<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Regulatory Reality &#187; hacker</title>
	<atom:link href="http://itknowledgeexchange.techtarget.com/regulatory-compliance/tag/hacker/feed/" rel="self" type="application/rss+xml" />
	<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance</link>
	<description>A SearchFinancialSecurity.com blog</description>
	<lastBuildDate>Wed, 06 Mar 2013 17:19:34 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
		<item>
		<title>Has PayPal lost its collective mind?</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/has-paypal-lost-its-collective-mind/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/has-paypal-lost-its-collective-mind/#comments</comments>
		<pubDate>Tue, 21 Aug 2012 14:21:42 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[checking account]]></category>
		<category><![CDATA[checks]]></category>
		<category><![CDATA[credit]]></category>
		<category><![CDATA[credit card]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[identify theft]]></category>
		<category><![CDATA[identity management]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[NPPI]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[password theft]]></category>
		<category><![CDATA[phish]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[regulation]]></category>
		<category><![CDATA[regulations]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=964</guid>
		<description><![CDATA[I&#8217;m not much of a shopper.  I decide what it is I need/want to buy, assess the market place to determine quality and price and once I have a generally strong sense for both make a decision and move forward.  My wife on the other hand loves the constant trolling, scouring and scouting of just [...]]]></description>
				<content:encoded><![CDATA[<p>I&#8217;m not much of a shopper.  I decide what it is I need/want to buy, assess the market place to determine quality and price and once I have a generally strong sense for both make a decision and move forward.  My wife on the other hand loves the constant trolling, scouring and scouting of just about any market and any product therein to find bargains, deals and steals.  So for her eBay has been among the happiest distractions ever.  She&#8217;s a bit of a night owl and after spending the first few decades of life being handcuffed by traditional store hours has found both eBay and the Internet to be the great equalizer.  And it&#8217;s difficult to think of eBay without also thinking of its most important business partner PayPal, an online payment processor that has for all intents and purposes revolutionized the way we spend our money.</p>
<p>Our family has had a PayPal account almost since PayPal has offered them.  It&#8217;s remarkably convenient, it provides us great flexibility to shop online using a single payment source and I love that we&#8217;ve been able to change funding sources several times over the years.  It&#8217;s always conveyed a certain sense of security; I&#8217;ve just always felt safe using PayPal.  I&#8217;ve even gone so far as to suggest that at some point, if PayPal management grows things just right I could see a future state where paper currency and maybe even actual physical credit cards go away and are replaced by some version of their services.  When I discovered this past year that Home Depot already allows you to use PayPal to make in-store purchases I was convinced I was right.  Now I&#8217;m not so sure.</p>
<p>Over the past year or so I&#8217;ve been getting the occasional email ping from PayPal regarding our reaching a spending limit.  It&#8217;s a fairly high limit for most but considering that we&#8217;ve been using PayPal to make purchases going back nearly a decade maybe not as much.  But the message has been quite clear; if we didn&#8217;t verify our account before reaching this limit it would be &#8220;the maximum amount of money you can send or use for purchases before you need to become Verified&#8221;.  So how you become verified is quite simple &#8211; either give up your bank account information or apply for a privately owned credit card.  No, seriously, those are the only two options.</p>
<p>My first thought was that although I liked having the protective layer of a credit card product buffering my PayPal account from my actual money I was okay with providing bank account information.  It&#8217;s not like I don&#8217;t use that in other places to make payments and so there wouldn&#8217;t be any enhanced risk by doing so again.  I wasn&#8217;t going to apply for a PayPal-based credit card because I don&#8217;t want one or need one and I wasn&#8217;t looking for a new credit source anyway, I just wanted to continue using PayPal.  I clicked on the option to provide my bank account information and after the initial screen where they ask for the routing and account details and clicking on &#8220;Submit&#8221; I was presented with a screen that I still can&#8217;t believe exists.  Right there before my eyes was a screen from PayPal in which they ask me to provide my online banking user-id and password so they can verify a series of PayPal generated payments thus confirming my banking details.  Let me repeat that one more time; PayPal asked me to provide them with my online banking user-id and password.</p>
<p>Has PayPal lost its collective mind?  Seriously, have they?</p>
<p>I was stunned, almost to the point where I couldn&#8217;t get coherent words to flow.  I immediately fired off an email to PayPal customer support asking them how they could do something so outrageous.  Within minutes I received an automatically generated reply which I always find insulting, as though I&#8217;m not worth an actual intelligent and personal response.  It was a complete regurgitation of everything stated on their website and completely ignored the gist of my email.  I fired off a second email missive, this time way more specific.  Here&#8217;s what I wrote:</p>
<div><em>&#8220;How can you ask customers for their user-id and password for their online banking?  Surely this must be either a scam run by hackers and not a legitimate request by your company or a misunderstanding on my part.&#8221;</em></div>
<div>That was more than a week ago, they haven&#8217;t responded.</div>
<div>Let me just go right out there on that limb and state unequivocally that there is never any reason whatsoever to share something as sensitive as your online banking user-id and password with anyone, ever!  PayPal needs to immediately revisit their business model and eliminate such an egregious requirement.  Seriously, what&#8217;s the point of doing what it is that I and my fellow practitioners do to make sure that PII and NPPI is being properly protected by financial institutions when one of the largest payment processors in the world is collecting the most sensitive of information?  They don&#8217;t need it, you shouldn&#8217;t be required to provide it and they should be forced to stop asking for it!  Shouldn&#8217;t this sort of thing be regulated by somebody?  Anybody?</div>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/has-paypal-lost-its-collective-mind/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Credit Card Breaches: The times they need a changin&#8217;</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/credit-card-breaches-the-times-they-need-a-changin/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/credit-card-breaches-the-times-they-need-a-changin/#comments</comments>
		<pubDate>Sun, 29 Jul 2012 18:39:13 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[ATM]]></category>
		<category><![CDATA[bank]]></category>
		<category><![CDATA[banking]]></category>
		<category><![CDATA[banks]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[checking account]]></category>
		<category><![CDATA[community bank]]></category>
		<category><![CDATA[credit]]></category>
		<category><![CDATA[credit card]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[evidence]]></category>
		<category><![CDATA[financial institutions]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[id theft]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[oversight]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[personally identifiable informaiton]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[regulation]]></category>
		<category><![CDATA[regulations]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[security breach]]></category>
		<category><![CDATA[theft]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=945</guid>
		<description><![CDATA[If my blogging about credit card breaches has a bit of a deja vu feel to it you&#8217;re not crazy, I last touched on it less than six months ago.  Sadly I was handed a new update this week in the form of my bank card being cancelled from right out underneath me again.   [...]]]></description>
				<content:encoded><![CDATA[<p>If my blogging about credit card breaches has a bit of a deja vu feel to it you&#8217;re not crazy, I last touched on it less than six months ago.  Sadly I was handed a new update this week in the form of my bank card being cancelled from right out underneath me again.   For those of you keeping score this would be the second time in 2012, a new personal record.</p>
<p>Here&#8217;s the sequence of events:</p>
<p>Wednesday morning I received an email alert from a company I use that my automatic monthly payment was declined.  Knowing full well it wasn&#8217;t a balance issue I assumed correctly that my bank had cancelled the card.  As I travel extensively and rely on the card exclusively I made my way to a local branch later that morning.  Along the way I called into the service center and confirmed my suspicions, that Visa informed the bank that my card was part of a range of numbers that was possibly exposed via a breach.  I asked if it was possible to learn the name of the offending vendor and was told (same as last time) that Visa doesn&#8217;t share that information.  As I am now a two-time victim it&#8217;s easy to spot the trend and hard to ignore the possibility that it might have involved the same vendor both times.  It wound up taking three visits to a branch to straighten me out and actually get a functioning card in my wallet.  The inconvenience is more than benign as I use the card in several places and will now need to make manual, one-off payments with the temporary card while awaiting the permanent card so that I can update the affected accounts.  By the time this is all said and done it will have resulted in my exhausting more than a half day of billable time trying to fix a problem I didn&#8217;t create.</p>
<p>A few things need to change.</p>
<ul>
<li>First, as part of the breach notification the card issuer needs to share with the cardholder the source of said breach.  I&#8217;ve been hit twice in six months, there&#8217;s a better than even chance that it involved the same vendor and/or processor and I deserve to know if that&#8217;s true.</li>
<li>Second, affected cardholders should receive status updates providing details about the breach including the suspected source, the techniques potentially used and a description of any follow-up actions including investigative and (hopefully) criminal prosecution.</li>
<li>Third, issuers need to have a better system in place to address breaches.  The fact that I have to overtly take action in order to replace the card is a joke.  I&#8217;m a billable resource and taking time out to wait to talk to a customer service representative results in loss of income; I&#8217;m being punished twice as a result.  I should have been offered the option to have a card overnighted to me or have been able to receive a card at any teller window and have it activated right there and then (I had to first activate at an ATM before I could use the temporary plastic).  The card replacement process needs to be streamlined.</li>
</ul>
<p>We collectively as an industry and a society need to accept that both identity and card theft is a mainstream occurrence and adjust accordingly.  Legislation is needed to further insulate the victims (like me) from any extended damage or inconvenience and ensure as smooth a process as possible to allow us to continue living our lives.  Because right now I don&#8217;t just feel like a victim, I feel like I&#8217;m being punished for being one and treated like I simply don&#8217;t matter.</p>
<p>Hey Washington, make the industry tell us what&#8217;s going on and to treat the consumers better!</p>
<p>Oh, and PCI Security Standards Council, how&#8217;s that framework working out for you?  I&#8217;m thinking the only one benefiting from your content are the practitioners making money by supporting it.</p>
<p>Seriously, something needs to change.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/credit-card-breaches-the-times-they-need-a-changin/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Vishing, Smishing and Phishing: No end in sight.</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/vishing-smishing-and-phishing-no-end-in-sight/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/vishing-smishing-and-phishing-no-end-in-sight/#comments</comments>
		<pubDate>Fri, 11 Nov 2011 19:41:18 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[assessment]]></category>
		<category><![CDATA[Audit]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[NCUA]]></category>
		<category><![CDATA[phish]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[red flags]]></category>
		<category><![CDATA[red flags identity theft]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[scam]]></category>
		<category><![CDATA[smish]]></category>
		<category><![CDATA[smishing]]></category>
		<category><![CDATA[vish]]></category>
		<category><![CDATA[vishing]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=828</guid>
		<description><![CDATA[This is something akin to my annual public service announcement (PSA) for anyone who has cash-on-hand, a bank account, an investment account or perhaps even a piggy bank:  As long as you have money there's someone out there right now scheming to try and take it away from you.]]></description>
				<content:encoded><![CDATA[<p>This is something akin to my annual public service announcement (PSA) for anyone who has cash-on-hand, a bank account, an investment account or perhaps even a piggy bank:  As long as you have money there&#8217;s someone out there right now scheming to try and take it away from you.</p>
<p>I&#8217;m having that kind of month right now where I&#8217;ve learned of one scheme after another to separate people I know personally from their hard earned money.  And much to my chagrin, the schemers are enjoying some measure of success.</p>
<p>Last week I was regaled by a tale of how a senior citizen was stopped on her way to the bank to have a cashier&#8217;s check drawn for $500.  She needed it because someone contacted her with an offer that was impossible to ignore or turn down.  If she paid for the modest bank fees for a large international wire transfer she could keep a small percentage as a &#8220;thank you&#8221; gift, a mere $2M (yeah, that&#8217;s two million).  The people who contacted her did so because she was recommended as a trusting resource who would be flexible and work with them.  And so the combination of the compliment and the chance to net a nifty seven-figure profit for a simple enough favor was just good enough to make her want to do it.  Fortunately she ran into a friend who happened to ask her where she was off to and when she answered honestly was more or less forcibly snapped back to reality.</p>
<p>Now to be honest with you I was stunned to learn that this scam ever works.  I&#8217;ve long advocated to friends and family that they should respond to electronic offers exactly the same way as though they received it in the mail.  But while we throw out junk mail automatically we&#8217;ll read sometimes very cleverly worded emails because they look authentic.  But if you filter all electronic email through the same logic that has taught us to toss mass marketing materials you can cut out much of the clutter.  But what if that email finds someone who is perhaps a little lonely or a little desperate?  What if that email finds someone who is willing to roll the dice that just once what appears to be a scam might be the real thing?  I wouldn&#8217;t have thought it possible until last week but sometimes it works.  And when you think about it just a little bit more it&#8217;s the perfect scam.  Once a senior citizen falls prey to the trap and comes to realize they&#8217;ve been had many will keep it to themselves both because they&#8217;re embarrassed and as I&#8217;ve come to learn more recently, out of fear that they&#8217;ll be labeled as losing their faculties.  And while not all seniors are wealthy a sizable enough percentage have access to $500 easily enough.</p>
<p>Then this week a story was shared with me about how someone&#8217;s identity was stolen but with a twist.  They didn&#8217;t try and completely take over the identity but rather borrow it.  The man-in-the-middle attack worked as such: Person A routinely communicates with Person B via email and instant messenger because they&#8217;re on opposite sides of the world with a language barrier and about twelve hours separating them.  The electronic communications reduce the impact of the language barriers and allow them to keep in touch outside of the boundaries of a shared work day.  This has proven successful for both Person A and Person B for several years.  Recently Person B asked for special handling of a payment that while unusual within the designs of their business relationship was not otherwise out of the ordinary when dealing with others in the same country &#8211; Person A agreed to the request.  After several back-and-forth communications to arrange for the payment which spanned several days Person A sent an email asking Person B to confirm that they finally received the payment.  Person B responded by asking &#8220;what payment?&#8221;.</p>
<p>Someone had hacked into Person B&#8217;s account and was intercepting emails and instant messages and assuming that identity.  They still allowed most communications to pass through but successfully filtered out anything having to do with the payment from Person A.  So Person B had no idea there was something amiss and Person A saw very little outside of normal communications.  But apparently that one time the hacker must have been off their game and not paying attention and so the two legitimate parties were made aware of the situation.  A long painful phone call ensued and some amateur detective work confirmed their suspicions.  And so a new version of phishing comes into play, one in which the scam is not so apparent or easy to detect.</p>
<p>That&#8217;s the thing, while there may be rules to how the scams are being run today those rules are ever changing.  You can&#8217;t simply look for one telltale sign that something is amiss because once a trend emerges the hackers change things up.  And while financial institutions and a multitude of agencies are always trying to educate the masses about the perils lurking about it seldom penetrates into people&#8217;s way of thinking.  The popular adage about suckers has never been truer only now there are two to the power of X ready to take them.  There are increasing measures available to counterattack some of these scams (e.g. Red Flags &#8211; Identity Theft) but by and large they go undetected or unreported.</p>
<p>So here&#8217;s the sum total of my PSA: If it seems too good to be true it is.  And if any financial dealing is presented where something is out of the ordinary apply the old audit mantra &#8211; trust but verify.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/vishing-smishing-and-phishing-no-end-in-sight/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Information security awareness begins at home</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/security-awareness-begins-at-home/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/security-awareness-begins-at-home/#comments</comments>
		<pubDate>Mon, 22 Mar 2010 15:20:58 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[ATM]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[LinkedIn]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[security awareness]]></category>
		<category><![CDATA[social network]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=324</guid>
		<description><![CDATA[What's next, have everyone post their social security number and date of birth to see how similar the numbers are?]]></description>
				<content:encoded><![CDATA[<p>Sometimes the best blog ideas just fall into my lap.</p>
<p>I was greeted by this status the other day on Facebook:  &#8220;Today&#8217;s game &#8211; PLACE OF BIRTH! Everyone please play! You will find it interesting to know where your FB friends birthplaces are. Copy &amp; paste this on your profile, then put your place of birth at the end of this sentence&#8230;. Brooklyn, NY&#8221;.</p>
<p>Really?  I mean, really?</p>
<p>What&#8217;s next, have everyone post their Social Security number and date of birth to see how similar the numbers are?  Or even better, I suggested to someone that everyone post their Social Security numbers under the guise of seeing if people can guess where and when it was issued (that someone actually liked the idea).</p>
<p>So there I was, dumbstruck and amazed and started trying to figure out how to prevent this sort of personal data exposure from happening in my own home.  I checked all of my PCs to see if the anti-virus software was up-to-date and functioning; it was.  I checked to make sure that all critical software updates were installed; they were.  I verified that each machine had a unique and strong password; they did.  And after conducting this basic sanity check it occurred to me that there&#8217;s still no automated solution to prevent ignorance or &#8211; dare I say it &#8211; stupidity.</p>
<p>Despite technology doing its best to prevent malicious or unwanted activity from occurring on your machine there&#8217;s nothing short of web-filtering to prevent people from doing what people do best: act human.</p>
<p>When my family first became Facebook aware, I immediately instructed those who use it to avoid those lists that capture intimate details about your life (e.g., 20 things no one would ever guess about you) and display it to all with access to your profile.  My family thought I was being paranoid but I explained to them how someone can take that information and guess password challenge questions or gain the trust of those who know you by making references to some of those details.  They weren&#8217;t happy with me because it all seemed to be in good fun but I assured them at some point, somewhere, it was a hacker&#8217;s mentality that came up with the idea.  You have to know, I&#8217;m the guy who refuses to use non-bank ATMs, probes the card reader to see if it&#8217;s a permanent part of the ATM and checks the area for possible spy cameras that might capture my keypad input (no joke).  That same paranoia carries over to the online world we all spend so much time in these days.</p>
<p>It&#8217;s like the Trip-It application a number of my connections use on LinkedIn.  Here&#8217;s a great idea: Let&#8217;s advertise to hundreds of people when I plan to be away from home and for how long.  And while I&#8217;m at it, I&#8217;ll post some sensitive information about me on Facebook (because so many people mix their personal and professional networks) so that you could also potentially guess my alarm system access code or challenge question should the monitoring company call the house.</p>
<p>Really?  I mean, really?</p>
<p>Oh and hey, check back next week because I actually spoke with Rebecca Keen (see my <a title="Something smells phishy." href="http://itknowledgeexchange.techtarget.com/regulatory-compliance/something-smells-phishy/" target="_blank">March 2nd</a> post) and will have an interesting update to share.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/security-awareness-begins-at-home/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
