suspicious activity notice, password reset without any reason, and false message business upgrade

xenek
New Community Member

Hello. I'm upset.


Today, without reason or any unusual transaction, I was unable to login to a paypal personal account, with a message 'suspicious activity'. The account is used for small transactions of a typical nature, nearly always to do with spending the limited income I have, volume normally <$500 AUD a week.


I've in in ICT for nearly three decades, so I have some views. The list of failures is long. I don't have interest or or financial capacity to volunteer my time to assist paypal with their failures of their system. But I'll be as succinct as possible nonetheless, and share my view in respectful words, to make my displeasure clear and assist your technical and management teams, who clearly need assistance, which doesn't speak well for their competence. This is the 'exceptionally kind, simple and abbreviated version of my views'.


My internet connection is as secure as any other that is available to any member of the general public, actually, given I'm using the very latest updated Iphone 13 Pro Max using a Telstra Business connection and connected using 5G, the latest mobile broadband data support, with 5 bars of signal, on a computer that is also fully updated with Windows 11, with the complete range of hardware security features, enabled, and using the latest manufacturer provided management software, and the latest firmwares across all devices.


1. No unusual transactions shown on the app on the phone, which shows all transactions near-immediately as a popup.

2. I try to login via my service provider, to pay a very important bill of about $5 AUD for a service that I value, in small part, because they accept Paypal. I use a password manager so there is no question about the password being incorrect in this instance. The password is very long and unable to be computationally broken using traditional computing, only through illegal surveillance by hackers or illegal misuse by authorities.

3. I receive the message that there is suspicious activity detected and that I need to verify my details. I confirmed the URL. I verified the details.

4. After a successful verification, I was asked to reset the password. At this point I became angry, as that's unreasonable and a forced time-wasting exercise that reduces security, in my opinion. Reasons?

a) There was no indication that the password had to be reset initially, I was only asked to verify details.

b) I've assisted many hundreds of people who would find this a crippling requirement, and would mistrust the request, and be anxious and alarmed.

c) the request reset website page, at the top, where the tab is, indicated 'business upgrade', or words to that effect, which has nothing to do with the personal account I have, and which also, would create mistrust and suspicion for paypal, on the part of the customer, who wouldn't be interested in upgrading, who didn't request it, who would be legitimately and rightfully angry at what clearly, visually, appeared to be a forced upgrade.

d) there were no suspicious transactions shown to me via the 'always signed in and active' iphone app

e) there were no notices of password use or failure

f) extending and making assumptions, if there is a 'concern' that requires paypal to, for security reasons, reset individual accounts, or thousands of accounts, or all accounts, to secure their business operations and the faith and trust of the customers in paypal to protect the funds or systems used to pay through accessing credit, I expect it completely reasonable that a more accurate explanation be given, rather than suggesting 'suspicious activity'. I find it illogical, deceptive, and unreasonable that such a vague message be given, which shifts the suspicion and mistrust to the customer, who has no indication of why there is 'suspicious activity' even though they have comprehensive systems to rapidly notice fraud, such as phone notifications or irregular statement activity.

g) a single password reset can create a cascade of failures for the individual, and the anxiety the unexpected and unexplained reset creates, is probably uncaringly ignored by Paypal, which also contributed to my anger.

h) the idiocy of the 'reasoning behind the password reset' is clearest if I describe it this way. When I am using the same external equipment (mobile phone tower, city, state & country, same carrier), and the same internet connection (same subscribed plan, same level of service), and the same phone, and same computer, to reset the account. Further, to reset the password means it's typically displayed onscreen, typed out, and saved in one or more different cloud-synced password systems, so it's disclosed again, and more frequently.

i) It's time consuming to reset the password online.

j) it's even more time consuming to verify that the entire process is legitimate.

h) it's frustrating that this much friction is created when I'm trying to pay a $5.00 account or bill for some services.


Paypal and associated parties: I'm caring that you work to keep things simple, and find great success in doing so. I'm respectful that you have provided good services at low costs to the consumer / customer, and I assume, relatively low costs to the merchants. I'm grateful that you work to avoid mistaken transactions that would mean I find myself in debt from someone doing an unauthorized transfer out. However, I'm very upset when the service I rely on, demonstrate such issues, such a long string of incompetent failures in engineering and in social consideration, that I know with certainty would add to the mistrust and anxiety of customers who in part, help create the scale of use, that enables me to also use it without failure, reliably for many years at what is no cost aside from what is passed on by the merchants.


Please work to address the issues with competence. If you want a single place to start, work out why the 'suspicious activity' message occurred without any transactions being displayed. I especially need to see a transaction or metadata on all of them, if there are suspicious ones, or at least, have the opportunity to review any blocked transactions, or transactions that are assumed invalid. Given I had no password failure or notice of failed login attempts, I'm assuming it's not a matter of someone trying to use my credentials or brute-force the account. But it is possible you are penalizing the merchant I used, where I tried to pay my bill, and that reflects equally badly on you as it highlights favoritism that might be criminal, so please, if you're flagging transactions as suspicious because of the merchant, I'd suggest you note that to me as well, but in a way that doesn't implicate the merchant unfairly. Eg. "Suspicious activity has been detected / related to this merchant / relating to your account / relating to country x / relating to current internet events in your region of the world etc. To protect & respect you and their trust in us, we must confirm your details once more. You may need to reset your password. We appreciate this is frustrating, but it's very important to us to be there for you in the future, and being sure it's you we're working for."


I'm assuming the 'suspicious activity' is not deposits to my account, as they should always be allowed. If suspicious, it's up to the receiver to determine if that is the fact. No matter the type or volume or amounts, as I doubt your organization or the authorities of any nation for that matter, has the ability and capacity to accurately and competently and completely determine if a paid transaction is suspicious or not. In this case, I am the receiver, and that means that responsibility is mine, not yours. Anticipating that your business model already operates like that, I assume hopefully correctly, that the 'suspicious activity' isn't related to deposits.


I've left this detail in the user-forum as it's indicative of issues that clearly, Paypal alone can't resolve, and I anticipate that competent community members with experience in managing complexity and detail will identify if there are improvements or issues beyond what I have raised.

Login to Me Too
1 REPLY 1

Gypsiblu
Contributor
Contributor
I was hospitalized on MARCH 2 , 2022. My purse, wallet, and phone were stolen during this time. Because I used the app the thieves had full access to my account as well as my debit cards. On March 29 I called PayPal to report all of this I changed my email and phone and went thru 3 different identity verification. First I answered questions the rep asked that only I would know such as the address of the first home I bought in 1992. I assed this. I sent a copy of my Driver's license (,brand new dated March 27, 2022.) And a selfie holding my license. I also verified the debit card numbers of my Navy Federal Credit Union and my One Financial debit cards attached to my account. Then I filed disputes for all of the unauthorized charges. On April 18 2022 I tried to log into my account to find that PayPal had deleted all of my current login info and my phone number and reverted it back to my old login info thereby giving the thieves access to my account once again. No one has ever told me why or apologized for this. I have received provisional credit for only 2 out of 10 transactions and the disputes that should have all been filed as unauthorized were filed in several different ways many of which were WRONG. I have had no choice but to contact legal representation and encourage anyone else who has been a victim of unauthorized changes made to their account to do the same. This is not only an immoral practice in the US it is also ILLEGAL. I used fairshake dot com to file my claim. Maybe if enough people stand up against this this kind of mayhem will stop. PayPal has forgotten that without their customers they would have no company.
Login to Me Too

Haven't Found your Answer?

It happens. Hit the "Login to Ask the community" button to create a question for the PayPal community.