wtf, PayPal?

Postby Petro » Wed Feb 01, 2012 8:57 am

These idiots are world class.

I get a legit email from PayPal with proper headers and everything, instructing me that my account has been limited until they hear from me.

So, I log in to PayPal by typing their URL (not using any embedded links, etc) and I'm met with the familiar green URL bar ensuring me that it's the real-deal site. The first page displayed is a page asking me for my full CC# and bank account # for linked accounts with the heading "Security Measures".

Both accounts have been closed for a couple of years now. I'm pleased that they have been, in fact. How much more idiotically suspicious could they make themselves appear?

I'm walking away from that paypal account as a result. If that's how they want to handle their verification, I'll never log into their site again.
Petro
Forum Addict
 
Posts: 365
Joined: Fri Jul 10, 2009 11:08 am

Re: wtf, PayPal?

Postby snoqueen » Wed Feb 01, 2012 10:29 am

I've never opened any of those PayPal emails I get. I just assumed they were fake.

Are you very sure the URL you put in really went to their genuine page? It could have been redirected in some way. I think something is fishy here.
snoqueen
Forum God/Goddess
 
Posts: 11816
Joined: Fri Feb 14, 2003 11:42 pm

Re: wtf, PayPal?

Postby Prof. Wagstaff » Wed Feb 01, 2012 1:37 pm

The email you received was undoubtedly fake.

I can't explain how you ended up at a phishing site if you manually typed paypal.com into your browser, but the first page of PayPal is always a login (username/password) no matter if you type it in manually or click a link from another site. You are right to think if PayPal had pages like you described that they'd look suspicious. That's why they don't.

I suggest you run a virus scan cuz something ain't right.
Prof. Wagstaff
Forum God/Goddess
 
Posts: 9047
Joined: Tue Feb 19, 2002 6:35 pm

Re: wtf, PayPal?

Postby Petro » Wed Feb 01, 2012 4:19 pm

Prof. Wagstaff wrote:The email you received was undoubtedly fake.

I can't explain how you ended up at a phishing site if you manually typed paypal.com into your browser, but the first page of PayPal is always a login (username/password) no matter if you type it in manually or click a link from another site. You are right to think if PayPal had pages like you described that they'd look suspicious. That's why they don't.

I suggest you run a virus scan cuz something ain't right.


I have the technical prowess to know what I'm dealing with here.

The email was legit with fully legit headers and a DKIM signature. This was a real email.

The website was paypal's actual site, complete with the additional green DNSSEC stripe at the far left that you can click to see the Verisign colonoscopy to prove that you are, in fact, hitting paypal and it's 100% https - no goofy iframe or XSS bullshit going on. I made the extra (redundant, in light of dnssec) step of verifying DNS after the fact. Nothing was amiss here.

I mentioned logging in to paypal explicitly in my original message. That's the first page you hit. It was normal. It didn't warrant further mention.

Once I logged in, they had enough relevant details of my (long-since shuttered) accounts to prove once again, that this was paypal.

There was nothing strange afoot with their site - just the completely ridiculous notion that they think it's appropriate to step you through a security process that starts in such a fashion. Even knowing that I was dealing with paypal's genuine (moronic) process, I wasn't about to hand them any more of my data.

The process is worth recoiling from. Who really thought that'd be a good idea?
Petro
Forum Addict
 
Posts: 365
Joined: Fri Jul 10, 2009 11:08 am

Re: wtf, PayPal?

Postby Prof. Wagstaff » Wed Feb 01, 2012 4:41 pm

Whoops -- I certainly did read past where you say you logged in.

But if you were logged in officially, I guess I'm confused at what you're recoiling from. That they were asking you to verify the information they require to maintain your account? Or that they did so without making you jump through additional hoops first?

I'm still baffled by that email, though. Why would they have sent such a thing to begin with? I've been dealing with PayPal pretty much since they began, both to make purchases and as a business owner, and I've never heard of such a thing.
Prof. Wagstaff
Forum God/Goddess
 
Posts: 9047
Joined: Tue Feb 19, 2002 6:35 pm

Re: wtf, PayPal?

Postby kiwiwannabe » Wed Feb 01, 2012 4:57 pm

If you are not a frequent user, and I am not, they do this to verify that it's you and not someone using your dormant account to commit fraud.

My credit cards expire, for example, and they want me to verify before I put in the new expiration dates, since I haven't used the account in over 6 months or whatever.

I agree it's stupid, but that's how they do business.

Which is why I seldom use them in the first place!
kiwiwannabe
Forum Addict
 
Posts: 190
Joined: Wed Mar 19, 2008 2:23 pm
Location: High above W. Washington Avenue

Re: wtf, PayPal?

Postby Petro » Wed Feb 01, 2012 5:08 pm

Prof. Wagstaff wrote:But if you were logged in officially, I guess I'm confused at what you're recoiling from. That they were asking you to verify the information they require to maintain your account? Or that they did so without making you jump through additional hoops first?


I guess what I was recoiling from was the very fact that it looked exactly like a well-engineered phishing attempt. This is the sort of stuff that should set off the spidey-sense of anyone that runs across it - and it's their automated procedure.

To be honest, I was never thrilled with them having my bank account info (I've long since changed banks and closed that account), and I'd closed the credit card that they've got on file.

I'm perfectly content to let that account die, especially given the fact that they want to verify details that I've long since shredded in order to keep it open.

I seldom use paypal and it's always for purchases at this point. I don't even need to maintain an account for those.
Petro
Forum Addict
 
Posts: 365
Joined: Fri Jul 10, 2009 11:08 am

Re: wtf, PayPal?

Postby Prof. Wagstaff » Wed Feb 01, 2012 5:31 pm

Petro wrote:I guess what I was recoiling from was the very fact that it looked exactly like a well-engineered phishing attempt.
Isn't this argument circular? After all, aren't well-engineered phishing attempts designed to look like the legitimate sites they're aping? If PayPal changes, so will the phishing sites.

Which is what brings me back to that email. THAT is what phishing sites do. Why would PayPal email you if you haven't been using the account? Why wouldn't they wait to verify 2-year-old outdated info until you tried to use it?
Prof. Wagstaff
Forum God/Goddess
 
Posts: 9047
Joined: Tue Feb 19, 2002 6:35 pm

Re: wtf, PayPal?

Postby Petro » Wed Feb 01, 2012 5:39 pm

Prof. Wagstaff wrote:Which is what brings me back to that email. THAT is what phishing sites do. Why would PayPal email you if you haven't been using the account? Why wouldn't they wait to verify 2-year-old outdated info until you tried to use it?


You'd need to ask PayPal. I've got a DKIM-signed email from them that's doing just that.
Petro
Forum Addict
 
Posts: 365
Joined: Fri Jul 10, 2009 11:08 am

Re: wtf, PayPal?

Postby snoqueen » Wed Feb 01, 2012 5:41 pm

I've closed the bank account they know about too, and I haven't used the service for more than two years -- probably more like three or four. PayPal says they allow accounts to expire in that period of time (see below). To try and force old account-holders to come back to life seems strange -- if people want to use the service they'll stay active, and if not keeping old accounts open is nothing but a security problem.

I tried to log in as you described but I don't know the password any more and I'm not sure which email account I associated with PayPal so even if I wanted to re-up I probably couldn't. I can't be the only person in that situation. Maybe this is how PayPal cleans house and closes dead accounts, but it's clunky and weird, so I doubt it.

I wonder if someone hasn't stolen a list of obsolete PayPal accounts and is phishing to see who can be tricked into giving up their personal information. I know their page looks legitimate and secure, but does that mean it is, or does that mean this is a relatively sophisticated scammer?

You can't disallow the possibility a scammer could have installed a virus on your computer that's collecting keystrokes and stealing bank account numbers and passwords you type in, and the link to a legitimate PayPal page is just facilitating that capture.

I found the following on PayPal's User Agreement page:

7.3 Escheatment of Dormant Accounts. If you do not log in to your Account for two or more years, PayPal may close your Account and send the Balance to your primary address, or, if required, escheat (send) your Balance to your state of residency. PayPal will determine your residency based on the state listed in your primary address. If your address is unknown or registered in a foreign country, your funds will be escheated to the state of Delaware. Where required, PayPal will send you a notice prior to escheating or closing your Account. If you fail to respond to this notice, your Balance will be escheated to the required state. If you would like to claim any escheated funds from the state, please contact your state's Unclaimed Property Administrator.


It sounds like if we're getting email from PayPal after being dormant more than two years, something isn't right. Nothing says they have to, or intend to, notify us before deleting the account.

Communications we're told to expect from PayPal include:

You agree and consent to receive electronically all communications, agreements, documents, notices and disclosures (collectively, "Communications") that we provide in connection with your PayPal account ("Account") and your use of our services. Communications include:

agreements and policies you agree to (e.g., the PayPal User Agreement and the PayPal Privacy Policy), including updates to these agreements or policies;
annual disclosures, including prospectuses and reports for PayPal Funds;
transaction receipts or confirmations;
Account statements and history;
federal and state tax statements we are required to make available to you; and
any other Account, PayPal Funds account, or transaction information.

from:
https://cms.paypal.com/us/cgi-bin/?cmd= ... le.x=en_US

Doesn't say anything about "notices trying to get customers to reopen old accounts."
snoqueen
Forum God/Goddess
 
Posts: 11816
Joined: Fri Feb 14, 2003 11:42 pm

Re: wtf, PayPal?

Postby Petro » Wed Feb 01, 2012 5:51 pm

I appreciate that people are trying to be helpful, but unless you understand the use and implementation of both DKIM in email and DNSSEC for page verification in the browser, you'll have to just trust me that it's a very real email sent from PayPal and I'm going to their website.

It's not a phishing attempt.

It's not a fake site.

It's just a terrible design and implementation.

*Note:
snoqueen wrote:"notices trying to get customers to reopen old accounts."
- those weren't my words, nor were they PayPal's.
Petro
Forum Addict
 
Posts: 365
Joined: Fri Jul 10, 2009 11:08 am
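Petro's argument rests on what a DKIM pass actually proves. The following is an added example (mine, not code from any poster or from PayPal) showing the two checks a receiver makes over a constructed message before trusting a DKIM result: that the body hash (bh=) matches the body, and that the signing domain (d=) is the same domain as the From address. The RSA check of the b= tag and the DNS fetch of the public key are assumed out of scope; only "simple" body canonicalization is implemented.

```python
import base64
import hashlib

# Constructed sample (not a real PayPal message): a short body and the From address
# it claims. The DKIM-Signature value is built from the body below so the example is
# self-consistent; b= is a placeholder because the RSA signature check needs the
# public key from DNS and is not part of this example.
BODY = "Your account access has been limited.\r\nPlease log in to review.\r\n\r\n\r\n"
FROM_ADDR = "service@paypal.com"


def parse_dkim_tags(header_value):
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376 section 3.2)."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())  # folding whitespace is ignored
    return tags


def simple_body_hash(body):
    """bh= under 'simple' body canonicalization: trailing empty lines collapse to one
    CRLF (an empty body becomes a single CRLF), then SHA-256, base64-encoded."""
    canon = body.replace("\r\n", "\n").rstrip("\n") + "\n"
    digest = hashlib.sha256(canon.replace("\n", "\r\n").encode()).digest()
    return base64.b64encode(digest).decode()


def make_signature_header(signing_domain, selector, body):
    """The DKIM-Signature value a signer would emit (signature bytes omitted)."""
    return (f"v=1; a=rsa-sha256; c=relaxed/simple; d={signing_domain}; s={selector}; "
            f"h=from:to:subject; bh={simple_body_hash(body)}; b=PLACEHOLDER_SIGNATURE")


def check_dkim_claims(dkim_value, from_addr, body):
    """Two checks a receiver makes before trusting a DKIM pass: the body hash must
    match what was signed, and the signing domain (d=) must be the From domain,
    because a valid signature from some other domain proves nothing about the sender."""
    tags = parse_dkim_tags(dkim_value)
    canon = tags.get("c", "simple/simple")
    if (canon.split("/")[1] if "/" in canon else "simple") != "simple":
        raise ValueError("only simple body canonicalization is implemented here")
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    return {
        "body_hash_ok": tags.get("bh") == simple_body_hash(body),
        "domain_aligned": tags.get("d", "").lower() == from_domain,
        # the TXT record a verifier fetches to obtain the public key for b=
        "key_record": f"{tags.get('s')}._domainkey.{tags.get('d')}",
    }
```

A signature that verifies but whose d= is a look-alike domain gives a DKIM "pass" without saying anything about PayPal, which is why the alignment check matters as much as the cryptography.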

Re: wtf, PayPal?

Postby snoqueen » Wed Feb 01, 2012 7:12 pm

They were mine. No problem there. I probably should have said "trying to get customers to respond so old accounts aren't 'limited,'" whatever "limited" means. Maybe they're trying to maximize the number of accounts they have for some bookkeeping reason. I don't know. You'd think the occasional PayPal user could just as easily sign up anew each time they buy something, and security would be as good if not better than it is now.

I guess if you're OK with the security on the web page you went to, and are comfortable no malware has been downloaded on you, then you're happy. You seem to know what you're doing. I get DNSSEC but I'm not knowledgeable about DKIM.

I agree with you it's a clumsy implementation of whatever they're trying to accomplish.

But if we agree PayPal's emails and verification system are unsatisfactory, what else is your complaint or your point? I'm trying to be cooperative here too but I'm confused. And PayPal has already lost my account.
snoqueen
Forum God/Goddess
 
Posts: 11816
Joined: Fri Feb 14, 2003 11:42 pm

Re: wtf, PayPal?

Postby Petro » Wed Feb 01, 2012 7:18 pm

snoqueen wrote:But if we agree PayPal's emails and verification system are unsatisfactory, what else is your complaint or your point? I'm trying to be cooperative here too but I'm confused. And PayPal has already lost my account with their iffy-looking emails.


I don't have any other complaint. I've already voiced it. Heck, all my responses were just there to clarify that I was fully aware that this wasn't a scam of any sort - they just did a terrible job of not making it look like a scam.

We're in the same boat. I'm going to just log in and send customer service an email telling them to close that account. All of the information tied to it is long since dead. I'd even stopped using the email address associated with it years ago - it was only forwarded to my current email address as a result of the legit DKIM signature.
Petro
Forum Addict
 
Posts: 365
Joined: Fri Jul 10, 2009 11:08 am

Re: wtf, PayPal?

Postby snoqueen » Fri Feb 03, 2012 7:51 pm

Strange that this should come up a day after our discussion:

http://www.nytimes.com/2012/02/04/us/fb ... ml?_r=1&hp

PayPal was indeed hacked by Anonymous.

Anonymous (and allied groups) do use phishing attacks that include keystroke capture.

Cautions for the future.
snoqueen
Forum God/Goddess
 
Posts: 11816
Joined: Fri Feb 14, 2003 11:42 pm
