First of all (as I opened this topic): thanks for discussing my posting so intensively.
Now, after one year without PayPal, I figured out a solution which seems to work for me.
Basically it is a check against the PayPal account email address.
Here are my steps:
I used the normal "Paypal Basis" method with the NVP API and PHP curl which is described here:
https://www.paypal.com/de_DE/html/IntegrationCenter/ic_home.html (unfortunately in German - I was not able to find the English version quickly, but I'm sure there is one)
The good thing with that is that there are 3 steps of communication with PayPal (which is harder to manipulate):
1. The customer chooses PayPal and the amount at my website - at this step my site communicates with PayPal and gets a unique token from PayPal.
2. The customer is forwarded to PayPal (with the token and some other transaction details of A2B) to log in and confirm the payment details (no payment is made at this step).
3. After that step the customer comes back to my site to initiate the payment (so I can make some checks on the PayPal details).
This scenario is a bit better than simply forwarding the user with some data (amount, ... and a return link), because the real payment is made on your site. But surely that alone is not really an improvement for stolen PayPal accounts, but maybe it helps against situations "nicson" had to deal with.
And now my security implementation:
Now, as the user pays on your server within a PHP script in "step 3", I was able to implement a check I long had in mind before. The important thing is that PayPal gives us some information back like the PayPal customer's name and the PayPal account our customer wants to use.
First I made a simple check if the PayPal account matches the email address which the customer has registered.
(something very simple like "if (paypalaccount == $customeremail) { DoPayment... }")
As A2B checks the email at the time of customer registration, I think you can be pretty sure that the owner of the PayPal account is in fact the same person who registered at your site.
So with this method you can be quite sure that no one pays with stolen PayPal accounts. But unfortunately a lot of customers use different email addresses for PayPal and your service. (I normally do that too.)
So the second step was a possibility to use different PayPal accounts as well.
I created an additional MySQL database with two tables (whitelist_paypalaccounts and blacklist_paypalaccounts). Naturally you can also just create two more tables within the A2B DB, but I wasn't that sure that I wanted to use this DB just for A2B, and even for A2B updates I think it is cleaner this way.
For now I just use the "whitelist_paypalaccounts" table, but maybe it makes sense in some way in the future to blacklist PayPal accounts as well. (I'm sure there are scenarios for that.)
Now, if the customer tries to use a PayPal account which differs from the registered email address, he gets a dialog instead of the final payment step to verify this PayPal account.
After confirming this, my system sends an email to the PayPal account email address (not the one from the customer in the system) with an activation link (random 30-character string) which I also store in the DB.
After clicking the activation link in the email, the PayPal account is verified and ready to use (also for further payments).
The point is that only the real PayPal account owner should be able to read the verification email.
Naturally there is a possibility that the email account of the PayPal account owner is also hacked and the bad guy is able to verify the link too.
But I think that is not the normal fraud situation, as I guess that 99% of the PayPal fraud just uses stolen PayPal accounts with passwords to do the fraud. In many cases these people have just bought the stolen PayPal accounts from some other bad guy....
So I guess (and hope) this secures my PayPal payments enough for now.
The downside surely is that my customers have to take this additional step to verify their PayPal account (if it's not the same as their A2B email) the first time they use PayPal to pay at my site. I tried to explain to my customers why it has to be like this (with an information link) and as far as I can see, my customers use it quite normally.
But I have to say that I also have some other payment methods my customers can use if they don't like that (credit card, direct banking and normal bank transfer).
I really would appreciate getting feedback from you guys if I made a logical failure with this or something.
I cannot publish the code right now as it is really dirty!
I am not a developer or anything.
But if anyone wants advice or has questions, you are welcome!!
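The "step 3" logic the post describes (compare the payer address PayPal returns with the registered address, otherwise fall back to a whitelist of separately verified PayPal accounts with an emailed activation token), written out as an added example. This is not the poster's code, which was not published; it is a stand-alone PHP sketch that uses an in-memory SQLite table in place of the poster's MySQL database so it runs offline. The table and column names, the 24-hour lifetime of an unused activation link, case-folding of addresses, and storing only a SHA-256 hash of the token (so a leaked table does not contain working activation links) are this example's own assumptions. `$payerEmail` is meant to be the EMAIL field that the NVP call GetExpressCheckoutDetails returns before DoExpressCheckoutPayment is made.

```php
<?php
declare(strict_types=1);

// Added example, not the poster's code. Table/column names, token hashing and
// the link expiry are assumptions of this example.

const TOKEN_LENGTH   = 30;          // the post uses a 30-character random string
const TOKEN_TTL_SECS = 24 * 3600;   // assumed lifetime of an unused activation link
const TOKEN_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE whitelist_paypalaccounts (
        customer_id  INTEGER NOT NULL,
        paypal_email TEXT    NOT NULL,
        token_hash   TEXT    NOT NULL,
        verified     INTEGER NOT NULL DEFAULT 0,
        created_at   INTEGER NOT NULL,
        PRIMARY KEY (customer_id, paypal_email))');
    $db->exec('CREATE TABLE blacklist_paypalaccounts (paypal_email TEXT PRIMARY KEY)');
    return $db;
}

function normalizeEmail(string $email): string {
    return strtolower(trim($email));
}

// Cryptographically random token. Only its SHA-256 is stored, so a leaked
// database does not hand out working activation links.
function randomToken(): string {
    $token = '';
    $max = strlen(TOKEN_ALPHABET) - 1;
    for ($i = 0; $i < TOKEN_LENGTH; $i++) {
        $token .= TOKEN_ALPHABET[random_int(0, $max)];
    }
    return $token;
}

// Run before DoExpressCheckoutPayment. $payerEmail is the EMAIL field PayPal
// returns from GetExpressCheckoutDetails; $registeredEmail is the A2B address.
// Returns ['action' => 'pay'|'blocked'|'pending'|'verify', 'token' => ?string];
// on 'verify' the caller mails the token to $payerEmail, not to the registered one.
function decidePayment(PDO $db, int $customerId, string $registeredEmail, string $payerEmail): array {
    $registered = normalizeEmail($registeredEmail);
    $payer      = normalizeEmail($payerEmail);

    $q = $db->prepare('SELECT 1 FROM blacklist_paypalaccounts WHERE paypal_email = ?');
    $q->execute([$payer]);
    if ($q->fetchColumn() !== false) {
        return ['action' => 'blocked', 'token' => null];
    }
    if ($payer === $registered) {                 // the simple check from the post
        return ['action' => 'pay', 'token' => null];
    }
    $q = $db->prepare('SELECT verified, created_at FROM whitelist_paypalaccounts
                       WHERE customer_id = ? AND paypal_email = ?');
    $q->execute([$customerId, $payer]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row !== false && (int)$row['verified'] === 1) {
        return ['action' => 'pay', 'token' => null];   // verified earlier, good for further payments
    }
    if ($row !== false && time() - (int)$row['created_at'] < TOKEN_TTL_SECS) {
        return ['action' => 'pending', 'token' => null];   // link already sent and still valid
    }
    $token = randomToken();                       // new or expired entry: fresh link
    $db->prepare('INSERT OR REPLACE INTO whitelist_paypalaccounts
                  (customer_id, paypal_email, token_hash, verified, created_at)
                  VALUES (?, ?, ?, 0, ?)')
       ->execute([$customerId, $payer, hash('sha256', $token), time()]);
    return ['action' => 'verify', 'token' => $token];
}

// Handler for the activation link: marks the account verified if the token
// matches an unexpired, still unverified entry.
function confirmToken(PDO $db, string $token): bool {
    if (strlen($token) !== TOKEN_LENGTH) {
        return false;
    }
    $q = $db->prepare('SELECT customer_id, paypal_email, created_at FROM whitelist_paypalaccounts
                       WHERE token_hash = ? AND verified = 0');
    $q->execute([hash('sha256', $token)]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false || time() - (int)$row['created_at'] >= TOKEN_TTL_SECS) {
        return false;
    }
    $db->prepare('UPDATE whitelist_paypalaccounts SET verified = 1
                  WHERE customer_id = ? AND paypal_email = ?')
       ->execute([$row['customer_id'], $row['paypal_email']]);
    return true;
}

// Constructed walk-through (customer id and addresses are made up).
$db = openDb();
echo decidePayment($db, 42, 'alice@example.com', 'Alice@Example.com')['action'], PHP_EOL;
$r = decidePayment($db, 42, 'alice@example.com', 'alice.pp@example.net');
echo $r['action'], PHP_EOL;
echo confirmToken($db, 'wrong-token') ? 'ok' : 'rejected', PHP_EOL;
echo confirmToken($db, $r['token']) ? 'ok' : 'rejected', PHP_EOL;
echo decidePayment($db, 42, 'alice@example.com', 'alice.pp@example.net')['action'], PHP_EOL;
```

The walk-through runs the three cases from the post in order: a matching address pays straight away, a different address gets a verification link sent to the PayPal address rather than the registered one, and once that link has been confirmed the same PayPal account pays without being asked again. Rejecting a wrong token and expiring unused links are the two checks worth keeping even if the rest is adapted to the real A2B tables.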