What is inconceivable is not simply that PayPal is so insecure, but that they have so little understanding of how easily they could become secure and so little concern about the problem. My PayPal account was permanently locked (despite an $800 balance) because someone with information of record (last 4 digits of my SSN, last 4 digits of a bank account) that is probably available to literally thousands of people called, claimed to be me, and asked for a funds transfer (while I was logged on, so it "looked suspicious"). I explained that it was an acquaintance who did it because he thought I owed him money, and that I had told him off, and changed all my security information, and that I was making no claim of any missing funds. The PayPal rep told me they were permanently closing my account. I explained that allowing people to authenticate over the phone based only on information of record was so completely insecure that it was almost laughable for a company that claims to be a "bank". It's no wonder there are hundreds or thousands of hijacked accounts. To use 128-bit encryption and then allow someone to authenticate for financial transactions with information of record reveals a total lack of either understanding or concern. I patiently explained to her that there were simple ways to authenticate over the phone, such as providing the user with an arbitrary PIN. She said there was a "mobile PIN" but it was only for mobile login and not for voice authentication. She then told me that there was an optional procedure to obtain a voice authentication PIN. I asked where it was on the website. She insisted it was there but SHE COULD NOT FIND IT ON HER OWN COMPANY WEB PAGE!!! Most banks use PIN authentication over the phone just for service calls, and don't allow any financial transactions without digital authentication. If you lose your information you have to request a new mailing or appear in person. Anyone can find out your mother's maiden name.
So what I was told is that because it is simplest just to ask for two or three pieces of information of record, that is all they will ask for, and no, they don't care if you have been doing IT for 30 years, they are not going to listen to you. This would NEVER have happened when Elon Musk was running the company.

Best regards, Dan Woodard