Posts tagged ‘security hole’

A Paypal Security Hole and Poor Customer Service Judgement that Made it Worse

I have been having problems for a while receiving Paypal payments to my business account.  Today, I received an account notification for someone else's Paypal account.  I have received phishing and spoof emails before, but I was pretty sure this one was legit.  I contacted the other person whose account notification I had received (they were horrified at that security breach, by the way), and sure enough, they were honest enough to admit they had been receiving some mystery payments they could not account for, which we quickly determined were mine.  I asked them to check the email addresses on their account, and sure enough, for some reason neither of us could fathom, my email address was listed as a secondary address on their account.  This is the same email that is the primary on my Paypal account, something Paypal claims is impossible.

I asked the other user to not touch it for a minute, and said I wanted to try an experiment.  I called Paypal and got a real person (a slog in and of itself) and described the situation:  I had solid reason to suspect that the email address on my account was on someone else's account as well.  They said that was impossible.  I insisted it might be possible.  Eventually, the customer service agent relented and said they would run a search (I presume they search their database for my email address and check for multiple hits, an assumption later confirmed by the supervisor).

Well, the customer service agent returned and said "I am happy to tell you your account is fine and no one else has your email address."  She actually said the "happy" thing in a chirpy voice.  I said that now I was REALLY worried, as I had definitive evidence my email is on another account, and if their search programs are not finding the issue, I have no confidence that it is not on more accounts.  After getting nowhere with this, I asked for a supervisor.

I explained all of the above, and the supervisor admitted the first agent did not tell me the whole truth.  She said, "yes, in fact we did find your email on one other account and eliminated it.  The problem was on just that one other account.  We have had this problem a few times and are still trying to figure out why it happens because it should be impossible."  Fine.  But why did the customer service agent feel the need to lie?  I guess technically it was correct for her to report that my email was not on any other account, as they had eliminated the duplications before they took me off hold.  It just seems to be in the institutional nature of organizations to cover their errors and not admit them.

I guess this sort of thing might work with the average computer user who is unsure of his skills and can be convinced that he misunderstands the problem.  And to be fair, all of computer and software customer service seems to work this way, trying to convince users it was their error rather than a bug.  But in my case, knowing for an absolute fact that there was an error, this approach only panicked me more, as I became worried not only with the security hole in their payments system, but with the fact that the company was apparently unaware of the hole and unable to detect it.

The other issue is that I actually think I know how this happened, but neither the agent nor their supervisor took the time to try to get any background information from me that might help them diagnose what is obviously a bug in their system they have been chasing unsuccessfully.  It is a bit like having a mystery epidemic where a disease is spreading via an unknown vector but no one is doing any research into the patients' histories.  Yeah, I know they can't put a priority on every bug fix, but I would assume that for a payments processor a bug that allows money to flow to the wrong person might be of some priority.

Postscript: Not that it matters to any of you, but here is my hypothesis.  I actually had done a transaction with this other user years ago.  This user did not have a Paypal account at that time, but one can actually send money via credit card to someone with a Paypal account even if the person sending money does not have an account.  The other user sent me the money with her Visa card from a public terminal, but called me because she could not complete the form because she did not have an email address.  I told her just to plug mine in, and if I got any emails on the transaction I would mail them to her.  Years later, she was more sophisticated and opened up her own Paypal account.  My hypothesis (really, the only explanation that works) is that at the time she signed up, the Paypal computer went back into its records, found her name from this old transaction, and automatically attached the old email address (mine) from that transaction to the new account as an additional email.  Since this email was not entered via the data entry screen, it bypassed the duplicate email check which presumably happens at data entry.  It is a back door that allows duplicates in.  It strikes me someone in their development group might be interested in this hypothesis, since this is one of those bugs it is hard to track down, but no one asked.
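The mechanism in the hypothesis above (a uniqueness check that lives only in the signup form handler, and an automated "pull emails from old transactions" step that skips it) is a general pattern, so here is a small model of it as an added example. This is constructed illustration code written for this page, not Paypal's code, and everything in it (the account store classes, the `OLD_TRANSACTIONS` history record, the names "alice" and "bob") is assumed. The `LeakyStore` reproduces the hypothesized back door; the `StrictStore` routes every path that attaches an email through one checked method backed by an email-to-owner index, which is what a database unique constraint gives you; and `audit_duplicates` is the kind of multiple-hit search the supervisor described.

```python
"""Constructed model of the hypothesized bug: a duplicate-email check done
only at the data entry screen, bypassed by an automatic history import.
Not PayPal's code; all names and records below are assumptions."""
from dataclasses import dataclass, field


class DuplicateEmailError(Exception):
    """Raised when an email is already attached to a different account."""


@dataclass
class Account:
    name: str
    emails: set = field(default_factory=set)


# Constructed history record: years ago "alice" paid by card without an
# account and typed the recipient's ("bob") email into the form.
OLD_TRANSACTIONS = [
    {"payer_name": "alice", "email": "bob@example.com"},
]


class LeakyStore:
    """Uniqueness is checked only in the signup form path."""

    def __init__(self):
        self.accounts = {}

    def email_owners(self, email):
        return [a.name for a in self.accounts.values() if email in a.emails]

    def signup(self, name, email):
        # The form handler checks for a duplicate of the typed email...
        if self.email_owners(email):
            raise DuplicateEmailError(email)
        acct = Account(name, {email})
        self.accounts[name] = acct
        # ...but the automatic import from old transactions never does.
        for tx in OLD_TRANSACTIONS:
            if tx["payer_name"] == name:
                acct.emails.add(tx["email"])  # back door: no uniqueness check
        return acct


class StrictStore:
    """Every path that attaches an email goes through attach_email(), which
    consults an email -> owner index (stand-in for a DB unique constraint)."""

    def __init__(self):
        self.accounts = {}
        self.owner_of = {}  # email -> account name

    def email_owners(self, email):
        return [self.owner_of[email]] if email in self.owner_of else []

    def attach_email(self, acct, email):
        owner = self.owner_of.get(email)
        if owner is not None and owner != acct.name:
            raise DuplicateEmailError(f"{email} already belongs to {owner}")
        self.owner_of[email] = acct.name
        acct.emails.add(email)

    def signup(self, name, email):
        acct = Account(name)
        self.attach_email(acct, email)
        self.accounts[name] = acct
        for tx in OLD_TRANSACTIONS:
            if tx["payer_name"] == name:
                try:
                    self.attach_email(acct, tx["email"])
                except DuplicateEmailError:
                    pass  # the historical email belongs to someone else; skip it
        return acct


def build(store_cls):
    """Populate a store with the two users from the story (constructed)."""
    store = store_cls()
    store.signup("bob", "bob@example.com")      # Bob's primary email
    store.signup("alice", "alice@example.com")  # Alice later opens her own account
    return store


def owners_of_bobs_email(store_cls):
    """Who ends up holding bob@example.com after both signups."""
    return sorted(build(store_cls).email_owners("bob@example.com"))


def audit_duplicates(store):
    """The multiple-hit search: every email attached to more than one account."""
    seen = {}
    for acct in store.accounts.values():
        for email in acct.emails:
            seen.setdefault(email, set()).add(acct.name)
    return {e: sorted(names) for e, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    print("leaky :", owners_of_bobs_email(LeakyStore), audit_duplicates(build(LeakyStore)))
    print("strict:", owners_of_bobs_email(StrictStore), audit_duplicates(build(StrictStore)))
```

The point of the second store is that the invariant ("an email belongs to at most one account") is enforced where the data is written, so no future import path, batch job or support tool can reintroduce the duplicate no matter which screen it skips; the audit function is still worth running periodically, because it is the only thing that finds rows written before the constraint existed.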