[LINK] PayPal security and account verification

Roger Clarke Roger.Clarke at xamax.com.au
Sun Mar 17 20:37:11 AEDT 2019

Report the scam to ASIC?

A security gap as large as that qualifies as a scam, I reckon.


On 17/3/19 5:17 pm, Ivan Trundle wrote:
> Hi Linkers
> I’m seeking assistance in dealing with PayPal. In a nutshell, someone has signed up to PayPal using my email address (not this one), and I’ve asked PayPal to decouple the email address from the user’s account. The response I received was not satisfactory.
> Because one of my email addresses is ‘attractive’ to some people, they often use it to sign up to sites and services without that site or service verifying the entered credentials. I’m used to dealing with it, and have generally had the issue resolved easily enough, though there are times when I’ve had to sign up to the service with my email address (parking my credentials) just to prevent others from doing the same. Or receive spam forever...
> Dealing with PayPal demands communication through their web interface, and all messages are deleted after 90 days. I asked for a phone number to call, and spoke moments ago to one of their American representatives, who was belligerent and unapologetic overall.
> The response was typically condescending: that my email account may have been recycled, or that the user mistyped, etc. All well and good, but all I asked was that my email address be returned to me, by decoupling it from the other user account set up yesterday. They said not possible without contacting the user first, and even then they suggested that it might not happen.
> So in signing up to PayPal, it is possible to type in a fake email address, and a phone number, and continue using that account without verification of the email address. Poor form on PayPal’s part, but it gets worse.
> I received a welcome message from PayPal (in German, since the account was set up in Germany using a German phone number, apparently), seeking to verify my credentials. I ignored this, and expected the matter to die naturally.
> Then, moments later, I received another communication from PayPal with confirmation of the user’s German bank account details, and a reference number for future activity.
> At this point I wrote to PayPal seeking assistance, and received bland responses. After my third communication from PayPal about my new account, I asked for a phone number to call, and was told that there was little that could be done, and that the representative didn’t want to rely on Google Translate to talk with their German counterparts(!), and that all they could do was ask the German PayPal arm to perhaps phone the user. No offer of a solution at all, and I was left thinking that a simple exploit of PayPal would be to write a script to sign up thousands of accounts to PayPal using addresses scraped from the internet, thus blocking real users from setting up an account.
> But this aside, the continual email trail from this user’s activities would allow me to, for example, make large donations from the user’s account to charities (as has happened when bank account details have been published), and to track his purchases (already happened). Not just annoying, but remarkable given what PayPal is all about. I’ve had better responses from American hotel chains and Russian department stores...
> I can’t call him directly, since I only have part of his phone number (though I could track his name down perhaps), and I can’t access his PayPal account (because I don’t have the password, and password resets are managed via a phone number).
> So my only recourse is through the indifferent and unapologetic PayPal representative.
> Is there more that I can or should do?
> Thanks in advance
> Ivan

Roger Clarke                            mailto:Roger.Clarke at xamax.com.au
T: +61 2 6288 6916   http://www.xamax.com.au  http://www.rogerclarke.com

Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA 

Visiting Professor in the Faculty of Law            University of N.S.W.
Visiting Professor in Computer Science    Australian National University
