Sinbad the Diver
Contributor
I know a lot of people here buy and sell on ebay and use Paypal. This happened today and I was so shocked that I wrote it up and sent it to several technology security reporters, media outlets and bank fraud departments. If Paypal thinks this is OK, consumers need to know.
-------------------------------------------------
As a technology professional, one of the first things we teach a user when it comes to information security is NEVER give anyone your username and password. This is one of the core security best practices and, like a lock on your door, prevents the vast majority of crimes of opportunity. So when a coworker of mine came to me and laid out the events below, I was somewhat taken aback and still question whether or not Paypal is compromised at a spectacular level, or whether they have lost their collective mind.
1. My coworker spent some time on the phone and on-line attempting to change the credit card associated with his Paypal account. He has moved from Canada to the US and there were several issues with address verification. Long story short, Paypal gets things set up and tells him that in order to verify the account, a $1.95 charge will be posted to the credit card and he can enter the transaction number to verify the card and make it active on his Paypal account. He follows those directions, and begins the verification process. A few steps in, they request that he provide his bank account number in order to confirm his account. His radar is up at this request, but he enters the number and hits submit. This attached window pops up requesting the username and password to his on-line banking account.
2. Alarms go off in his head now, and he immediately comes to me. Assuming that Paypal must have been hacked and this is a phishing scam, we called Paypal's customer service number and spoke to Paula. We explained the situation to her and she does not find a problem with the fact that they are asking for his on-line banking log-in credentials. She even explains to us that "we don't keep or store that information, so there is no problem." She also told us that "we only do this with banks that we have agreements with." So we ask to speak to her supervisor, hoping that, as a front-line CS agent, she is just not aware of the serious issues involved here.
3. The supervisor, Arra, that she transfers us to, provides the same answers. So we ask to speak to someone in the Fraud or Security departments. After a long delay, we speak to Anne. She also tells us this is a legitimate request. She also tells us we shouldn't worry, "everyone is doing it."
4. We asked Anne if someone from our bank requested that we provide them with our Paypal password, should we? She answered, "We recommend you never provide your password to anyone." I'll let that response speak for itself.
5. We then contact his bank's fraud department, who tells us he has no idea why they would be requesting that and that he should never provide that to anyone, the answer we expected.
There is so much wrong with this that I don't know where to start. First, the idea that a company that is trusted with millions of dollars of credit transactions in an environment that is always under attack by criminals and scam artists would violate one of the simplest and most important security and privacy protection tools available (don't give out your password) just floors me. Second, what could they possibly do with it? At some level I can understand them asking for the bank account (though even that would have stopped me cold), but they could just use that to verify an active account, and if you are a Paypal account holder you are already placing a great deal of trust in them anyway. So why would they need your on-line banking log-in credentials? They can't legally use them to transfer funds, so what do they have the ability to do that they couldn't do before?
In order for this to be a scam, it would have to be pretty elaborate: Paypal's web sites would have to have been hacked, the scammers would have to know when a new account is created, and their contact numbers redirected to the scammers. That's pretty deep, but not out of the realm of possibility. But with the number of people that can be scammed without going to all that trouble, it seems a little over the top.
So I suspect Paypal has just implemented a practice that violates every concept of security and common sense. If so, what else are they doing? This is definitely one of those times where I'm glad I've never understood the value they bring and have never been willing to trust them with my financial information. I would be very interested in Paypal's response to this.