Paypal and your online bank account

Sinbad the Diver

I know a lot of people here buy and sell on ebay and use Paypal. This happened today and I was so shocked that I wrote it up and sent it to several technology security reporters, media outlets and bank fraud departments. If Paypal thinks this is OK, consumers need to know.

-------------------------------------------------
As a technology professional one of the first things we teach a user when it comes to information security is NEVER give anyone your username and password. This is one of the core security best practices and like a lock on your door, prevents the vast majority of crimes of opportunity. So when a coworker of mine came to me and laid out the events below, I was somewhat taken aback and still question whether or not Paypal is compromised at a spectacular level, or whether they have lost their collective mind.

1. My coworker spent some time on the phone and on-line attempting to change the credit card associated with his paypal account. He has moved from Canada to the US and there were several issues with address verification. Long story short, Paypal gets things set up and tells him that in order to verify the account, a $1.95 charge will be posted to the credit card and he can enter the transaction number to verify the card and make it active on his paypal account. He follows those directions, and begins the verification process. A few steps in, they request that he provide his bank account number in order to confirm his account. His radar is up at this request, but he enters the number and hits submit. This attached window pops up requesting the username and password to his on-line banking account.


2. Alarms go off in his head now, and he immediately comes to me. Assuming that Paypal must have been hacked and this is a phishing scam, we called Paypal’s customer service number and spoke to Paula. We explained the situation to her and she does not find a problem with the fact that they are asking for his on-line banking log-in credentials. She even explains to us that “we don’t keep or store that information, so there is no problem”. She also told us that “we only do this with banks that we have agreements with”. So we ask to speak to her supervisor, hoping that as a front line CS agent, she is just not aware of the serious issues involved here.

3. The supervisor, Arra, that she transfers us to, provides the same answers. So we ask to speak to someone in the Fraud or Security departments. After a long delay, we speak to Anne. She also tells us this is a legitimate request. She also tells us we shouldn’t worry, “everyone is doing it”.

4. We asked Anne if someone from our bank requested that we provide them with our Paypal password, should we? She answered “We recommend you never provide your password to anyone”. I’ll let that response speak for itself.

5. We then contact his bank fraud department who tells us he has no idea why they would be requesting that and that he should never provide that to anyone, the answer we expected.

There is so much wrong with this that I don’t know where to start. First, the idea that a company that is trusted with millions of dollars of credit transactions in an environment that is always under attack by criminals and scam artists would violate one of the simplest and most important security and privacy protection tools available (don’t give out your password) just floors me. Second, what could they possibly do with it? At some level I can understand them asking for the bank account (though even that would have stopped me cold) but they could just use that to verify an active account and if you are a Paypal account holder you are already placing a great deal of trust in them anyway. So why would they need your on-line banking log-in credentials? They can’t legally use them to transfer funds, so what do they have the ability to do that they couldn’t do before?

In order for this to be a scam, it would have to be pretty elaborate and Paypal’s web sites would have to have been hacked, the scammers would have to know when a new account is created and their contact numbers redirected to the scammers. That’s pretty deep, but not out of the realm of possibility. But with the number of people that can be scammed without going to all that trouble, seems like a little over the top.

So I suspect Paypal has just implemented a practice that violates every concept of security and common sense. If so, what else are they doing? This is definitely one of those times where I’m glad I’ve never understood the value they bring and have never been willing to trust them with my financial information. I would be very interested in Paypal’s response to this.
 
I dunno

I've used PayPal for years with no problem, so have countless others.

If my credit card is fraudulently billed I'm not liable for much, if anything.

The bank account I have PayPal associated with only has a few hundred bucks in it at any given time.

I sleep ok
 
I dunno

I've used PayPal for years with no problem, so have countless others.

If my credit card is fraudulently billed I'm not liable for much, if anything.

The bank account I have PayPal associated with only has a few hundred bucks in it at any given time.

I sleep ok

Ditto :D
 
I dunno

I've used PayPal for years with no problem, so have countless others.

If my credit card is fraudulently billed I'm not liable for much, if anything.

The bank account I have PayPal associated with only has a few hundred bucks in it at any given time.

I sleep ok

would you give them the login information to your bank account?
 
I would NEVER give anyone a login to my online bank account. I have changed my credit cards in paypal and never had to do this. I am impressed that your friend was actually able to get someone on the phone from paypal.
 
would you give them the login information to your bank account?

Would I give them my online logon name and password?

No.

But I would give them the account number and routing numbers, which is probably what they really wanted.
 
Would I give them my online logon name and password?

No.

But I would give them the account number and routing numbers, which is probably what they really wanted.

no, that's not what they asked for....

here's the screen shot....

paypalwindow.jpg
 
Ok, yeah, I reread your initial post, I'll admit I skimmed the first time.

Looking at that screenshot-

All I can tell you is that based on what you have posted, it appears that PayPal apparently does have a tie in with some banks and that's how they work it. I don't think I'd go any further with the application if it was me who was presented with that screen.

Doesn't make sense that it would be necessary for ANY online merchant to have that information in order to withdraw funds, normally all they need is the account and routing numbers.
 
So pick the 2-3 day option.

Then you don't have to enter the password

They apparently do that so that a customer can use the bank account immediately
 
and I'd want to know if my bank was willing to enter into agreements like that so I could find another bank

the point here is that you beat people over the head constantly to get them to not give out their passwords, then a company, a company that is a major financial services provider in a very dangerous environment, puts in a process that violates one of the key concepts of info security. It has to make you question the people making decisions there. Then top it off with the so called security person saying it's fine, but never give out your password and don't worry, everyone is doing it.
 