After several months of inactivity on PayPal, I logged in to my account today to confirm that my address was correct. I noticed that a second address had been added to my profile, one that has not been used in any payment I’ve transacted.
So, I called PayPal support and chose the “fraud” option. The first lady I spoke with was able to identify when the address was added, and that it was added as a gift address, but told me not to worry about it … that I must have added it when making a payment. I explained to her that it was not related to either of my *two* PayPal transactions (the most recent of which was in January). I eventually was able to speak with someone with further insight into my account, who explained that someone had gained access to my account, added the address, tried to make a payment, and they had detected it as fraud. I was advised to change my password and security questions.
Contrast this with the fraud against my Discover Card this past spring. My CC was first denied, they locked down my whole account, and I had to get a new one. The card was denied before Discover had a chance to reach out to me, but I did receive a delayed phone call AND email notification that I needed to contact them about my account, after I had already called in to address the issue.
PayPal, you failed on four counts:
- You didn’t notify me that there was fraud against my account, and that I should change my password to avoid it in the future. Instead, I had to notice the issue two months later, and call you.
- You let the fraudulent address remain in my account profile.
- You blocked the email notification I should have normally received indicating that an address was added to my account.
- Your customer service rep … the one I reached when I said I was calling about fraud … told me not to worry about it.
This is a disturbing story. The fact that PayPal saves credit card numbers on the system months to years after they are used increases the risk to you. It would be nice if you could instruct PayPal to automatically delete your sensitive data, but they will ignore you.
Disturbing indeed, considering the fact that I have a bank account linked to my PayPal account for automatic transfer. How would a payment reminder work? Would the reminder be associated with that payment like a recurring payment would using the ID?
So many questions, so little time.
There’s something else that bothers me about PayPal: I have been updating all my passwords (I have hundreds), making them more secure and storing them in a spreadsheet on an encrypted flash drive.
I type random strings of letters, numbers and special characters that I then copy and paste into each website. This works well for every site except – Surprise! – PayPal. That site will not allow a user to copy and paste a password; it has to be typed. As a result, a PayPal password has to be something I can remember, and something I can remember is less secure.