Curious about (payPal) security

ChrisGreaves
PlutoniumLounger
Posts: 12570
Joined: 24 Jan 2010, 23:23
Location: paused.undefined.exposed

Curious about (payPal) security

Post by ChrisGreaves »

I have just got off the phone with PayPal, their 1-877 number.
VERY fast (none of that "Your call is important to us" and "Press one, two three" nonsense) and got my money ($45) into my bank.

The web page was a bit unclear: did they really mean bankcard number or bank account number? And did they mean Password, or should I have used my PIN? I opted for the "pay me in 3-5 business days" rather than the "instant, but take 1%" option, and ended up mired in a bog.
Hence my call to their efficient help line.

In chatting with Fabian we discussed what was on my screen, confirmed which buttons to click and so on, and then came to a "Notification" which asked me to CLICK here to confirm that I was indeed on the phone with them at this instant.
I clicked.
Got a second request to CLICK here to confirm that I was indeed on the phone with them at this instant.
I clicked.

And we were done (well, I had to jump through the hoops again, but Fabian said he could see that the money was transferred, so I am optimistic)

As I was clicking "yes, I am indeed on the phone with you" the thought crossed my mind that were my hands incapacitated I might have called in my neighbour, David, to do the actual typing for me while I sat next to him, using my phone.
Next the thought "What if I were in the other room and had just shown David my passwords? He could just have clicked on the phone-confirmation button without me. He could have used my phone", and this of course escalated into "What if this robber had knocked me unconscious, opened my passwords.doc, used my phone etc."

In short: How on earth does clicking on "yes I am on the phone" offer any confirmation of identity when raiding (heh heh!) someone else's financial account?

Thanks
Chris
I don’t remember being born, and I won’t remember dying

Jay Freedman
Microsoft MVP
Posts: 1156
Joined: 24 May 2013, 15:33
Location: Warminster, PA

Re: Curious about (payPal) security

Post by Jay Freedman »

I would say that if you lose control of your passwords, especially if you lose control of your phone as well, then you have no security at all -- whoever does have control can assume your identity. However, it's much easier and more common for a bad actor to have neither of those things. Instead, they comb the internet for enough information that, once they can trick you into installing some malware, they can go through the standard procedure for getting a new password and redirecting your money to their bank account.

ChrisGreaves
PlutoniumLounger
Posts: 12570
Joined: 24 Jan 2010, 23:23
Location: paused.undefined.exposed

Re: Curious about (payPal) security

Post by ChrisGreaves »

Jay Freedman wrote:
24 Nov 2021, 21:32
I would say that if you lose control of your passwords, especially if you lose control of your phone as well, then you have no security at all -- whoever does have control can assume your identity. However, it's much easier and more common for a bad actor to have neither of those things. Instead, they comb the internet for enough information that, once they can trick you into installing some malware, they can go through the standard procedure for getting a new password and redirecting your money to their bank account.
Hello Jay, and I agree that if I have lost control of my password(s), then I have lost control of my passwords.
However, I had not lost control of them; I knew my PayPal password and had successfully logged in to my PayPal account page.
Likewise I knew both my debit-card bank PIN and my online banking password.

I was logged in to both accounts.

It was in the middle of the 877-help line call with the PayPal Help operator that the web page asked me to click on the button "Yes, I am the person on the phone with you right now".

I don't see how that could be any way of verifying the validity of the "help" transaction.

If, as an example, that rascal (grin) Jay Freedman had managed to get hold of my PayPal password and then logged in to Jay Freedman's "Scotiabank" account, and had Jay Freedman then called the 877-help line, then Jay Freedman could just as easily have clicked on the button "Yes, I am the person on the phone with you right now", and how on earth could that help them prevent Jay Freedman from siphoning Chris's well-earned PayPal gains into Jay Freedman's bank account?

That part ("yes, I am on the phone with you") just doesn't make any sense to me at all.

Cheers
Your Friend
Chris
I don’t remember being born, and I won’t remember dying