Post by bernythedolt on Oct 12, 2020 18:00:30 GMT
Do you use PayPal? Be aware of a security loophole I have encountered and which they refuse to entertain.
A person unknown to me (call him "X") opened his PayPal account some years ago, providing them his contact email address "Y". I presume he then allowed this address to go dormant because some time later I, quite by chance, applied for this same email address "Y" and was assigned it. It turns out the provider, hotmail.co.uk, allows their addresses to be recycled after they become dormant.
Anyway, PayPal continue to this day to send me all X's account communications on the address Y which they continue to hold. They are an irritant, so today I decided to do something about it. Using his old dormant (which is now my) email address Y, I was easily able to reset his PayPal login password and log in to his account.
I immediately informed PayPal, via an online chat from X's account, that I was able to see inside X's account, see his balance, his home address, etc and... ...they weren't the slightest bit interested! I was dealing with a halfwit because he asked me to provide a copy of my driving licence or passport to prove the account was mine. Despite telling him several times I was NOT the account holder, it made no difference. His script did not allow for this. I explained about recycled email addresses, to no avail. I asked to speak to a.n.other, but no dice. I may as well have been discussing non-Euclidean geometry for all the progress I was making. After an hour or more online chatting I was forced to give up. He just would not acknowledge any security issue. I even offered to write to their account holder, now that I've discovered his snail mail address, to see how impressed he is with PayPal's security. It was water off a duck's back to my man.
So if you have an account with PayPal, do make sure never to allow your email address to become dormant, or your account can so easily be compromised.
The exact same is true of eBay too, but I was at least able to speak to someone with a modicum of intelligence who did the right thing and dissociated my email address from their account holder's account. The root problem here is the recycling of email addresses, but certain companies don't seem to be wise to the implications of that.
Post by bernythedolt on Oct 13, 2020 9:45:52 GMT
Post by iRobot on Oct 13, 2020 11:09:36 GMT
Couple of links which may be of interest to freebie MS email account holders - inc. msn.*, hotmail.*, live.* and outlook.* domains
Microsoft account activity policy
"Except as provided below, you must sign in to your Microsoft account at least once in a two-year period to keep your account active. If you don’t sign in during this time, Microsoft will consider your account to be inactive."
- the list of exceptions is fairly extensive but centres mostly around ongoing subscriptions and the like.
Microsoft Services Agreement (effective Oct 2020)
"[The] email address that you use to create your Microsoft account will be unique to you for as long as your Outlook.com inbox or Microsoft account is still active. In the event your Outlook.com inbox or Microsoft account is closed either by you or by Microsoft pursuant to these Terms, the email address or username may be recycled into our system and assigned to another user."
If the account has any value to you at all, diarise a reminder to log in once a month / quarter / year (whatever frequency means you are unlikely to forget your password!) so as to not risk losing access.
If it has no value, probably worth reviewing that account's inbox to see what emails you have received from service providers such as ebay, etc. You should then close those dormant accounts so as to not unwittingly provide an easily unlocked backdoor to unwanted visitors, as highlighted by BTD above.
Post by bernythedolt on Oct 13, 2020 16:53:16 GMT
(b) I can certainly vouch for. I've been trying again today to get the message across that somebody should be notifying their security team that I've managed to access somebody else's account. They just cannot grasp the concept. I'm chatting to them from Mr X's account, so I MUST therefore be Mr X - to the help desk staff there is no other possible interpretation.
I've chatted to four or five help desk individuals now, and every one of them just keeps trotting out the various hoops I need to jump through to get "my" account working. Irrespective of how many times I tell them this ISN'T my account, I have no interest in it, I am not a customer and have no account with them. They just cannot grasp the concept behind recycled mail addresses giving a backdoor into someone else's account, despite having sent them the Computerworld link above.
Perhaps it's the American psyche. Scripted automatons with zero ability to think outside the box. Dare to pass up the chain and pester a busy security tech and be threatened with the sack. Most likely, though, it's just too much bother to deviate off script.
If this was something that actually mattered to me, I would be incredibly frustrated by now at the abysmal customer service.
So you are absolutely right @wallstreet. I could never consider a PayPal account for this reason alone. Their flaky security just confirms it.
Post by benaj on Oct 13, 2020 18:54:00 GMT
bernythedolt Most certainly not. (a) Their fees are a ripoff (b) Customer service, as you have discovered, is non-existent (c) Their service is pointless if you are paying by credit card. In the UK you have the Consumer Credit Act, in Europe some equivalent, and most likely the same for the majority of "western" countries. The act of paying via Paypal removes your protections (because the card transaction is with Paypal not the merchant). So if something goes wrong, you are reliant on Paypal as a wholly un-necessary middleman .... which brings us back to point (b) above. Maybe the only place it makes sense is US residents with US registered cards, given the US tends to have minimal consumer protections for US residents?
Well, many online sellers accepting Paypal transaction, there’s virtually not much protection at them. Too many abused the ebay / paypal policies and loopholes. To start with, paypal account holders not ID verified
Post by adrianc on Oct 13, 2020 19:26:29 GMT
Surely there's a very easy solution to this...? www.paypal.com/myaccount/settings/ - and click on "Close your account". Job jobbed. I'm assuming this is the only email address on the account? If not, just change the primary (if it's still this hotmail) to one of the others, then delete the hotmail.
Post by bernythedolt on Oct 14, 2020 1:45:55 GMT
Surely there's a very easy solution to this...? www.paypal.com/myaccount/settings/ - and click on "Close your account". Job jobbed. I'm assuming this is the only email address on the account? If not, just change the primary (if it's still this hotmail) to one of the others, then delete the hotmail.
Thanks adrianc. That was my initial approach, to close the account, but it didn't work. They've placed several restrictions on the account after detecting suspicious behaviour in the past. One such restriction is to prevent account closure. To lift the restrictions, they sensibly require Mr X's proof of ID to be forwarded.
I also tried your second solution at an early stage. Yes, it is the only email address on the account, but PayPal doesn't allow any amendment or deletion of the primary email address you open the account with. Even if you add a supplementary address, you still cannot delete the primary! This applies whether or not account restrictions are in place. They retain your primary address for ever.
Having despaired of ever getting a savvy techie at PayPal to look into this, one of the few fields still amendable is the postal address. So I've now deleted their client's postal address on his account (I've copied it, so can reinstate it if they ask nicely) and replaced it with
<The email address on this account has been>
<recycled and no longer belongs to Mr X.>
<Would you kindly delete it.>
<County>
<Postcode>
or words to that effect. I've then messaged them, inviting them to peruse his address. Will see what happens. Most probably nothing... or it might just do the trick... or if you don't hear from me for a while, I got arrested for hacking.
Having got into Mr X's account, I've never intended anything more nefarious than to dissociate my email address from it, if necessary by force closing his account. But it's proving more difficult, so I'll just have to be more inventive. I like a challenge.
Post by registerme on Oct 14, 2020 2:21:02 GMT
In the past I've had legitimate emails sent to me as a legitimate Verizon customer. Only I'm not a Verizon customer.
Lord knows who entered their email address incorrectly.
Most recently, and more worryingly, I've had legitimate emails from Medicare. Only I am not a US citizen, was born in the UK, and would far rather rely on the NHS than... anything in that way aligned from the US.
Some poor person out there is waiting on some communication(s) from Medicare and not getting it, because it's coming to me.
That's not good.
Post by bracknellboy on Oct 14, 2020 7:42:12 GMT
In the past I've had legitimate emails sent to me as a legitimate Verizon customer. Only I'm not a Verizon customer. Lord knows who entered their email address incorrectly. Most recently, and more worryingly, I've had legitimate emails from Medicare. Only I am not a US citizen, was born in the UK, and would far rather rely on the NHS than... anything in that way aligned from the US. Some poor person out there is waiting on some communication(s) from Medicare and not getting it, because it's coming to me. That's not good.
I recently had notification of creation of a Disney Store account, and of a login to that account. Except my name is not Jeanne, and I don't live in Virginia. Now, given my email address, it's almost inconceivable it could have been accidentally entered by someone called Jeanne as their email address. What is worse, is how come Disney Store systems did not require confirmation of the email address by way of sending out a verification link to that email address.
I wrote to them. I got no reply, of course.
Post by stan88 on Oct 14, 2020 13:21:34 GMT
Unrelated to this but might be of interest to PayPal inactive accounts holders. PayPal is set to introduce an annual fee of up to £12 for users whose accounts have been inactive for a year or more – but you can avoid the charge by logging into your account before the deadline in December. PayPal defines "inactive" as an account where the user hasn't sent, received or withdrawn money, or logged into their account. If your account has been inactive for over 12 months, the fee you're charged will be the lesser of £12 or your entire PayPal balance. If you don't have any money in your PayPal account, or your balance is negative, PayPal says you won't be charged a fee (even if you have a credit or debit card linked to the account). Avoid this by logging in before 15/12/2020. PayPal will send out warning emails to the email linked to the account.
Post by travolta on Oct 14, 2020 13:24:20 GMT
Unrelated to this but might be of interest to PayPal inactive accounts holders. PayPal is set to introduce an annual fee of up to £12 for users whose accounts have been inactive for a year or more – but you can avoid the charge by logging into your account before the deadline in December. PayPal defines "inactive" as an account where the user hasn't sent, received or withdrawn money, or logged into their account. If your account has been inactive for over 12 months, the fee you're charged will be the lesser of £12 or your entire PayPal balance. If you don't have any money in your PayPal account, or your balance is negative, PayPal says you won't be charged a fee (even if you have a credit or debit card linked to the account). Avoid this by logging in before 15/12/2020. PayPal will send out warning emails to the email linked to the account.
Ah, a Martins Money follower....
Post by stan88 on Oct 14, 2020 13:28:16 GMT
Yes was not sure if any would pick up on it, also a lot of US sites reporting it. We do love our free banking in the UK
Post by moonraker on Sept 9, 2022 8:29:11 GMT
The other day I noticed that PayPal had appeared without prior notification among my small list of personal contacts on WhatsApp. There was absolutely no way of removing it. (I use Paypal to pay for various small items on eBay and from elsewhere, with my purchases this financial year likely to total less than £300. My receipts from sales on eBay are likely to be around £200.)
I started one of those conversations with a PayPal on-line "assistant" - one types a message in a box, a bot mis-interprets it several times, I get cross, leading to a message that a, presumably, real person will get back to me. Then I discover a British number for PayPal, get through quickly to someone who's patient and knows what she's talking about (I hope), confirms that the USA number in the WhatsApp details is genuine (which is something that I was unable to determine for myself from Googling). To remove PayPal from my WhatsApp contacts I need to ask WhatsApp.
I thanked her for her help, but expressed my disquiet as to the method that PayPal has used, of imposing WhatsApp on me without notification or permission - especially as there are so many criminals who seek to exploit the company's name.
I guess that it's all for my own good, WhatsApp being secure, but in 20 years PayPal has never needed to contact me
Post by adrianc on Sept 9, 2022 8:36:39 GMT
The other day I noticed that PayPal had appeared without prior notification among my small list of personal contacts on WhatsApp. There was absolutely no way of removing it. (I use Paypal to pay for various small items on eBay and from elsewhere, with my purchases this financial year likely to total less than £300. My receipts from sales on eBay are likely to be around £200.)
I started one of those conversations with a PayPal on-line "assistant" - one types a message in a box, a bot mis-interprets it several times, I get cross, leading to a message that a, presumably, real person will get back to me. Then I discover a British number for PayPal, get through quickly to someone who's patient and knows what she's talking about (I hope), confirms that the USA number in the WhatsApp details is genuine (which is something that I was unable to determine for myself from Googling). To remove PayPal from my WhatsApp contacts I need to ask WhatsApp.
I thanked her for her help, but expressed my disquiet as to the method that PayPal has used, of imposing WhatsApp on me without notification or permission - especially as there are so many criminals who seek to exploit the company's name.
I guess that it's all for my own good, WhatsApp being secure, but in 20 years PayPal has never needed to contact me
I think you may well have unwittingly done something there - I don't have PP in my WA contact list. I use both, and my primary PP phone number is my mobile. I don't use the PP app, but SWMBO does, and it's not in her list either.
Post by benaj on Sept 9, 2022 9:10:18 GMT
I don’t like having anyone’s phone number stored on my contact list unless I want to. I rather remember as numbers
Too many breaches by storing a number and people of the number stored on the contact list can be “nosey”