For the longest time I have had a "Donate" button on my blog. Since some of my work is unfunded research, I thought it would be nice to receive donations. In all these years, I think 3 humans have ever clicked on the button. (I'm not bitter at all -- I rarely donate so this was more of a social experiment.)
If you notice, the "Donate" button is gone. The button used to go to PayPal -- a company that raises serious security issues all by itself. Today I received an email from them that said:
As part of our security measures, we regularly screen activity in the PayPal
system. During a recent screening, we noticed an issue regarding your account.
Case ID Number: PP-xxx-xxx-xxx [redacted]
For your protection, we have limited access to your account until additional
security measures can be completed. We apologize for any inconvenience this may
cause.
To review your account and some or all of the information that PayPal used to
make its decision to limit your account access, please visit the Resolution
Center. If, after reviewing your account information, you seek further
clarification regarding your account access, please contact PayPal by visiting
the Help Center and clicking "Contact Us".
We thank you for your prompt attention to this matter. Please understand that
this is a security measure intended to help protect you and your account. We
apologize for any inconvenience.
Sincerely,
PayPal Account Review Department
Please do not reply to this email. This mailbox is not monitored and you will
not receive a response. For assistance, log in to your PayPal account and click
the Help link in the top right corner of any PayPal page.
It reads and looks like a phishing scam; I enjoyed the part about "do not reply". However, there are no hyperlinks in the email (most phish link to an impersonating site). The email's header does not contain anything odd -- it really came from PayPal.
Logging into the real PayPal account, I see a similar message. Thus, in this instance, this is not a scam. According to them:
PayPal is constantly working to ensure security by regularly screening the accounts in our system. We recently reviewed your account, and we need more information to help us provide you with secure service. Until we can collect this information, your access to sensitive account features will be limited. We would like to restore your access as soon as possible, and we apologize for the inconvenience.
Why is my account access limited?
Your account access has been limited for the following reason(s):
* To meet financial service industry regulations, we need more information to help confirm your identity.
Access to some of your PayPal account features has been limited. We apologize for the inconvenience. Please take a moment to respond to this request so we can work to restore your account access as soon as possible.
Uh, what "financial services industry regulations"? They don't say. Considering that PayPal is not a registered bank (except in
Luxembourg), not managed like a bank, and
not FDIC insured, I don't know what regulations they are referring to. Moreover, nowhere on their site could I find anything that explains the regulations PayPal must abide by.
As long as the account is limited, I can "receive payments, place logos into your auction listings or on your website, and update your account information". However, I cannot "send or request money, electronically transfer funds from your PayPal account, or close your account". Huh? If this were a real bank then I could always close the account.
No Limits on Stupidity
But it gets better... In order to resolve this issue, they want me to upload or fax them:
- Valid photo ID
- Driver's License
- Passport
- Military Identification Card
- Proof of address
Uh... so lets just list all of the things that are wrong here.
- In order to create a PayPal account, I do not need to provide any of these documents. In fact, as a US citizen, I am not required to have any of these documents. I have friends in New York who never drive -- they have no drivers license. I have friends who have never needed a passport, and many friends who have never been in the military. I also know people who do not own their own home and do not have any utilities under their own name. Thus, real people will be unable to validate themselves.
Real banks only require a tax ID. This can be a social security number or other employment tax ID. You can be homeless (no address), unemployed, non-military, and too young to drive -- and you can still have a bank account. And if I recall correctly, the tax ID is only needed if the bank is FDIC insured (mitigating insurance fraud) or interest bearing (you need to pay tax on the interest). This is why companies that do payday loans does not require a tax ID from clients. (They are not insured and the lender does not pay interest.)
In PayPal's case, they never ask for a tax ID. They are not FDIC insured and they do not pay interest. I see no reason why they need this information.
- How will PayPal validate this information? PayPal currently outsources to India. Will workers in India be able to tell if a scan or fax of a Wyoming Driver's License is real? In the airport, TSA usually waves a blacklight over the ID in order to see if it is real. You can't do that with a scanned image.
And what if my passport is from a foreign country? I seriously doubt that any country in the EU or Asia or Russia would assist PayPal in validating one of their citizens with a foreign company. Even in the USA, checking the records is not a free service. Will PayPal charge me for this?
- I've written plenty about image fraud. In my presentation about Digital Image Forensics, I give MySpace and Yahoo! as examples. To resolve a dispute, both companies want a copy of your ID to prove it is you... even though they have no means to validate that you are the person in the picture. In this regard, Yahoo! is actually worse than MySpace. MySpace just wants a picture of you -- with no way to prove that the person in the picture is actually submitting the picture and no way to tell if the photo has been photoshopped. Yahoo! wants a fax (I'm not kidding). Faxes are such low quality that any forgery will look real.
In the case of PayPal, they have no means to validate that the person submitting the documents is actually the person in the documents. I can create a PayPal account for the Internet Storm Center, take a headshot of Marc Sachs, look up his home address, doctor up a fake drivers license and fake utility bill and fax it in... and I'm pretty certain PayPal will accept it.
To recap: PayPal is asking for information that I may not have, that they cannot validate it if they get it, and even if validated they cannot prove it is me. Again, why do they think they need this?
Duh wha huh?
Adding to the confusion, PayPal has already validated my account. In order to transfer funds out of PayPal, you must provide a real bank account. (Real banks really try to validate people.) PayPal validated the bank account. Therefore, they can associate the PayPal account with a real person.
Ironically, while PayPal does permit adding bank accounts, they will not allow me to delete an account from their system. For this reason, I opened up a special bank account just for PayPal -- it is not tied to any other accounts -- and the bank has been asked to deny PayPal access to the account. When PayPal
gets compromised again, the bad guys will get nothing from me.
Besides being unable to remove my bank account, I cannot delete my PayPal account. PayPal won't let me delete it until I first validate myself. (No validation to create, but must validate to delete... sounds backwards.)
And don't even bother trying to get hold of their customer service. Phone calls (when you can
find a number) have long hold times, emails either receive no reply or automated unhelpful responses about unrelated problems, and their online "Chat with a customer service bot" just sucks. (If you really need a phone number, refer to the
phone list at paypalsucks.com.)
Serious Security
What we have here is a company with a
history of compromises. They are asking for information that may not exist and that they cannot justify needing. This sounds like a security risk to me.
If you have never created a PayPal account, then I strongly recommend not starting one. If you use PayPal, then consider not using them. And if you receive a request for this detailed personal information,
don't send it.
That's an excellent questions.
You are correct that there is no universally supported solution like PayPal. However, there are alternatives.
For outgoing payments: there are very few online payment systems that only support PayPal. Consider getting a pre-paid visa card for use online. Don't use a debit card since they don't offer the same protections.
For incoming payments...
There are services like http://www.merchantinc.com/.
CNN Money.com also has some alternatives:
http://money.cnn.com/galleries/2008/fsb/0802/gallery.paypal_alternatives.fsb/index.html
NOTE: I have no experience with ANY of these services.
Some banks also offer donation services, but your mileage will vary. It does not hurt to ask your bank.
If the person only wants to pay you using PayPal, then they can always export the payment as a check to you.
And if they demand to use PayPal, then do you really need their business? (I stopped writing for Security Focus when they sent out a letter saying all future payments would only be made on PayPal.)
Maybe you haven't had issues with PayPal. Maybe you don't care about giving your personal information to the world risking identity theft and a potentially totalitarian state. But I assure you, eventually they will lock your account too and ask for the same private information.
PayPal does not even have a brick and mortar building for me to walk into, why in the world is my photo id necessary? Oh yeah, and today the representative called PayPal a "financial institution" - F that, in my eyes they are just a WEBSITE, not a BANK.
Paypal lures you in onto opening an account by telling you all you need is a credit card. This then becomes a we need a bank account for verification. Which then becomes, utility bill, then becomes photo id to the point that they asked me for my P60 Tax documents!
Anyways, to cut the story short, got in touch with the financial ombudsman services who mediated on my behalf as i found it like talking to blank wall and thick shits. Eventually lifted the limitation after 9 months of mediation without any photo id. All hunky dory. 3 months of enjoying my ebay sales and purchases, BANG, same letter same problem, want my photo ID again. I'm jst worried that it is going to take exactly the same amount of time as last time to get this sorted as I have mentioned my previous case to them but they sort of ignore the whole email and cut and paste chunks out of there terms and conditions.
Paypal is incompetant at what they do. They should cease to exist and the public should do something about tis monopoly!
Now, 6 weeks into my new life, PayPal has cut me off for the same reason - and they have ALL my money! I have sent Criver's licesense, pay stubs, utility bills, etc. I have had my PayPal account since 2003.
It's been a week now and even my Sold items are now being left to flounder. PayPal will not even take money any more. Tough it is an eBay company, eBay seems not to know about this as it keeps letting my items sell, but then there is no was to collect the money. I would just cancel every last one of my auctions but I keep thinking that any day now, this nightmare will be over.
So far, I just can't wake up.