Our family has had a PayPal account almost since PayPal has offered them.  It’s remarkably convenient, it provides us great flexibility to shop online using a single payment source and I love that we’ve been able to change funding sources several times over the years.  It’s always conveyed a certain sense of security; I’ve just always felt safe using PayPal.  I’ve even gone so far as to suggest that at some point, if PayPal management grows things just right I could see a future state where paper currency and maybe even actual physical credit cards go away and are replaced by some version of their services.  When I discovered this past year that Home Depot already allows you to use PayPal to make in-store purchases I was convinced I was right.  Now I’m not so sure.

Over the past year or so I’ve been getting the occasional email ping from PayPal regarding our reaching a spending limit.  It’s a fairly high limit for most but considering that we’ve been using PayPal to make purchases going back nearly a decade maybe not as much.  But the message has been quite clear; if we didn’t verify our account before reaching this limit it would be “ the maximum amount of money you can send or use for purchases before you need to become Verified”.   So how you become verified is quite simple – either give up your bank account information or apply for a privately owned credit card.  No, seriously, those are the only two options.

My first thought was that although I liked having the protective layer of a credit card product buffering my PayPal account from my actual money I was okay with providing bank account information.  It’s not like I don’t use that in other places to make payments and so there wouldn’t be any enhanced risk by doing so again.  I wasn’t going to apply for a PayPal-based credit card because I don’t want one or need one and I wasn’t looking for a new credit source anyway, I just wanted to continue using PayPal.  I clicked on the option to provide my bank account information and after the initial screen where they ask for the routing and account details and clicking on “Submit” I was presented with a screen that I still can’t believe exists.  Right there before my eyes was a screen from PayPal in which they ask me to provide my online banking user-id and password so they can verify a series of PayPal generated payments thus confirming my banking details.  Let me repeat that one more time; PayPal asked me to provide them with my online banking user-id and password.

Has PayPal lost its collective mind?  Seriously, have they?

I was stunned, almost to the point where I couldn’t get coherent words to flow.  I immediately fired off an email to PayPal customer support asking them how they could do something so outrageous.  Within minutes I received an automatically generated reply which I always find insulting, as if though I’m not worth an actual intelligent and personal response.  It was a complete regurgitation of everything stated on their website and completely ignored the gist of my email.  I fired off a second email missive, this time way more specific.  Here’s what I wrote:

Before you read any further please fire up Netflix or hit up Redbox and rent “Catch Me If You Can” the DiCaprio-Hanks movie about Frank Abagnale Jr. the infamous check forger.  The movie covers in sufficient detail how Mr. Abagnale figured out how to forge checks and stay one step ahead of the law for years.  Take sufficient notes and then consider remote deposit capture and how it solves so many of the issues he had to figure out work-around’s for.

I’ve written in the past about how insane I think it is that we send unsecured documents via the mail that contains all of our bank account information including name and address without so much as a second thought.  When you consider how relatively pervasive ACH payments are these days (I pay at least a half-dozen of my monthly bills that way) I’m amazed that hasn’t become the newest criminal hot spot.  And now we’ve gone and made it that much easier to exploit this antiquated and poorly designed system of moving our money around.  You no longer need to even steal a persons check book, you only need to make copies of their blank checks so that later on you can fill in the appropriate details and use remote capture to process it.  When you consider the amount of time it would take to even figure out what just happened the thieves will be long gone.  First a person has to get their monthly statement and even figure out that a rogue check was presented against their account (and if you keep the amount small enough that might not even happen).  Then they’d need to contact the bank who would have to investigate and pull up check images to try and verify the customers claim.  By the time that all happens it’s potentially been at least a month, plenty of time for the perpetrators to close the account where funds were deposited and move on.  And with bank accounts being setup online all the time you wouldn’t even have video footage or images of the people behind the theft.  And that’s only one possible way to use remote deposit capture to rig the system (I’ll keep the other ideas I have to myself lest this post become a self-fulfilling prophecy).

Seriously, if the banks introduced a new service offering where you can pay for purchases by simply sending a copy of your credit card you’d all think it insane and no one would use it.  How is this any different?  If the stores and restaurants we frequented required that they make back-and-front photo copies of your credit card for their records you’d stop using your credit card.  But with checks it’s not so big a deal?

With regards to remote deposit capture, all because you can doesn’t mean you should.