
SoylentNews is people

posted by martyb on Tuesday April 18 2017, @03:48PM
from the Email-confirmation-just-slows-us-down dept.

Recently, I received an email from PayPal asking to confirm my email address for a new account. Since I do not use PayPal, I figured it was a phishing scam and ignored it. However, I started getting other emails, which included updated address information and a sales transaction. The name for the account was not mine (but the first name was the same), and the address was in a different state.

Looking at the raw email headers, they appeared to be legitimate emails from PayPal. What confused me was that I never responded to the email confirmation message, so why would PayPal allow a person to perform a transaction without confirmation? Since the email in question is a Gmail account I have had since Gmail beta, I wondered if my account had been compromised, but there is nothing to indicate that. Another idea was that someone could be intercepting/listening to my email, but that is a lot of effort for a simple PayPal transaction.

The likely scenario is PayPal failed to check the account email and suspend any further actions until the address is confirmed. PayPal sends an email to confirm the address, but does not bother to wait for the confirmation.

I called PayPal support, and after some time and educating the support person on how technology works, the person put in a support ticket. Not sure if the problem will ever get resolved or if PayPal will admit they have a problem. As of now, I have not received any more emails. I will have to decide if it is worth my time to call support again and get the disposition of the ticket.



 
This discussion has been archived. No new comments can be posted.
  • (Score: 5, Interesting) by ledow on Tuesday April 18 2017, @06:09PM (7 children)

    by ledow (5567) on Tuesday April 18 2017, @06:09PM (#495938) Homepage

    Happens all the time.

    I have a name that's quite common in Ireland, and I own myname@gmail.com, have had since GMail Beta was a limited signup.

    About once or twice a year, I get someone sign up for PayPal with - say - my.name@gmail.com, which obviously comes to me too. They don't realise that's not the email they created (usually they have, say my.name57@gmail.com or similar), but they forget and when signing up to stuff they often get the email wrong.

    PayPal will happily set up the account, send me the introductory emails, tell me they've added cards, inform me of their transactions, etc. And also let me lock it out, reset the password to my email, etc. I've never tried to misuse it, but I imagine you'd need card details or similar to activate it but I can't imagine it's impossible to do some mischief if you wanted to.

    Last time it happened, I used an online letter-posting service to send the guy a letter (because I don't know what his actual email is SUPPOSED to be! But I usually can see their postal address) with a brief note explaining that the email is mine, I'm not "hacking" them, but they should stop signing up with the wrong email because things could be stolen from them, the same as signing up to something with the wrong postal address.

    The last guy I sent it to was very grateful, shut down the PayPal as soon as he got the letter, sent me a nice letter of apology back, etc. Not all of them are that polite.

    But about every six months, someone else does it. I get everything from flight tickets to holiday bookings to Littlewoods orders, all sorts. Most of those things will let me password-reset to my email address, which would let me take over their account, cancel or modify orders, maybe even spend their money, I don't know.

    Sometimes, if I can track them down, I bother to tell people (if it's something like PayPal), but other times I just spam them. I imagine few people go to the lengths I would to try and track them down and educate them (and, hopefully, save them from fraud in the future).

    But it's not at all uncommon. Address verification emails aren't required for lots of things. And even where they are, you can often say "reset my password" without needing to verify the address and it will do just that.

    The fix, of course, is not technical. Make sure you have the right email. If you bought loads of stuff but accidentally put the wrong postal address down, you'd soon notice, and it's quite possible that the person at that other address will happily take all your ordered goods and claim they never saw them. Same with email. Check your details.

  • (Score: 2) by ledow on Tuesday April 18 2017, @06:10PM

    by ledow (5567) on Tuesday April 18 2017, @06:10PM (#495940) Homepage

    Clarification: By "spam them", I mean "put the email in spam"!

  • (Score: 2) by nobu_the_bard on Tuesday April 18 2017, @06:44PM (4 children)

    by nobu_the_bard (6373) on Tuesday April 18 2017, @06:44PM (#495957)

    There could be a technical solution - not allow them to charge their cards until they have proven they control the email address by clicking the link in the first "Welcome to " email. Also, not allow them to even view the full information they may have provided when they configured the account, until they confirm the email, in case they did use a wrong email address. Have seen a handful of vendors with such setups.

    I think the poster for this story assumed that's what happens with PayPal, but it isn't what happens. PayPal emphasizes minimum hassle, not maximum security. You can sign up and use the new account (+card info) for a transaction inside a couple minutes without changing windows or looking at your phone or whatever. I use it for a variety of reasons also, but most of them boil down to "it simplifies some transactions".

    • (Score: 4, Insightful) by ledow on Tuesday April 18 2017, @07:08PM (3 children)

      by ledow (5567) on Tuesday April 18 2017, @07:08PM (#495970) Homepage

      Okay.

      So they send me an email by mistake when they create an account with the wrong address.

      I "verify" it for them.

      They don't necessarily even realise that I've even done that, if I leave it a few minutes, they'll just think they were finally successful at verifying things and start adding in credit cards.

      Now I still have their account.

      It's just a matter of timing.

      There is no technical solution here. User education is what matters.

      • (Score: 0) by Anonymous Coward on Tuesday April 18 2017, @07:50PM (1 child)

        by Anonymous Coward on Tuesday April 18 2017, @07:50PM (#495985)

        Not quite right. The problem here is that it is allowing account creation without clicking the verification link. I've seen it done with my email no less than 3 times, and I know for certain I never clicked the link, yet the account got created and used just fine. I took control of two of them with the password reset to delete them then gave up. I guess I could create my own account to prevent this, but why should I have to?

        • (Score: 2) by ledow on Tuesday April 18 2017, @08:09PM

          by ledow (5567) on Tuesday April 18 2017, @08:09PM (#495991) Homepage

          Isn't what you describe exactly what would happen if someone were to do what I said, but to you?

      • (Score: 3, Insightful) by Anonymous Coward on Tuesday April 18 2017, @09:34PM

        by Anonymous Coward on Tuesday April 18 2017, @09:34PM (#496030)

        Unless the verification link requires the user to type the password (which they've already set during creation); since the wrong-email recipient doesn't know the password, they can't verify it.

        You can use a cookie in lieu of the password, to make it easier on the user in the common case where the same browser is used to open the verify link that was just used to create the account; you still gotta fall back to password in case it's a different browser, cookies have been deleted/aren't stored, etc.
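
The design discussed in this sub-thread (a verification link that counts only when presented with the signup browser's cookie or the account password, and no transactions until then), as an added example that is not part of any commenter's post and not PayPal's code. The function names, the in-memory `ACCOUNTS` store and the sample addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ACCOUNTS = {}  # e-mail -> account record (in-memory stand-in for a database)

def _digest(value: str) -> bytes:
    # Store only hashes of the random tokens, never the tokens themselves.
    return hashlib.sha256(value.encode()).digest()

def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def create_account(email: str, password: str):
    """Register an unverified account; return (link_token, signup_cookie)."""
    link_token = secrets.token_urlsafe(32)     # mailed to the address given
    signup_cookie = secrets.token_urlsafe(32)  # set only in the signup browser
    salt = secrets.token_bytes(16)
    ACCOUNTS[email] = {
        "salt": salt,
        "pw": _pw_hash(password, salt),
        "link": _digest(link_token),
        "cookie": _digest(signup_cookie),
        "verified": False,
    }
    return link_token, signup_cookie

def verify_email(email, link_token, cookie=None, password=None) -> bool:
    """Accept the link only together with the signup cookie or the password."""
    acct = ACCOUNTS.get(email)
    if acct is None or not hmac.compare_digest(acct["link"], _digest(link_token)):
        return False
    has_cookie = cookie is not None and hmac.compare_digest(
        acct["cookie"], _digest(cookie))
    has_pw = password is not None and hmac.compare_digest(
        acct["pw"], _pw_hash(password, acct["salt"]))
    if has_cookie or has_pw:
        acct["verified"] = True
    return has_cookie or has_pw

def can_transact(email: str) -> bool:
    """Gate card use (and e-mail password reset) on a verified address."""
    acct = ACCOUNTS.get(email)
    return bool(acct and acct["verified"])
```

A recipient who holds only the mailed link cannot complete verification, so the account stays unusable until the person who created it opens the link themselves.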

  • (Score: 3, Informative) by Arik on Tuesday April 18 2017, @08:47PM

    by Arik (4543) on Tuesday April 18 2017, @08:47PM (#496007) Journal
    "The fix, of course, is not technical. Make sure you have the right email. If you bought loads of stuff but accidentally put the wrong postal address down, you'd soon notice, and it's quite possible that the person at that other address will happily take all your ordered goods and claim they never saw them. Same with email. Check your details."

    Checking your details is well and good but there IS a technical fix for this and it's been known for decades and frankly anyone doing business on the internet without doing it should be kicked off. You ALWAYS verify the email address. ALWAYS.
    --
    If laughter is the best medicine, who are the best doctors?