their page at https://www.paypal.com/webapps/mpp/security/reporting-security-issues has been broken for months.

I eventually found an email address for them and, after some toing-and-froing, I got this response:

PayPal needs to make the usability of its security a priority. At the moment, it is failing.

So - here's my rant :-)

Google now let you pay for apps and games using PayPal. Well, I've got a bunch of credit left over in an old PayPal account, so I thought I'd use it to swell Google's coffers. No dice.

According to Google's "help" site a user can add a payment method via the Google Play app.

Errr.... not so much! I can redeem vouchers and add more credit cards - but I can't add PayPal.

The site also suggests that I can add a new payment method via the website.

Perhaps it's in "Add a new payment method"?

Yeah, that'd be the same problem...

I know what you're thinking, "Silly rabbit! PayPal is only for proper countries like the USA!"

sigh

If you - or one of your friends - are a Google employee, please can you find the person responsible and ask them to flick the switch which activates this?

Support

Now, I said Google don't offer support. That's a minor factual inaccuracy. They do offer a "Call Back" service.

After exactly 7 minutes on hold, I spoke to "Peter" from "The South Coast of England". I explained the problem and was asked to hold again.

I was eventually told that it was most unusual and that a "supervisor" would be looking in to it.

Yeah, yeah, yeah. I know Google don't exactly need my money - but it sure would be nice if they'd let me support the developers I like.

I'm not sure if Oxfam were in the audience that day. But if they were, they missed the point. QR codes are a solution for quick interactions with mobile phones. Let's investigate the Oxfam QR code seen in Metro.

The Advert

So, can donate by scanning the code? Well, it's not really made clear what the QR code is for. There's no text associated with it.

The Code

Let's take a closer look at the code. That's a huge URL stuffed into a tiny code - making it hard to scan. Ideally, codes should use black ink - the blue used here shouldn't cause too many problems, but coupled with the small size reduces the scanability.

The URL

Let's take a quick look at the URL before moving on.

https://www.oxfam.org.uk/donate/paypal/index.php?ito=4373

Good: Use of https for a secure connection. Bad: Just about everything else. Why is this so long? Why didn't Oxfam set up a redirect so that oxfam.org.uk/4373 went to the right place? If that's not feasible, drop the redundant index.php.

https://www.oxfam.org.uk/donate/paypal/?ito=4373

Even better, just direct to the target page. In this case

https://giving.oxfam.org.uk/

Doing that would have resulted in this smaller and more easily scanned code.

The Website

This is where things go from bad to worse. The first thing I saw - on several phones - was this certificate error. Given that Oxfam are expecting me to give them money, this doesn't give me confidence. But, it gets worse. Yes, that's right. Oxfam have decided to send my mobile phone to the full version of their website. Rather than provide me with an optimal experience, they're making it slow, costly, and awkward for me to give them money.

PayPal Mobile

After clicking through a few screens to try and give them some cash, we get to PayPal. Perfect. At this stage of the transaction - if the user has even got this far - PayPal provide their optimal mobile user experience.

Conclusion

• Poorly formatted code.
• Mobile unfriendly landing page with security issues.
• Multiple clicks to donate.
• Overall, why bother?

If anyone from Oxfam is reading, the interaction should go: Scan - mobile friendly landing page - straight to donation. No more than 3 clicks including the original scan of the code.

This is the presentation I gave for Charity Hack 2010.

If you're on mobile, you can view the mobile friendly version of the slides.

Audio and video coming later.

The gist of the talk is - use QR codes to drive mobile donations. Use return SMS to encourage people to share with their friends.