Paypal bank account confirmation... WTF? *super secure!!!*

SunnyD

Belgian Waffler
Jan 2, 2001
32,674
146
106
www.neftastic.com
Closed an old bank account that my Paypal account was linked to since they were now charging ridiculous maintenance fees, and decided to open up another account dedicated for my online dealings with my credit union (long overdue for the move). As usual, jumping through all of Paypal's hoops is fun, like clicking on the "Replace" account button and getting a message saying I can't do so while there are pending authorizations (wut? I haven't made any purchases with my paypal account in weeks).

But here's the kicker... confirming your account. There's still the good old classic way, where you wait for them to make the two small deposits and then you go in and confirm them with Paypal. But now they have this:

Confirm instantly with your phone
To confirm your <YOUR BANK NAME HERE> account instantly, we'll send you a 4-digit code and ask you to verify it. Simply select a phone number where we can send the code.

So what you're telling me is I can:
1) Randomly punch in any old account number that may or may not belong to me
2) "Borrow" some random phone where I can get a text message so I can get the 4-digit authorization code
3) ...
4) Profit???

Really?

I'm pretty sure even someone clinically brain dead can think up a better security scheme than this.
 

Jimzz

Diamond Member
Oct 23, 2012
4,399
190
106
Yea I have a bank account from 5+ years ago on my paypal account they will not let me remove due to the "pending" charges/authorizations message.
 

smackababy

Lifer
Oct 30, 2008
27,024
79
86
Closed an old bank account that my Paypal account was linked to since they were now charging ridiculous maintenance fees, and decided to open up another account dedicated for my online dealings with my credit union (long overdue for the move). As usual, jumping through all of Paypal's hoops is fun, like clicking on the "Replace" account button and getting a message saying I can't do so while there are pending authorizations (wut? I haven't made any purchases with my paypal account in weeks).

But here's the kicker... confirming your account. There's still the good old classic way, where you wait for them to make the two small deposits and then you go in and confirm them with Paypal. But now they have this:



So what you're telling me is I can:
1) Randomly punch in any old account number that may or may not belong to me
2) "Borrow" some random phone where I can get a text message so I can get the 4-digit authorization code
3) ...
4) Profit???

Really?

I'm pretty sure even someone clinically brain dead can think up a better security scheme than this.

I don't think it works quite like that. When I confirmed my new bank account, I had to log into the site through paypal. I would think they are simply using 2 part authentication before allowing you to attempt to log in to your bank.
 

SunnyD

I don't think it works quite like that. When I confirmed my new bank account, I had to log into the site through paypal. I would think they are simply using 2 part authentication before allowing you to attempt to log in to your bank.

I'm not sure I follow you here. Why would this have anything to do with logging me into my bank? At no point in the instructions for this process, unlike what Amazon, Amex, etc. all use, does this method even imply that it logs into your bank/online banking for confirmation if that's what you're going after here. I was actually expecting that as an option to be honest.

Granted, I could be wrong and it could simply be that their instructions for this process are... well... non-existent. The whole page seemed to imply that "Hey, we'll text you a number, you punch it in and *poof*, you're confirmed!"
 

ViviTheMage

Lifer
Dec 12, 2002
36,189
87
91
madgenius.com
I see what you're saying, that's a pretty horse shit security authorization. Are you sure you are not confirming your phone number or something?
 
Jan 25, 2011
16,818
9,167
146
Typically phone auth involves a business sending a code to a number that already exists on the account. Not just one randomly entered. If that is not the case then it's stupid but I haven't ever seen that be the case.
 

SunnyD

I see what you're saying, that's a pretty horse shit security authorization. Are you sure you are not confirming your phone number or something?

It's on the "Confirm your bank account" page - two options, by this phone method or the old 2 deposit way.

Typically phone auth involves a business sending a code to a number that already exists on the account. Not just one randomly entered. If that is not the case then it's stupid but I haven't ever seen that be the case.

I agree, and that's relatively trivial too - it takes all of what... 30 seconds to add a phone number to one's Paypal account profile?

I'm thinking it has to be something similar to what smackababy is describing, but really, REALLY poorly "documented". I mean nobody can possibly be THAT stupid when designing an account security feature, can they?
 

smackababy

I'm not sure I follow you here. Why would this have anything to do with logging me into my bank? At no point in the instructions for this process, unlike what Amazon, Amex, etc. all use, does this method even imply that it logs into your bank/online banking for confirmation if that's what you're going after here. I was actually expecting that as an option to be honest.

Granted, I could be wrong and it could simply be that their instructions for this process are... well... non-existent. The whole page seemed to imply that "Hey, we'll text you a number, you punch it in and *poof*, you're confirmed!"

What you are saying isn't verifying anything, unless PayPal verifies the number with the bank, and if it matches, sends the authorization code. It might be doing that, but it doesn't tell you. There is no way they just send a code to a random phone number and say "well your bank account is now available!". And, even if they did, it wouldn't be hard for them to reverse the transactions and file charges against you. They have your phone number, shipping address, IP address, name, etc. And, in your case, another authorized bank account with that information, in case you decided to change things up.
 

SunnyD

What you are saying isn't verifying anything, unless PayPal verifies the number with the bank, and if it matches, sends the authorization code. It might be doing that, but it doesn't tell you. There is no way they just send a code to a random phone number and say "well your bank account is now available!". And, even if they did, it wouldn't be hard for them to reverse the transactions and file charges against you. They have your phone number, shipping address, IP address, name, etc. And, in your case, another authorized bank account with that information, in case you decided to change things up.

Exactly. This "method" didn't seem to add up at all to me, but as I said there was literally no explanation further than "Give us a phone number, we'll send you a 4 digit number, you confirm it". The only thing that may have been implied was that it required a phone number on file from your Paypal account profile, but it didn't explicitly say as such.

Of course they have my information, but imagine the ramifications for "new accounts".

I opted for the more traditional method, so I can't go back to test it.

At this point, I'm sensationalizing because it's fun, I'm tired, and there's nothing better to do.
 

smackababy

Exactly. This "method" didn't seem to add up at all to me, but as I said there was literally no explanation further than "Give us a phone number, we'll send you a 4 digit number, you confirm it". The only thing that may have been implied was that it required a phone number on file from your Paypal account profile, but it didn't explicitly say as such.

Of course they have my information, but imagine the ramifications for "new accounts".

I opted for the more traditional method, so I can't go back to test it.

At this point, I'm sensationalizing because it's fun, I'm tired, and there's nothing better to do.
It might have just been poorly explained, but there is a good chance they verify it with the phone number on the paypal account AND the bank account in question.

But, in the event someone gets your bank account number and the state you live in, it is likely PayPal verification isn't going to stop them.
 

Kneedragger

Golden Member
Feb 18, 2013
1,187
43
91
Yeah I haven't made a Paypal purchase in years and all my accounts linked to it have been closed because I moved to another bank. I have no way of getting into my Paypal account now because I need full account numbers to verify. I even emailed them and they didn't understand me. Paypal is a fucking joke..
 

SunnyD

Yeah I haven't made a Paypal purchase in years and all my accounts linked to it have been closed because I moved to another bank. I have no way of getting into my Paypal account now because I need full account numbers to verify. I even emailed them and they didn't understand me. Paypal is a fucking joke..

You know that you can call and actually talk to a live physical human being, right?
 

SunnyD

I could but work gets in the way. An email to their customer service should have got somewhere but it didn't.

I actually just got off the phone with them to do just that... I was told that it was likely the case that you used Paypal to make a purchase with a vendor and the vendor did an authorization but never cleared it which is why it's stuck like that. Why it doesn't automatically clear after X number of days is beyond me, but whatever. Took all of about 2 minutes on the phone speaking to a very lovely young lady, totally flirtable.
 

monkeydelmagico

Diamond Member
Nov 16, 2011
3,961
145
106
I would never allow PayPal to link to anything other than a credit card. I like having the option of disputing charges.
 

SunnyD

I would never allow PayPal to link to anything other than a credit card. I like having the option of disputing charges.

Banks will happily allow you to dispute debits from my bank account that I claim as "fraudulent". In fact, I've done so before when my Paypal account was hacked and some asshat bought a couple hundred dollars of iTunes gift cards with the account. My bank sent me paperwork to file the claim (though I never had to because Paypal ended up reversing the transactions before I got a chance to).

As much as I hate Paypal, it's a necessary evil when you deal online sometimes. Just like anything in life, instead of being afraid of it, learn and understand its limitations and how to manage it. Make it your bitch, and you'll limit your exposure to risk.
 

John Connor

Lifer
Nov 30, 2012
22,757
617
121
I buy on Fleebay all the time and the fuckers own PayPrick too. Their security model is a joke. When you pay for something on eBay and after you pay you are still logged into PayPrick. Also, they use RC4 encryption which has been broken. Sometimes eBay doesn't use an SSL connection and I have to reload the fucking page. I have to catch that before I enter my password. Does this in Firefox and Palemoon. My bank never does this or Yahoo E-mail. I have come to the conclusion it isn't my browser or any add-on, but fuck head ebay!

If I get some bucks I want to destroy the PayPal and eBay monopoly!

Every time I log onto PayPrick they want my mobile phone. Well I don't have one! And when I say no I don't have a cell phone they say no problem we will call this number. It never works! It's as bad as YouTube pushing G+

So OP, all these companies want your phone number. I'm not as worried about the NSA rather than the corporate spy ring. They know everything about you and even want your god damn phone number so they can spam you or for some other nefarious purpose. I never could trust those smart phones. They are not like a computer that I can add malware/spyware security. I bet apps interact with apps that you download on your phone.
 

highland145

Lifer
Oct 12, 2009
43,973
6,334
136
I actually just got off the phone with them to do just that... I was told that it was likely the case that you used Paypal to make a purchase with a vendor and the vendor did an authorization but never cleared it which is why it's stuck like that. Why it doesn't automatically clear after X number of days is beyond me, but whatever. Took all of about 2 minutes on the phone speaking to a very lovely young lady, totally flirtable.
QFEvidence....:p

'sup, Dan. Hope all's well.