[LINK] PayPal security and account verification

Ivan Trundle ivan at itrundle.com
Wed Mar 20 19:20:58 AEDT 2019



> On 19 Mar 2019, at 9:32 am, Tom Worthington <tom.worthington at tomw.net.au> wrote:
> 
> On 17/3/19 5:17 pm, Ivan Trundle wrote:
> 
>> ... someone has signed up to PayPal using my email address ...
> 
> Could you use the "reset your password by email" function, to regain control of the address? https://www.paypal.com/re/smarthelp/article/i-forgot-my-password-for-my-paypal-account.-how-do-i-reset-it-faq1933

That’s what I generally try in most instances like this (to force the user out - I get these once every week or so, from big accounts like DropBox to nasty little websites that I’d prefer to not mention).

Unfortunately, PayPal offers a choice of factors with which to authenticate, and if the user does not elect to use email as one of those factors (and instead chooses to use a phone number), then this closes the opportunities for this kind of activity.

So whilst I can claim that I have ‘forgotten my password’ (using my email address), the response is:

‘A 6-digit code has been sent to 0*** ****1085: please verify your account with this code’. 

This prevents me from intercepting anything, and I rapidly got bored sending 6-digit codes to a number that I cannot see (the *** component is shown that way), though I got some pleasure out of sending them at random hours of the (German time zone) day and night for the last five days. I’m hoping that it matched the same level of annoyance that I have experienced, but is of little use in resolving the issue.

Since last Friday, I’ve spoken numerous times to PayPal representatives, and finally received a (German) email telling me that ‘my’ account was temporarily restricted, and that to remove the restriction, I needed to ‘log into PayPal’ to confirm my credentials. It didn’t say how or what I needed to confirm, but that’s fine so long as no message went to his phone number and he hasn’t verified the account by some other means: no-one in PayPal would tell me the process.

The email defined the next step as follows: "After completing the necessary actions, we will review them and contact you about your account status within 5 business days. Thank you for taking care of this matter."

Odd, since I am not taking care of the matter at all. And I’ve no idea what actions are entailed. Anyone want to set up a fake account and see?

I spoke with PayPal about my concerns that an unverified account can still be sent emails (to the wrong address) with confidential information, whilst welcoming the individual to the world of PayPal. But of course no-one in PayPal wanted to talk with me about this (comments were noted, but no promise of action - the usual lack of transparency and accountability).

I have 5 days to wait for information about the status of my Non-account. I have been assured that the email address cannot be used by anyone (including me) forever. Which may present another problem if that remains my ONLY email address.

So I’ve now got a brilliant play to sign up thousands of fake accounts using popular and famous names and email addresses, and wait for them to be locked, too…

I’m now convinced that PayPal is run by incompetent amateurs who don’t value financial security matters as much as most would have hoped.

Be warned, all.
