Posted by: David Schneier
I’m not much of a shopper. I decide what it is I need/want to buy, assess the marketplace to determine quality and price and once I have a generally strong sense for both make a decision and move forward. My wife on the other hand loves the constant trolling, scouring and scouting of just about any market and any product therein to find bargains, deals and steals. So for her eBay has been among the happiest distractions ever. She’s a bit of a night owl and after spending the first few decades of life being handcuffed by traditional store hours has found both eBay and the Internet to be the great equalizer. And it’s difficult to think of eBay without also thinking of its most important business partner PayPal, an online payment processor that has for all intents and purposes revolutionized the way we spend our money.
Our family has had a PayPal account almost since PayPal has offered them. It’s remarkably convenient, it provides us great flexibility to shop online using a single payment source and I love that we’ve been able to change funding sources several times over the years. It’s always conveyed a certain sense of security; I’ve just always felt safe using PayPal. I’ve even gone so far as to suggest that at some point, if PayPal management grows things just right I could see a future state where paper currency and maybe even actual physical credit cards go away and are replaced by some version of their services. When I discovered this past year that Home Depot already allows you to use PayPal to make in-store purchases I was convinced I was right. Now I’m not so sure.
Over the past year or so I’ve been getting the occasional email ping from PayPal regarding our reaching a spending limit. It’s a fairly high limit for most but considering that we’ve been using PayPal to make purchases going back nearly a decade maybe not as much. But the message has been quite clear; if we didn’t verify our account before reaching this limit it would be “the maximum amount of money you can send or use for purchases before you need to become Verified”. So how you become verified is quite simple – either give up your bank account information or apply for a privately owned credit card. No, seriously, those are the only two options.
My first thought was that although I liked having the protective layer of a credit card product buffering my PayPal account from my actual money I was okay with providing bank account information. It’s not like I don’t use that in other places to make payments and so there wouldn’t be any enhanced risk by doing so again. I wasn’t going to apply for a PayPal-based credit card because I don’t want one or need one and I wasn’t looking for a new credit source anyway, I just wanted to continue using PayPal. I clicked on the option to provide my bank account information and after the initial screen where they ask for the routing and account details and clicking on “Submit” I was presented with a screen that I still can’t believe exists. Right there before my eyes was a screen from PayPal in which they ask me to provide my online banking user-id and password so they can verify a series of PayPal-generated payments thus confirming my banking details. Let me repeat that one more time; PayPal asked me to provide them with my online banking user-id and password.
Has PayPal lost its collective mind? Seriously, have they?
I was stunned, almost to the point where I couldn’t get coherent words to flow. I immediately fired off an email to PayPal customer support asking them how they could do something so outrageous. Within minutes I received an automatically generated reply which I always find insulting, as though I’m not worth an actual intelligent and personal response. It was a complete regurgitation of everything stated on their website and completely ignored the gist of my email. I fired off a second email missive, this time way more specific. Here’s what I wrote: