PC World's Techlog
News, opinion, and links from Editor in Chief Harry McCracken.

PayPal Insecurities

Posted by Harry McCracken | Friday, July 29, 2005 12:05 AM PT

Blogger Mark Evanier has a good thread going on his trouble with his PayPal account--and the trouble he had getting help with it. Key passage:

As I'm waiting here for the PayPal people to find someone there with an I.Q. over room temperature, I've been reading this statement on my screen, which is from a "security" page I can't get past because of this account number snafu...

For your security, PayPal will never ask you to re-enter your full bank account, credit, or debit card number without providing you at least the LAST TWO DIGITS of the number. These digits let you know that we already know the full number and are asking you for the rest of it. Beware of any website or email asking for these numbers for "verification" that does not PROVE that it knows the number by providing at least the last two digits.

That seems odd to me...the suggestion that if someone knows the last two digits of my account number, I should presume they have the full number and it's okay for me to then give that full number to them for verification. Spam/Phisher/Whatever people send out bogus e-mails, pretending to be my bank or PayPal or credit card company, by the zillions. There are 100 possible combinations of the last two digits. So if they send out 1,000,000 e-mails that say, "We know the last two digits of your account number are 33," they're going to be right around 10,000 times. That's 10,000 people who, if they follow PayPal's advice, will then give their entire account number to these people. That's probably a better rate of return than the Spammers get on most of their fraudulent offers.


An excellent (and unsettling) point...and if Mark's figured it out, you gotta think that phishers--who already love to target PayPal customers--will, too. Click here to read Mark's whole PayPal chronicle (scroll up to see the whole thing).
Comments (10)

i keep as little money in my paypal account as possible, and assume someday i will have a problem significant enough to close the account.

etradebank sucks also. the customer service is only good for copying, pasting, and emailing "We value you as a customer" emails that don't address or even pretend to solve the problem you contacted them about.

the good news is that i predict a lot less outsourcing of customer service jobs to India, etc. in the future.

red hand
July 29, 2005
3:08 AM PT

I have a problem w/ AOL making unauthorized withdrawals from my Paypal account even when it went negative. I called Paypal to change my debit card numbers but they did not do so. I have not used my Paypal account since!

Bill
July 29, 2005
3:47 AM PT

Fairly simple solution that would eliminate a good percentage (if not all) of phishing victimization:

Don't give any personal/account information to any web site in response to any prompting whatsoever. If YOU did not initiate the communication, give nothing.

On the other hand, it sounds like the person in question had a problem logging in to his account and needed to initiate such action. In this case, shame on PayPal for having such a weak policy! We consumers need to exercise our RIGHT to have better practices than this from companies that are both making money off us and also potentially exposing our money to the various Internet knuckleheads.

Toulinwoek
July 29, 2005
4:03 AM PT

A rare word in favor of Paypal: someone hacked my hotmail account and, because of my stupidity, was then able to access my Paypal account, and I soon found an $1100 payment taken out of my bank account. Paypal quickly investigated, believed me that I'd never heard of the person the payment went to, and refunded my money. Not saying this will be the experience of everyone who has a problem with Paypal, but it was mine.

Peter Rivard
July 29, 2005
9:24 AM PT

I created a separate account at my bank to handle paypal transactions. Unless I am paying for something, the balance will be $.01. When I need to pay via paypal, if not paying via my CC, they only have a penny to play with.

Brian M
July 29, 2005
11:44 AM PT

Brian M:

Great idea!

Toulinwoek
July 29, 2005
3:23 PM PT

Since it is becoming more and more customary for some companies to use Pay Pal, I find I'm using it more. They don't have any of my money. My payments are made directly using my charge card, not credit card. So my question is, why do they have anyone's money?

Elizabeth Strong
July 30, 2005
5:19 AM PT

ANOTHER REASON THAT THIS IS REALLY, REALLY POOR SECURITY IS THAT ALMOST EVERY RECEIPT THAT YOU GET FROM A FINANCIAL TRANSACTION HAS THE LAST FOUR DIGITS OF THE ACCOUNT YOU ARE PAYING WITH ON IT!!!

dishevel
July 30, 2005
9:52 AM PT

Pay Pal's software is horribly inadequate. They do not have a rules based system. It is easy to do and we could recommend many good systems people and companies who could get it right. They have been dragged before the courts for their software and paid up. They should have improved their software but did not. They would rather pay up to the courts than get outside help. Caveat - their phone line service people are genuine, helpful and even thoughtful. They however, do not have the authority to make PayPal bring in the help they need to get it right to begin with. They seem to feel that it is cheaper to pay millions of dollars as fines rather than straighten out the software. Too bad.

Brian
July 30, 2005
8:08 PM PT

Pay Pal is inadequate--I have tried all day to send money to the UK from Australia via Visa card only to be reminded constantly that I have entered the wrong amount and telling me to enter 5.00. for the sum of 5 pounds sterling after doing so it tells me to do the same thing over & over again --- I have NO pound font on my keyboard --so what is one to do --I am supposed to be able to send monies to all parts of the world or so they say -- what a joke !! I give up

Janet Benson
September 06, 2005
9:03 PM PT