Paypal Prefers To Brand You A Criminal Forever, Rather Than Improve Their Fraud Prevention Practices

I wish I could hire Will Smith to sing all about how my brain got flip-turned upside-down by Paypal’s baffling approach to fraudulent accounts, but alas, I am just one woman.

Paypal, however, is a company with nearly 20 years of experience, development and presumably, a team dedicated to the prevention of fraudulent activity, including money laundering.  After all, the company’s revenues of $6.6 Billion (2013 figure) should be worth protecting.

That said, it would seem that one of Paypal’s draws — that it’s easy for anyone with an email address to create an account — is one of its massive problems.

I currently run a music blog, Open ‘Til Midnight – a little operation I helm that is devoted to reviewing and promoting music, primarily indie artists and Canadian content.  I love what I do, but the sheer volume of emails involved is but one reason why I created a unique account for the website.  That address (otmblog at gmail dot com) is presented on our submissions page and ultimately, it’s not that hard to scrape up.

On October 21st, 2014, imagine my annoyance and surprise to find a welcome email for “Alexandra Macon” to Paypal, in my inbox.  Now, last I checked, I am not the Managing Editor of Vogue magazine.  I also have been a Paypal customer under my personal email address for nearly 15 years.

Now, here’s where things get interesting:  I then received a phishing email “from Paypal” within hours of this sign-up that falsely employed my email account:


Clearly bullshit.  I also received another “getting started” email from Paypal legitimately.

Now, I work in fraud for a financial institution for my day job.  What better way, I mused, to push a phishing email through spam filters and make it seem legitimate than to sign up for a Paypal account first, thereby sandwiching the phishing between two valid layers?

In any case, I clearly did not apply for a Paypal account and wanted my email removed from their system.  I also wanted to prevent anyone from making fraudulent transfers associated with my email (which is, ostensibly, my business account).  I went to Paypal’s website and looked to report the account as fraud.

Problem #1:  I could find no other way to report this theft of my intellectual property than to sign in with my Paypal account to get a unique “verifying code”.  There was no easily accessible phone number.  I logged in with my separate personal account, got the code and phone number, and phoned in to Paypal.

Problem #2:  Despite my clearly being verified as a customer (through the above process), the first representative confirmed that yes, someone had used my blog email account and set up Paypal, but she could not deactivate the account in any way.  She then went on to challenge me on whether or not I owned the email address, refused to email it so I could sit on the phone and confirm it, and then said this was a “Google issue”.  Her excuses for the behaviour of this fraudster were “a typo” (otmblog?  REALLY?) or “a recycled email address”.

In fact, this “recycled email address” business was a very popular party line throughout my hour talking with three different employees, including a security manager.  As in, someone who should really know security, right?  Hmm.  See, no one could answer my counter to that (“Why would you sign up with an email address you cancelled years ago, when Paypal requires email verification to receive funds?”).  Second, the word blog is a fairly recent addition to common vernacular.  Third, I’ve held the account for years.  And fourth:  Google does not recycle usernames — not even to the person who deleted it.  From their own TOS:

Note: Deleting your address won’t free up your username. Once you delete your Gmail address, you won’t be able to use that same username (username@gmail.com) in the future.

Clearly not having any clue once I dropped the words “fraud” and “phishing”, I was passed to someone in the Security department.

Problem #3:  I was then informed that the account created with my email address, without consent, had been “limited” so it could not do any transactions without email verification.  However, my email would remain on the account forever.  I immediately questioned the logic of this, and was fed a series of nonsense reasons at first:  that maybe someone made an honest typo; maybe the address had been recycled; that it would somehow be wrong to delete the account of someone sharing the name of a famous person just because I said so.

Repeatedly, I indicated that they could email me right on the spot and confirm that the person on the phone was the rightful owner of the account.  I was denied, over and over.  As someone who works in fraud, I was scoffed at for pointing out that the phishing email proved that no good intentions could be held by the account creator (“Why would someone create an account to then send a phishing email?” the rep asked condescendingly).  Any account can send without email verification — which makes no sense — but somehow, that makes money laundering impossible, so hey, why require verification before an account can do anything?  I explained money laundering to Paypal’s security rep.  It was embarrassing.

I became increasingly irate that my email would not be removed from the account.  It is mine, it is associated with my brand, and it belongs to me.  Finally, the rep relented with all other nonsensical explanations and revealed the truth.

Problem #4:  Apparently, the only way Paypal has figured out to track fraudulent information is to preserve these accounts forever, in a limited state.  My email would forever be associated with a fake name, likely fake address etc. for the sake of ensuring that specific constellation of information would never be used again.

Problem #5:  I can never use my valid email, associated with my brand, to open a brand-related Paypal account.  My brand is now tainted with a fraud label in a server somewhere.

I argued against the foolishness of this being the company’s only strategy.  I pointed out that fraudulent credit applications occur in banks all the time, but were the real Jane Smith to apply for a Visa, we wouldn’t ban her from our bank, because that would be turning away customers — in effect, what Paypal is doing with this policy.  “We don’t do credit,” was the reply.  “Ditto bank accounts for us,” I countered, “Which is equivalent to what you do.”

I’m escalated to a self-described Security Manager named Dan, who confirms all the nonsense above.  I’m increasingly incredulous.

“What if someone signed up with the customer service account of Boston Pizza, or its owner Jim Treliving?” I continued.  “Would their email be stuck forever in your fraud database?”  I was told yes, yes it was.  Huge loophole:  fraudsters could create Paypal accounts for every member of a major company with minimal effort.  Ludicrous.

“Okay, so you need to keep the profile to run it against future profiles,” I concede.  “Fine then:  why not have a generic email like ‘fraudaccounts@paypal.com’ that you could sub in so innocent people like me could have their damn accounts back?”  The response:  “That’s not a bad idea and I can send it along, but you cannot remove your email from this account.”

“Fine then.  Can I reset the password on it, since that will go to my email address, and then change it all up and delete it?”  Nope, I’m told, because I did the right thing and reported it.  It’s Limited so I can’t do anything to it.

After wasting an hour of my life, I hang up at midnight my local time and am utterly shocked by the lack of common sense, security protocols, anti-money laundering practices and general customer service Paypal exemplifies.

So, to recap:

  • Some fraudster or jerk signs you up for Paypal.  Maybe you would have wanted to use the service someday, maybe not.  Either way, too bad:  it’s theirs, despite the fraudster never having to verify the legitimacy of their email account.  Jesus, I needed to jump more hoops to join a radio station mailing list than Paypal requires.
  • Despite this lack of legitimacy, a fraudster can send illegally obtained funds from their Visa (or a stolen Visa, perhaps, as I see all day long at work) to another Paypal account, which can lead to a laundering chain.
  • The only way Paypal, a major company with billions and offices in Silicon Valley, can figure out to track fraud, is to brand emails with a broad brush and maintain thousands of fake accounts forever.
  • They have apparently never considered the notion of smart phishing (there’s a reason the Microsoft phone scam works – they use tricks to make themselves seem legit before the scam kicks in), nor have they considered how easy it is to steal email addresses from websites.

Way to fail, Paypal.  Seriously.  Apparently the only way people can protect themselves is to violate their own TOS and create accounts for every single personal email address, “just in case”.  It’s like a warped version of domain parking.

There have been plenty of critics of Paypal’s shoddy practices, particularly those involving seller protections, but this really takes the cake.  And I’m not the only one:  Google results will take you to community threads with others sharing the experience of an email account being stolen.  Identity theft is just par for the course, it seems.  No big deal.

This is a business that asks you to connect your credit card and personal banking information to your account.  I’m not so sure I feel comfortable using their services anymore.

Have a similar experience with Paypal?  I’d love to hear it.  Please leave a comment below.

The Purposeful Social Networker

For my birthday, fiance and I finally got off our asses and saw Fincher’s The Social Network, the film chronicling the somewhat dramatic and most definitely embellished creation of Facebook and the subsequent lawsuits against Mark Zuckerberg for various forms of intellectual property theft and reportedly skeezy business dealings.  The film is fantastic, with biting dialogue and an incredible score.  It also raises a key point that few teenagers grasp in Generation Wired:  the internet is written in ink, not pencil.  In other words, once it’s out there, it can safely be assumed it will live on forever, one way or another.

I have always been aware of this fact; it’s why I usually indicate my postal code as 90210 when signing up for online accounts, and give a completely wrong birthday in many cases as well.  I have online pseudonyms to protect my privacy, and also use privacy settings with gusto.  That said, my Google Alert search on my birth name, in addition to telling me that there are name twins in Spokane and New Jersey, reveals that even letters to the editor during my university days live on, happily searchable online, with two words and a click.  Searches on my commonly used online handles reveal a plethora of information that I might not necessarily want known.  For anyone with a little knowledge about my life, it’s very easy to dig up a few skeletons, even on someone as net-savvy as I generally am.

I remember a former friend, whose job involves summarizing blog and other internet hits on various companies and famous people, who was unable to mention certain brands and trademarks on her public Twitter, lest the clients find out she was speaking of them.  Paranoia?  Not so much; one slag of, say, Harry Potter, would potentially have her ass being handed to her.  Then again, she was dumb enough to use her first name and last initial as a handle, so really, she’d castrated herself more so than necessary.  Keeping her Twitter public to chat with celebrities as if they were friends also didn’t help.

That said, what of those of us who choose to be public?  What does this say about us?  I keep my Twitter public, and often spout off on personal topics.  I never reveal anything that would betray my identity (my fiance has a codename, as one example; I never refer to an employer by name), but I am pretty open.  I blog here, about my personal life, and also mention it on my music blog.  In this day and age, where archives are endless, what possible value could there be?  Aren’t we all doomed, as Zuckerberg is in Fincher’s film, to be remembered as the guy who compared farm animals to women, or similarly awful labels?

I believe, as someone whose passion lies in helping the mentally ill, that it is important for those who are currently in the trenches of their own personal wars – often teens and young adults, being as they spend so much time online – to have the ability to connect with those who have made it, or are making it.  I believe that the only way for me to see value in misery is to turn it into cautionary tales and wisdom to be passed along.  I believe in connection, in its purest form, that life is now online as much as offline.  Zuckerberg gets that, too.  It’s why he understood the potential for Facebook and pushed onward.  The world is truly smaller, these days, with the advent of technologies like webcams and Skype, among others.  We may not have Hoverboards and self-adjusting clothing as predicted in Back To The Future 2, but we have a hell of a lot of new gadgets and tools to make and keep friends we may never have found without the internet.

The blog may also be educational, with some writers making a living by instructing and coaching others on a variety of topics.  I, too, choose to contribute here, blogging on political issues, the complexities of the music industry and why some artists need to be thrown off their high horses.  A well-tagged, well-composed entry may yield thousands of viewers who can read one blog and understand an issue that may have been a vague one before.  I pride myself on being thorough, and am pleased when some of the entries that matter the most to me are hit time and time again.  Knowledge is power; Julian Assange is likely going to prison for daring to turn that power over to the public, but he believes in that balance.  I believe in it, too.

For those who dare to be exhibitionists on the World Wide Web, there’s a smart way and a stupid way.  I firmly believe one should be bold, speak up, contribute to the discussion.  When doing so, however, protect yourself.  Opening yourself up means opening up to all kinds – good, bad and batshit crazy – so play safe.  Have an email with a pseudonym that is strictly for online site sign-ups; it centralizes spam and protects your identity.  I’ve had mine for half my life.  Avoid posting clear photos on public sites; you simply don’t know who’s a stalker.  My Gravatar is obviously not me.  Choose usernames more creative than ‘LucyDBToronto’ if going public, and codename your friends and family, even.  One of my public blogs had a key for who was who that I held privately, to ensure privacy.  Avoid using the same username everywhere; have different names for different ‘levels’ of connection.

Most importantly, know your privacy settings and when to use them.  Because your ‘farm animals to women’ will live on longer than any blog or email account, whether you like it or not.