I got a call this week from PayPal Executive Escalation, which I didn’t even know existed and certainly wouldn’t have guessed would be based in Omaha, Nebraska. This was either in response to my PayPal account being restricted as I described in my last column or — much more likely — to the simple fact that I’d made such a stink about it in print. The guy who called was very polite and helpful, too, but what I learned was also disturbing enough that I feel the need to share it with you.
“Do you use an anonymizer?” asked the guy from PayPal. I don’t use an anonymizer, which masks IP addresses, and told him so. Then he explained to me that the account restriction had come because of a pattern of my PayPal account being accessed from countries including Ukraine and the Czech Republic. But the final straw for PayPal, he told me, was the account being accessed from what he called “a sanctioned country” which I’m guessing means Iran or maybe North Korea.
I had clearly been hacked even though I’ve never shared my PayPal account details with anyone.
“Have you recently changed your password?” he asked.
“Of course I have, you made me change it,” I replied. Surely he knew this and it was just another identity test for me.
Forcing a password change was the equivalent of armoring airliner cockpit doors after 9/11. That alone probably enabled the eventual reopening of my PayPal account.
Now here’s the problem as I see it and the reason for this column: prior to this call nobody at PayPal ever told me I’d been hacked, nor did they even warn me that I might have been hacked. What PayPal told me in its original communication was that my account had been “chosen at random for verification.”
Chosen at random.
Random my ass.
At best that was dissembling, but my Mama would have called it a lie.
So I looked in the ever-changing PayPal terms of service and couldn’t find anywhere a clause that said something like, “we may from time to time lie to you or withhold information important to the safety of your account.”
I can’t see any downside for PayPal in simply telling me the truth, can you? Their fear may have been that my account was completely taken over by bad guys so they would have been giving the truth to an enemy. But what would that matter? They’d be telling the bad guys what the bad guys certainly knew already — that I’d been hacked?
If there is a downside for PayPal I’d think it’s more in the possibility that folks like me who’ve been told their accounts were chosen at random when that wasn’t at all the case might file a class action lawsuit against the company.
Then there’s the problem that I e-mailed PayPal using their support system and they didn’t respond. I called using their 855 support number and they never called back (the guy from Omaha claimed not to know about either of these attempts at communication).
As a business PayPal relies on automation to minimize expensive human involvement. This incident with me probably cost them all the profit they’d earned from 15 years of my business. But that’s not my problem.
PayPal needs to dramatically improve its customer service and stop lying to customers.
Maybe they never thought of it that way.
Maybe now they will.
So, are people actually PayPal’ing you $.01 at a time?
I’ve actually done that a time or three to get someone’s attention.
I have had a number of issues with AppleIDs lately, whereby they seemed to just change my security settings with no notice. Several of them required a phone call to Apple support to get the account re-enabled.
I wonder if it is the same as PayPal, someone has tried to hack the accounts?
Only in my case, it may have been me accessing it overseas. Banks have worked this out. They *require* us to tell them if we are going overseas, where we will be and what dates are involved. All of this must happen before we go.
Given the ease of international travel nowadays, it seems that Internet companies are definitely behind the times in not having any way to notify them when we will be out of our normal range of access.
My experience with PayPal has led me to sort of think that they have a corporate mindset which regards customers as a nuisance. A necessary nuisance to be sure, but a nuisance none the less.
With PayPal, so long as everything works perfectly, there are no problems. But the second there is an issue that seems as if it should be easy to solve, you’re down the rabbit hole and through the looking glass. I won’t get into the specifics, but I recall an experience in dealing with PayPal’s customer frustration service department over a hold on funds once where no matter what I said the end result was like speaking with an automaton who could only spit out the same utterly unhelpful answer (which was complete BS.) I came away believing that PayPal’s customer service reps are really not there for customer service (and have zero power to do anything even if they were) but merely to deflect and delay and in the end, even having agreed with your every point, to tell you “Sorry, this is PayPal policy.”
The nexus of eBay and PayPal is a black hole of common sense and customer service. Woe unto you who find yourselves in the grip of their gravity field.
(PayPal was not always so bad. It was after eBay took them over and applied the old eBay management magic and customer non-service ethos that PayPal went to hell.)
In addition to the points you raise, there is another issue that faces PayPal and reduces their level of customer service.
I have talked with their people in both Omaha and Scottsdale, AZ, and in both cases the picture that they painted was one where they are squeezed between two irreconcilable worldviews.
The first worldview is that of an online retailer providing a computer-based service to customers. We all get that one, and sometimes they do a good job, and at other times a poor job.
The second worldview is that of a financial institution operating under the current US Government regulatory environment. This means that they need to be a) rapacious and predatory to suck all the money out of the system, while at the same time b) paranoid and rules-bound, seeking at all times to win the War on Drugs and the War on Terror simultaneously.
If there is a better recipe for craptastic customer service than blood-sucking banking combined with gimlet-eyed government red tape on an ecommerce site, I don’t know what it is.
I had no trouble cancelling my PayPal account just now. It’s under My Settings.
I told ’em Cringely sent me.
Now that’s funny 😉
Why did you have an account in the first place if you did not need it?
PayPal has customer service? I suppose if you consider “customer service” to be an IVR and a bunch of outsourced folks who have no power to do anything other than say, “Yes sir, I agree your problem is very difficult, but this is paypal policy. Click.”
The only reason you got a phone call from someone “real” is because you’re known in the industry and the paypal muckymuck who read your previous post made it happen. Those of us who don’t have a big blog or a large tech-savvy audience end up with our accounts permanently “disabled” with no way to re-activate. And guess who keeps the money?
When Paypal needs more operating cash… they simply “suspend” a bunch of accounts. Poof. The account owner has literally no way to even contact the company, let alone get access to their cash again. So now Paypal is free to use that money as if it were their own.
How do you know that was paypal calling? You don’t. Possibly “Executive Escalation” does not exist.
I recently had a run in with their verification scheme. After a few requests to verify my name that I ignored figuring they were phishing attempts, I finally logged in and checked it out. They needed an image scan of my Residence Card to verify that I am who I claim to be. Easy enough, I make the scan, upload it, and change my name from Katakana to the Latin alphabet as it says the names have to match.
But I left off my middle name because (1) I never use it (except it somehow always gets onto official documents), and (2) the form didn’t have a field for it – only “First Name” and “Last Name.” (They will only present me with the Japanese version of the form, and Japanese don’t have middle names.) To complicate things, entering a middle name into one of those fields sounds awfully like a prosecutable offense (especially under the CFAA if someone in North America decided to get involved).
So I get a letter from Dawn stating, “Your account name must be identical to the document. Please modify your full name for your account.” She then cites the relevant FAQ page that says that this process is to protect me from identity theft, to prevent money laundering, and to prevent the funding of terrorism.
So I reply:
— Start reply to Dawn —
The name I provided matches the documents I provided with the exception that there is no field for middle name in your validation page, and the names are in all-caps on the documentation.
I generally fill out forms in Japanese with my name written ア***** カ*****, which is how I’ve had my PayPal account since the beginning many, many years ago. Now you ask me to change it to “A***** C*****” (in ローマ字), I comply, and you tell me that it doesn’t match my residence card?
Look, I am who I state I am. I never use my middle name, and I have no intention of adding it to my profile.
I am not some idiot terrorist supporter nor money launderer. (Religion and criminal activity have no appeal to me.)
Either you can verify who I am with the information I’ve provided or you can’t.
Please let me know which way it is. PayPal is a convenience, not a necessity.
Good day.
— End reply to Dawn —
That prompts Bella to apologize for any inconvenience, but “In accordance with applicable laws and regulations, PayPal is required to confirm your identity through documentation collection to prevent identity theft, money laundering, and the financing of terrorism.”
To which I reply:
— Start reply to Bella —
Here’s the problem: I cannot see how having my account name listed as “A***** B***** C*****” instead of “A***** C*****” will magically prevent identity theft, money laundering, or terrorism. Payments will NOT be any safer by adding my middle name to my profile.
I was willing to change my profile name from Japanese to English to conform to this idiotic bureaucratic nonsense.
I was under the impression that the method you use to verify if I am who I say I am is to send me some snail-mail containing a number I have to enter online. Adding a middle name will not change the mailman’s (actually, it’s a woman most of the week) ability to deliver the mail to me.
In light of the complete foolishness of this process, I have reverted my name back to Japanese, as it has been just fine for the past several years without a single identity theft, currency laundered, nor terrorist funded.
If you feel that the only way to protect yourselves from me committing any of these absurd crimes that I would never commit is to limit my account, so be it.
— End reply to Bella —
So Erica gives it a shot, first apologizing for the delayed response.
Erica actually admitted that the stated purpose is hogwash by stating, “I want to explain that only changing your name can not prevent identity theft, money laundering, and the financing of terrorism.”
Great! I got somebody to recognize reality. The real reason for this nonsense is “[According] to Japanese law, we ask every user to verify their account as to the security of account info. To do this process, the documents info need to match account info completely.”
So in my reply, I give a complete history of the issue at hand, and what each side has claimed. With this concession, I push forward:
— Begin partial reply to Erica —
It appears that there’s still something that needs to be completed before the process can continue. And if, as I believe Erica meant that I am to “verify [my] account as to the *accuracy* of [the] account info,” I have done so. It is accurate. The process is not complete!
But you will still object to it not being “identical.”
Here is what it comes down to. I believe the following to be equivalent:
A***** == ア*****
B***** == [Not necessary]
C***** == カ***** == 漢字
As a side note, I have “漢字” registered at the local 区役所 as my official 印鑑 and have used it to purchase land and a home. Therefore, there is precedent of transliterations being considered equivalent.
Now I shall reiterate what I’ve said before, as you keep avoiding the root issue.
THE PURPOSE OF VERIFICATION IS TO CONFIRM THAT A PERSON IS WHO HE/SHE STATES HE/SHE IS.
THE NAME ENTERED INTO A WEB FORM NOT BEING IDENTICAL TO SOME ARBITRARY PHYSICAL DOCUMENTATION DOES NOT CHANGE THE FACT THAT HE/SHE IS OR IS NOT THE PERSON REFERENCED IN THE DOCUMENTATION.
If there is a law that says that my name cannot be written “ア***** カ*****” or I will be considered a terrorist, then THAT LAW IS NOT REASONABLE. I am not a terrorist, no matter how my name happens to be written.
— End partial reply to Erica —
But alas, Alex contacts me to say that he changed my name for me, the account will be reviewed, and the PIN should be in the mail and to me within 5 business days.
Nothing I said mattered. They finally solved the problem themselves by not requiring me to do it myself.
The review revealed another issue. Apparently my address was not written exactly the same as it was on the document either.
Since Alex quoted that idiotic line about identity theft, money laundering, and financing of terrorism, you know that I had to rant about that in my reply. I’ll just skip that here and get to the new issue:
— Begin reply to Alex and additional issue —
Because my address was already in Japanese, I figured that the issue was that I didn’t include the back side of my residence card, which may (but does not) have a change of address on it. So I scanned the back of my residence card and sent it. As you can see, my address has not changed.
Then I found my address on your site, confirmed that it was correct, and figured I was done. But just to be sure, I checked my residence card and noticed that they write the number with 番 and 号 on it, which I imagine you don’t consider to be the same as the number being hyphenated. (Roll eyes.)
One of the things I had read originally was that a utility bill may be supplied as confirmation of one’s address. So I have now scanned and included a copy of December’s electric bill. I highlighted my name (ア***** カ***** which IS THE SAME AS “A***** C*****”) and address (**市 **区**町##-##) which has the **県 missing because it’s sent from within the same prefecture. This is normal. This is EXACTLY THE SAME as what I have as my address and what is written on my residence card.
If these laws and regulations to which you keep referring cannot see that these are equivalent, then the laws and regulations are wrong and should be considered null and void. I believe that I have already expressed my views of the evil that anti-terrorism laws do (and expressed my displeasure in PayPal using these poorly written laws to label Wikileaks’ founder Julian Assange as a terrorist – which he clearly is not – and cut off his funds).
Questions about this procedure:
1. Is the purpose of this exercise to prove that I am who I say I am?
2. Does my name as “A***** C*****” really mean something different than “A***** B***** C*****”?
3. In what way does having 番 and 号 instead of a hyphen (-) in my address change the result?
You are behaving like a poorly written Turing Machine. (http://en.wikipedia.org/wiki/Turing_machine) And your anticipated inability to answer the above three questions just goes to show that I must be talking to a machine rather than a person.
Hmm. I wonder if this can be submitted as evidence that corporations aren’t people.
— End reply to Alex and additional issue —
Then magically, the PIN arrives in the mail a couple days later.
No, they never answered any of my questions. And I never changed my name or address to meet their requirements. But it all somehow worked out. And they did remove my middle name after I requested it, but have not changed my name back to being written in Japanese, which I would prefer.
i’m curious about a couple of things here. in your last column you said that you weren’t sure whether the email you received was a phishing attempt or not. can’t you just right-click on the link and see if the URL is a legitimate PayPal link or not? or if you aren’t sure, do a WHOIS lookup on the URL? i was under the impression that figuring out whether an email is a phishing attempt or not was very easy to do.
also, in this column you say there’s no downside for PayPal to simply tell you the truth. actually, it seems to me that there’s a significant upside — the bad guys would know that PayPal is on to them, and thus hopefully they would get out of town fast. i don’t see what PayPal was hoping to accomplish by temporarily limiting your account until you provided more info — you provide the info, the account is reactivated, and the hacking goes on. somehow they thought you would read between the lines and cancel the account of your own accord?
this is the problem with security on any internet account where the only means of communication is via email. once you’ve been hacked, you don’t own the account, and so resolving the issue via email is virtually impossible as the hackers will see everything that transpires. the only way to resolve issues like this is via phone or better yet in person. which is the last thing companies like PayPal want to do, since as you note, one phone call pretty much cancels out whatever profit margin they made on the account over the years.
How long will it take PayPal to add additional security to the login process?
After all it doesn’t need a genius to realise, that publicly known email addresses of paypal users will only require guessing/attacking the password. Nothing more.
Having a secret passcode/passphrase at login, known only to the account holder and paypal would deter most attacks, and save millions of its customers wasting their time dealing with barely-adequate customer service/resolution process.
PayPal froze my account for some unknown reason 5 years ago. Multiple calls proved fruitless.
They just now have finally turned my funds over to my state’s unclaimed money fund.
Obviously the customer shouldn’t have to reveal the entire passcode/passphrase, just be challenged for a character at random position #N
PayPal is so 1990’s. Haven’t you heard that all the cool kids are moving to BitCoin?
Am I the only person who thinks the Paypal executive that spoke to Bob was not telling the truth? Blaming it on a hack, and making Paypal look like they care about their account holders? My guess is this exec is full of it and just trying to spin this story. Don’t believe these guys Bob, Paypal is a rotten company! Just look online and read the many stories of small online business that lost thousands due to Paypal fraud, had their accounts limited, and had their money held for indefinite periods of time. This company needs to go away!
I was thinking the same thing. If the account has been hacked, wouldn’t there be transactions logged? I’d ask to see them.
Paypal seems to be established in California and California civil code requires disclosure of a security breach, at least to residents of California, according to civil code 1798.82: https://www.dmv.ca.gov/pubs/vctop/appndxa/civil/civ1798_82.htm
The problem is that someone else logging into your Paypal account doesn’t immediately reveal one of the pieces of information involved in the requirement for disclosure, such as an ssn, driver’s license or bank account number, etc. It’s a different story if one can demonstrate that access to your account was obtained due to a security breach of Paypal itself.
Not disclosing to you that someone else is apparently logging into your account seems to be legal, although still immoral, especially if someone can potentially transfer your funds.
Suspicious activity means your account may have been hacked not that it actually was. Although I have not had a problem with PayPal, I sometimes have a problem with my credit card no longer being accepted with no warning or explanation until I call them. They used to call me for verification but I think they stopped doing that since the bad guys may have stolen my phone and other identifying documents. They figure the bad guys will discard a nonworking card but the real owner will call and complain. PayPal policies may be similar. We may have to just accept the fact that to a financial company, just like to Hollywood or Microsoft, everyone is a thief.
Well the good news for everyone in this is that someday soon when either Dwolla gets registered in Europe or Flattr gets registered in the US there will be a nice little collaboration that will mean you won’t ever have to deal with messes like this again.
Except at eBay, where I believe Paypal remains the only accepted form of payment.
Can’t tell if you’re joking. A few companies collaborating is not necessarily going to fix bureaucracy. But maybe true competition will help.
Bob
I had a similar incident with Paypal. My account was suspended and I was unable to re validate online which forced me to call them.
Unlike you, I got a real person and she explained my account had been suspended because someone accessed the account from some place called “Adelaide” (she obviously was not Australian and had no idea where Adelaide was). I live in Sydney but travel often to Adelaide. After I explained that Adelaide is part of Australia and it was me, not some hackers accessing my account it was reinstated. Interesting that all it takes to get your account suspended is to use it in another city. Perhaps Paypal need to find a better way to improve their security.
Wow, so my account was hacked 18 hours ago and someone tried to purchase an iPad from my account through Newegg (no fault of them since I didn’t have a newegg account). Anyway, the hacker changed my shipping address to somewhere in Vancouver and put the ~$400 order through when I had less than $4 in my PayPal account!!!
I guess since I had my bank account linked, they somehow thought I moved to Vancouver all of a sudden TO THE SAME ADDRESS!! So my street address remained same but cities and postal code changed with the secondary address changing as well.
I am not a professional programmer but if I were to design a system for detecting hacks/frauds, I would implement an algorithm to detect something like this.
I called them twice and each time I was placed on hold for 30min+ forcing me to hang up eventually…
Yahoo seems to be playing the same “don’t tell” game, too: I recently got the following message:
“Hi Pat,
We detected a login attempt with valid password to your Yahoo! account from an unrecognized device on Fri, Mar 8, 2013 9:59 AM EET.
Location: Romania (IP=5.15.79.143)
Note: The location is based on information from your Internet service or wireless carrier provider.”
For the record, my name is not Pat, and I am in the U.S., not Romania.
Yahoo Mail has had the same ongoing problem with hacking for several years…I get spam from people I know, always blasted out to THEIR email phonebook, and always ends after they change their password.
Bob, whatever makes you think that they are telling you the truth this time?
The simplest thing would be to ask for a list of transactions on the account – I’m not a paypal user so I don’t know how this would work but surely they owe you that as a minimum?
You can sometimes use PayPal’s shortcomings to your advantage. One time I had an issue with a vendor over an item that I purchased using PayPal. They wouldn’t resend/refund for an item I never received. So I finally just told them… “I will file a dispute with PayPal, and they’ll lock your account. Google ‘paypal locked’ and you’ll find that you may never get it unlocked.”
My money was promptly refunded.
Ah! So that’s what they mean by “eBay Buyer Protection” 🙂
——————————————————————————————-
Service Unavailable.
Technical description:
504 Gateway Time-out – The web server is not responding
Bob, could you please try posting once a day in the afternoon to experience the new problems with the website that started this year. Just say “I’m not commenting on this post, just testing the website. Thanks.”
Sometimes a new post gets through even though an earlier reply to a previous post does not.
Is it possible the random verification e-mail was phishing?
Have you looked at Dwolla?
They seem to avoid many of PayPal’s issues, at least so far.
I had a server problem last night, too
The only thing I find interesting is that there are still some clients left to screw after 10 years of continuous campaign to kill clients. Once you enter the suspicious activity list, there is no going back, just forget the service even if the account is unfrozen. I suspect that they have a lot of profit made from holding money for 180 days.
Same issue – Account limitation because of activity from a sanctioned country (Iran).
The credit card in question is a Chase Rapid Rewards which I use for every purchase in my life. No other merchant has a problem with it.
I have never knowingly purchased anything from Iran.
My best guess is there was some sort of fraudulent attempt – which Chase deflected and I never knew about.
They refer to it as something I can access and provide some sort of documentation about. I have provided all the other documentation they ask for (photo ID, bills etc.) – which is basically an identity theft kit and I don’t feel secure uploading to their servers.
Anyway – it’s a good question. Why do I give a shit? Who cares about Paypal? I sure don’t and think their service will be obsolete shortly (as better and easier payment APIs are available to small business websites) – BUT, in the meantime – there are small businesses that only accept Paypal as a way to pay for their services online. I currently am unable to buy a replacement filter for my water filtration system on my kitchen sink because you can only order them on their website and they only accept Paypal payment. Even if you choose “Use my credit card” – Paypal still processes the order and the limitation is still in effect.
F#@k Paypal