Has anyone else gotten a request from PayPal for info?

JustPassinThru
W123 and W124

491
04-25-2014, 05:56 PM #1
Tinfoil hat on...

I have recently been receiving repeated requests from PayPal, both in email and when I log into my account, that I supply verification of my identity. Photocopy of driver's license, copy of utility bill, bank account number.

Seems strange, since I gave them all this info when I first signed up.

It occurs to me that these requests started coming shortly after the news broke that the https protocol, which of course PayPal utterly relies on, has for years had a giant security hole in it.

Maybe I'm being paranoid, but ...even paranoids have enemies, and ...I can't help but wonder, if PayPal's sudden and pressing need for me to re-transmit my info, and the news that https has been wide open all this time ...well, I wonder if the two items are somehow related.

For example, ...if I were PayPal, and one day I discovered that my security has all this time been ineffective...such that, my subscribers' accounts have been wide open, and so an unknown number of persons now possess an unknown fraction of all my customers' account info details...including bank account numbers, social security numbers, photo ID, residence address, and so forth ...everything needed to steal my subscribers' identities ...what would I do?

I know what my lawyers would tell me to do: they would tell me to send all my subscribers a request that they re-transmit their identifying data.

That way, if ever some of my customers get their bank accounts emptied out by cyberthieves, and it turns out the thieves got their identity-info hoard from PayPal ...PayPal could always put up the defense in court, that there is a reasonable doubt whether the data was intercepted on PayPal's server, or at the servers of the various email providers through which the data was transmitted. PayPal would then have plausible deniability, and be off the hook for monetary damages.

And so...I am going to refrain from supplying the data which PayPal is requesting, for six months or maybe even longer. Just to wait 'n' see how PayPal shakes out, with regard to how secure its subscriber accounts have been.

I will prefer during this time that payments for items I sell be made by U.S. Postal Money Order.

So far, PayPal has not made re-submission of my personal identifying info a requirement before I can withdraw funds from my PayPal account.

They are, however, refusing to let me *deposit* funds in until I do.

Which itself seems peculiar. I can see why they would not let me *withdraw* funds from an account without re-verification of identity, if there was any genuine question that I am who I say I am. But, why should they care if an impostor *deposits* funds into my account?

It will be interesting to see if they escalate their demands to include a refusal to let me withdraw funds, and to see if meanwhile any thefts of identity info from PayPal come to light in the news during the next six months.

Side note: I also had recently opened an account at mtgox.com, the bitcoin exchange, which required me to similarly supply documentation to prove identity. Thank God I didn't have any dollars or bitcoins on deposit when mtgox went under!

Gone but not forgotten: two W123 sedans and two W124 wagons.
W124 1987 300TD wagon, for sale, $1000 (some assembly required).

Greazzer
Superturbo

1,277
04-25-2014, 07:22 PM #2
That sounds too weird. I would call them first.

Ninth Year Anniversary with STD on 1-9-2020

visit:  www.dieselfuelinjector.guru

Project 2018: Really get the car finished -- Turbo OM617 greater than 175 MPH goal.

RED W123 - left Germany as 240D in 1982.  Full AMG body kit less rear apron, 2:65LSD, five speed Getrag 717.400, manual steering, red leather interior, manual brake conversion, electric water pump (EWP), and a bunch of other goodies ...

majesty78
GT2559V

226
04-26-2014, 09:12 AM #3
Had to do that also... when received payments exceed €2.500.- a year....

Mercedes Benz W210 E-Class 320CDI, lowered 2.5", 18" AMG wheels, Decat, EGR removed, Tumble flaps removed, C30 AMG injectors, 400kpa MAP, Custom GT2566XTV turbo, SW tweaked to 300+hp/750Nm

JustPassinThru
W123 and W124

491
05-07-2014, 11:12 AM #4
Followup: on April 27th I received an email from cs_surveys@paypal-customerfeedback.com which contained a pop-up survey, asking me my opinion of recent communications from PayPal. In my answers, I stated politely, but firmly, that I was not re-supplying the requested information specifically because PayPal had not furnished any explanation of why such re-submission of my identifying information was being requested. I also demanded that, as a condition of me re-submitting my information, PayPal disclose any hacking incidents it is aware of which may have compromised the security of my account.

Since then I have received no further requests for information from PayPal.

In the last week, as a test, I have accepted five payments via PayPal. All five were withdrawn by me from the PayPal account into my bank account without delay --in fact, even faster than before, it's taking only two days now instead of three as before-- and there have been no further "reminders" appearing on my PayPal sign-in page.

Therefore, I consider the matter closed until further developments (if any), and will resume taking payments via PayPal.

Gone but not forgotten: two W123 sedans and two W124 wagons.
W124 1987 300TD wagon, for sale, $1000 (some assembly required).

JustPassinThru
W123 and W124

491
05-21-2014, 01:57 PM #5
Aha! The truth appears; eBay, the owner of PayPal, has been hacked:

http://Time.com/107318/eBay-passwords/

Gone but not forgotten: two W123 sedans and two W124 wagons.
W124 1987 300TD wagon, for sale, $1000 (some assembly required).

uberwasser
K26-2

28
05-23-2014, 04:17 PM #6
It may be related in that this could be how the phisher got your email address for your eBay account to send you emails.

This is suspicious:

cs_surveys@paypal-customerfeedback.com

This is a classic sign of a phishing attempt - that email address might strike some as legitimate but if it were a real PayPal contact it would have ended with "paypal.com" not "customerfeedback.com". That's one of the first ways to help verify the identity of whoever is contacting you or whatever website you're on - does the URL end correctly?

Another example - you might receive an email from Bank of America, supposedly, asking you to click a link to log in to your account to update your info. If you look at the path, it might show:

"bankofamerica.accounts.com"

This is not a real BofA website - logging in here is just handing them your username and password.

Anyway, maybe in this one case PayPal really does use such email addresses but it would fly in the face of best practices.

Anyway the bottom line is that when getting a request like this it's always best to manually navigate to the website you want to go to, such as paypal.com, and log in there instead of clicking any inline links in the email. Or call them to verify the request.

1979 300D Black on Black - 1985 300D Maaco job on Palamino

The Baja Arizona Oil Burners
Send a message if you'd like to join the fun
Left to Right - UberWasser, Iridium, Stuttgart-->Seattle,, mannys9130

Visit the W123 page on iFixit for more than 60! helpful DIY guides!
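
The "does it end correctly" check from post #6, written out as an added example that is not part of the original thread: it compares whole DNS labels from the right against a list of trusted domains, for both the sender address and the real host of each link. The `TRUSTED_DOMAINS` list, the function names and the `login.example` link are assumptions made for illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: the domains the reader actually does business with.
TRUSTED_DOMAINS = {"paypal.com", "bankofamerica.com"}


def _normalize(host):
    """Lower-case a host name and drop a trailing root dot."""
    return (host or "").strip().lower().rstrip(".")


def host_is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True only if host IS a trusted domain or a subdomain of one.

    A brand name on the left ("bankofamerica.accounts.com") or glued on
    with a hyphen ("paypal-customerfeedback.com") does not match.
    """
    host = _normalize(host)
    return any(host == d or host.endswith("." + d) for d in trusted)


def sender_host(from_header):
    """Domain part of a From: header, ignoring the display name."""
    _, addr = parseaddr(from_header)
    return _normalize(addr.rpartition("@")[2])


def link_host(url):
    """Host a link really points at (userinfo before '@' is ignored)."""
    return _normalize(urlsplit(url).hostname)


def check(from_header, links):
    """Return (sender_ok, [(url, ok), ...]) for one message."""
    sender_ok = host_is_trusted(sender_host(from_header))
    return sender_ok, [(u, host_is_trusted(link_host(u))) for u in links]


if __name__ == "__main__":
    # Constructed sample message using the addresses quoted in the thread.
    ok, results = check(
        "PayPal <cs_surveys@paypal-customerfeedback.com>",
        ["https://bankofamerica.accounts.com/login",
         "https://www.paypal.com/signin",
         "https://paypal.com@login.example/verify"],
    )
    print("sender trusted:", ok, results)
```

A `False` result only means the host is outside the list; it is a reason to go to the site by typing its address or to phone the company, as the post recommends.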