Posts tagged ‘paypal’

Paypal in Trouble?

A few days ago I posted on the security hole I discovered in Paypal where payments to my email were flowing to someone else's account.  After denying the problem for quite a while, Paypal finally admitted it.

In the last two days, I have had two other problems with Paypal.  The first was that an account hold was slapped by Paypal on my account.  Apparently I accessed the account from an IP address (maybe a hotel on the road?) they had never seen me at before and so they froze my account until this morning when I had to spend an hour convincing them in various ways I really did control the account.

The second issue was when Paypal put a hold on a payment I received.  At first, I was ticked off at the buyer, thinking that person had received the item and then was trying to keep his money.  But it turned out the buyer had nothing to do with it.  Again, the Paypal computers saw the buyer account had been relatively inactive and held the payment until the buyer called in and convinced them the payment was legitimate.

Now, at some level, one can say that Paypal is trying to protect my money.  But if fraud is so prevalent in Paypal that these kinds of onerous fraud checks and constant account and payment freezes are becoming the norm, then it may well be that their business model is in trouble.  Like strip searches at the airport, it may increase security but it may also kill the business.

If you had asked me five years ago, I would have said it likely that by 2009, we would have an online payments system that involved some type of digital certificates on individual computers tied to either a payment system or one's credit card number.  My corporate cash management account works this way, but the retail world does not.  Part of the problem is that there is only limited consumer incentive to demand such a system.  Currently, most fraud costs are pushed by card companies onto retailers rather than consumers (who can fairly easily void a fraudulent payment), reducing the perceived cost of low security.

Postscript:  It is always interesting to listen to the tone of customer service agents.  I talked to four different Paypal agents this morning, and the fairly clear undertone of their responses to my rants about these problems was "it's as bad around here as you think it is."

A Paypal Security Hole and Poor Customer Service Judgement that Made it Worse

I have been having problems for a while receiving Paypal payments to my business account.  Today, I received an account notification for someone else's Paypal account.  I have received phishing and spoof emails before, but I was pretty sure this one was legit.  I contacted the other person whose account notification I had received (they were horrified at that security breach, by the way), and sure enough, they were honest enough to admit they had been receiving some mystery payments they could not account for, which we quickly determined were mine.  I asked them to check their email addresses on their account, and sure enough, for some reason neither of us could fathom, my email address was listed as a secondary address on their account.  This is the same email that is the primary on my Paypal account, something Paypal claims is impossible.

I asked the other user to not touch it for a minute, and said I wanted to try an experiment.  I called Paypal and got a real person (a slog in and of itself) and described the situation:  I had solid reason to suspect that my email address on my account was on someone else's account as well.  They said that was impossible.  I insisted it might be possible.  Eventually, the customer service agent relented and said they would run a search (I presume they search their database for my email address and check for multiple hits, an assumption later confirmed by the supervisor).

Well, the customer service agent returned and said "I am happy to tell you your account is fine and no one else has your email address."  She actually said the "happy" thing in a chirpy voice.  I said that now I was REALLY worried, as I had definitive evidence my email is on another account, and if their search programs are not finding the issue, I have no confidence that it is not on more accounts.  After getting nowhere with this, I asked for a supervisor.

I explained all of the above, and the supervisor admitted the first agent did not tell me the whole truth.  She said, "yes, in fact we did find your email on one other account and eliminated it.  The problem was on just that one other account.  We have had this problem a few times and are still trying to figure out why it happens because it should be impossible."  Fine.  But why did the customer service agent feel the need to lie?  I guess technically it was correct for her to report that my email was not on any other account, as they had eliminated the duplications before they took me off hold.  It just seems to be in the institutional nature of organizations to cover their errors and not admit them.

I guess this sort of thing might work with the average computer user who is unsure of his skills and can be convinced that he misunderstands the problem.  And to be fair, all of computer and software customer service seems to work this way, trying to convince users it was their error rather than a bug.  But in my case, knowing for an absolute fact that there was an error, this approach only panicked me more, as I became worried not only with the security hole in their payments system, but with the fact that the company was apparently unaware of the hole and unable to detect it.

The other issue is that I actually think I know how this happened, but neither the agent nor their supervisor took the time to try to get any background information on me that might help them diagnose what is obviously a bug in their system they have been chasing unsuccessfully.  It is a bit like having a mystery epidemic where a disease is spreading via an unknown vector but no one is doing any research into the patients' histories.  Yeah, I know they can't put a priority on every bug fix, but I would assume that for a payments processor a bug that allows money to flow to the wrong person might be of some priority.

Postscript: Not that it matters to any of you, but here is my hypothesis.  I actually had done a transaction with this other user years ago.  This user did not have a Paypal account at that time, but one can actually send money via credit card to someone with a Paypal account even if the person sending money does not have an account.  The other user sent me the money with her Visa card from a public terminal, but called me because she could not complete the form because she did not have an email address.  I told her just to plug mine in, and if I got any emails on the transaction I would mail them to her.  Years later, she was more sophisticated and opened up her own Paypal account.  My hypothesis (really, the only explanation that works) is that at the time she signed up, the Paypal computer went back into its records, found her name from this old transaction, and automatically attached the old email address (mine) from that transaction to the new account as an additional email.  Since this email was not entered via the data entry screen, it bypassed the duplicate email name check which presumably happens at data entry.  It is a back door that allows duplicates in.  It strikes me someone in their development group might be interested in this hypothesis, since this is one of those bugs it is hard to track down, but no one asked.
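The postscript's hypothesis, sketched as an added example (not Paypal's code and not part of the original post): a duplicate check that lives only in the data-entry path is skipped by a second write path, while a uniqueness constraint in the database catches both. The table, function names and the example.com address are constructed assumptions; the audit query mirrors the "search for multiple hits" described earlier.

```python
import sqlite3

def make_db(enforce_unique):
    """Constructed schema: one row per (account, email) pair."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE account_emails (account_id INTEGER, email TEXT)")
    if enforce_unique:
        # Hardened form: the database itself refuses a second owner.
        db.execute("CREATE UNIQUE INDEX one_owner ON account_emails (lower(email))")
    return db

def add_email_via_form(db, account_id, email):
    """Data-entry path: the only place the duplicate check runs."""
    hit = db.execute("SELECT 1 FROM account_emails WHERE lower(email) = lower(?)",
                     (email,)).fetchone()
    if hit:
        return False
    db.execute("INSERT INTO account_emails VALUES (?, ?)", (account_id, email))
    return True

def backfill_from_old_transactions(db, account_id, old_emails):
    """Hypothesised back door: writes rows without calling the form check."""
    added = 0
    for email in old_emails:
        try:
            db.execute("INSERT INTO account_emails VALUES (?, ?)", (account_id, email))
            added += 1
        except sqlite3.IntegrityError:
            pass  # constraint caught what the form check never saw
    return added

def shared_emails(db):
    """Audit query: addresses attached to more than one account."""
    rows = db.execute(
        "SELECT lower(email), COUNT(DISTINCT account_id) FROM account_emails "
        "GROUP BY lower(email) HAVING COUNT(DISTINCT account_id) > 1").fetchall()
    return [r[0] for r in rows]

def run_scenario(enforce_unique):
    db = make_db(enforce_unique)
    add_email_via_form(db, 1, "seller@example.com")        # seller's primary
    blocked = not add_email_via_form(db, 2, "seller@example.com")  # form refuses
    added = backfill_from_old_transactions(db, 2, ["Seller@example.com"])
    return blocked, added, shared_emails(db)

if __name__ == "__main__":
    print(run_scenario(False))  # form-only check
    print(run_scenario(True))   # unique index
```

With the form-only check the backfill leaves one address on two accounts and only the audit query reveals it; with the index the same backfill adds nothing.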

Question About Foreign Credit Cards

A woman in Nigeria wants to buy 10 of my wife's handbags.   Right now, we have Paypal's foreign credit card option turned off, and of course the Nigeria angle sends off warning bells.  Are there any good ways to accept money from Nigeria with minimal risk of fraud?