Report the scam to ASIC?
A security gap as large as that qualifies as a scam, I reckon.
________________________
On 17/3/19 5:17 pm, Ivan Trundle wrote:
Hi Linkers
I’m seeking assistance in dealing with PayPal. In a nutshell, someone has
signed up to PayPal using my email address (not this one), and I’ve asked
PayPal to decouple the email address from the user’s account. The response I
received was not satisfactory.
Because one of my email addresses is ‘attractive’ to some people, they often
use it to sign up to sites and services without that site or service verifying
the entered credentials. I’m used to dealing with it, and have generally had
the issue resolved easily enough, though there are times when I’ve had to sign
up to the service with my email address (parking my credentials) just to
prevent others from doing the same. Or receive spam forever...
Dealing with PayPal demands communication through their web interface, and all
messages are deleted after 90 days. I asked for a phone number to call, and
spoke moments ago to one of their American representatives, who was belligerent
and unapologetic overall.
The response was typically condescending: that my email account may have been
recycled, or that the user mistyped, etc. All well and good, but all I asked
was that my email address be returned to me, by decoupling it from the other
user account set up yesterday. They said not possible without contacting the
user first, and even then they suggested that it might not happen.
So in signing up to PayPal, it is possible to type in a fake email address, and
a phone number, and continue using that account without verification of the
email address. Poor form on PayPal’s part, but it gets worse.
I received a welcome message from PayPal (in German, since the account was set
up in Germany using a German phone number, apparently), seeking to verify my
credentials. I ignored this, and expected the matter to die naturally.
Then, moments later, I received another communication from PayPal with
confirmation of the user’s German bank account details, and a reference number
for future activity.
At this point I wrote to PayPal seeking assistance, and received bland
responses. After my third communication from PayPal about my new account, I
asked for a phone number to call, and was told that there was little that could
be done, and that the representative didn’t want to rely on Google Translate to
talk with their German counterparts(!), and that all they could do was ask the
German PayPal arm to perhaps phone the user. No offer of a solution at all,
and I was left thinking that a simple exploit of PayPal would be to write a
script to sign up thousands of accounts to PayPal using addresses scraped from
the internet, thus blocking real users from setting up an account.
But this aside, the continual email trail from this user’s activities would
allow me to, for example, make large donations from the user’s account to
charities (as has happened when bank account details have been published), and
to track his purchases (already happened). Not just annoying, but remarkable
given what PayPal is all about. I’ve had better responses from American hotel
chains and Russian department stores...
I can’t call him directly, since I only have part of his phone number (though I
could track his name down perhaps), and I can’t access his PayPal account
(because I don’t have the password, and password resets are managed via a phone
number).
So my only recourse is through the indifferent and unapologetic PayPal
representative.
Is there more that I can or should do?
Thanks in advance
Ivan
_______________________________________________
Link mailing list
[email protected]
http://mailman.anu.edu.au/mailman/listinfo/link
--
Roger Clarke mailto:[email protected]
T: +61 2 6288 6916 http://www.xamax.com.au http://www.rogerclarke.com
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Visiting Professor in the Faculty of Law University of N.S.W.
Visiting Professor in Computer Science Australian National University