from the Email-confirmation-just-slows-us-down dept.
Recently, I received an email from PayPal asking to confirm my email address for a new account. Since I do not use PayPal, I figured it was a phishing scam and ignored it. However, I started getting other emails, which included updated address information and a sales transaction. The name for the account was not mine (but the first name was the same), and the address was in a different state.
Looking at the raw email headers, it appeared to be legitimate emails from PayPal. What confused me was that I never responded to the email confirmation message, so why would PayPal allow a person to perform a transaction without confirmation? Since the email in question is a Gmail account, I have had since Gmail beta, I wondered if my account had been compromised, but there is nothing to indicate that. Another idea was someone could be intercepting/listening to my email, but that is a lot of effort to do for a simple paypal transaction.
The likely scenario is PayPal failed to check the account email and suspend any further actions until the address is confirmed. PayPal sends an email to confirm the address, but does not bother to wait for the confirmation.
I called PayPal support, and after some time and educating the support person on how technology works, the person put in a support ticket. Not sure if the problem will ever get resolved or if PayPal will admit they have a problem. As of now, I have not received any more emails. I will have to decide if it is worth my time to call support again and get the disposition of the ticket.
(Score: 0) by Anonymous Coward on Tuesday April 18 2017, @03:51PM (6 children)
I get regular emails from them for all sorts of wonderful things they can do for me. I keep going into my account an making sure all the email prefs are unchecked, but they apparently ignore those settings.
(Score: 0, Troll) by Anonymous Coward on Tuesday April 18 2017, @04:09PM (3 children)
You have a paypal account? Ha, ha. That's your problem, right there.
(Score: 2) by epitaxial on Tuesday April 18 2017, @04:43PM (2 children)
Kind of difficult to buy or sell on eBay without one. I remember when you could send money orders directly to the seller. Then eBay bought PayPal and made them the only option. People tried to use Google Wallet on auctions but eBay would cancel them.
(Score: 2, Insightful) by Anonymous Coward on Tuesday April 18 2017, @04:55PM (1 child)
Then don't use ebay if it requires to use scammers like paypal.
(Score: 2) by bzipitidoo on Wednesday April 19 2017, @04:39AM
Great. Mind mentioning some alternatives, especially ones you've had experience with?
I know of Etsy, Ruby Lane, Craigslist, Offer Up, Let Go, Ebid, and Bonanza. Apparently Amazon and Newegg have also moved into this area. On Etsy, I've had one sale and 3 other items that did not sell. Been a long time since I looked at Ebid, but I remember very well that they had this lifetime membership option which they could kill in an instant if they feel you violated their terms of service, no appeal, no refund. So I stayed away from Ebid.
Shipping is incredibly expensive. Big sellers can negotiate discounts of 80% from UPS and FedEx, little guys can't. Cost me $15 to ship a box a bit smaller than a Mini ATX case. They've made it more complicated to figure out the shipping costs. Used to be purely weight based, now they're doing this dimension based pricing.
(Score: 0) by Anonymous Coward on Tuesday April 18 2017, @04:21PM (1 child)
I've had a paypal account since the late 90s and I don't get that crap.
(Score: 0) by Anonymous Coward on Tuesday April 18 2017, @04:53PM
Likely these messages only come to people who don't already have a paypal account tied to their email.
And now that makes me think, in addition to being a way for a malicious user to use a paypal account not tied to the email it could also be a way for them to try and get money destined to other people. You can send money on paypal to any email address regardless of if it has an account set up or not, and if not it will just send an email saying to create an account. I've had coworkers (paying for picked up lunches, etc) send a paypal to me without confirming which of my multiple email addresses to use (and so now I have my PP account tied to all of them). It's possible a spammer could get free money by setting up paypal accounts tied to other people's email addresses.
(Score: 2, Touché) by Anonymous Coward on Tuesday April 18 2017, @04:08PM
On one of my older gmail addresses that gets lots of spam I've seen this happen 3 times. I would say they are not verifying emails at all.
On the first, I did forgot password to get into the account and closed it myself.
On the 2nd I called paypal to tell them to close it and to complain.
On the 3rd I just ignored it. I'm done messing with it. It's not tied to any of my personal information anyway, so it's just more spam.
(Score: 2) by Runaway1956 on Tuesday April 18 2017, @04:35PM (6 children)
Like AC, above, I've had Paypal for a long time. I guess it was 2002 or so when I started the account. I almost never hear from them. When I make a purchase using Paypal, it goes through. I get a periodic email, "your account is available for review online at wwwwhatever". Once, I got an email inquiring whether I intended to order some junk or other from someplace I had never heard of. Told them "No, never heard of it" and I was advised to review my security questions, change password, etc because someone had tried to use my account. In all the years I've used them, I've received maybe - MAYBE - a dozen spam-like emails from them. "Do you want to apply for Paypal credit?"
Knowing then, what I know of Paypal today, I probably wouldn't open an account with them. But, it was so convenient back then. Other methods of online payment were just to damned many hoops to jump through. With Paypal, I verified my identity one time, and it worked almost everywhere. No need to give my credit card number to some unseen, unknown person at the other end of a network connection.
Banks should offer the services that Paypal offers. On the other hand, my bank can't even maintain their own internet site, so maybe it's best they don't offer Paypal services.
(Score: 3, Interesting) by AthanasiusKircher on Tuesday April 18 2017, @07:06PM (5 children)
Knowing then, what I know of Paypal today, I probably wouldn't open an account with them.
Agreed. Paypal -- despite its claim to be "convenient" -- has mostly just caused me headaches over the years. I signed up for Paypal for one or two transactions over a decade ago. For some stupid reason, I somehow ended up with a credit card linked to that account. (Maybe I forgot to uncheck a "remember my card" box or something; I just don't remember. Frankly, I NEVER tend to "save" card info except on 1 or 2 sites I use very frequently and trust, so I can't imagine I'd allow this -- but maybe I used it once and somehow it linked.) Anyhow, maybe 5 years go by, and I try to pay online for something with my card. The people I'm paying (whom I trust, because it's a small organization I'm a member of) use Paypal. I just want to use a credit card to make a payment, but Paypal won't let me -- because my card number is associated with a Paypal account.
Except I don't know what that account is. I don't remember associating the card. I don't know if I even remember the username; I certainly don't have the password. And the email it was likely linked to (which presumably could do a password reset) has been dead for years. I swear that I had made payments through the Paypal interface with this card with no problems before -- i.e., without logging in. Everyone else on the planet who doesn't have a Paypal account can make a payment that way with a credit card. But now I couldn't use my credit card -- because I somehow was stupid enough to associate it with a Paypal account, so they wouldn't process my transaction without my logging in.
After trying to find something on their website that will help (and I think emailing support, which wasn't helpful), I finally give up and use a different credit card. I did that 1 or 2 more times over the next few years when I encountered a Paypal transaction. I tried to close the Paypal account at some point, but without the necessary info, there were some weird hurdles. For "security" reasons, I couldn't open a new Paypal account and add that card either.
But then my card number was changed by my bank -- I think because I had made a Target transaction back when that whole security breach happened. Anyhow, I thought, "Finally! I'll be able to use my credit card again, even for the occasional Paypal transaction." No dice. Now the transaction would seemingly go through until the end, until it would fail with some bizarre error, which caused me to have to contact the organization and check to see whether the transaction even went through or not. Somehow they still had associated my card with an account, even though the original card had long expired AND the number had changed. (I didn't even think that was normally possible.)
After the second time a transaction blew up, I finally called Paypal support and waited on hold for nearly an hour. I explained the situation and just said I NEVER, EVER, EVER want an account with them again -- that I really had used it only once a decade ago, and I don't even know how my card number got saved as associated with that account in the first place. After jumping through a bunch of hoops on the phone, I finally got the card disassociated from the account so I can actually use it again like any other normal person who wants to pay with a credit card and NEVER had a Paypal account.
So I find the summary actually really funny (in a terrible way) -- they insisted on making me log in and verify myself to use my own credit card, even though I never wanted to be associated with them. But they won't take the time to verify an email address before using it for transactions. Huh? Maybe that's how I got stuck in my whole mess in the first place too -- maybe I did something with a card transaction at some point and didn't realize I was logged into Paypal and it just saved the number or something without my confirmation to do so. I don't know... all I know is Paypal has only ever been an impediment to online payments for me.
(Score: 1) by purple_cobra on Tuesday April 18 2017, @10:45PM (1 child)
All these stories about PayPal being shitty and my own experience has been quite the opposite.
A couple of wankers tried to rip me off on eBay, once with a cloned/copied GameBoy Colour cart and once with a broken PowerMac Airport card (shows you how long ago these happened!). The wireless card was being resold by someone who said it didn't work on their machine and it turns out this was because it was broken; the vendor then tries to tell me if the *original* vendor refunds them, they'll refund me. One complaint to PayPal later and they refund what's in the vendor's account - about half the amount - then a few months later I get the rest. That knackered card is still at dad's place somewhere as they stopped responding to all e-mails about it after my initial e-mail.
The only cock-up was I bought something recently and PayPal sent an "e-cheque" instead; turns out this was because I'd let my credit card details lapse and they just hadn't told me about it. Fixed that and it's been fine since, he said with his fingers crossed.
(Score: 0) by Anonymous Coward on Wednesday April 19 2017, @01:48AM
I had a similar happy ending story although not necessarily because of paypal. Bought a phone on eBay and paid with a credit card via PayPal. Used the phone for four months when it suddenly stopped working. Carrier told me that it was just reported stolen and blacklisted (Presumably by the seller). Had to be an insurance scam. EBay and PayPal both told me it was outside the 90 day dispute policy, but the Paypal guy told me to dispute to credit card company. PayPal refunded credit card because seller didn't counter the dispute. I hope the seller pissed.
I don't like the PayPal horror stories, but I haven't had problems.
(Score: 4, Informative) by cubancigar11 on Wednesday April 19 2017, @03:13AM (2 children)
As someone who used to work at PayPal I think I can bring some background to this. PayPal is not considered a bank in USA. I don't know why, but the government allows it and PayPal wants it that way to avoid a myriad of regulations. Because of this distinction, PayPal is regulated in a different way - if a transaction happens on PayPal via a stolen card, it will be held legally held responsible unless they refund the whole amount to the buyer. There are many other factors and many other regulations that come because PayPal operates in multiple countries and handles forex etc.
Because of this, they have developed an internal engine called 'Risk' that gives flags every transaction with 'go ahead' and 'stop'. The whole company relies on this engine, which means two things: A) Help won't come easy if the Risk engine has stopped something to happen. B) The engine itself is slow moving, i.e., it is not easy to tweak it for the current season.
Now, when I used to work, this engine would flag close to 30%-40% of all transaction as a no-go. There is always a talk to lower the risk engine, but management has decided that anything below this has is too... risky (sorry for the pun :P)
While this gets them a constant stream of user with bad experience, they think any competitor won't be able to challenge them by taking more risks.
I personally don't use PayPal unless paying to my domain reseller... and that's it I suppose.
(Score: 2) by cubancigar11 on Wednesday April 19 2017, @03:21AM
Damn, going to get a coffee.
(Score: 0) by Anonymous Coward on Wednesday April 19 2017, @04:28AM
Very interesting, thanks for this story on the Risk engine. A recent transaction of mine was made "pending" and then I received an email asking for an explanation of who I was paying and why. Once I explained, it went through, so no long term trouble. As best I could tell, the reason it was questioned was that the message I sent was a 4 letter acronym that was quite close to "ISIS" ... but not quite, had one letter different--was actually the initials of a small university.
(Score: 4, Insightful) by wonkey_monkey on Tuesday April 18 2017, @04:56PM
Paypal not Confirming use Account Email Addresses?
Wow. No idea. Is that use (v.) or use (n.)? Not sure it makes sense either way...
And what the hell is up with the capitalisation? I know I'm always complaining about title case anyway, but this one is just crazy.
systemd is Roko's Basilisk
(Score: 4, Interesting) by Sulla on Tuesday April 18 2017, @04:59PM (3 children)
I recently had to deal with paypal for the first time I can remember. I have a very old ebay account that I use rarely and I used it to buy someone a few months ago. Product was broken and I returned it. Due to some bank error, between the purchase and return my card had been cancelled. Ebay refunded the money to a paypal account using an email address I had not used in a decade.
I did not have access to the email or know what my username was, but I knew my cash was there. Address validation didn't work because where I lived 7 years ago no longer exists due to building and street name changes.
Took two months to get access to my account for them to tell me they just sent it back to my bank. Was a perfect storm of annoyance.
Ceterum censeo Sinae esse delendam
(Score: 1, Funny) by Anonymous Coward on Tuesday April 18 2017, @05:50PM (2 children)
I recently had to deal with paypal for the first time I can remember. I have a very old ebay account that I use rarely and I used it to buy someone a few months ago.
Human trafficking with PayPal? I knew they were scum, but Geez, Louise!
(Score: 1, Informative) by Anonymous Coward on Tuesday April 18 2017, @07:29PM (1 child)
I was wondering how much for the little girl? Sell them to me! Sell me your children, bwahahah!
/Blues Brothers off
(Score: 2) by NotSanguine on Tuesday April 18 2017, @09:12PM
Belushi did it better [youtube.com]. He was a comic genius!
The clip above doesn't do him justice though. The whole scene [youtube.com] really sells it.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 3, Interesting) by Anonymous Coward on Tuesday April 18 2017, @06:05PM (1 child)
Paypal allows you to add additional email addresses, it is possible that the secondary email addresses are not confirmed when added. You can use both primary and secondary email addresses as the userID for purposes of signing in.
(Score: 2) by termigator on Wednesday April 19 2017, @01:35PM
Doubt this was the case since I received an email to confirm the address. If it did happen to be a secondary address, PayPal failed to wait for confirmation of it since I received subsequent messages about account updates and a sales transaction. Why ask for confirmation if the system will still use it regardless?
Also, when talking to Paypal support, they did not state it was a secondary address. I got the direct impression that my address was the primary address on the account.
As others have noted, lack of confirmation seems to be a security problem since it is common for systems to use email addresses for password resets. I thought about seeing if this was the case, but I did not want to connect to Paypal in anyway that could legitimize my address with the account (I do not use Paypal so I do not know how their site operates).
Fortunately, I did not have to wait as long on the phone as someone else posted. However, I found it sad the lack of technical knowledge the second support person had. The first person transfered me over to someone else that could assist with the problem, but the second person was definitely limited knowledge-wise, including limits on what Paypal systems actually do. Note, the support person was nice and comprehended why the lack of confirming an email address is a problem.
(Score: 5, Interesting) by ledow on Tuesday April 18 2017, @06:09PM (7 children)
Happens all the time.
I have a name that's quite common in Ireland, and I own myname@gmail.com, have had since GMail Beta was a limited signup.
About once or twice a year, I get someone sign up for paypal with - say - my.name@gmail.com, which obviously comes to me too. They don't realise that's not the email they created (usually they have, say my.name57@gmail.com or similar), but they forget and when signing up to stuff they often get the email wrong.
Paypal will happily set up the account, send me the introductory emails, tell me they've added cards, inform me of their transactions, etc. And also let me lock it out, reset the password to my email, etc. I've never tried to misuse it, but I imagine you'd need card details or similar to activate it but I can't imagine it's impossible to do some mischief if you wanted to.
Last time it happened, I used an online letter-posting service to send the guy a letter (because I don't know what his actual email is SUPPOSED to be! But I usually can see their postal address) with a brief note explaining that the email is mine, I'm not "hacking" them, but they should stop signing up with the wrong email because things could be stolen from them, the same as signing up to something with the wrong postal address.
The last guy I sent it to was very grateful, shut down the Paypal as soon as he got the letter, sent me a nice letter of apology back, etc. Not all of them are that polite.
But about every six months, someone else does it. I get everything from flight tickets to holiday bookings to Littlewoods orders, all sorts. Most of those things will let me password-reset to my email address, which would let me take over their account, cancel or modify orders, maybe even spend their money, I don't know.
Sometimes, if I can track them down, I bother to tell people (if it's something like PayPal), but other times I just spam them. I imagine few people go to the lengths I would to try and track them down and educate them (and, hopefully, save them from fraud in the future).
But it's not at all uncommon. Address verification emails aren't required for lots of things. And even where they are, you can often say "reset my password" without needing to verify the address and it will do just that.
The fix, of course, is not technical. Make sure you have the right email. If you bought loads of stuff but accidentally put the wrong postal address down, you'd soon notice, and it's quite possible that the person at that other address will happily take all your ordered goods and claim they never saw them. Same with email. Check your details.
(Score: 2) by ledow on Tuesday April 18 2017, @06:10PM
Clarification: By "spam them", I mean "put the email in spam"!
(Score: 2) by nobu_the_bard on Tuesday April 18 2017, @06:44PM (4 children)
There could be a technical solution - not allow them to charge their cards until they have proven they control the email address by clicking the link in the first "Welcome to " email. Also, not allow them to even view the full information they may have provided when they configured the account, until they confirm the email, in case they did use a wrong email address. Have seen a handful of vendors with such setups.
I think the poster for this story assumed that's what happens with Paypal, but it isn't what happens. Paypal emphasizes minimum hassle, not maximum security. You can sign up and use the new account (+card info) for a transaction inside a couple minutes without changing windows or looking at your phone or whatever. I use it for a variety of reasons also, but most of them boil down to "it simplifies some transactions".
(Score: 4, Insightful) by ledow on Tuesday April 18 2017, @07:08PM (3 children)
Okay.
So they send me an email by mistake when they create an account with the wrong address.
I "verify" it for them.
They don't necessarily even realise that I've even done that, if I leave it a few minutes, they'll just think they were finally successful at verifying things and start adding in credit cards.
Now I still have their account.
It's just a matter of timing.
There is no technical solution here. User education is what matters.
(Score: 0) by Anonymous Coward on Tuesday April 18 2017, @07:50PM (1 child)
Not quite right. the problem here is that it is allowing account creation without clicking the verification link. I've seen it done with my email no less than 3 times, and I know for certain I never clicked the link, yet the account got created and used just fine. I took control of two of them with the password reset to delete them then gave up. I guess I could create my own account to prevent this, but why should I have to?
(Score: 2) by ledow on Tuesday April 18 2017, @08:09PM
Isn't what you describe exactly what would happen if someone were to do what I said, but to you?
(Score: 3, Insightful) by Anonymous Coward on Tuesday April 18 2017, @09:34PM
Unless the verification link requires the user to type the password (which they've already set during creation); since the wrong-email recipient doesn't know the password, they can't verify it.
You can use a cookie in lieu of the password, to make it easier on the user in the common case where the same browser is used to open the verify link that was just used to create the account; you still gotta fall back to password in case it's a different browser, cookies have been deleted/aren't stored, etc..
(Score: 3, Informative) by Arik on Tuesday April 18 2017, @08:47PM
Checking your details is well and good but there IS a technical fix for this and it's been known for decades and frankly anyone doing business on the internet without doing it should be kicked off. You ALWAYS verify the email address. ALWAYS.
If laughter is the best medicine, who are the best doctors?
(Score: 3, Informative) by kaszz on Wednesday April 19 2017, @12:32AM
[Anonymous Coward on 17-04-18 12:53]
Paypal allow money transfers to email addresses not signed up with PayPal which opens the possibility to scam users.
("verify your account details".. yeah sure!)
[AthanasiusKircher]
Paypal won't let go of your credit card unless you let the phone company charge for 1 hour phone queue and then tell Paypal to break the link. Not even expiring the card breaks the link.
[ledow]
Paypal won't verify the email used with them is the correct one. (ie make sure you type your correct email address)
To conclude, Paypal security is not even bad. It's nonexistent? ;)
(Score: 2) by MichaelDavidCrawford on Wednesday April 19 2017, @12:51AM
whenever a particularly sick patient is admitted to his hospital, I get an email that was supposed to inform him.
Marlon Crawford of New Orleans Louisiana is looking for a job as an auto mechanic, but not having much luck because he gives out my email address.
A landlord mailed me to let me know that an apartment was available for me to rent, in some faraway place.
Yes I Have No Bananas. [gofundme.com]