Disappointed in the way "Notice of policy updates" are poorly done and security practices

JonnyQ
Contributor

 

Item 1:

There are way too many PayPal phishing emails, and what disturbs me is why official emails use links such as "<removed>" instead of the paypal.com domain - this is just bad security practice. The average user should be trained to trust only paypal.com links, no exceptions. The right way to do this is a link like e.g. <removed>, not separate domains.

 

Item 2:

"Emails from PayPal will always address you by your first name and last name. Fake or ‘phishing’ emails tend to have generic greetings such as “Dear PayPal member”". It is a bad idea reassuring your users that phishing emails will always use "Dear Paypal member". What about socially engineered emails? There is enough sloppy security in social media that makes this an increasingly bad idea to make this the lead statement. The best practice is to emphasise links must be paypal.com (which is currently not the case) before you make statements like this.

 

Item 3:

The email I got was like this (yes it used my name):

Notice of Policy Updates

Hello [redacted], 

We are making some changes to our User Agreement, Privacy Statement, and Combined Financial Services Guide and Product Disclosure Statement. These changes will go into effect on 28 March 2019. 
...

My policy is never to click links in email, no exceptions, but you send me emails like this that don't show the direct link "https://www.paypal.com/au/webapps/mpp/ua/upcoming-policies-full?locale.x%3Den_AU" - I was forced to click a link in an email that was not a paypal.com link. The better practice is to change your links to be paypal.com links (not some other similar domain just like the malicious emails). An easy way to find the link from paypal.com would be a plus too.

 

Item 4: 

Now when I go view the revised 44 page pdf "<removed>" I find your changes obfuscated and you're wasting my time. This is wasting my time because there was no annotation showing your revision - describing change is not sufficient. I have seen hard copy manuals from the 1970s where margin annotations indicated new and changed paragraphs, such a simple thing to save time and clearly document your revisions. How is it PayPal cannot do simple document change management that has been around over 40 years? While some other documents use underlining to indicate change, the margin annotation, typically "|" and/or "+", is still not used. Any decent document manager can automate change annotations.

 

Not sure if I got community Category+Board correct.
(also sent to PayPal)

 

 

1 REPLY 1

JonnyQ
Contributor

I am disappointed that the moderator removed the link examples on the grounds of bullet point one in the posting rules; it makes it harder to understand that using domains other than paypal.com in the emails PayPal creates is a bad idea. I don't see how link examples make the criteria listed.
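
Items 1 and 3 of the thread argue that only paypal.com links in an email should be trusted. The following is an added example, not part of the original posts and not PayPal's code: a Python check that lists every link in an HTML email body and flags any whose real host is not paypal.com or a subdomain of it, going slightly beyond the post by also requiring https and by parsing the host rather than searching the URL text. The names `LinkCollector`, `is_trusted` and `audit` are hypothetical, and the sample body with its example.net hosts is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = "paypal.com"  # the only domain the post says users should trust


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_trusted(url, trusted=TRUSTED):
    """True only for https links whose host is the trusted domain or a subdomain."""
    parts = urlsplit(url)
    # hostname drops any "user@" prefix and port, so the real host is compared
    host = (parts.hostname or "").lower().rstrip(".")
    return parts.scheme == "https" and (host == trusted or host.endswith("." + trusted))


def audit(html):
    """Return [(href, text, verdict)] for every link in the message body."""
    collector = LinkCollector()
    collector.feed(html)
    return [(h, t, "ok" if is_trusted(h) else "UNTRUSTED") for h, t in collector.links]


# Constructed sample body; the non-PayPal hosts are placeholders under example.net.
SAMPLE = """<p>Hello,</p>
<a href="https://www.paypal.com/au/webapps/mpp/ua/upcoming-policies-full">Policy updates</a>
<a href="https://paypal.com.example.net/login">https://www.paypal.com/signin</a>
<a href="https://www.paypal.com@example.net/">Log in</a>
<a href="https://tracking.example.net/c/abc123">View the full notice</a>"""

if __name__ == "__main__":
    print(*(f"{v:9} {h}  (shown as: {t})" for h, t, v in audit(SAMPLE)), sep="\n")
```

The second sample link shows why the visible text cannot be used for the decision: it displays a paypal.com address while the `href` points elsewhere.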
