Has anyone else gotten a request from PayPal for info?
Tinfoil hat on...
I have recently been receiving repeated requests from PayPal, both in email and when I log into my account, that I supply verification of my identity. Photocopy of driver's license, copy of utility bill, bank account number.
Seems strange, since I gave them all this info when I first signed up.
It occurs to me that these requests started coming shortly after the news broke that the https protocol, which of course PayPal utterly relies on, has for years had a giant security hole in it.
Maybe I'm being paranoid, but ...even paranoids have enemies, and ...I can't help but wonder, if PayPal's sudden and pressing need for me to re-transmit my info, and the news that https has been wide open all this time ...well, I wonder if the two items are somehow related.
For example, ...if I were PayPal, and one day I discovered that my security has all this time been ineffective...such that, my subscribers' accounts have been wide open, and so an unknown number of persons now possess an unknown fraction of all my customers' account info details...including bank account numbers, social security numbers, photo ID, residence address, and so forth ...everything needed to steal my subscribers' identities ...what would I do?
I know what my lawyers would tell me to do: they would tell me to send all my subscribers a request that they re-transmit their identifying data.
That way, if ever some of my customers get their bank accounts emptied out by cyberthieves, and it turns out the thieves got their identity-info hoard from PayPal ...PayPal could always put up the defense in court, that there is a reasonable doubt whether the data was intercepted on PayPal's server, or at the servers of the various email providers through which the data was transmitted. PayPal would then have plausible deniability, and be off the hook for monetary damages.
And so...I am going to refrain from supplying the data which PayPal is requesting, for six months or maybe even longer. Just to wait 'n' see how PayPal shakes out, with regard to how secure its subscriber accounts have been.
I will prefer during this time that payments for items I sell be made by U.S. Postal Money Order.
So far, PayPal has not made re-submission of my personal identifying info a requirement before I can withdraw funds from my PayPal account.
They are, however, refusing to let me *deposit* funds in until I do.
Which itself seems peculiar. I can see why they would not let me *withdraw* funds from an account without re-verification of identity, if there was any genuine question that I am who I say I am. But, why should they care if an impostor *deposits* funds into my account?
It will be interesting to see if they escalate their demands to include a refusal to let me withdraw funds, and to see if meanwhile any thefts of identity info from PayPal come to light in the news during the next six months.
Side note: I also had recently opened an account at mtgox.com, the bitcoin exchange, which required me to similarly supply documentation to prove identity. Thank God I didn't have any dollars or bitcoins on deposit when mtgox went under!
That sounds too weird. I would call them first.
Had to do that also... when received payments exceed €2.500.- a year....
Followup: on April 27th I received an email from cs_surveys@paypal-customerfeedback.com which contained a pop-up survey, asking me my opinion of recent communications from PayPal. In my answers, I stated politely, but firmly, that I was not re-supplying the requested information specifically because PayPal had not furnished any explanation of why such re-submission of my identifying information was being requested. I also demanded that, as a condition of me re-submitting my information, PayPal disclose any hacking incidents it is aware of which may have compromised the security of my account.
Since then I have received no further requests for information from PayPal.
In the last week, as a test, I have accepted five payments via PayPal. All five were withdrawn by me from the PayPal account into my bank account without delay --in fact, even faster than before, it's taking only two days now instead of three as before-- and there have been no further "reminders" appearing on my PayPal sign-in page.
Therefore, I consider the matter closed until further developments (if any), and will resume taking payments via PayPal.
Aha! The truth appears; eBay, the owner of PayPal, has been hacked:
http://Time.com/107318/eBay-passwords/
It may be related in that this could be how the phisher got your email address for your eBay account to send you emails.
This is suspicious:
cs_surveys@paypal-customerfeedback.com
This is a classic sign of a phishing attempt - that email address might strike some as legitimate but if it were a real PayPal contact it would have ended with "paypal.com" not "customerfeedback.com". That's one of the first ways to help verify the identity of whoever is contacting you or whatever website you're on - does the URL end correctly?
Another example - you might receive an email from Bank of America, supposedly, asking you to click a link to log in to your account to update your info. If you look at the path, it might show:
"bankofamerica.accounts.com"
This is not a real BofA website - logging in here is just handing them your username and password.
Anyway, maybe in this one case PayPal really does use such email addresses but it would fly in the face of best practices.
Anyway the bottom line is that when getting a request like this it's always best to manually navigate to the website you want to go to, such as paypal.com, and log in there instead of clicking any inline links in the email. Or call them to verify the request.
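The "does the address end correctly" check described in the post above, as an added example that is not part of the original thread: it compares whole DNS labels of a sender address or link host against an allowlist. The `TRUSTED` set and the function names are assumptions made for illustration, and the sample inputs are constructed.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: the domains the recipient actually does business with.
TRUSTED = {"paypal.com", "bankofamerica.com"}


def host_is_trusted(host, trusted=TRUSTED):
    """True only if host equals a trusted domain or is a subdomain of it.

    Matching is done on whole DNS labels, so 'notpaypal.com',
    'paypal-customerfeedback.com' and 'paypal.com.example.net'
    do not match 'paypal.com'.
    """
    host = host.strip().rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in trusted)


def sender_is_trusted(from_header, trusted=TRUSTED):
    """Check the domain part of a From: header value."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2]
    return bool(domain) and host_is_trusted(domain, trusted)


def link_is_trusted(url, trusted=TRUSTED):
    """Check the real host of a link, ignoring any 'user@' prefix and port."""
    host = urlsplit(url).hostname
    return host is not None and host_is_trusted(host, trusted)


if __name__ == "__main__":
    # Constructed sample inputs based on the addresses quoted in the thread.
    print(sender_is_trusted("PayPal <cs_surveys@paypal-customerfeedback.com>"))
    print(sender_is_trusted("PayPal <service@paypal.com>"))
    print(link_is_trusted("http://bankofamerica.accounts.com/login"))
    print(link_is_trusted("https://paypal.com@login.example.net/"))
    print(link_is_trusted("https://www.paypal.com/signin"))
```

A passing sender check only says the address looks right; the From: header itself can be forged, which is why the post's advice to navigate to the site manually still applies.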