I wish I could hire Will Smith to sing all about how my brain got flip-turned upside-down by Paypal’s baffling approach to fraudulent accounts, but alas, I am just one woman.
Paypal, however, is a company with nearly 20 years of experience, development and, presumably, a team dedicated to the prevention of fraudulent activity, including money laundering. After all, the company’s revenues of $6.6 billion (2013 figure) should be worth protecting.
That said, it would seem that one of Paypal’s draws — that it’s easy for anyone with an email address to create an account — is one of its massive problems.
I currently run a music blog, Open ’Til Midnight – a little operation I helm that is devoted to reviewing and promoting music, primarily indie artists and Canadian content. I love what I do, but the sheer volume of emails involved is but one reason why I created a unique account for the website. That address (otmblog at gmail dot com) is presented on our submissions page and ultimately, it’s not that hard to scrape up.
On October 21st, 2014, imagine my annoyance and surprise to find a welcome email for “Alexandra Macon” to Paypal, in my inbox. Now, last I checked, I am not the Managing Editor of Vogue magazine. I also have been a Paypal customer under my personal email address for nearly 15 years.
Now, here’s where things get interesting: I then received a phishing email “from Paypal” within hours of this sign-up that falsely employed my email account:
Clearly bullshit. I also received another “getting started” email from Paypal legitimately.
Now, I work in fraud for a financial institution for my day job. What better way, I mused, to push a phishing email through spam filters and make it seem legitimate than to sign up for a Paypal account first, thereby sandwiching the phishing between two valid layers?
In any case, I clearly did not apply for a Paypal account and wanted my email removed from their system. I also wanted to prevent anyone from making fraudulent transfers associated with my email (which is, ostensibly, my business account). I went to Paypal’s website and looked to report the account as fraud.
Problem #1: I could find no other way to report this theft of my intellectual property than to sign in with my Paypal account to get a unique “verifying code”. There was no easily accessible phone number. I logged in with my separate personal account, got the code and phone number, and phoned in to Paypal.
Problem #2: Despite my clearly being verified as a customer (through the above process), the first representative confirmed that yes, someone had used my blog email account and set up Paypal, but she could not deactivate the account in any way. She then went on to challenge me on whether or not I owned the email address, refused to email it so I could sit on the phone and confirm it, and then said this was a “Google issue”. Her excuses for the behaviour of this fraudster were “a typo” (otmblog? REALLY?) or “a recycled email address”.
In fact, this “recycled email address” business was a very popular party line throughout my hour talking with three different employees, including a security manager. As in, someone who should really know security, right? Hmm. See, no one could answer my counter to that (“Why would you sign up with an email address you cancelled years ago, when Paypal requires email verification to receive funds?”). Second, the word blog is a fairly recent addition to common vernacular. Third, I’ve held the account for years. And fourth: Google does not recycle usernames — not even to the person who deleted it. From their own TOS:
Note: Deleting your address won’t free up your username. Once you delete your Gmail address, you won’t be able to use that same username (email@example.com) in the future.
Since the rep clearly did not have any clue once I dropped the words “fraud” and “phishing”, I was passed to someone in the Security department.
Problem #3: I was then informed that the account created with my email address, without consent, had been “limited” so it could not do any transactions without email verification. However, my email would remain on the account forever. I immediately questioned the logic of this, and was fed a series of nonsense reasons at first: that maybe someone made an honest typo; maybe the address had been recycled; that it would somehow be wrong to delete the account of someone sharing the name of a famous person just because I said so.
Repeatedly, I indicated that they could email me right on the spot and confirm that the person on the phone was the rightful owner of the account. I was denied, over and over. As someone who works in fraud, I was scoffed at for pointing out that the phishing email proved that no good intentions could be held by the account creator (“Why would someone create an account to then send a phishing email?” the rep asked condescendingly). Any account can send without email verification — which makes no sense — but somehow, that makes money laundering impossible, so hey, why require verification before an account can do anything? I explained money laundering to Paypal’s security rep. It was embarrassing.
I became increasingly irate that my email would not be removed from the account. It is mine, it is associated with my brand, and it belongs to me. Finally, the rep relented with all other nonsensical explanations and revealed the truth.
Problem #4: Apparently, the only way Paypal has figured out to track fraudulent information is to preserve these accounts forever, in a limited state. My email would forever be associated with a fake name, likely fake address etc. for the sake of ensuring that specific constellation of information would never be used again.
Problem #5: I can never use my valid email, associated with my brand, to open a brand-related Paypal account. My brand is now tainted with a fraud label in a server somewhere.
I argued against the foolishness of this being the company’s only strategy. I pointed out that fraudulent credit applications occur in banks all the time, but were the real Jane Smith to apply for a Visa, we wouldn’t ban her from our bank, because that would be turning away customers — in effect, what Paypal is doing with this policy. “We don’t do credit,” was the reply. “Ditto bank accounts for us,” I countered, “Which is equivalent to what you do.”
I’m escalated to a self-described Security Manager named Dan, who confirms all the nonsense above. I’m increasingly incredulous.
“What if someone signed up with the customer service account of Boston Pizza, or its owner Jim Treliving?” I continued. “Would their email be stuck forever in your fraud database?” I was told yes, yes it was. Huge loophole: fraudsters could create Paypal accounts for every member of a major company with minimal effort. Ludicrous.
“Okay, so you need to keep the profile to run it against future profiles,” I concede. “Fine then: why not have a generic email like ‘firstname.lastname@example.org’ that you could sub in so innocent people like me could have their damn accounts back?” The response: “That’s not a bad idea and I can send it along, but you cannot remove your email from this account.”
“Fine then. Can I reset the password on it, since that will go to my email address, and then change it all up and delete it?” Nope, I’m told, because I did the right thing and reported it. It’s Limited so I can’t do anything to it.
After wasting an hour of my life, I hang up at midnight my local time and am utterly shocked by the lack of common sense, security protocols, anti-money laundering practices and general customer service Paypal exemplifies.
So, to recap:
- Some fraudster or jerk signs you up for Paypal. Maybe you would have wanted to use the service someday, maybe not. Either way, too bad: it’s theirs, despite the fraudster never having to verify the legitimacy of their email account. Jesus, I needed to jump through more hoops to join a radio station mailing list than Paypal requires.
- Despite this lack of legitimacy, a fraudster can send illegally obtained funds from their Visa (or a stolen Visa, perhaps, as I see all day long at work) to another Paypal account, which can lead to a laundering chain.
- The only way Paypal, a major company with billions and offices in Silicon Valley, can figure out to track fraud is to brand emails with a broad brush and maintain thousands of fake accounts forever.
- They have apparently never considered the notion of smart phishing (there’s a reason the Microsoft phone scam works – they use tricks to make themselves seem legit before the scam kicks in), nor have they considered how easy it is to steal email addresses from websites.
Way to fail, Paypal. Seriously. Apparently the only way people can protect themselves is to violate their own TOS and create accounts for every single personal email address, “just in case”. It’s like a warped version of domain parking.
There have been plenty of critics of Paypal’s shoddy practices, particularly those involving seller protections, but this really takes the cake. And I’m not the only one: Google results will take you to community threads with others sharing the experience of an email account being stolen. Identity theft is just par for the course, it seems. No big deal.
This is a business that asks you to connect your credit card and personal banking information to your account. I’m not so sure I feel comfortable using their services anymore.
Have a similar experience with Paypal? I’d love to hear it. Please leave a comment below.